Upload files to "/"

2025-03-23 23:52:45 -04:00
commit 2c833f112d
4 changed files with 989 additions and 0 deletions

236
ioc.md Normal file

@ -0,0 +1,236 @@
## MD5
```
f8df6cf748cc3cf7c05ab18e798b3e91,md5, info Stealer Implants,,,
ef8c77dc451f6c783d2c4ddb726de111,md5, info Stealer Implants,,,
de26f488328ea0436199c5f728ecd82a,md5, info Stealer Implants,,,
d4b75a8318befdb1474328a92f0fc79d,md5, info Stealer Implants,,,
ba40c097e9d06130f366b86deb4a8124,md5, info Stealer Implants,,,
b0844bb9a6b026569f9baf26a40c36f3,md5, info Stealer Implants,,,
89052678dc147a01f3db76febf8441e4,md5, info Stealer Implants,,,
842f8064a81eb5fc8828580a08d9b044,md5, info Stealer Implants,,,
7c527c6607cc1bfa55ac0203bf395939,md5, info Stealer Implants,,,
75fd9018433f5cbd2a4422d1f09b224e,md5, info Stealer Implants,,,
729c24cc6a49fb635601eb88824aa276,md5, info Stealer Implants,,,
69f6dcdb3d87392f300e9052de99d7ce,md5, info Stealer Implants,,,
5e17d1a077f86f7ae4895a312176eba6,md5, info Stealer Implants,,,
373ebf513d0838e1b8c3ce2028c3e673,md5, info Stealer Implants,,,
351260c2873645e314a889170c7a7750,md5, info Stealer Implants,,,
23ce22596f1c7d6db171753c1d2612fe,md5, info Stealer Implants,,,
0c03efd969f6d9e6517c300f8fd92921,md5, info Stealer Implants,,,
277acb857f1587221fc752f19be27187,md5, info Stealer Implants,,,
faa47ecbcc846bf182e4ecf3f190a9f4,md5, info Stealer Payload,,,
d8c6199b414bdf298b6a774e60515ba5,md5, info Stealer Payload,,,
9d3337f0e95ece531909e4c8d9f1cc55,md5, info Stealer Payload,,,
6bd84dfb987f9c40098d12e3959994bc,md5, info Stealer Payload,,,
6396908315d9147de3dff98ab1ee4cbe,md5, info Stealer Payload,,,
1e210fcc47eda459998c9a74c30f394e,md5, info Stealer Payload,,,
fe0438938eef75e090a38d8b17687357,md5, info Stealer Payload,,,
e0f8d7ec2be638fbf3ddf8077e775b2d,md5, info Stealer Bait File,,,
cdd4cfac3ffe891eac5fb913076c4c40,md5, info Stealer Bait File,,,
b57b13e9883bbee7712e52616883d437,md5, info Stealer Bait File,,,
a3f4e422aecd0547692d172000e4b9b9,md5, info Stealer Bait File,,,
9871272af8b06b484f0529c10350a910,md5, info Stealer Bait File,,,
97b19d9709ed3b849d7628e2c31cdfc4,md5, info Stealer Bait File,,,
8e960334c786280e962db6475e0473ab,md5, info Stealer Bait File,,,
76e7cbab1955faa81ba0dda824ebb31d,md5, info Stealer Bait File,,,
7140dbd0ca6ef09c74188a41389b0799,md5, info Stealer Bait File,,,
5c3394e37c3d1208e499abe56e4ec7eb,md5, info Stealer Bait File,,,
47765d12f259325af8acda48b1cbad48,md5, info Stealer Bait File,,,
3e6cf927c0115f76ccf507d2f5913e02,md5, info Stealer Bait File,,,
32da6c4a44973a5847c4a969950fa4c4,md5, info Stealer Bait File,,,
fea50d3bb695f6ccc5ca13834cdfe298,md5, Lumma Stealer,,,
83ae58dd03f33d1fae6771e859200be6,md5, Lumma Stealer,,,
7b1f43deed8fc7e35f8394548e12dd81,md5, Lumma Stealer,,,
c39f64a31e9f15338f83411bb9fc0942,md5, Lumma Stealer,,,
b832096cf669ff4d66e04b252cb1a1dc,md5, Lumma Stealer,,,
d6ea5dcdb2f88a65399f87809f43f83c,md5, erefgojgbu - CRYPTBOT,,,
307f40ebc6d8a207455c96d34759f1f3,md5, L2.zip - CRYPTBOT,,,
d8e21ac76b228ec144217d1e85df2693,md5, Sеtup.exe - CRYPTBOT,,,
43939986a671821203bf9b6ba52a51b4,md5, oqnhustu - LUMMAC.V2,,,
58c4ba9385139785e9700898cb097538,md5, WebView2Loader.dll - LUMMAC.V2,,,
95361f5f264e58d6ca4538e7b436ab67,md5, Downloader - PEAKLIGHT,,,
b716a1d24c05c6adee11ca7388b728d3,md5, Downloader - PEAKLIGHT,,,
b15bac961f62448c872e1dc6d3931016,md5, Aaaa.exe - SHADOWLADDER,,,
e7c43dc3ec4360374043b872f934ec9e,md5, bentonite.cfg - SHADOWLADDER,,,
f98e0d9599d40ed032ff16de242987ca,md5, cymophane.doc - SHADOWLADDER,,,
b6b8164feca728db02e6b636162a2960,md5, K1.zip - SHADOWLADDER,,,
bb9641e3035ae8c0ab6117ecc82b65a1,md5, K1.zip - SHADOWLADDER,,,
236c709bbcb92aa30b7e67705ef7f55a,md5, K2.zip - SHADOWLADDER,,,
d7aff07e7cd20a5419f2411f6330f530,md5, K2.zip - SHADOWLADDER,,,
a6c4d2072961e9a8c98712c46be588f8,md5, L1.zip - SHADOWLADDER,,,
059d94e8944eca4056e92d60f7044f14,md5, LiteSkinUtils.dll - SHADOWLADDER,,,
dfdc331e575dae6660d6ed3c03d214bd,md5, toughie.txt - SHADOWLADDER,,,
47eee41b822d953c47434377006e01fe,md5, WCLDll.dll - SHADOWLADDER,,,
```
## Sha256
```
b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624, sha256, Malware, PS, medium
cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54, sha256, Malware, PS, medium
632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c, sha256, Malware, ZIP, medium
19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a, sha256, Malware, ZIP, medium
d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207, sha256, Malware, EXE, medium
bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55, sha256, Malware, EXE, medium
fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511, sha256, Malware, HTA, medium
ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef, sha256, AntiSpam.exe, nan, medium
d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08, sha256, AntiSpam.exe, nan, medium
dc5c9310a2e6297caa4304002cdfb6fbf7d6384ddbd58574f77a411f936fab0b, sha256, AntiSpam.exe, nan, medium
24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793, sha256, , nan, medium
9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7, sha256, , nan, medium
ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c, sha256, update6.exe Used, nan, medium
ab1f101f6cd7c0cffc65df720b92bc8272f82a1e13f207dff21caaff7675029f, sha256, update7.exe, nan, medium
9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2, sha256, update8.exe, nan, medium
ab3daec39332ddeeba64a2f1916e6336a36ffcc751554954511121bd699b0caa, sha256, atiumdag.dll, nan, medium
7d96ec8b72015515c4e0b5a1ae6c799801cf7b86861ade0298a372c7ced5fd93, sha256, Log.dll., nan, medium
9dc809b2e5fbf38fa01530609ca7b608e2e61bd713145f84cf22c68809aec372, sha256, proxy, nan, medium
fb4fa180a0eee68c06c85e1e755f423a64aa92a3ec6cf76912606ac253973506, sha256, , PS, medium
fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3, sha256, , nan, medium
949faad2c2401eb854b9c32a6bb6e514ad075e5cbe96154c172f5f6628af43ed, sha256, , nan, medium
b92cf617a952f0dd2c011d30d8532d895c0cfbfd9556f7595f5b220e99d14d64, sha256, update2.dll , nan, medium
cff5c6694d8925a12ce13a85e969bd468e28313af2fb46797bdcf77092012732, sha256, APEXScan.exe , nan, medium
cb03b206d63be966ddffa7a2115ea99f9fec50d351dce03dff1240bb073b5b50, sha256, unnamed , nan, medium
ccaa8c8b39cb4a4de4944200936bcd4796367c16421a89e6a7d5476ae2da78cd, sha256, update1.exe , nan, medium
1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e, sha256, update4.exe , nan, medium
ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7, sha256, lu2.exe , nan, medium
```
## IPs
```
77.73.134.68,ip_address, Lumma Stealer
144.76.173.247,ip_address, Lumma Stealer
157.90.248.179,ip_address, Lumma Stealer
213.252.244.62,ip_address, Lumma Stealer
45.155.249.97,ip_address, Cobalt Strike C2 IP address
77.238.224.56,ip_address, C2 address
77.238.229.63,ip_address, C2 address
77.238.250.123,ip_address, C2 address
77.238.245.233,ip_address,C2 address
91.142.74.28,ip_address,C2 address
191.142.74.28,ip_address,C2 address
195.2.70.38,ip_address,C2 address
37.221.126.202,ip_address,C2 address used by the threat actor to connect via Anydesk
91.196.70.160,ip_address, Socks proxy server
217.15.175.191,ip_address, SystemBC C2 IP address
```
## Domains
```
testdomain123123.shop, domain, maliciousmd5, infoStealers
savefrom.net, domain,streamingmd5, infoStealers
unblocked.watch, domain,streamingmd5, infoStealers
mp3fromlink.com, domain,streamingmd5, infoStealers
hisotv.com, domain,streamingmd5, infoStealers
www.portalmovies.com.ar, domain,streamingmd5, infoStealers
sfrom.net, domain,streamingmd5, infoStealers
tagalogdubbed.com, domain,streamingmd5, infoStealers
www.youtubepp.com, domain,streamingmd5, infoStealers
ssyoutube.com, domain,streamingmd5, infoStealers
www.y2mate.com, domain,streamingmd5, infoStealers
Multicanais.love, domain,streamingmd5, infoStealers
averageorganicfallfaw.shop, domain, Command Servers -md5, infoStealers
distincttangyflippan.shop, domain, Command Servers -md5, infoStealers
macabrecondfucews.shop, domain, Command Servers -md5, infoStealers
greentastellesqwm.shop, domain, Command Servers -md5, infoStealers
stickyyummyskiwffe.shop, domain, Command Servers -md5, infoStealers
sturdyregularrmsnhw.shop, domain, Command Servers -md5, infoStealers
lamentablegapingkwaq.shop, domain, Command Servers -md5, infoStealers
Innerverdanytiresw.shop, domain, Command Servers -md5, infoStealers
standingcomperewhitwo.shop, domain, Command Servers -md5, infoStealers
uniedpureevenywjk.shop, domain, samples -md5, infoStealers
spotlessimminentys.shop, domain, samples -md5, infoStealers
specialadventurousw.shop, domain, samples -md5, infoStealers
stronggemateraislw.shop, domain, samples -md5, infoStealers
willingyhollowsk.shop, domain, samples -md5, infoStealers
handsomelydicrwop.shop, domain, samples -md5, infoStealers
softcallousdmykw.shop, domain, samples -md5, infoStealers
celebratioopz.shop, domain, Lumma Stealer, infoStealers
writerospzm.shop, domain, Lumma Stealer, infoStealers
deallerospfosu.shop, domain, Lumma Stealer, infoStealers
bassizcellskz.shop, domain, Lumma Stealer, infoStealers
mennyudosirso.shop, domain, Lumma Stealer, infoStealers
languagedscie.shop, domain, Lumma Stealer, infoStealers
complaintsipzzx.shop, domain, Lumma Stealer, infoStealers
quialitsuzoxm.shop, domain, Lumma Stealer, infoStealers
relaxtionflouwerwi.shop, domain, LUMMAC.V2 C2s, infoStealers
deprivedrinkyfaiir.shop, domain, LUMMAC.V2 C2s, infoStealers
detailbaconroollyws.shop, domain, LUMMAC.V2 C2s, infoStealers
messtimetabledkolvk.shop, domain, LUMMAC.V2 C2s, infoStealers
considerrycurrentyws.shop, domain, LUMMAC.V2 C2s, infoStealers
understanndtytonyguw.shop, domain, LUMMAC.V2 C2s, infoStealers
patternapplauderw.shop, domain, LUMMAC.V2 C2s, infoStealers
horsedwollfedrwos.shop, domain, LUMMAC.V2 C2s, infoStealers
tropicalironexpressiw.shop, domain, LUMMAC.V2 C2s, infoStealers
falseaudiencekd.shop, domain,Lumma C2 domain, infoStealers
feighminoritsjda.shop, domain,Lumma C2 domain, infoStealers
justifycanddidatewd.shop, domain,Lumma C2 domain, infoStealers
marathonbeedksow.shop, domain,Lumma C2 domain, infoStealers
pleasurenarrowsdla.shop, domain,Lumma C2 domain, infoStealers
raiseboltskdlwpow.shop, domain,Lumma C2 domain, infoStealers
richardflorespoew.shop, domain,Lumma C2 domain, infoStealers
strwawrunnygjwu.shop, domain,Lumma C2 domain, infoStealers
https://ch3.dlvideosfre.click/human-verify-system.html, domain, Lumma Stealer, infoStealers
https://verif.dlvideosfre.click/2ndhsoru, domain, Lumma Stealer, infoStealers
https://verif.dlvideosfre.click/K1.zip, domain, Lumma Stealer, infoStealers
https://verif.dlvideosfre.click/K2.zip, domain, Lumma Stealer, infoStealers
https://verif.dlvideosfre.click, domain, Lumma Stealer, infoStealers
Ofsetvideofre.click/, domain, Fake Captcha Websites, infoStealers
Newvideozones.click/veri.html, domain, Fake Captcha Websites, infoStealers
Clickthistogo.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59, domain, Fake Captcha Websites, infoStealers
Downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c, domain, Fake Captcha Websites, infoStealers
Betterdirectit.com/, domain, Fake Captcha Websites, infoStealers
Betterdirectit.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67, domain, Fake Captcha Websites, infoStealers
heroic-genie-2b372e.netlify.app/please-verify-z.html, domain, Fake Captcha Websites, infoStealers
Downloadstep.com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4, domain, Fake Captcha Websites, infoStealers
Downloadsbeta.com/go/08a742f2-0a36-4a00-a979-885700e3028c, domain, Fake Captcha Websites, infoStealers
Streamingsplays.com/go/6754805d-41c5-46b7-929f-6655b02fce2c, domain, Fake Captcha Websites, infoStealers
Streamingsplays.com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f, domain, Fake Captcha Websites, infoStealers
Streamingszone.com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ, domain, Fake Captcha Websites, infoStealers
Streamingsplays.com/go/1c406539-b787-4493-a61b-f4ea31ffbd56, domain, Fake Captcha Websites, infoStealers
github-scanner.shop/, domain, Fake Captcha Websites, infoStealers
github-scanner.com/, domain, Fake Captcha Websites, infoStealers
botcheck.b-cdn.net/captcha-verify-v7.html, domain, Fake Captcha Websites, infoStealers
Rungamepc.ru/?load=Black-Myth-Wukong-crack, domain, Redirectingmd5, infoStealers
game02-com.ru/?load=Cities-Skylines-2-Crack-Setup, domain, Redirectingmd5, infoStealers
Rungamepc.ru/?load=Dragons-Dogma-2-Crack, domain, Redirectingmd5, infoStealers
Rungamepc.ru/?load=Dying-Light-2-Crack, domain, Redirectingmd5, infoStealers
Rungamepc.ru/?load=Monster-Hunter-Rise-Crack, domain, Redirectingmd5, infoStealers
Runkit.com/wukong/black-myth-wukong-crack-pc, domain, Websites Containing Malicious URLsmd5, infoStealers
Runkit.com/skylinespc/cities-skylines-ii-crack-pc-full-setup, domain, Websites Containing Malicious URLsmd5, infoStealers
Runkit.com/masterposte/dying-light-2-crack-on-pc-denuvo-fix, domain, Websites Containing Malicious URLsmd5, infoStealers
Runkit.com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone, domain, Websites Containing Malicious URLsmd5, infoStealers
Groups.google.com/g/hogwarts-legacy-crack-empress, domain, Websites Containing Malicious URLsmd5, infoStealers
By.tribuna.com/extreme/blogs/3143511-black-myth-wukong-full-unlock/, domain, Websites Containing Malicious URLsmd5, infoStealers
https://human-check.b-cdn.net/verify-captcha-v7.html, domain, Lumma Stealer CAPTCHA, infoStealers
https://poko.b-cdn.net/poko, domain,Lumma Stealer Mshta, infoStealers
https://fatodex.b-cdn.net/fatodex, domain, PEAKLIGHT NBIsmd5, infoStealers
https://matodown.b-cdn.net/matodown, domain, PEAKLIGHT NBIsmd5, infoStealers
https://potexo.b-cdn.net/potexo, domain, PEAKLIGHT NBIsmd5, infoStealers
hxxp://gceight8vt.top/upload.php, domain,CRYPTBOT C2s, infoStealers
https://brewdogebar.com/code.vue, domain,CRYPTBOT C2s, infoStealers
hxxp://62.133.61.56/Downloads/Full%20Video%20HD%20(1080p).lnk, domain,SHADOWLADDER, infoStealers
https://fatodex.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
https://fatodex.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png, domain,SHADOWLADDER, infoStealers
https://matodown.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
https://matodown.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
https://nextomax.b-cdn.net/L1.zip, domain,SHADOWLADDER, infoStealers
https://nextomax.b-cdn.net/L2.zip, domain,SHADOWLADDER, infoStealers
https://potexo.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
https://potexo.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
spamicrosoft.com, domain,Used to make external Microsoft Teams calls after email bombing users., infoStealers
halagifts.com, domain,SystemBC C2 domain, infoStealers
preservedmoment.com, domain,Cobalt Strike domain, infoStealers
```
[1][2][3][4][5][6]
[1]: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
[2]: https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/
[3]: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
[4]: https://denwp.com/dissecting-lumma-malware/
[5]: https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
[6]: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/
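Review bot: The record layout is inconsistent across the four fenced blocks, so the file cannot be consumed as one CSV: MD5 rows carry six fields with three trailing empties (`f8df6cf748cc3cf7c05ab18e798b3e91,md5, info Stealer Implants,,,`), SHA256 rows five, IP rows three and domain rows four, and whitespace after the separator varies row to row (`ip_address, Lumma Stealer` vs `ip_address,C2 address`). The type column is also wrong for the full URLs in the Domains block, which are tagged `domain` although they carry a scheme and path (`https://verif.dlvideosfre.click/K1.zip, domain, Lumma Stealer, infoStealers`); a `url` type would let a consumer route them correctly, and category tags such as `streamingmd5` and `Redirectingmd5` look like a concatenation artifact of `md5`. Defanging is applied to only two entries (`hxxp://gceight8vt.top/upload.php`, `hxxp://62.133.61.56/...`) while every other URL, domain and IP is live; one convention should be used for the whole file. One SHA256 (`9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2`) is upper-case while all other hashes are lower-case, so normalising to lower-case avoids case-sensitive lookup misses. `91.142.74.28` and `191.142.74.28` differ by a single leading digit and carry the same description, which suggests a transcription error in one of them — worth confirming against the cited source before either is deployed.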

710
rules.md Normal file

@ -0,0 +1,710 @@
# Rules for Info Stealers
[] Suspicious File Access and Modifications
```
`indextime` `sysmon` EventID=11 TargetFilename IN ("*\\Chrome\\User Data\\Default\\Cookies", "*\\Edge\\User Data\\Default\\Cookies", "*\\Chrome\\User Data\\Default\\History", "*\\Edge\\User Data\\Default\\History")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="Python decryption routine detected",
mitre_category="Defense_Evasion",
mitre_technique="Deobfuscate/Decode Files or Information",
mitre_technique_id="T1140",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1140/",
creator="Cpl Iverson",
last_tested=""),
upload_date="2025-03-10",
last_modify_date="2025-03-10",
mitre_version="v16",
priority="High"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[] Suspicious Process Execution
```
`indextime` `sysmon` EventID=1 Image="*python.exe" CommandLine="*decrypt_value*"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="Python decryption routine detected",
mitre_category="Defense_Evasion",
mitre_technique="Deobfuscate/Decode Files or Information",
mitre_technique_id="T1140",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1140/",
creator="Cpl Iverson",
last_tested=""),
upload_date="2025-03-10",
last_modify_date="2025-03-10",
mitre_version="v16",
priority="High"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[] Encoded Powershell command [1]
```
`indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-enc *" OR command_line="*-EncodedCommand *")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - Encoded PowerShell command detected",
mitre_category="Defense_Evasion",
mitre_technique="Obfuscated Files or Information",
mitre_technique_id="T1027",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1027/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-10",
last_modify_date="2025-03-10"),
mitre_version="v16",
priority="High"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[] Hidden Powershell
```
`indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-W Hidden*" AND command_line="*Invoke-WebRequest*" AND command_line="*/uploads/*")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - Suspicious PowerShell web download with hidden window",
mitre_category="Command and Control",
mitre_technique="Ingress Tool Transfer",
mitre_technique_id="T1105",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1105/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="High"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[]
```
`indextime` `sysmon` (process_name="mshta.exe" OR command_line="*mshta*") AND (command_line="*http://*" OR command_line="*https://*")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - Suspicious mshta execution with remote URL detected",
mitre_category="Execution",
mitre_technique="Mshta",
mitre_technique_id="T1218.005",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1218/005/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="High"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[]
```
`indextime` `powershell` EventCode="4103"
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - PowerShell enumeration using Get-Process and mainWindowTitle",
mitre_category="Discovery",
mitre_technique="System Information Discovery",
mitre_technique_id="T1082",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1082/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[T1010] Suspicious Process Enumeration via Get-Process and mainWindowTitle
```
`indextime` (`sysmon` EventCode=1) OR (`windows` EventCode=4688) OR (`powershell` EventCode=4103)
| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1010 - Analytic 1 - Suspicious Process Enumeration",
mitre_category="Discovery",
mitre_technique="Application Window Discovery",
mitre_technique_id="T1010",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1010/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
(CHECK) T1012 - Analytic 1 - Suspicious Commands
```
`indextime` ('powershell' EventCode="4103")
| where CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
mitre_category="Discovery",
mitre_technique="",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
(CHECK) T1012 - Analytic 1 - Suspicious Processes with Registry keys
```
`indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")
| search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
mitre_category="Discovery",
mitre_technique="",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
(CHECK) T1012 - Analytic 2 - reg.exe spawned from suspicious cmd.exe
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")
| where (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")
| rename ProcessParentGuid as guid
| join type=inner guid[
| search ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")
| rename ProcessGuid as guid ]
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 2 - reg.exe spawned from suspicious cmd.exe",
mitre_category="Discovery",
mitre_technique="",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
(CHECK) T1012 - Analytic 3 - Rare LolBAS command lines
```
`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5
| select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound
| WHERE ProcessCount < LowerBound
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
mitre_category="Discovery",
mitre_technique="",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
(CHECK) T1012 - Analytic 1 - Suspicious Registry
```
`indextime` (`windows-security` EventCode IN (4663, 4656)) AND ObjectType="Key"
| where ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Registry",
mitre_category="Discovery",
mitre_technique="",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[T1570] Suspicious Named Pipe Creation (C2 / Browser Exfil)
```
`indextime` `sysmon` EventCode=17
| where match(Pipe, ".*\\\\pipe\\\\(msse-|postex|srvsvc).*") OR Pipe="*Chrome*" OR Pipe="*Edge*" OR Pipe="*sqlite*"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1570 - Suspicious Named Pipe Activity (C2 / Browser Exfil)",
mitre_category="Lateral Movement",
mitre_technique="Lateral Tool Transfer",
mitre_technique_id="T1570",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1570/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name Pipe Image ProcessId ProcessGuid original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[I1012] Spike in Registry Access (Potential Pre-Reverse Shell Activity)
```
`indextime` `sysmon` EventCode=13
| timechart span=1m count by Image
| eventstats avg(count) as avg_count, stdev(count) as stddev_count
| eval threshold=(avg_count + (2 * stddev_count))
| where count > threshold
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Registry Spike (Anomaly)",
mitre_category="Discovery",
mitre_technique="Query Registry",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime count threshold Image mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[I1012] High Volume Registry Access (TargetObject Enumeration)
```
`indextime` `sysmon` EventCode=13
| stats count by _time, TargetObject
| where count > 5
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - High Volume Registry Enumeration",
mitre_category="Discovery",
mitre_technique="Query Registry",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name TargetObject count mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1059] Python Script Execution Logging to “results” File (Suspicious Scripting Activity)
```
`indextime` `sysmon` EventCode=1
| search Image="*python*.exe" CommandLine="*results*"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1059 - Analytic 1 - Suspicious Script Execution",
mitre_category="Execution",
mitre_technique="Command and Scripting Interpreter",
mitre_technique_id="T1059",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1059/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[T1012] Registry Modification Spike Indicative of Enumeration or Pre-Execution Behavior
```
`indextime` `sysmon` EventCode=13
| stats count by _time, TargetObject
| where count > 5
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Registry Queries",
mitre_category="Discovery",
mitre_technique="Query Registry",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-16",
last_modify_date="2025-03-16",
mitre_version="v16",
priority="Medium"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[T1555.003] Unauthorized Access to Browser Credential Stores (SQLite: Cookies, History, Web Data)
```
`indextime` `sysmon` EventCode=10
| search TargetFilename="*Cookies" OR TargetFilename="*History" OR TargetFilename="*Web Data"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1555.003 - Analytic 1 - Unauthorized Browser Data Access",
mitre_category="Credential Access",
mitre_technique="Credentials from Password Stores",
mitre_technique_id="T1555",
mitre_subtechnique="Web Browsers",
mitre_subtechnique_id="T1555.003",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1555/003/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer",
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
[T1041] High-Volume HTTP/S Exfiltration Attempt via Suspicious Process
```
`indextime` `sysmon` EventCode=3
| search DestinationPort=80 OR DestinationPort=443
| stats count by DestinationIp Image
| where count > 5
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1041 - Analytic 1 - Suspicious Data Exfiltration",
mitre_category="Exfiltration",
mitre_technique="Exfiltration Over C2 Channel",
mitre_technique_id="T1041",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1041/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer",
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1059.006] Detect Execution of Python Infostealer
```
`indextime` `windows` EventCode=4688
| search NewProcessName="*python.exe" CommandLine="*results*"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Execution",
mitre_category="Execution",
mitre_technique="Command and Scripting Interpreter",
mitre_technique_id="T1059",
mitre_subtechnique="Python",
mitre_subtechnique_id="T1059.006",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1059/006/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name NewProcessName ProcessId ParentProcessName ParentProcessId CommandLine mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1555.003] Detect Access to Browser Credential Storage
```
`indextime` `windows` EventCode=4663
| search ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1555.003 - Unauthorized Browser Credential Access",
mitre_category="Credential Access",
mitre_technique="Credentials from Password Stores",
mitre_technique_id="T1555",
mitre_subtechnique="Web Browsers",
mitre_subtechnique_id="T1555.003",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1555/003/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1012] Detect Registry Modification for Browser Decryption Key
```
indextime
index=wineventlog EventCode=4657
| search ObjectName="*os_crypt*"
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Query (Master Key Extraction)",
mitre_category="Discovery",
mitre_technique="Query Registry",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1036.003] Detection: File Renamed or Created as .py (Suspicious Python Script Drop)
```
`indextime` (`windows` EventCode=4663 ObjectName="*.py") OR (`sysmon` EventCode=11 TargetFilename="*.py")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1036.003 - File Renamed or Created as Python Script",
mitre_category="Defense Evasion",
mitre_technique="Masquerading",
mitre_technique_id="T1036",
mitre_subtechnique="Rename System Utilities",
mitre_subtechnique_id="T1036.003",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1036/003/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1059] Python Script Execution (Suspicious Results File Usage)
```
`indextime` (`windows` EventCode=4688 NewProcessName="*python.exe" CommandLine="*results*") OR (`sysmon` EventCode=1 Image="*python.exe" CommandLine="*results*")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Script Execution",
mitre_category="Execution",
mitre_technique="Command and Scripting Interpreter",
mitre_technique_id="T1059",
mitre_subtechnique="Python",
mitre_subtechnique_id="T1059.006",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1059/006/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name NewProcessName Image ProcessId CommandLine ParentProcessName ParentProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1555] Browser Credential File Access
```
`indextime` (`windows` EventCode=4663 ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History") OR (`sysmon` EventCode=10 TargetFilename="*Cookies" OR TargetFilename="*Login Data" OR TargetFilename="*Web Data" OR TargetFilename="*History")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1555.003 - Browser Credential File Access",
mitre_category="Credential Access",
mitre_technique="Credentials from Password Stores",
mitre_technique_id="T1555",
mitre_subtechnique="Web Browsers",
mitre_subtechnique_id="T1555.003",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1555/003/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1012] Registry Key Access (Browser Master Key)
```
`indextime` (`windows` EventCode=4657 ObjectName="*os_crypt*") OR (`sysmon` EventCode=13 TargetObject="*os_crypt*")
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Key Query",
mitre_category="Discovery",
mitre_technique="Query Registry",
mitre_technique_id="T1012",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1012/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="Medium",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetObject ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
[T1041] Exfiltration over Network (HTTP/HTTPS burst)
```
`indextime` (`windows` EventCode=5156 DestinationPort=80 OR DestinationPort=443) OR (`sysmon` EventCode=3 DestinationPort=80 OR DestinationPort=443)
| stats count by DestinationIp ApplicationName Image
| where count > 5
| eval hash_sha256=lower(hash_sha256),
hunting_trigger="INFOSTEALER - T1041 - High-Volume C2 Exfiltration",
mitre_category="Exfiltration",
mitre_technique="Exfiltration Over C2 Channel",
mitre_technique_id="T1041",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1041/",
creator="Cpl Iverson",
last_tested="",
upload_date="2025-03-20",
last_modify_date="2025-03-20",
mitre_version="v16",
priority="High",
custom_category="infostealer"
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name ApplicationName Image DestinationIp DestinationPort mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
| collect `jarvis_index`
```
## References
[1]: https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims
[2]: https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/

4
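--- a/steps.md
+++ b/steps.md
@@ -0,0 +1,4 @@
+index=infostealer
+1000 - 1030 20250319
+nmap > email > phishing link > rdp > file upload > run py script (data staging) > exfil > remove files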

39
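--- a/yara.md
+++ b/yara.md
@@ -0,0 +1,39 @@
+rule M_AES_Encrypted_payload {
+meta:
+author = "Mandiant"
+description = "This rule is desgined to detect on events that
+exhibits indicators of utilizing AES encryption for payload obfuscation."
+target_entity = "Process"
+strings:
+$a = /(\$\w+\.Key(\s|)=((\s|)(\w+|));|\$\w+\.Key(\s|)=(\s|)\w+\('\w+'\);)/
+$b = /\$\w+\.IV/
+$c = /System\.Security\.Cryptography\.(AesManaged|Aes)/
+condition:
+all of them
+}
+rule M_Downloader_PEAKLIGHT_1 {
+meta:
+mandiant_rule_id = "e0abae27-0816-446f-9475-1987ccbb1bc0"
+author = "Mandiant"
+category = "Malware"
+description = "This rule is designed to detect on events related to peaklight.
+PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for
+the presence of hard-coded filenames and downloads files from a remote CDN
+if the files are not present."
+family = "Peaklight"
+platform = "Windows"
+strings:
+$str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\
+{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide
+$str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\
+s{1,16}-DestinationPath/ ascii wide
+$str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide
+$str4 = ".DownloadData(" ascii wide
+$str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide
+$str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)\)))/ ascii wide
+$str7 = "Add -Type -Assembly System.IO.Compression.FileSystem" ascii wide
+$str8 = "[IO.Compression.ZipFile]::OpenRead"
+condition:
+4 of them and filesize < 10KB
+}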
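Review bot: The regex literals `$str1` and `$str2` are each split across two lines (`\)\` / `{\[IO\.File\]…` and `\$\w{1,32}\` / `s{1,16}-DestinationPath`), and the `description` meta values in both rules also run across several lines; YARA does not let a regex or a quoted string continue past a line break, so neither rule will compile as committed. The split points look like line-wrapping introduced on paste rather than intentional edits, and rejoining the four affected literals onto single lines is enough to restore them; `desgined` in the first rule's description can be corrected in the same pass. `$str8` is the only string in the PEAKLIGHT rule without `ascii wide`, which may be deliberate but is worth confirming against the upstream rule, since the other strings are all matched in both encodings.
```yara
rule M_AES_Encrypted_payload {
meta:
author = "Mandiant"
description = "This rule is designed to detect on events that exhibits indicators of utilizing AES encryption for payload obfuscation."
// … unchanged: target_entity, strings, condition …
// … unchanged: M_Downloader_PEAKLIGHT_1 meta up to category …
description = "This rule is designed to detect on events related to peaklight. PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present."
// … unchanged: family, platform …
strings:
$str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide
$str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\s{1,16}-DestinationPath/ ascii wide
// … unchanged: $str3–$str8, condition …
```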