Roberto Rodriguez
Hey @neu5ron , I believe that goes to this Issue right? https://github.com/OTRF/detection-hackathon-apt29/issues/19 Let me know. @patrickstjohn created one but to detect if it was a python application. So that...
I wonder how noisy the SeProfileSingleProcessPrivilege user privileges requested is for non SYSTEM

```
rtlo = spark.sql(
'''
SELECT PrivilegeList, SubjectUserName, ObjectServer, ProcessName
FROM apt29Table
WHERE EventID = 4673
AND...
```
I liked this query @Cyb3rPanda from the Initial Exploratory analysis notebook:

```
networkConnection8524 = spark.sql(
'''
SELECT o.`@timestamp`, o.ProcessId, a.ParentImage, o.Image, o.SourceIp, o.DestinationIp, o.DestinationPort
FROM apt29Table o
INNER JOIN (...
```
# Detection Categories

## Main - Technique

(originally, during evals, the file was executed from C:\users\ and not C:\programdata\) However, the execution of the file was captured from C:\programdata\ and it...
## Main - Telemetry

Execution of payload was captured

```
SELECT Message
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
AND LOWER(ParentImage) LIKE "%explorer.exe"
AND LOWER(Image) LIKE "%3aka3%"...
```
## 1.A.4 Standard Cryptographic Protocol

Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria: Evidence that the network data sent over the C2 channel is encrypted

```
rcs.3aka3.doc...
```
PSSession Context

```
SELECT o.`@timestamp`, o.TargetUserName, o.TargetLogonId, o.IpAddress, o.WorkstationName,
       a.EventID, a.ObjectName, a.ObjectType, a.ObjectServer, a.Hostname, a.ProcessName, a.ProcessId
FROM apt29Table o
INNER JOIN (
    SELECT EventID, SubjectLogonId, ObjectName, ObjectType, ObjectServer, Hostname, ProcessName,...
```
# 8.A.1 Remote System Discovery

Procedure: Enumerated remote systems using LDAP queries

Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Even though this is very targeted looking for the function Ad-Search, at least we have telemetry correlating with the initial BypassUAC execution 😉

Security & PowerShell Logs

```
SELECT f.ScriptBlockText...
```
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe....