detection-hackathon-apt29
2.A) File and Directory Discovery, Automated Collection, Data from Local System, Data Compressed, Data Staged
Description
The attacker runs a one-liner command to search the filesystem for document and media files (T1083, T1119), collecting (T1005) and compressing (T1002) the content into a single file (T1074).
Interesting: event 4104 of PowerShell/Operational has a field ExecutionProcessID that can be related to the ProcessId of event 1 of Sysmon.
ps4104 = spark.sql(
'''
SELECT `@timestamp`,EventID,ScriptBlockText
FROM apt29Table
WHERE (Channel = "Microsoft-Windows-PowerShell/Operational")
AND (EventID = 4104)
AND (ExecutionProcessID = 5944)
''')
ps4104.show(truncate = 90, vertical = False)
Thank you very much for the initial query @Cyb3rPanda, I modified it a little bit and it captured other commands where ChildItem to enumerate files was used ;). It matched the DRAFT.zip and working.zip exfil 🎊. What I like about adding the Process ID is that we can correlate the process creation and potentially the creation of files with extension .zip.
ps4104 = spark.sql(
'''
SELECT `@timestamp`,EventID,ScriptBlockText
FROM apt29Table
WHERE Channel = "Microsoft-Windows-PowerShell/Operational"
AND EventID = 4104
AND ScriptBlockText LIKE "%ChildItem%"
''')
ps4104.show(truncate = False, vertical = False)
Results:
| 2020-05-02T02:56:18.140Z | 4104 | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force |
| 2020-05-02T03:04:57.406Z | 4104 | function Get-PrivateKeys {
$mypwd = ConvertTo-SecureString -String "saribas" -Force -AsPlainText
$CertPaths = Get-ChildItem -Path cert:\LocalMachine -Recurse
foreach ($CertPath in $CertPaths) ... |
| 2020-05-02T03:16:00.205Z | 4104 | $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force |
@Cyb3rPanda 😱 😱 Check this one out 😄
PowerShell Execution (ChildItem) -> Process Creation (Sysmon 1) -> File Creation (Sysmon 11)
PSProcessFileCreation = spark.sql(
'''
SELECT TargetFilename
FROM apt29Table a
INNER JOIN (
SELECT d.ProcessGuid, d.ProcessId
FROM apt29Table c
INNER JOIN (
SELECT ProcessGuid, ProcessId
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
AND a.EventID = 11
AND LOWER(a.TargetFilename) LIKE "%zip"
''')
PSProcessFileCreation.show(truncate = False, vertical = True)
Results:
-RECORD 0------------------------------------------------------
TargetFilename | C:\Users\pbeesly\AppData\Roaming\Draft.Zip
-RECORD 1------------------------------------------------------
TargetFilename | C:\Users\pbeesly\AppData\Roaming\working.zip
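The three-way correlation in the query above (4104 ExecutionProcessID -> Sysmon 1 ProcessId/ProcessGuid -> Sysmon 11 TargetFilename), re-implemented in plain Python as an added example so it runs offline; this is not code from the thread or from the dataset project. The sample events, GUIDs, PIDs and paths are constructed. The example goes one step past the query: PIDs are reused, so an ExecutionProcessID can also match the Sysmon 1 record of an unrelated process that once held the same PID, and the `powershell_only` switch (an assumption of this example, not part of the original rule) restricts the Sysmon 1 candidates to powershell.exe/pwsh.exe images to show how much that tightens the result.

```python
"""Correlate PowerShell 4104 script blocks with the Sysmon process that ran them
and the .zip files that process created. Added example, not code from the
hackathon thread; it mirrors the Spark SQL join chain over constructed events."""
from typing import Dict, List

SYSMON = "Microsoft-Windows-Sysmon/Operational"
PSLOG = "Microsoft-Windows-PowerShell/Operational"

# Constructed sample events shaped like flattened apt29 records; every GUID,
# PID, timestamp-free record and path here is invented for the example.
EVENTS: List[Dict] = [
    # Sysmon EventID 1: process creation, maps ProcessId -> ProcessGuid
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-ps-1}", "ProcessId": 5944,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # PID reuse: an unrelated process that held the same PID at another time
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{guid-notepad}", "ProcessId": 5944,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    # PowerShell 4104: script block logging, ExecutionProcessID is the host PID
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 5944,
     "ScriptBlockText": "$files=ChildItem -Path $env:USERPROFILE\\ -Recurse | Select -ExpandProperty FullName"},
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 4876,
     "ScriptBlockText": "Get-Date"},
    # Sysmon EventID 11: file creation, keyed by ProcessGuid
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{guid-ps-1}",
     "TargetFilename": "C:\\Users\\pbeesly\\AppData\\Roaming\\Draft.Zip"},
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{guid-ps-1}",
     "TargetFilename": "C:\\Users\\pbeesly\\AppData\\Roaming\\notes.txt"},
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "{guid-notepad}",
     "TargetFilename": "C:\\Users\\pbeesly\\Desktop\\other.zip"},
]


def powershell_pids(events: List[Dict], needle: str = "childitem") -> set:
    """Inner subquery: 4104 script blocks containing `needle` -> set of ExecutionProcessID."""
    return {e["ExecutionProcessID"] for e in events
            if e["Channel"] == PSLOG and e["EventID"] == 4104
            and needle in e["ScriptBlockText"].lower()}


def process_guids_for_pids(events: List[Dict], pids: set, powershell_only: bool = True) -> set:
    """Middle join: Sysmon 1 records whose ProcessId is in `pids` -> their ProcessGuids.
    With powershell_only=True only PowerShell host images are accepted, which
    drops the PID-reuse match; the original query joins on ProcessId alone."""
    guids = set()
    for e in events:
        if e["Channel"] != SYSMON or e["EventID"] != 1 or e["ProcessId"] not in pids:
            continue
        if powershell_only and not e["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        guids.add(e["ProcessGuid"])
    return guids


def staged_archives(events: List[Dict], needle: str = "childitem",
                    powershell_only: bool = True) -> List[str]:
    """Outer join: Sysmon 11 TargetFilename ending in 'zip' (LIKE '%zip') created by
    a process whose GUID came out of the middle join. Returns sorted paths."""
    guids = process_guids_for_pids(events, powershell_pids(events, needle), powershell_only)
    return sorted(e["TargetFilename"] for e in events
                  if e["Channel"] == SYSMON and e["EventID"] == 11
                  and e["ProcessGuid"] in guids
                  and e["TargetFilename"].lower().endswith("zip"))


if __name__ == "__main__":
    print("PowerShell-only:", staged_archives(EVENTS))
    print("PID join only  :", staged_archives(EVENTS, powershell_only=False))
```

With the image filter the only hit is Draft.Zip; without it the notepad.exe archive is pulled in through the reused PID 5944, which is the false positive a production rule should guard against (a time window between the Sysmon 1 and 4104 timestamps is the other common guard).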
2.A.1 File and Directory Discovery
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Sysmon + PS Logs
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
SELECT ParentProcessGuid, ProcessGuid, ProcessId
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
AND a.EventID = 1
AND LOWER(a.ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
Security + PS Logs
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
FROM apt29Table
WHERE LOWER(Channel) = "security"
AND EventID = 4688
) d
-- Spark's hex() emits uppercase digits while 4688 writes lowercase hex, so normalise case on both sides
ON LOWER(hex(c.ExecutionProcessID)) = LOWER(d.NewProcessId)
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%childitem%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
AND a.EventID = 4688
AND LOWER(a.ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
Output
$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force
2.A.2 Automated Collection
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Same rule as the previous one
2.A.4 Data Compressed
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Sysmon + PS Logs
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.ParentProcessGuid, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
SELECT ParentProcessGuid, ProcessGuid, ProcessId
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ParentProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
AND a.EventID = 1
AND LOWER(a.ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
Security + PS Logs
SELECT b.ScriptBlockText
FROM apt29Table a
INNER JOIN (
SELECT d.NewProcessId, d.ProcessId, c.ScriptBlockText
FROM apt29Table c
INNER JOIN (
SELECT split(NewProcessId, '0x')[1] as NewProcessId, ProcessId
FROM apt29Table
WHERE LOWER(Channel) = "security"
AND EventID = 4688
) d
-- Spark's hex() emits uppercase digits while 4688 writes lowercase hex, so normalise case on both sides
ON LOWER(hex(c.ExecutionProcessID)) = LOWER(d.NewProcessId)
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.NewProcessId = b.ProcessId
WHERE LOWER(a.Channel) = "security"
AND a.EventID = 4688
AND LOWER(a.ParentProcessName) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
Output
$env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force
2.A.5 Data Staged
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Sysmon + PS Logs
SELECT Message
FROM apt29Table a
INNER JOIN (
SELECT d.ProcessGuid, d.ProcessId
FROM apt29Table c
INNER JOIN (
SELECT ProcessGuid, ProcessId
FROM apt29Table
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
) d
ON c.ExecutionProcessID = d.ProcessId
WHERE c.Channel = "Microsoft-Windows-PowerShell/Operational"
AND c.EventID = 4104
AND LOWER(c.ScriptBlockText) LIKE "%compress-archive%"
) b
ON a.ProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
AND a.EventID = 11
AND LOWER(a.TargetFilename) LIKE "%zip"
Output
File created:
RuleName: -
UtcTime: 2020-05-02 02:56:18.032
ProcessGuid: {47ab858c-e14e-5eac-ac03-000000000400}
ProcessId: 5944
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\pbeesly\AppData\Roaming\Draft.Zip
CreationUtcTime: 2020-05-02 02:56:18.032

File created:
RuleName: -
UtcTime: 2020-05-02 03:16:00.353
ProcessGuid: {5aa8ec29-e5e4-5eac-7a03-000000000400}
ProcessId: 4876
Image: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\pbeesly\AppData\Roaming\working.zip
CreationUtcTime: 2020-05-02 03:16:00.353
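The Security + PS Logs variants in 2.A.1 and 2.A.4 join 4104 to 4688 through `hex(ExecutionProcessID)` against `split(NewProcessId, '0x')[1]`. That works for 5944 ("0x1738") because the hex digits are all numeric, but Spark's `hex()` returns uppercase and the Security log writes lowercase, so any PID containing a-f never matches. The following added example (my code, not the thread's or the dataset project's) compares PIDs as integers instead and contrasts it with a function that mimics the original string comparison; the 4688 and 4104 records are constructed, and PID 5036 ("0x13ac") is chosen because it exposes the casing problem.

```python
"""Join PowerShell 4104 script blocks to Security 4688 process creations.
Added example, not code from the thread: 4104 carries ExecutionProcessID as a
decimal integer, 4688 carries NewProcessId as a lowercase '0x..' hex string."""
from typing import Callable, Dict, List, Optional, Tuple

PSLOG = "Microsoft-Windows-PowerShell/Operational"

# Constructed sample events; PIDs, paths and script text are invented.
EVENTS: List[Dict] = [
    {"Channel": "Security", "EventID": 4688, "NewProcessId": "0x1738",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessId": "0x9c4", "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessId": "0x13ac",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ProcessId": "0x9c4", "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 5944,
     "ScriptBlockText": "Compress-Archive -LiteralPath $files -DestinationPath $env:APPDATA\\Draft.Zip"},
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 5036,
     "ScriptBlockText": "Compress-Archive -LiteralPath $files -DestinationPath $env:APPDATA\\working.zip"},
    {"Channel": PSLOG, "EventID": 4104, "ExecutionProcessID": 5036,
     "ScriptBlockText": "Get-Date"},
]


def pid_to_int(value) -> int:
    """Normalise a PID: accept a decimal int (4104 ExecutionProcessID) or a
    '0x..' hex string (4688 NewProcessId / ProcessId), case-insensitively."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def spark_style_match(execution_pid: int, new_process_id: str) -> bool:
    """Mimic `hex(ExecutionProcessID) = split(NewProcessId, '0x')[1]`:
    format(..., 'X') is uppercase like Spark's hex(), the log value is lowercase,
    so the comparison silently fails whenever the PID contains a-f."""
    return format(execution_pid, "X") == new_process_id.split("0x")[1]


def correlate(events: List[Dict], needle: str = "compress-archive",
              matcher: Optional[Callable[[int, str], bool]] = None) -> List[Tuple[int, str]]:
    """For each 4104 block containing `needle`, find the 4688 record of the same
    process and return (ExecutionProcessID, ParentProcessName). Default matcher
    compares normalised integers; pass spark_style_match to reproduce the bug."""
    creations = [e for e in events
                 if e["Channel"].lower() == "security" and e["EventID"] == 4688]
    hits: List[Tuple[int, str]] = []
    for ps in events:
        if ps["Channel"] != PSLOG or ps["EventID"] != 4104:
            continue
        if needle not in ps["ScriptBlockText"].lower():
            continue
        for created in creations:
            if matcher is not None:
                matched = matcher(ps["ExecutionProcessID"], created["NewProcessId"])
            else:
                matched = pid_to_int(ps["ExecutionProcessID"]) == pid_to_int(created["NewProcessId"])
            if matched:
                hits.append((ps["ExecutionProcessID"], created["ParentProcessName"]))
    return hits


if __name__ == "__main__":
    print("integer compare :", correlate(EVENTS))
    print("hex-string match:", correlate(EVENTS, matcher=spark_style_match))
```

In Spark SQL the same normalisation is `LOWER(hex(c.ExecutionProcessID)) = LOWER(d.NewProcessId)` after the split, or `conv(split(d.NewProcessId, '0x')[1], 16, 10)` cast to the integer type of ExecutionProcessID; either way, test the rule with a PID that has a letter in its hex form, since 5944 alone will not reveal the problem.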