From 8f7245dd18db77c69fe26114b263007f542450e4 Mon Sep 17 00:00:00 2001
From: junk
Date: Sun, 12 Jan 2025 16:04:12 -0500
Subject: [PATCH] Add ben_week_1.md
---
 ben_week_1.md | 277 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 277 insertions(+)
 create mode 100644 ben_week_1.md
diff --git a/ben_week_1.md b/ben_week_1.md
new file mode 100644
index 0000000..a1abe5c
--- /dev/null
+++ b/ben_week_1.md
@@ -0,0 +1,277 @@
+[T1566.001] Spearphishing Attachment - Opened
+
+```
+`indextime` `sysmon` event_id=13 registry_key_path="*trustrecords*" OR registry_key_path="*TargetObject=*Software\\Microsoft\\VBA\\7.1\\Common*"
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Macro enabled for document",
+mitre_category="Initial_Access",
+mitre_technique="Phishing",
+mitre_technique_id="T1566",
+mitre_subtechnique="Spearphishing Attachment",
+mitre_subtechnique_id="T1566.001",
+apt="",
+mitre_link="https://attack.mitre.org/techniques/T1566/001/",
+creator="Cpl Iverson",
+last_tested="",
+upload_date="2024-01-01",
+last_modify_date="2025-01-09",
+mitre_version="v16",
+priority=""
+| `registry_whitelist`
+| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[T1050] New Service - Process
+
+```
+`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="sc.exe" OR process_name="powershell.exe" OR process_name="cmd.exe") AND (process_command_line="*New-Service*BinaryPathName*" OR process_command_line="*sc*create*binpath*" OR process_command_line="*Get-WmiObject*Win32_Service*create*")
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.",
+mitre_category=mvappend("Persistence","Privilege_Escalation"),
+mitre_technique="Create or Modify System Process",
+mitre_technique_id="T1543",
+mitre_subtechnique="Windows Service",
+mitre_subtechnique_id="T1543.003",
+apt="",
+mitre_link="https://attack.mitre.org/techniques/T1543/003/",
+creator="Cpl Iverson",
+upload_date="2024-01-01",
+last_modify_date="2025-01-08",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[T1053] Scheduled Task - FileAccess
+
+```
+`indextime` `sysmon` event_id=11 process_path!="C:\\WINDOWS\\system32\\svchost.exe" (file_path="C:\\Windows\\System32\\Tasks\\*" OR file_path="C:\\Windows\\Tasks\\*")
+| eval mitre_technique="Scheduled Task"
+| eval mitre_technique_id="T1053"
+| eval apt=mvappend("Volt Typhoon")
+| `file_create_whitelist`
+| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id mitre_category mitre_technique mitre_technique_id hunting_trigger
+| collect `jarvis_index`
+```
+
+
+[T1087.003] Email Account
+
+```
+`indextime` (`sysmon` OR `windows`) AND ('powershell /c' AND ('Get-ADUser -Filter * -Properties EmailAddress' OR 'Select-Object Name, EmailAddress') OR 'powershell /c Get-ADUser')
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. 
Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
+mitre_category="Discovery",
+mitre_technique="Account Discovery",
+mitre_technique_id="T1087",
+mitre_subtechnique="Email Account",
+mitre_subtechnique_id="T1087.003",
+apt="Magic Hound",
+mitre_link="https://attack.mitre.org/techniques/T1087/003",
+creator="Cpl Iverson",
+upload_date="2025-01-08",
+last_modify_date="2025-01-08",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+
+[T1087] Account Discovery - net group
+
+```
+`indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image= "\winword.exe" OR Image= "\excel.exe" OR Image= "\powerpnt.exe") AND (CommandLine= "macro" OR CommandLine= "automation" OR CommandLine= "shellcode") AND ParentCommandLine= "open*"
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Office Application Process Execution",
+mitre_category="Execution",
+mitre_technique="Exploitation for Client Execution",
+mitre_technique_id="T1203",
+mitre_subtechnique="",
+mitre_subtechnique_id=""
+cve=mvappend("CVE-2020-0938","CVE-2020-1020"),
+apt="",
+mitre_link="https://attack.mitre.org/techniques/T1203/",
+creator="Cpl Iverson",
+upload_date="2024-12-11",
+last_modify_date="2024-12-11",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name 
process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger
+| collect `jarvis_index`
+```
+
+
+
+
+
+[T1010] Application Window Discovery_Analytic_1
+
+
+```
+`indextime` `powershell` EventCode="4103" | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Suspicious Commands",
+mitre_category="Discovery",
+mitre_technique="Application Window Discovery",
+mitre_technique_id="T1010",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt=mvappend("HEXANE","Lazarus Group","Volt Typhoon"),
+mitre_link="https://attack.mitre.org/techniques/T1010/",
+creator="Cpl Iverson",
+last_tested="",
+upload_date="2024-12-04",
+last_modify_date="2024-12-04",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+
+
+
+[T1010] Application Window Discovery_Analytic_2
+
+
+```
+`indextime` (`sysmon` EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Suspicious Processes",
+mitre_category="Discovery",
+mitre_technique="Application Window Discovery",
+mitre_technique_id="T1010",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt=mvappend("HEXANE","Lazarus 
Group","Volt Typhoon"),
+mitre_link="https://attack.mitre.org/techniques/T1010/",
+creator="Cpl Iverson",
+last_tested="",
+upload_date="2024-12-04",
+last_modify_date="2024-12-04",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+
+
+
+
+[T1560.001] Archive via Utility
+
+```
+`indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration.",
+mitre_category="Collection",
+mitre_technique="Archive Collected Data",
+mitre_technique_id="T1560",
+mitre_subtechnique="Archive via Utility",
+mitre_subtechnique_id="T1560.001",
+apt="Magic Hound",
+mitre_link="https://attack.mitre.org/techniques/T1560/001/",
+creator="Cpl Iverson",
+upload_date="2025-01-08",
+last_modify_date="2025-01-08",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+
+
+
+
+[T1560] Archive Collected Data
+
+```
+`indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="powershell.exe" AND process_command_line="*-Recurse | Compress-Archive*") OR (process_name="rar.exe" AND process_command_line="rar*a*") OR process_name="7z.exe" OR process_name="*zip.exe"
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Command Line Usage of Archiving Software",
+mitre_category="Collection",
+mitre_technique="Archive Collected Data",
+mitre_technique_id="T1560",
+mitre_subtechnique="Archive via Utility",
+mitre_subtechnique_id="T1560.001",
+apt=mvappend("APT1","APT28","APT3","APT33","APT39","APT41","APT5","Agrius","Akira","Aquatic Panda","BRONZE BUTLER","Chimera","CopyKittens","Earth Lusca","FIN13","FIN8","Fox Kitten","GALLIUM","Gallmaker","HAFNIUM","INC Ransom","Ke3chang","Kimsuky","Magic Hound","MuddyWater","Mustang Panda","Play","RedCurl","Sowbug","ToddyCat","Turla","Volt Typhoon","Wizard Spider","menuPass"),
+mitre_link="https://attack.mitre.org/techniques/T1560/001/",
+creator="Cpl Iverson",
+last_tested="",
+upload_date="2024-12-04",
+last_modify_date="2024-12-04",
+mitre_version="v16",
+priority=""
+| `process_create_whitelist`
+| `file_create_whitelist`
+| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger
+| collect `jarvis_index`
+```
+
+
+
+
+[T1560] LOLBAS Chinese APT Creating a 7z Archive in temp
+
+
+```
+`indextime` `windows-security` AND ((Image="*\\7z.exe" OR OriginalFileName="7z.exe") AND CommandLine="*a -p*" AND CommandLine="*c:\\windows\\temp\\*")
+``` name: LOLBAS Chinese APT Creating a 7z Archive in temp ```
+``` uuid: 805be6dd-20d2-42dc-b70a-b058ae83002b ```
+``` author: SIMKRA, 
@SIMKRA202 ```
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Detects the suspicious creation of a 7z achrive into the c:\windows\temp\ folder.",
+mitre_category="Collection",
+mitre_technique="OS Credential Dumping",
+mitre_technique_id="T1560",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="Volt Typhoon",
+mitre_link="https://github.com/Schmouni242/Sigma-Rules/blob/main/LOLBAS%20Chinese%20APT%20Creating%20a%207z%20Archive%20in%20temp.yml",
+creator="Cpl Iverson",
+last_tested="",
+upload_date="2025-01-07",
+last_modify_date="2025-01-07",
+mitre_version="v16",
+priority="high"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+
+
+
+
+
+
+
+
+
+
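Review bot: The eval in the `[T1087] Account Discovery - net group` block is syntactically broken — `mitre_subtechnique_id=""` has no trailing comma before `cve=mvappend("CVE-2020-0938","CVE-2020-1020")`, so the search errors out and nothing reaches `collect`; the line should read `mitre_subtechnique_id="",`. That block's heading also disagrees with its content (the search and metadata describe T1203 Office exploitation, not T1087), and `Image= "\winword.exe"` / `CommandLine= "macro"` are exact-match terms that will not match a full image path or command line, so presumably `Image="*\\winword.exe"` and `CommandLine="*macro*"` are intended. In `[T1087.003] Email Account` the search terms are single-quoted (`'powershell /c'`), which SPL treats as field references rather than string literals, so they should be double-quoted. The `[T1560] LOLBAS Chinese APT Creating a 7z Archive in temp` block closes its code fence after the first search line and puts `name:`/`uuid:`/`author:` in their own fences, leaving the `| eval ... | collect` pipeline outside any fence, and `mitre_technique="OS Credential Dumping"` does not match `mitre_technique_id="T1560"` (Archive Collected Data). The `[T1053] Scheduled Task - FileAccess` block tables `mitre_category` and `hunting_trigger` but never sets them, so those columns are empty in `jarvis_index`.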