Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

# 4.A.3 Deobfuscate/Decode Files or Information

Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive

Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. Sysmon...

# 3.A.1 Remote File Copy

Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png

We could use Sysmon EventID 11 only, but I wanted to correlate it with another query looking for the RTLO file name to potentially get additional context around the malicious...

# 3.A.2 Obfuscated Files or Information

Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png

Sysmon & PS Logs: `SELECT d.Image,...`

https://github.com/OTRF/ATTACK-Python-Client/blob/master/attackcti/attack_api.py#L31

Thank you very much @olafhartong! Reviewing the PR at the moment.

That's awesome @DarthRaki! Is that something that can be queried with Zeek logs too?

Thank you @DarthRaki, if it is possible, it would be good to have something similar to the Sigma queries that @neu5ron and @patrickstjohn are putting together! It would be...

niceeeee! Thank you for sharing @DarthRaki! Would it be good to add the external dest filter also to the second one? Maybe? Merge both? We are talking about exfiltration...