Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

# 8.A.2 Windows Remote Management

Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria: Network connection to Scranton (10.0.1.4) over port 5985

Sysmon Logs ``` SELECT f.Message, f.EventTime FROM apt29Host f INNER JOIN ( SELECT d.ProcessId, d.ParentProcessId FROM apt29Host d INNER JOIN ( SELECT a.ProcessGuid, a.ParentProcessGuid FROM apt29Host a INNER JOIN (...

# 8.A.3 Process Discovery

Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria: powershell.exe executing Get-Process

Sysmon & PowerShell Logs ``` SELECT b.Message, b.EventTime FROM apt29Host b INNER...

Security Logs & PowerShell ``` SELECT b.ScriptBlockText FROM apt29Host b INNER JOIN ( SELECT split(NewProcessId, '0x')[1] as NewProcessId FROM apt29Host WHERE LOWER(Channel) = "security" AND EventID = 4688 AND LOWER(NewProcessName)...

Hey @neu5ron, would it be good to tag those JA3 sigs for each C2? Like ``` 72a589da586844d7f0818ce684948eea #Metasploit ``` Also, if the JA3 query is done, would you mind...

# 2.B.1 Exfiltration Over Command and Control Channel

Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria: The rcs.3aka3.doc process reading the file draft.zip...

# 6.C.1 Credential Dumping

Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under...

CreateRemoteThread API Sysmon ``` SELECT Message FROM apt29Host f INNER JOIN ( SELECT d.ProcessGuid, d.ParentProcessGuid FROM apt29Host d INNER JOIN ( SELECT a.ProcessGuid, a.ParentProcessGuid FROM apt29Host a INNER JOIN (...

Hey @nicolasreich! Yes, that's something that we have not defined yet. Have you done that yet in your organization? What worked, and what would be something that can be...

Niceee, I like it! Is that something that can be applied to the Sigma Integration, @neu5ron?