2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged #3
Comments
Interesting: event 4104 of PowerShell/Operational has a field ExecutionProcessID that can be related to ProcessId of event 1 of Sysmon.
Thank you very much for the initial query @cyb3rpanda, I modified it a little bit and it captured other commands where
Results:
@cyb3rpanda 😱 😱 Check this one out 😄 PowerShell Execution (ChildItem) -> Process Creation (Sysmon 1) -> File Creation (Sysmon 1)
Results:
| Step | Technique | Procedure | Data sources | Output |
|---|---|---|---|---|
| 2.A.1 | File and Directory Discovery | Searched filesystem for document and media files using PowerShell | Sysmon + PS Logs; Security + PS Logs | |
| 2.A.2 | Automated Collection | Scripted search of filesystem for document and media files using PowerShell | Same rule as the previous one | |
| 2.A.4 | Data Compressed | Compressed and stored files into ZIP (Draft.zip) using PowerShell | Sysmon + PS Logs; Security + PS Logs | |
| 2.A.5 | Data Staged | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | | |
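The chain the comments above describe (a 4104 script block tied to its Sysmon process-creation event through ExecutionProcessID/ProcessId, then to the archive that process writes) can be expressed as a small correlation routine. The following is an added example and not a query from this issue or from the project; all events in it are constructed samples whose field names follow the Windows event schemas (4104 carries ScriptBlockText and ExecutionProcessID; Sysmon event 1 carries ProcessId, Image and ParentImage; Sysmon event 11, FileCreate, carries ProcessId and TargetFilename). The cmdlet patterns, PIDs, paths and timestamps are assumptions chosen to exercise the logic, not values taken from the evaluation.

```python
"""Correlate PowerShell 4104 script-block events with Sysmon EID 1 (process
creation) and EID 11 (file creation) by process id.  Defender-side example;
all events below are constructed samples, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the issue).  Process 4212 enumerates
# documents and builds an archive; process 5100 only lists log files.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "time": "2020-05-01T10:00:00", "ProcessId": 4212,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "time": "2020-05-01T10:00:05", "ExecutionProcessID": 4212,
     "ScriptBlockText": r"Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.docx,*.pdf,*.png | "
                        r"Compress-Archive -DestinationPath $env:TEMP\Draft.zip"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 11,
     "time": "2020-05-01T10:00:09", "ProcessId": 4212,
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\Draft.zip"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "time": "2020-05-01T10:05:00", "ProcessId": 5100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "time": "2020-05-01T10:05:03", "ExecutionProcessID": 5100,
     "ScriptBlockText": r"Get-ChildItem -Path C:\Logs -Filter *.log"},
]

# Cmdlets/aliases that enumerate the filesystem, and APIs that build archives.
# Both lists are assumptions for the example, not an exhaustive detection.
DISCOVERY_RE = re.compile(r"(?<![\w-])(Get-ChildItem|gci|dir|ls)(?![\w-])", re.IGNORECASE)
COMPRESS_RE = re.compile(r"(Compress-Archive|IO\.Compression\.ZipFile)", re.IGNORECASE)


def parse_time(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(minutes=5)):
    """Return one alert per 4104 script block that both enumerates files and
    builds an archive.  Severity is 'high' when the same process also wrote a
    .zip (Sysmon EID 11) within `window`, else 'medium'."""
    # Index Sysmon EID 1 by ProcessId so a 4104 can be tied back to its image.
    processes = {}
    for e in events:
        if e["event_id"] == 1 and e["channel"].endswith("Sysmon/Operational"):
            processes[e["ProcessId"]] = e
    file_creates = [e for e in events if e["event_id"] == 11]

    alerts = []
    for e in events:
        if e["event_id"] != 4104:
            continue
        script = e["ScriptBlockText"]
        if not (DISCOVERY_RE.search(script) and COMPRESS_RE.search(script)):
            continue  # listing alone (routine administration) is not alerted on
        pid = e["ExecutionProcessID"]
        t = parse_time(e["time"])
        proc = processes.get(pid)
        # PIDs are reused: only accept a process created before the script ran.
        if proc is None or parse_time(proc["time"]) > t:
            continue
        zips = [f for f in file_creates
                if f["ProcessId"] == pid
                and f["TargetFilename"].lower().endswith(".zip")
                and t <= parse_time(f["time"]) <= t + window]
        alerts.append({
            "ProcessId": pid,
            "Image": proc["Image"],
            "ParentImage": proc["ParentImage"],
            "ScriptBlockText": script,
            "archives": [z["TargetFilename"] for z in zips],
            "severity": "high" if zips else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["ProcessId"], a["ParentImage"], a["archives"])
```

Two caveats worth keeping in mind when turning this into a real rule: 4104 events only exist where script block logging is enabled, and Sysmon only emits EID 11 for paths that match a FileCreate rule in its configuration, so the "high" tier depends on both being in place. The process-creation timestamp check matters because Windows reuses process ids; without it a 4104 from a new process could be joined to an older, unrelated Sysmon EID 1 that happened to carry the same number.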
Description
The attacker runs a one-liner command to search the filesystem for document and media files (T1083, T1119), collecting (T1005) and compressing (T1002) content into a single file (T1074).