Roberto Rodriguez

Results 214 comments of Roberto Rodriguez

That's awesome, brother, you are on 🔥. We are adding the rules here. I was asking in the other issue where you shared a rule also if it would...

Hey @neu5ron, yeah, it would be `Open Threat Research` (OTR). Open Threat Research Forge is the GitHub repo (a Forge) for the OTR initiative 😉. So Open...

Hey @neu5ron, did you update the link? It does not work.

Maybe?: https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/Day%201/payloads/SysinternalsSuite/readme.txt#L591

Basic query to find handles requested to AD objects over the network:

```
SELECT o.`@timestamp`, o.TargetUserName, o.TargetLogonId,
       a.EventID, a.ObjectName, a.ObjectType, a.ObjectServer, a.Hostname
FROM apt29Table o
INNER JOIN...
```

# 4.C.12 Execution through API

## Detection Category - Telemetry

Procedure: Executed API call by reflectively loading Netapi32.dll

Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Query needs...

Sysmon + PowerShell Logs

```
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessId
    FROM apt29Host d
    INNER JOIN (
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN (...
```

Security Logs + PowerShell Logs

```
SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT split(d.NewProcessId, '0x')[1] as NewProcessId
    FROM apt29Host d
    INNER JOIN (
        SELECT a.ProcessId, a.NewProcessId
        FROM apt29Host a...
```

# 4.C.2 System Owner/User Discovery

Procedure: Enumerated the current username using PowerShell

Criteria: powershell.exe executing $env:USERNAME

Same as before but looking for `LIKE "%$env:username%"`

# 4.C.3 System Information Discovery

Procedure: Enumerated the computer hostname using PowerShell

Criteria: powershell.exe executing $env:COMPUTERNAME

Same as before but looking for `LIKE "%$env:computername%"`