Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

# 5.A.1 New Service

Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria: powershell.exe creating the Javamtsup service

Sysmon + PowerShell Logs

```
SELECT Payload
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId, d.ParentProcessId
    FROM apt29Host d
    INNER JOIN (
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN...
```

Telemetry showed a registry event for the creation of the javamtsup service.

Sysmon

```
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID IN (12,13,14)
    AND (LOWER(TargetObject) LIKE "%javamtsup%" OR...
```

# 4.b.* File Deletion

## Detection Category (Telemetry)

Deleting files with sdelete

```
sdelete = spark.sql(
'''
SELECT EventID, Image, Archived, TargetFilename
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND (LOWER(TargetFilename)...
```

# 4.B.1 Process Discovery

Procedure: Enumerated current running processes using PowerShell

Criteria: powershell.exe executing Get-Process

Telemetry showed powershell.exe executing Get-Process. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe.

Sysmon Logs + PowerShell Logs

```
SELECT Message...
```

# 4.B.2 File Deletion

Procedure: Deleted rcs.3aka3.doc on disk using SDelete

Criteria: sdelete64.exe deleting the file rcs.3aka3.doc

Telemetry showed sdelete.exe running with command-line arguments to delete the file. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe.

Sysmon Logs...

Another way to identify the Sysinternals Sdelete tool

Sysmon

```
SELECT Message
FROM apt29Host h
INNER JOIN (
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
        SELECT d.ProcessId, d.ProcessGuid
        FROM apt29Host...
```

Security Logs

```
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.NewProcessId
    FROM apt29Host d
    INNER JOIN (
        SELECT a.ProcessId, a.NewProcessId
        FROM apt29Host a
        INNER JOIN (
            SELECT NewProcessId
            FROM...
```