Roberto Rodriguez comments

Results 214 comments of


                                            Roberto Rodriguez

4.B) Process Discovery, File Deletion

# 4.B.3 File Deletion Procedure: Deleted Draft.zip on disk using SDelete Criteria: sdelete64.exe deleting the file draft.zip

4.B) Process Discovery, File Deletion

Leveraging new event 23 and a correlation from the BypassUAC detection https://github.com/OTRF/detection-hackathon-apt29/issues/6 Sysmon ``` SELECT Message, g.CommandLine FROM apt29Host h INNER JOIN ( SELECT f.ProcessGuid, f.CommandLine FROM apt29Host f INNER...

4.B) Process Discovery, File Deletion

Sysmon + Registry ``` SELECT Message FROM apt29Host h INNER JOIN ( SELECT f.ProcessGuid FROM apt29Host f INNER JOIN ( SELECT d.ProcessId, d.ProcessGuid FROM apt29Host d INNER JOIN ( SELECT...

4.B) Process Discovery, File Deletion

Security Logs ``` SELECT Message FROM apt29Host f INNER JOIN ( SELECT d.NewProcessId FROM apt29Host d INNER JOIN( SELECT a.ProcessId, a.NewProcessId FROM apt29Host a INNER JOIN ( SELECT NewProcessId FROM...

4.B) Process Discovery, File Deletion

# 4.B.4 File Deletion Procedure: Deleted SysinternalsSuite.zip on disk using SDelete Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip Same as before but looking for sysinternalssuite.zip 😉

2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged

Thank you very much for the initial query @Cyb3rPanda , I modified it a little bit and it captured other commands where `ChildItem` to enumerate files was used ; )...

2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged

@Cyb3rPanda 😱 😱 Check this one out 😄 Powershell Execution (ChildItem) -> Process Creation (Sysmon 1) -> File Creation (Sysmon 1) ``` PSProcessFileCreation = spark.sql( ''' SELECT TargetFilename FROM apt29Table...

2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged

# 2.A.1 File and Directory Discovery Procedure: Searched filesystem for document and media files using PowerShell Criteria: powershell.exe executing (Get-)ChildItem SYSMON + PSLogs ``` SELECT b.ScriptBlockText FROM apt29Table a INNER...

2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged

# 2.A.2 Automated Collection Procedure: Scripted search of filesystem for document and media files using PowerShell Criteria: powershell.exe executing (Get-)ChildItem Same rule as the previous one

2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged

# 2.A.4 Data Compressed Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell Criteria: powershell.exe executing Compress-Archive Sysmon + PS Logs ``` SELECT b.ScriptBlockText FROM apt29Table a INNER JOIN...