Cyb3rWard0g opened this issue 4 years ago

Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Telemetry can show cmd.exe spawning from rcs.3aka3.doc. This event can be correlated with a previous detection for masquerading.
```sql
SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
AND LOWER(ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
AND LOWER(Image) LIKE "%cmd.exe"
```
```python
# Assumes the notebook's existing SparkSession `spark`, with the apt29Host
# dataset already registered as a table / temp view of that name.
test = spark.sql(
'''
SELECT Message
FROM apt29Host a
INNER JOIN (
    -- cmd.exe processes whose parent image contains a bidi control character
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND LOWER(ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*'
    AND LOWER(Image) LIKE '%cmd.exe'
) b
-- keep only process-creation events whose parent is one of those cmd.exe
ON a.ParentProcessGuid = b.ProcessGuid
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
AND EventID = 1
AND LOWER(Image) LIKE '%powershell.exe'
'''
)
test.show(10, truncate=False)
```
Description
The attacker then uses the active C2 connection to spawn interactive cmd.exe (T1059) and powershell.exe (T1086) shells.
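The two queries above, re-implemented in plain Python over constructed Sysmon process-creation records so the logic can be run without Spark (an added example, not code from the issue or the hackathon repo). The record field names follow the apt29Host columns used in the queries; the bidi control characters are matched by Unicode code point, which assumes the logs store the masqueraded file name as UTF-8.

```python
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Unicode bidi control characters (LRM, RLM, LRE, RLE, PDF, LRO, RLO). RLO (U+202E)
# is what makes a file named "cod.3aka3.scr" display as "rcs.3aka3.doc".
BIDI_CONTROL = re.compile("[\u200e\u200f\u202a-\u202e]")

# Constructed records (not real telemetry); the path carries a real U+202E.
MASQ = "C:\\Users\\pbeesly\\Desktop\\\u202ecod.3aka3.scr"
EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{G-0}", "ParentProcessGuid": "{G-X}",
     "Image": MASQ, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": MASQ},
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Benign: cmd.exe started from explorer.exe, with a powershell.exe under it.
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-X}",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-3}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Network-connection event (EventID 3) from the flagged cmd.exe: must be ignored.
    {"Channel": SYSMON, "EventID": 3, "ProcessGuid": "{G-1}",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

def process_creates(events):
    """Sysmon EventID 1 records only; other event types lack parent fields."""
    return [e for e in events if e["Channel"] == SYSMON and e["EventID"] == 1]

def cmd_from_masqueraded_parent(events):
    """First query: cmd.exe whose ParentImage contains a bidi control character."""
    return {
        e["ProcessGuid"] for e in process_creates(events)
        if e["Image"].lower().endswith("cmd.exe")
        and BIDI_CONTROL.search(e["ParentImage"].lower())
    }

def powershell_from_flagged_cmd(events):
    """Second query: powershell.exe whose ParentProcessGuid is a flagged cmd.exe."""
    flagged = cmd_from_masqueraded_parent(events)
    return sorted(
        e["ProcessGuid"] for e in process_creates(events)
        if e["ParentProcessGuid"] in flagged
        and e["Image"].lower().endswith("powershell.exe")
    )

if __name__ == "__main__":
    print("cmd.exe under masqueraded parent:", cmd_from_masqueraded_parent(EVENTS))
    print("powershell.exe under flagged cmd.exe:", powershell_from_flagged_cmd(EVENTS))
```

Only the cmd.exe whose parent path contains the RLO character, and the powershell.exe chained to it, are returned; the explorer.exe-spawned pair and the EventID 3 record are ignored.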