OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

8.B) Software Packing #19

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

Next, the attacker uploads a new UPX-packed payload (T1045) to the secondary victim.

[meterpreter (PowerShell)*] > Invoke-SeaDukeStage -ComputerName NASHUA

patrickstjohn commented 4 years ago

49 Not sure how you want to accept Sigma rules. Feel free to toss it out if you have something else planned.

Cyb3rWard0g commented 4 years ago

Thank you for sharing @patrickstjohn ! That works. Thank you for creating the folder and starting the contributions :) I appreciate it!

Cyb3rWard0g commented 4 years ago

8.B.1 Remote File Copy

Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria: The file python.exe created on Scranton (10.0.1.4)

Cyb3rWard0g commented 4 years ago

Security Events

SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = 'security'
  AND EventID = 5145
  AND RelativeTargetName LIKE '%python.exe'

Results

A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:        S-1-5-21-1830255721-3727074217-2423397540-1107
    Account Name:       pbeesly
    Account Domain:     DMEVALS
    Logon ID:       0x861A79

Network Information:    
    Object Type:        File
    Source Address:     10.0.1.4
    Source Port:        59967

Share Information:
    Share Name:     \\*\ADMIN$
    Share Path:     \??\C:\windows
    Relative Target Name:   Temp\python.exe

Access Request Information:
    Access Mask:        0x80
    Accesses:       ReadAttributes

Access Check Results:
    -

A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:        S-1-5-21-1830255721-3727074217-2423397540-1107
    Account Name:       pbeesly
    Account Domain:     DMEVALS
    Logon ID:       0x861A79

Network Information:    
    Object Type:        File
    Source Address:     10.0.1.4
    Source Port:        59967

Share Information:
    Share Name:     \\*\ADMIN$
    Share Path:     \??\C:\windows
    Relative Target Name:   Temp\python.exe

Access Request Information:
    Access Mask:        0x17019F
    Accesses:       DELETE
                READ_CONTROL
                WRITE_DAC
                SYNCHRONIZE
                ReadData (or ListDirectory)
                WriteData (or AddFile)
                AppendData (or AddSubdirectory or CreatePipeInstance)
                ReadEA
                WriteEA
                ReadAttributes
                WriteAttributes

Access Check Results:
    -

A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:        S-1-5-21-1830255721-3727074217-2423397540-1107
    Account Name:       pbeesly
    Account Domain:     DMEVALS
    Logon ID:       0x861A79

Network Information:    
    Object Type:        File
    Source Address:     10.0.1.4
    Source Port:        59967

Share Information:
    Share Name:     \\*\ADMIN$
    Share Path:     \??\C:\windows
    Relative Target Name:   Temp\python.exe

Access Request Information:
    Access Mask:        0x2
    Accesses:       WriteData (or AddFile)

Access Check Results:
    -
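A defender-side check for the 8.B.1 criteria, added here as an example and not part of the original thread or the Mordor dataset tooling: it parses 5145 message bodies in the layout shown above, decodes the Access Mask into the right names Windows prints under Accesses, and flags requests that include WriteData for a .exe under an administrative share. The three sample bodies are constructed to mirror the masks 0x80, 0x17019F and 0x2 seen above; the ADMIN_SHARES set and the helper names are my own.

```python
import re

# Windows file access-right bits, named as the 5145 "Accesses" field prints them.
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x100000: "SYNCHRONIZE",
}
FILE_WRITE_DATA = 0x2
ADMIN_SHARES = {"ADMIN$", "C$"}  # assumption: the shares worth alerting on here
FIELDS = ("Account Name", "Source Address", "Share Name", "Relative Target Name", "Access Mask")

def decode_access_mask(mask):
    """Names of the set bits, lowest bit first (the order the event text uses)."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_5145(message):
    """Extract the fields of interest from one 5145 message body."""
    ev = {}
    for key in FIELDS:
        m = re.search(rf"^\s*{key}:\s*(\S.*?)\s*$", message, re.MULTILINE)
        ev[key] = m.group(1) if m else None
    ev["Access Mask"] = int(ev["Access Mask"], 16)  # "0x17019F" -> 1507743
    return ev

def admin_share_exe_writes(messages):
    """Flag events that request WriteData on a .exe under an administrative share."""
    hits = []
    for msg in messages:
        ev = parse_5145(msg)
        share = ev["Share Name"].split("\\")[-1].upper()   # "\\*\ADMIN$" -> "ADMIN$"
        target = ev["Relative Target Name"].lower()
        if share in ADMIN_SHARES and target.endswith(".exe") \
                and ev["Access Mask"] & FILE_WRITE_DATA:
            hits.append({**ev, "Accesses": decode_access_mask(ev["Access Mask"])})
    return hits

# Constructed sample bodies mirroring the three access masks in the results above.
SAMPLE_EVENTS = [f"""Subject:
    Account Name:       pbeesly
    Source Address:     10.0.1.4
Share Information:
    Share Name:     \\\\*\\ADMIN$
    Relative Target Name:   Temp\\python.exe
Access Request Information:
    Access Mask:        {mask}
""" for mask in ("0x80", "0x17019F", "0x2")]
```

Running admin_share_exe_writes(SAMPLE_EVENTS) returns the second and third events only: the 0x80 check is a metadata read, while 0x17019F and 0x2 both carry WriteData.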

Cyb3rWard0g commented 4 years ago

Sysmon Logs

SELECT Message
FROM apt29Host
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
    AND EventID = 11
    AND TargetFilename LIKE '%python.exe'

Results

File created:
RuleName: -
UtcTime: 2020-05-02 03:10:23.626
ProcessGuid: {5aa8ec29-cad1-5eac-0100-000000000400}
ProcessId: 4
Image: System
TargetFilename: C:\Windows\Temp\python.exe
CreationUtcTime: 2020-05-02 03:10:23.626

Cyb3rWard0g commented 4 years ago

8.B.2 Software Packing

Procedure: python.exe payload was packed with UPX

Criteria: Evidence that the file python.exe is packed