
2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged #3

Open
Cyb3rWard0g opened this issue May 2, 2020 · 7 comments

Comments

@Cyb3rWard0g (Contributor)

Description

The attacker runs a one-liner command to search the filesystem for document and media files (T1083, T1119), collecting (T1005) and compressing (T1002) the content into a single file (T1074).

@Cyb3rWard0g Cyb3rWard0g added this to Collectiom and Exfiltration in APT29 - Day1 May 2, 2020
@Cyb3rPandaH (Collaborator)

Interesting: event 4104 of PowerShell/Operational has a field ExecutionProcessID that can be related to the ProcessId of Sysmon event 1.

```python
# 4104 script blocks from the PowerShell process whose Sysmon event 1 ProcessId is 5944
ps4104 = spark.sql(
    '''
SELECT `@timestamp`,EventID,ScriptBlockText
FROM apt29Table
WHERE (Channel = "Microsoft-Windows-PowerShell/Operational")
        AND (EventID = 4104)
        AND (ExecutionProcessID = 5944)
                          ''')
ps4104.show(truncate = 90, vertical = False)
```

@Cyb3rWard0g (Contributor, Author)

Thank you very much for the initial query @cyb3rpanda. I modified it a little bit and it captured other commands where ChildItem was used to enumerate files ; ). It matched the DRAFT.zip and working.zip exfil 🎊. What I like about adding the Process ID is that we can correlate the process creation and potentially the creation of files with the .zip extension.

```python
# all 4104 script blocks that mention ChildItem, regardless of process
ps4104 = spark.sql(
    '''
SELECT `@timestamp`,EventID,ScriptBlockText
FROM apt29Table
WHERE Channel = "Microsoft-Windows-PowerShell/Operational"
        AND EventID = 4104
        AND ScriptBlockText LIKE "%ChildItem%"
                          ''')
ps4104.show(truncate = False, vertical = False)
```

Results:

```text
|@timestamp              |EventID|ScriptBlockText
|2020-05-02T02:56:18.140Z|4104   |$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force
|2020-05-02T03:04:57.406Z|4104   |function Get-PrivateKeys {
    $mypwd = ConvertTo-SecureString -String "saribas" -Force -AsPlainText
    $CertPaths = Get-ChildItem -Path cert:\LocalMachine -Recurse
    foreach ($CertPath in $CertPaths) ...
|2020-05-02T03:16:00.205Z|4104   |$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force
```

@Cyb3rWard0g (Contributor, Author)

@cyb3rpanda 😱 😱 Check this one out 😄

PowerShell Execution (ChildItem) -> Process Creation (Sysmon 1) -> File Creation (Sysmon 11)

```python
# 4104 (ChildItem) -> Sysmon 1 on ExecutionProcessID = ProcessId -> Sysmon 11 on ProcessGuid,
# keeping only created files whose name ends in zip
PSProcessFileCreation = spark.sql(
    '''
SELECT TargetFilename
FROM apt29Table a
INNER JOIN (
    SELECT d.ProcessGuid, d.ProcessId
    FROM apt29Table c
    INNER JOIN (
        SELECT ProcessGuid, ProcessId
        FROM apt29Table
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
        ) d
    ON c.ExecutionProcessID = d.ProcessId
    WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
            AND c.EventID = 4104
            AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
            AND a.EventID = 11
            AND LOWER(a.TargetFilename) LIKE "%zip"
                          ''')
PSProcessFileCreation.show(truncate = False, vertical = True)
```

Results:

```text
-RECORD 0------------------------------------------------------
 TargetFilename | C:\Users\pbeesly\AppData\Roaming\Draft.Zip
-RECORD 1------------------------------------------------------
 TargetFilename | C:\Users\pbeesly\AppData\Roaming\working.zip
```

@Cyb3rWard0g (Contributor, Author)

Cyb3rWard0g commented May 12, 2020

2.A.1 File and Directory Discovery

Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

SYSMON + PSLogs

```sql
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
    SELECT ParentProcessGuid, ProcessGuid, ProcessId
    FROM apt29Table
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
    ) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
        AND c.EventID = 4104
        AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        -- ParentImage of the PowerShell process's parent carries a Unicode bidi control character
        -- (LRM/RLM/LRE/RLE/PDF/LRO/RLO, e.g. RTLO U+202E); the literal characters of the original
        -- regex were garbled in extraction and are written here as \u escapes
        AND LOWER(a.ParentImage) RLIKE '.*(\u200E|\u200F|\u202A|\u202B|\u202C|\u202D|\u202E).*'
```

SECURITY + PSLogs

```sql
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
    -- 4688 logs NewProcessId as hex text ("0x1738"); strip the prefix so it can be joined
    -- to hex(ExecutionProcessID) of event 4104
    SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
    FROM apt29Table
    WHERE LOWER(Channel) = "security"
        AND EventID = 4688
    ) d
ON hex(c.ExecutionProcessID) = d.NewProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
        AND c.EventID = 4104
        AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
        AND a.EventID = 4688
        -- ParentProcessName of the PowerShell process's parent carries a Unicode bidi control
        -- character; the literal characters of the original regex were garbled in extraction
        -- and are written here as \u escapes
        AND LOWER(a.ParentProcessName) RLIKE '.*(\u200E|\u200F|\u202A|\u202B|\u202C|\u202D|\u202E).*'
```

Output

```powershell
$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force
```

@Cyb3rWard0g (Contributor, Author)

2.A.2 Automated Collection

Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

Same rule as the previous one.

@Cyb3rWard0g (Contributor, Author)

2.A.4 Data Compressed

Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive

Sysmon + PS Logs

```sql
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
    SELECT ParentProcessGuid, ProcessGuid, ProcessId
    FROM apt29Table
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
    ) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
        AND c.EventID = 4104
        AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
        AND a.EventID = 1
        -- ParentImage of the PowerShell process's parent carries a Unicode bidi control character;
        -- the literal characters of the original regex were garbled in extraction and are
        -- written here as \u escapes
        AND LOWER(a.ParentImage) RLIKE '.*(\u200E|\u200F|\u202A|\u202B|\u202C|\u202D|\u202E).*'
```

Security + PS Logs

```sql
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
  SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
  FROM apt29Table c
  INNER JOIN (
      -- 4688 NewProcessId is hex text ("0x1738"); strip the prefix to join on hex(ExecutionProcessID)
      SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
      FROM apt29Table
      WHERE LOWER(Channel) = "security"
          AND EventID = 4688
      ) d
  ON hex(c.ExecutionProcessID) = d.NewProcessId
  WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
          AND c.EventID = 4104
          AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
          AND a.EventID = 4688
          -- ParentProcessName of the PowerShell process's parent carries a Unicode bidi control
          -- character; the literal characters of the original regex were garbled in extraction
          -- and are written here as \u escapes
          AND LOWER(a.ParentProcessName) RLIKE '.*(\u200E|\u200F|\u202A|\u202B|\u202C|\u202D|\u202E).*'
```

Output

```powershell
$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force
```

@Cyb3rWard0g (Contributor, Author)

2.A.5 Data Staged

Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip

Sysmon + PS Logs

```sql
SELECT Message
FROM apt29Table a
INNER JOIN (
    SELECT d.ProcessGuid, d.ProcessId
    FROM apt29Table c
    INNER JOIN (
        SELECT ProcessGuid, ProcessId
        FROM apt29Table
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND EventID = 1
        ) d
    ON c.ExecutionProcessID = d.ProcessId
    WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
            AND c.EventID = 4104
            AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
            AND a.EventID = 11
            AND LOWER(a.TargetFilename) LIKE "%zip"
```

Output

```text
File created:
RuleName: -
UtcTime: 2020-05-02 02:56:18.032
ProcessGuid: {47ab858c-e14e-5eac-ac03-000000000400}
ProcessId: 5944
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\pbeesly\AppData\Roaming\Draft.Zip
CreationUtcTime: 2020-05-02 02:56:18.032

File created:
RuleName: -
UtcTime: 2020-05-02 03:16:00.353
ProcessGuid: {5aa8ec29-e5e4-5eac-7a03-000000000400}
ProcessId: 4876
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\pbeesly\AppData\Roaming\working.zip
CreationUtcTime: 2020-05-02 03:16:00.353
```
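As an added example (not code from this issue or the OTRF project), the joins the queries above build in Spark SQL, carried out in plain Python over constructed events: 4104 to Sysmon 1 on ExecutionProcessID = ProcessId, Sysmon 1 to Sysmon 11 on ProcessGuid, the Security 4688 hex NewProcessId normalised to the decimal ExecutionProcessID, and the bidi-control character class that the ParentImage/ParentProcessName RLIKE filters for. Event values, GUIDs and the unrelated backup.zip are made up.

```python
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
PSLOG = "Microsoft-Windows-PowerShell/Operational"

# Unicode bidi controls (LRM, RLM, LRE, RLE, PDF, LRO, RLO): the character class the
# ParentImage / ParentProcessName RLIKE in the queries above is looking for.
BIDI_CONTROLS = re.compile("[\u200e\u200f\u202a-\u202e]")

# Constructed sample events (values made up) carrying the fields the queries join on.
EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-ps}", "ProcessId": 5944},
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 5944,
     "ScriptBlockText": "$files=ChildItem -Path $env:USERPROFILE\\ -Recurse | Select "
                        "-ExpandProperty FullName; Compress-Archive -LiteralPath $files "
                        "-DestinationPath $env:APPDATA\\Draft.Zip -Force"},
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{guid-ps}",
     "TargetFilename": "C:\\Users\\pbeesly\\AppData\\Roaming\\Draft.Zip"},
    # Same file type from an unrelated process: must not be attributed to the script block.
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{guid-other}",
     "TargetFilename": "C:\\Users\\pbeesly\\AppData\\Roaming\\backup.zip"},
]


def pid_from_4688(value):
    """4688 stores NewProcessId/ProcessId as hex text ('0x1738'); 4104 stores a decimal int.
    Normalise to int so the two sources join (the issue does the inverse with hex())."""
    return int(value, 16)


def has_bidi_control(name):
    """True when an image/process name carries a bidi control character."""
    return BIDI_CONTROLS.search(name) is not None


def staged_archives(events, keyword):
    """4104 (script block mentioning keyword) -> Sysmon 1 (ExecutionProcessID == ProcessId)
    -> Sysmon 11 (same ProcessGuid, TargetFilename ending in zip)."""
    guid_by_pid = {e["ProcessGuid"] if False else e["ProcessId"]: e["ProcessGuid"]
                   for e in events if e["Channel"] == SYSMON and e["EventID"] == 1}
    guids = {guid_by_pid[e["ExecutionProcessID"]]
             for e in events if e["Channel"] == PSLOG and e["EventID"] == 4104
             and keyword in e["ScriptBlockText"].lower()
             and e["ExecutionProcessID"] in guid_by_pid}
    return sorted(e["TargetFilename"]
                  for e in events if e["Channel"] == SYSMON and e["EventID"] == 11
                  and e["ProcessGuid"] in guids
                  and e["TargetFilename"].lower().endswith("zip"))
```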
