OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

9.C) File Deletion #23

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

Finally, the attacker deletes various files (T1107) associated with that access

Cyb3rWard0g commented 4 years ago

9.C.1 File Deletion

Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe

Sysmon Logs

SELECT Message
FROM apt29Host j
INNER JOIN (
    -- i: any process (EventID 1) whose parent is the cmd.exe found in g
    SELECT h.ProcessGuid
    FROM apt29Host h
    INNER JOIN (
        -- g: cmd.exe spawned by the process found in e
        SELECT f.ProcessGuid
        FROM apt29Host f
        INNER JOIN (
          -- e: any process (EventID 1) spawned by the python.exe found in c
          SELECT d.ProcessGuid
          FROM apt29Host d
          INNER JOIN (
              -- c: python.exe spawned by the services.exe child found in a
              SELECT b.ProcessGuid
              FROM apt29Host b
              INNER JOIN (
                -- a: processes started by services.exe (root of the tree)
                SELECT ProcessGuid
                FROM apt29Host
                WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
                    AND EventID = 1
                    AND ParentImage LIKE '%services.exe'
              ) a
              ON b.ParentProcessGuid = a.ProcessGuid
              WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
                AND Image LIKE '%python.exe'
          ) c
          ON d.ParentProcessGuid = c.ProcessGuid
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
              AND EventID = 1
        ) e
        ON f.ParentProcessGuid = e.ProcessGuid
        WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
          AND Image LIKE '%cmd.exe'
    ) g
    ON h.ParentProcessGuid = g.ProcessGuid
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND h.EventID = 1
) i
ON j.ProcessGuid = i.ProcessGuid
-- j: File Delete events (EventID 23) written by the child of cmd.exe found in i
WHERE j.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND j.EventID = 23

Results

-RECORD 0----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File Delete:
RuleName: -
UtcTime: 2020-05-02 03:17:41.353
ProcessGuid: {5aa8ec29-e655-5eac-8303-000000000400}
ProcessId: 6640
User: DMEVALS\pbeesly
Image: C:\Windows\Temp\sdelete64.exe
TargetFilename: C:\Users\pbeesly\Desktop\working.zip
Hashes: SHA1=321A74E1D43B00DF8D3D4A55CE36C5E7A143A5C4,MD5=14C4E1AB76CF430C499E8509CA488F54,SHA256=1125328F7A204931E2E22C5BBE7238E382B35C1456F6961B1EF8566C5EE06863,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - shredded file with pattern 0x00         
-RECORD 1----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File Delete:
RuleName: -
UtcTime: 2020-05-02 03:17:18.102
ProcessGuid: {5aa8ec29-e63e-5eac-8203-000000000400}
ProcessId: 6116
User: DMEVALS\pbeesly
Image: C:\Windows\Temp\sdelete64.exe
TargetFilename: C:\Users\pbeesly\ZZZZZZZZZZZZZZZZZZZZZZZ.ZZZ
Hashes: SHA1=61A5FFA57DFE0D9B3E4938439FF3452109D4E709,MD5=58B9030861D1CC69344164EE048D9ABC,SHA256=DD4969A104193430D250956C52C2498786C4922361D306B9CBB0148F69C1339C,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - shredded file with pattern 0x00 
-RECORD 2----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Message | File Delete:
RuleName: -
UtcTime: 2020-05-02 03:16:52.587
ProcessGuid: {5aa8ec29-e624-5eac-7f03-000000000400}
ProcessId: 3552
User: DMEVALS\pbeesly
Image: C:\Windows\Temp\sdelete64.exe
TargetFilename: C:\Windows\Temp\Rar.exe
Hashes: SHA1=408238F3BEA1DF74E8B9B672E8F95C5BA2C5DBC0,MD5=FD021D31F1DFA5E00EFA035758023064,SHA256=8FD96796FCDB8CAC8DB026C2C78E24493507CEDC500E358B1564F184DA18D94C,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - shredded file with pattern 0x00

Cyb3rWard0g commented 4 years ago

9.C.2 File Deletion

Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip

9.C.3 File Deletion

Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip

Same as before

Cyb3rWard0g commented 4 years ago

9.C.4 File Deletion

Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe

Sysmon

SELECT h.Message
FROM apt29Host h
INNER JOIN (
    -- g: cmd.exe spawned by the process found in e
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
      -- e: any process (EventID 1) spawned by the python.exe found in c
      SELECT d.ProcessGuid
      FROM apt29Host d
      INNER JOIN (
          -- c: python.exe spawned by the services.exe child found in a
          SELECT b.ProcessGuid
          FROM apt29Host b
          INNER JOIN (
            -- a: processes started by services.exe (root of the tree)
            SELECT ProcessGuid
            FROM apt29Host
            WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
                AND EventID = 1
                AND ParentImage LIKE '%services.exe'
          ) a
          ON b.ParentProcessGuid = a.ProcessGuid
          WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
            AND Image LIKE '%python.exe'
      ) c
      ON d.ParentProcessGuid = c.ProcessGuid
      WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
          AND EventID = 1
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
      AND EventID = 1
      AND Image LIKE '%cmd.exe'
) g
ON h.ProcessGuid = g.ProcessGuid
-- h: File Delete events (EventID 23) written by cmd.exe itself (the del command)
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND h.EventID = 23

Results

File Delete:
RuleName: -
UtcTime: 2020-05-02 03:17:52.009
ProcessGuid: {5aa8ec29-e618-5eac-7e03-000000000400}
ProcessId: 8772
User: DMEVALS\pbeesly
Image: C:\windows\system32\cmd.exe
TargetFilename: C:\Windows\Temp\sdelete64.exe
Hashes: SHA1=7BCD946326B67F806B3DB4595EDE9FBDF29D0C36,MD5=2B5CB081721B8BA454713119BE062491,SHA256=FEEC1457836A5F84291215A2A003FCDE674E7E422DF8C4ED6FE5BB3B679CDC87,IMPHASH=342934F7499D0F57D88D4434E41B7BF9
IsExecutable: true
Archived: true
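Added example, not code from the hackathon repo or the Mordor notebooks: the nested self-joins of the 9.C.1 and 9.C.4 queries above rewritten as a parent-chain walk in plain Python over a constructed set of Sysmon events, so the fixed-depth lineage (services.exe > child > python.exe > child > cmd.exe > child) and the Event ID 23 match can be checked outside Spark. The event records, GUIDs (`{a}`, `{svc}`, ...), image paths (`agent.exe`, `launcher.exe`, `userinit.exe`) and the helper names `proc`, `delete`, `ancestry`, `chain_matches` and `find_deletions` are all assumptions made for this example.

```python
import ntpath

# Constructed sample events (not real Mordor records) shaped like the tree the
# 9.C.1 and 9.C.4 queries walk, plus one unrelated deletion as a negative case.
def proc(guid, parent, image, parent_image):  # Sysmon EventID 1 (process create)
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "ParentImage": parent_image}
def delete(guid, image, target):  # Sysmon EventID 23 (file delete archived)
    return {"EventID": 23, "ProcessGuid": guid, "Image": image, "TargetFilename": target}

EVENTS = [
    proc("{a}", "{svc}", r"C:\Windows\Temp\agent.exe", r"C:\Windows\System32\services.exe"),
    proc("{b}", "{a}", r"C:\Python\python.exe", r"C:\Windows\Temp\agent.exe"),
    proc("{d}", "{b}", r"C:\Windows\Temp\launcher.exe", r"C:\Python\python.exe"),
    proc("{f}", "{d}", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\launcher.exe"),
    proc("{h}", "{f}", r"C:\Windows\Temp\sdelete64.exe", r"C:\Windows\System32\cmd.exe"),
    proc("{x}", "{y}", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    delete("{h}", r"C:\Windows\Temp\sdelete64.exe", r"C:\Windows\Temp\Rar.exe"),
    delete("{f}", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\sdelete64.exe"),
    delete("{x}", r"C:\Windows\explorer.exe", r"C:\Users\pbeesly\notes.txt"),
]

def ancestry(events, guid):
    """Image basenames from the process up its parent chain (one entry per nested
    JOIN), ending with the ParentImage of the top process that has a creation event."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:  # seen guards against cyclic data
        seen.add(guid)
        e = by_guid[guid]
        chain.append(ntpath.basename(e["Image"]).lower())
        guid = e["ParentProcessGuid"]
        if guid not in by_guid:  # no creation event for the parent (e.g. services.exe)
            chain.append(ntpath.basename(e["ParentImage"]).lower())
    return chain

def chain_matches(chain, pattern):
    """Fixed-depth match like the query: '*' is a JOIN level filtered on EventID only."""
    return len(chain) == len(pattern) and all(
        p in ("*", c) for c, p in zip(chain, pattern))

def find_deletions(events, pattern):
    """EventID 23 records whose deleting process has the given ancestry."""
    return [(ntpath.basename(e["Image"]), e["TargetFilename"])
            for e in events if e["EventID"] == 23
            and chain_matches(ancestry(events, e["ProcessGuid"]), pattern)]

# 9.C.1: a child of cmd.exe (sdelete64.exe) deletes; 9.C.4: cmd.exe itself does.
PATTERN_9C1 = ["*", "cmd.exe", "*", "python.exe", "*", "services.exe"]
PATTERN_9C4 = ["cmd.exe", "*", "python.exe", "*", "services.exe"]
```

Because the match is fixed-depth, a deletion by cmd.exe itself does not satisfy the 9.C.1 pattern and a deletion by a child of cmd.exe does not satisfy 9.C.4, exactly as the two queries behave.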