
9.A) Remote File Copy

Open Cyb3rWard0g opened this issue 4 years ago • 3 comments

Description

The attacker uploads additional utilities to the secondary victim (T1105)

Cyb3rWard0g, May 02 '20 10:05

9.A.1 Remote File Copy

Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe

Cyb3rWard0g, May 16 '20 23:05

Sysmon

SELECT Message
FROM apt29Host f
INNER JOIN (
    SELECT d.ProcessGuid
    FROM apt29Host d
    INNER JOIN (
        SELECT b.ProcessGuid
        FROM apt29Host b
        INNER JOIN (
          SELECT ProcessGuid
          FROM apt29Host
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
              AND EventID = 1
              AND ParentImage LIKE '%services.exe'
        ) a
        ON b.ParentProcessGuid = a.ProcessGuid
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND Image LIKE '%python.exe'
    ) c
    ON d.ParentProcessGuid = c.ProcessGuid
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
) e
ON f.ProcessGuid = e.ProcessGuid
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 11

Results

Message: File created:
RuleName: -
UtcTime: 2020-05-02 03:15:38.985
ProcessGuid: {5aa8ec29-e5b8-5eac-7903-000000000400}
ProcessId: 2172
Image: C:\Windows\Temp\python.exe
TargetFilename: C:\Windows\Temp\sdelete64.exe
CreationUtcTime: 2020-05-02 03:15:38.985

Message: File created:
RuleName: -
UtcTime: 2020-05-02 03:15:31.530
ProcessGuid: {5aa8ec29-e5b8-5eac-7903-000000000400}
ProcessId: 2172
Image: C:\Windows\Temp\python.exe
TargetFilename: C:\Windows\Temp\Rar.exe
CreationUtcTime: 2020-05-02 03:15:31.530

Cyb3rWard0g, May 17 '20 03:05

9.A.2 Remote File Copy

Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe

Same query as before 😉

Cyb3rWard0g, May 17 '20 03:05
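The nested Sysmon query used for both 9.A.1 (Rar.exe) and 9.A.2 (sdelete64.exe) chains four joins: a process spawned by services.exe, a python.exe child of it, any child of that python.exe, and finally a FileCreate (EventID 11) from that last process. The following is an added example, not code from the hackathon or from the thread's author, that replays the same join logic over a handful of constructed Sysmon events (the GUIDs, paths and file names are made up) so the joins can be read step by step. It also adds an ancestry walk that generalizes the fixed "one hop below python.exe" assumption of the SQL, which otherwise misses a tool dropped by a grandchild process; `find_exact_query_matches` and `find_any_depth_matches` are names chosen here, not anything from the dataset.

```python
"""Replay the services.exe -> python.exe -> child -> FileCreate join in Python.

All events below are constructed for illustration; they are not hackathon data.
"""

SYSMON = "Microsoft-Windows-Sysmon/Operational"


def _ends_with(value, suffix):
    """Case-insensitive equivalent of the query's LIKE '%suffix' on a nullable field."""
    return value is not None and value.lower().endswith(suffix.lower())


def _process_creates(events):
    """Sysmon EventID 1 rows, the only rows that carry ParentProcessGuid/ParentImage."""
    return [e for e in events if e["Channel"] == SYSMON and e["EventID"] == 1]


def find_exact_query_matches(events):
    """Mirror the four-level SQL exactly: a -> b -> d -> f.

    Returns sorted (Image, TargetFilename) pairs for FileCreate events whose
    creating process is a direct child of a python.exe that was itself spawned
    by a process started by services.exe.
    """
    creates = _process_creates(events)
    # a: processes whose parent is services.exe
    a = {e["ProcessGuid"] for e in creates if _ends_with(e.get("ParentImage"), "services.exe")}
    # b: python.exe children of a
    b = {e["ProcessGuid"] for e in creates
         if e.get("ParentProcessGuid") in a and _ends_with(e.get("Image"), "python.exe")}
    # d: any child of b (no Image filter, just as in the query)
    d = {e["ProcessGuid"] for e in creates if e.get("ParentProcessGuid") in b}
    # f: FileCreate events produced by d
    return sorted((e["Image"], e["TargetFilename"]) for e in events
                  if e["Channel"] == SYSMON and e["EventID"] == 11 and e["ProcessGuid"] in d)


def find_any_depth_matches(events, max_depth=16):
    """Generalization: walk the ancestry of each FileCreate's process upward and
    flag it if any ancestor (or the process itself) is a python.exe whose own
    parent was started by services.exe. max_depth guards against bad data loops.
    """
    by_guid = {e["ProcessGuid"]: e for e in _process_creates(events)}

    def descends_from_service_python(guid):
        node = by_guid.get(guid)
        for _ in range(max_depth):
            if node is None:
                return False
            parent = by_guid.get(node.get("ParentProcessGuid"))
            if (_ends_with(node.get("Image"), "python.exe") and parent is not None
                    and _ends_with(parent.get("ParentImage"), "services.exe")):
                return True
            node = parent
        return False

    return sorted((e["Image"], e["TargetFilename"]) for e in events
                  if e["Channel"] == SYSMON and e["EventID"] == 11
                  and descends_from_service_python(e["ProcessGuid"]))


def _pc(guid, image, parent_guid, parent_image):
    return {"Channel": SYSMON, "EventID": 1, "ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}


def _fc(guid, image, target):
    return {"Channel": SYSMON, "EventID": 11, "ProcessGuid": guid, "Image": image,
            "TargetFilename": target}


PY = r"C:\Windows\Temp\python.exe"
# Constructed sample: a service-launched python.exe chain that drops two tools,
# a benign explorer.exe-launched python.exe chain, and a grandchild cmd.exe drop
# that the fixed-depth query does not see.
SAMPLE_EVENTS = [
    _pc("{G1}", PY, "{G0}", r"C:\Windows\System32\services.exe"),      # a
    _pc("{G2}", PY, "{G1}", PY),                                       # b
    _pc("{G3}", PY, "{G2}", PY),                                       # d
    _fc("{G3}", PY, r"C:\Windows\Temp\Rar.exe"),                       # f
    _fc("{G3}", PY, r"C:\Windows\Temp\sdelete64.exe"),                 # f
    _pc("{G7}", r"C:\Windows\System32\cmd.exe", "{G3}", PY),           # grandchild of b
    _fc("{G7}", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\tool3.exe"),
    _pc("{G4}", r"C:\Windows\explorer.exe", "{U0}", r"C:\Windows\System32\userinit.exe"),
    _pc("{G5}", PY, "{G4}", r"C:\Windows\explorer.exe"),
    _pc("{G6}", PY, "{G5}", PY),
    _fc("{G6}", PY, r"C:\Users\dev\notes.txt"),                        # benign, excluded
]

if __name__ == "__main__":
    for hit in find_exact_query_matches(SAMPLE_EVENTS):
        print("exact  :", hit)
    for hit in find_any_depth_matches(SAMPLE_EVENTS):
        print("walked :", hit)
```

On the constructed events the exact replay returns only the two python.exe drops, matching the shape of the results posted above, while the ancestry walk also returns the cmd.exe drop one level deeper; the difference is the depth assumption baked into the SQL, worth keeping in mind when reusing the query on other steps.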