1.A) User Execution, Masquerading, Uncommonly Used Port #1
Comments
C:\ProgramData\victim\‮cod.3aka3.scr uses Right To Left Override |
files = spark.sql( is not picking anything so I am probably missing out something there :) I tried to look for alternate data stream (download evidence) without much luck files = spark.sql( |
Yeah it doesn't look like @emiliedns ..mm..
|
maybe because of the way the automation was done, the browser wasn't used, was it? that could explain |
Correct @emiliedns :) Good one! I didn't remember that one https://github.com/hunters-forge/OSSEM/blob/master/data_dictionaries/windows/sysmon/events/event-15.md |
Right To Left Override files executed
Results
|
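Added example (not code from the thread or the hackathon repository): a plain-Python version of the Right-To-Left Override check discussed above, run over a few constructed process-creation records modelled on Sysmon Event ID 1 fields. The file name from the thread is used as the first record; the other records, the user name and the field layout are assumptions. It flags any Image or CommandLine carrying a Unicode bidi control character and reports the name the user would have seen next to the extension Windows actually executed.

```python
from typing import Dict, Iterable, List

# Unicode bidirectional control code points. U+202E (Right-To-Left Override) is the
# one abused in this scenario; the others are included so a variant is not missed.
RTLO = "\u202e"
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Constructed sample records, loosely modelled on Sysmon Event ID 1 (process creation)
# fields. The first Image is the file name from the thread; the rest are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": "C:\\ProgramData\\victim\\\u202ecod.3aka3.scr",
        "CommandLine": "\"C:\\ProgramData\\victim\\\u202ecod.3aka3.scr\" /S",
        "User": "DMEVALS\\pbeesly",
    },
    {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\Users\\pbeesly\\report.txt",
        "User": "DMEVALS\\pbeesly",
    },
    {
        "Image": "C:\\Users\\pbeesly\\Downloads\\invoice\u202efdp.exe",
        "CommandLine": "\"C:\\Users\\pbeesly\\Downloads\\invoice\u202efdp.exe\"",
        "User": "DMEVALS\\pbeesly",
    },
]


def file_name(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def contains_bidi_control(text: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in text)


def rendered_name(path: str) -> str:
    """Approximate what Explorer shows: everything after U+202E is drawn reversed."""
    name = file_name(path)
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def actual_extension(path: str) -> str:
    """Extension Windows actually uses, with bidi controls stripped."""
    name = "".join(ch for ch in file_name(path) if ch not in BIDI_CONTROLS)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_rtlo_executions(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per process-creation event whose Image or CommandLine carries
    a bidi control character."""
    findings = []
    for ev in events:
        if not any(contains_bidi_control(ev.get(f, "")) for f in ("Image", "CommandLine")):
            continue
        findings.append({
            "user": ev.get("User", ""),
            "image": ev["Image"],
            "displayed_as": rendered_name(ev["Image"]),
            "actual_extension": actual_extension(ev["Image"]),
        })
    return findings


if __name__ == "__main__":
    for hit in find_rtlo_executions(SAMPLE_EVENTS):
        print(f"{hit['user']}: shown as '{hit['displayed_as']}', really a .{hit['actual_extension']}")
```

The same predicate (any bidi control in Image or CommandLine) is what a Spark or Sigma version of the query needs; the rendered-name helper is only there so an analyst reading the alert sees why "rcs.3aka3.doc" was really a .scr.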
I like this approach @gonzalomarcos ! Thank you for sharing. I wonder how something like that can be written in Sigma. @thomaspatzke is that something that can be done with Sigma? |
@Cyb3rWard0g I can't find the executable download anywhere. If I should move this somewhere else let me know, but here is a sigma rule for that:

title: Executable from Webdav
status: experimental
date: 2020/05/01
description: Detects executable access via webdav6
author: 'Adam Swan'
references:
  - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
  - https://github.com/OTRF/detection-hackathon-apt29
tags:
  - attack.command_and_control
  - attack.T1043
logsource:
  category: proxy
detection:
  selection_webdav:
    - c-useragent: '*WebDAV*'
    - c-uri: '*webdav*'
  selection_executable:
    - resp_mime_types: '*dosexec*'
    - c-uri: '*.exe'
  condition: selection_webdav AND selection_executable
falsepositives:
  - unknown
level: medium
|
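Added example (not part of the thread and not the rule author's code): the two selections and the condition of the Sigma rule above, transcribed into Python and run over constructed proxy records that use the rule's own field names. The sample records, the source addresses and the assumption that resp_mime_types may arrive as a list (as Zeek-style tooling emits it) are all assumptions made here. It shows which of the four records the rule fires on and why the WebDAV-only and executable-only records do not.

```python
import fnmatch
from typing import Dict, List, Sequence, Tuple, Union

# Selections transcribed from the Sigma rule. In Sigma, a selection written as a list
# of single-key maps is OR-ed; the condition then ANDs the two selections together.
Selection = Sequence[Tuple[str, str]]
SELECTION_WEBDAV: Selection = [("c-useragent", "*WebDAV*"), ("c-uri", "*webdav*")]
SELECTION_EXECUTABLE: Selection = [("resp_mime_types", "*dosexec*"), ("c-uri", "*.exe")]

# Constructed proxy records (hypothetical hosts and paths) using the rule's field names.
SAMPLE_PROXY_LOGS: List[Dict[str, Union[str, List[str]]]] = [
    {"id.orig_h": "10.0.1.4", "c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.18362",
     "c-uri": "/share/tools/setup.exe", "resp_mime_types": ["application/x-dosexec"]},
    {"id.orig_h": "10.0.1.5", "c-useragent": "Mozilla/5.0 (Windows NT 10.0)",
     "c-uri": "/webdav/updates/agent.exe", "resp_mime_types": "application/octet-stream"},
    {"id.orig_h": "10.0.1.4", "c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.18362",
     "c-uri": "/share/docs/q1-report.docx",
     "resp_mime_types": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]},
    {"id.orig_h": "10.0.1.6", "c-useragent": "Mozilla/5.0 (Windows NT 10.0)",
     "c-uri": "/downloads/installer.exe", "resp_mime_types": "application/x-dosexec"},
]


def _as_text(value) -> str:
    # Multi-valued fields are joined so a wildcard can match any element.
    if isinstance(value, (list, tuple)):
        return ",".join(str(v) for v in value)
    return str(value)


def _sigma_match(value, pattern: str) -> bool:
    # Sigma string matching is case-insensitive and '*' is the only wildcard used in
    # this rule; lower-casing both sides and using fnmatchcase reproduces that.
    return fnmatch.fnmatchcase(_as_text(value).lower(), pattern.lower())


def selection_hit(record: Dict, selection: Selection) -> bool:
    """OR over the (field, pattern) pairs of one selection."""
    return any(_sigma_match(record.get(field, ""), pattern) for field, pattern in selection)


def matches_rule(record: Dict) -> bool:
    """condition: selection_webdav AND selection_executable"""
    return selection_hit(record, SELECTION_WEBDAV) and selection_hit(record, SELECTION_EXECUTABLE)


def find_webdav_executables(records) -> List[Dict]:
    return [r for r in records if matches_rule(r)]


if __name__ == "__main__":
    for rec in find_webdav_executables(SAMPLE_PROXY_LOGS):
        print(f"{rec['id.orig_h']} fetched {rec['c-uri']} via {rec['c-useragent']}")
```

Note that '*.exe' is an end-of-string match, so a URI with a query string after the file name relies on the MIME-type half of the selection; that is a property of the rule as written, and the fourth record shows the other side of it (an executable download that is not over WebDAV does not fire).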
Hey @neu5ron, I believe that goes to this Issue, right? #19 Let me know. @patrickstjohn created one but to detect if it was a python application. So that query works there too! That's awesome! Thank you Adam! If you can move the query there it would be awesome to track it! 👍 |
I wonder how noisy the SeProfileSingleProcessPrivilege user privileges requested is for non-SYSTEM
Results:
|
I liked this query @cyb3rpanda from the Initial Exploratory analysis notebook:
I was going over the APT29 Evals results and some EDR solutions also look for that combination. |
Detection Categories
Main - Technique: Process creation / Execution from users directory (originally, during the evals, the file was executed from C:\users\ and not C:\programdata\; however, the execution of the file was captured from C:\programdata\ and it would have been captured anyway from C:\users\)
Main - General: Information about new process running on endpoint leveraging registry modifications to
|
Main - Telemetry: Execution of payload was captured
Results:
|
1.A.4 Standard Cryptographic Protocol
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
|
Description
The scenario begins with an initial breach, where a legitimate user clicks (T1204) an executable payload (screensaver executable) masquerading as a benign word document (T1036). Once executed, the payload creates a C2 connection over port 1234 (T1065) using the RC4 cryptographic cipher.