OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

1.B) Command-Line Interface, PowerShell #2

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

The attacker then uses the active C2 connection to spawn interactive cmd.exe (T1059) and powershell.exe (T1086) shells.

Cyb3rWard0g commented 4 years ago

Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process

Cyb3rWard0g commented 4 years ago

Telemetry can show cmd.exe spawning from rcs.3aka3.doc. This event can be correlated with a previous detection for masquerading.

-- Sysmon EventID 1 (process create): cmd.exe whose parent image name carries a
-- Unicode bidi control character. The right-to-left override (U+202E) is the
-- classic file-name masquerading trick; the original pattern listed these
-- characters as an alternation, written here as one character class.
-- Either Spark's string parser or the Java regex engine decodes the \uXXXX
-- escapes, so the query works with escapedStringLiterals on or off.
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND ParentImage RLIKE '[\u200E\u200F\u202A-\u202E]'
    AND LOWER(Image) LIKE "%cmd.exe"

Cyb3rWard0g commented 4 years ago
# Second hop: powershell.exe whose parent is one of the cmd.exe processes
# flagged above. The inner query returns the ProcessGuid of each suspicious
# cmd.exe (parent image name contains a bidi control character); the outer
# query joins on ParentProcessGuid. Python turns the \uXXXX escapes in this
# triple-quoted string into the raw control characters before Spark sees them.
test = spark.sql(
'''
SELECT a.Message
FROM apt29Host a
INNER JOIN (
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND ParentImage RLIKE '[\u200E\u200F\u202A-\u202E]'
        AND LOWER(Image) LIKE '%cmd.exe'
) b
ON a.ParentProcessGuid = b.ProcessGuid
WHERE a.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND a.EventID = 1
    AND LOWER(a.Image) LIKE '%powershell.exe'
'''
)
test.show(10, truncate=False)
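As an added example (not code from the OTRF repository, the hackathon notebooks, or the comment author), the same two-hop correlation that the two Spark SQL queries above perform, written in plain Python over a handful of constructed Sysmon EventID 1 records so it runs offline without a Spark session. It covers both the first comment's criteria (cmd.exe whose parent image name carries a bidi control character) and the second comment's join on ProcessGuid/ParentProcessGuid for the powershell.exe child. Field names follow the Mordor export used above; the GUIDs, paths, the set of control characters in the regex, and the on-disk spelling of the masqueraded file name are assumptions.

```python
import re

# Unicode bidi/zero-width controls abused for file-name masquerading; the
# right-to-left override U+202E makes the rest of a name render backwards.
# Assumed set, mirroring the RLIKE character class in the Spark SQL above.
BIDI_CONTROL_RE = re.compile(r"[\u200E\u200F\u202A-\u202E]")
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample telemetry (not real Mordor data). GUIDs and paths are made
# up; the parent's on-disk name carries a U+202E so it displays as
# rcs.3aka3.doc, which is the assumed spelling behind the page's criteria.
MASQ_PARENT = "C:\\Users\\victim\\Desktop\\\u202ecod.3aka3.scr"
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # implant launched by the user from Explorer
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "ProcessGuid": "{guid-1}",
     "ParentProcessGuid": "{guid-0}", "Image": MASQ_PARENT,
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # hop 1: interactive cmd.exe spawned from the masqueraded process
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "ProcessGuid": "{guid-2}",
     "ParentProcessGuid": "{guid-1}", "Image": CMD, "ParentImage": MASQ_PARENT},
    # hop 2: powershell.exe spawned from that cmd.exe
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "ProcessGuid": "{guid-3}",
     "ParentProcessGuid": "{guid-2}", "Image": PS, "ParentImage": CMD},
    # benign: an admin's cmd.exe and a powershell.exe under it (must not fire)
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "ProcessGuid": "{guid-4}",
     "ParentProcessGuid": "{guid-0}", "Image": CMD,
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "ProcessGuid": "{guid-5}",
     "ParentProcessGuid": "{guid-4}", "Image": PS, "ParentImage": CMD},
    # same shape on another channel: not a Sysmon process create, ignored
    {"Channel": "Security", "EventID": 4688, "ProcessGuid": "{guid-6}",
     "ParentProcessGuid": "{guid-1}", "Image": CMD, "ParentImage": MASQ_PARENT},
]


def is_process_create(event):
    """Sysmon EventID 1 only; EventID may arrive as a string in some exports."""
    return event.get("Channel") == SYSMON_CHANNEL and str(event.get("EventID")) == "1"


def has_bidi_control(path):
    """True when an image path contains one of the bidi control characters."""
    return bool(BIDI_CONTROL_RE.search(path or ""))


def image_is(path, name):
    """Case-insensitive suffix match, the equivalent of LOWER(Image) LIKE '%name'."""
    return (path or "").lower().endswith(name.lower())


def find_masqueraded_cmd(events):
    """Hop 1: cmd.exe whose parent image name carries a bidi control character."""
    return [e for e in events
            if is_process_create(e)
            and has_bidi_control(e.get("ParentImage"))
            and image_is(e.get("Image"), "cmd.exe")]


def find_powershell_children(events, cmd_events):
    """Hop 2: powershell.exe whose ParentProcessGuid is a flagged cmd.exe ProcessGuid."""
    flagged = {e["ProcessGuid"] for e in cmd_events}
    return [e for e in events
            if is_process_create(e)
            and e.get("ParentProcessGuid") in flagged
            and image_is(e.get("Image"), "powershell.exe")]


def correlate(events):
    """Run both hops; returns (flagged cmd.exe events, flagged powershell.exe events)."""
    cmd_events = find_masqueraded_cmd(events)
    return cmd_events, find_powershell_children(events, cmd_events)


if __name__ == "__main__":
    cmd_hits, ps_hits = correlate(SAMPLE_EVENTS)
    for e in cmd_hits + ps_hits:
        # repr() makes the otherwise invisible U+202E visible in the output
        print(e["ProcessGuid"], e["Image"], "<-", repr(e["ParentImage"]))
```

The join key is the Sysmon ProcessGuid rather than the PID, for the same reason the Spark query uses it: PIDs are reused, so correlating on them across a long dataset produces false parent/child links. The benign cmd.exe/powershell.exe pair and the non-Sysmon 4688 record are there to show the two filters that keep this rule from firing on ordinary shell usage.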