commit 2c833f112d9c637d93e923d5b0cc04d890ca2524 Author: Matthew Iverson Date: Sun Mar 23 23:52:45 2025 -0400 Upload files to "/"
diff --git a/ioc.md b/ioc.md new file mode 100644
index 0000000..0320174
--- /dev/null
+++ b/ioc.md
@@ -0,0 +1,236 @@
+## MD5
+```
+f8df6cf748cc3cf7c05ab18e798b3e91,md5, info Stealer Implants,,,
+ef8c77dc451f6c783d2c4ddb726de111,md5, info Stealer Implants,,,
+de26f488328ea0436199c5f728ecd82a,md5, info Stealer Implants,,,
+d4b75a8318befdb1474328a92f0fc79d,md5, info Stealer Implants,,,
+ba40c097e9d06130f366b86deb4a8124,md5, info Stealer Implants,,,
+b0844bb9a6b026569f9baf26a40c36f3,md5, info Stealer Implants,,,
+89052678dc147a01f3db76febf8441e4,md5, info Stealer Implants,,,
+842f8064a81eb5fc8828580a08d9b044,md5, info Stealer Implants,,,
+7c527c6607cc1bfa55ac0203bf395939,md5, info Stealer Implants,,,
+75fd9018433f5cbd2a4422d1f09b224e,md5, info Stealer Implants,,,
+729c24cc6a49fb635601eb88824aa276,md5, info Stealer Implants,,,
+69f6dcdb3d87392f300e9052de99d7ce,md5, info Stealer Implants,,,
+5e17d1a077f86f7ae4895a312176eba6,md5, info Stealer Implants,,,
+373ebf513d0838e1b8c3ce2028c3e673,md5, info Stealer Implants,,,
+351260c2873645e314a889170c7a7750,md5, info Stealer Implants,,,
+23ce22596f1c7d6db171753c1d2612fe,md5, info Stealer Implants,,,
+0c03efd969f6d9e6517c300f8fd92921,md5, info Stealer Implants,,,
+277acb857f1587221fc752f19be27187,md5, info Stealer Implants,,,
+faa47ecbcc846bf182e4ecf3f190a9f4,md5, info Stealer Payload,,,
+d8c6199b414bdf298b6a774e60515ba5,md5, info Stealer Payload,,,
+9d3337f0e95ece531909e4c8d9f1cc55,md5, info Stealer Payload,,,
+6bd84dfb987f9c40098d12e3959994bc,md5, info Stealer Payload,,,
+6396908315d9147de3dff98ab1ee4cbe,md5, info Stealer Payload,,,
+1e210fcc47eda459998c9a74c30f394e,md5, info Stealer Payload,,,
+fe0438938eef75e090a38d8b17687357,md5, info Stealer Payload,,,
+e0f8d7ec2be638fbf3ddf8077e775b2d,md5, info Stealer Bait File,,,
+cdd4cfac3ffe891eac5fb913076c4c40,md5, info Stealer Bait File,,,
+b57b13e9883bbee7712e52616883d437,md5, info Stealer Bait File,,,
+a3f4e422aecd0547692d172000e4b9b9,md5, info Stealer Bait File,,,
+9871272af8b06b484f0529c10350a910,md5, info Stealer Bait File,,,
+97b19d9709ed3b849d7628e2c31cdfc4,md5, info Stealer Bait File,,,
+8e960334c786280e962db6475e0473ab,md5, info Stealer Bait File,,,
+76e7cbab1955faa81ba0dda824ebb31d,md5, info Stealer Bait File,,,
+7140dbd0ca6ef09c74188a41389b0799,md5, info Stealer Bait File,,,
+5c3394e37c3d1208e499abe56e4ec7eb,md5, info Stealer Bait File,,,
+47765d12f259325af8acda48b1cbad48,md5, info Stealer Bait File,,,
+3e6cf927c0115f76ccf507d2f5913e02,md5, info Stealer Bait File,,,
+32da6c4a44973a5847c4a969950fa4c4,md5, info Stealer Bait File,,,
+fea50d3bb695f6ccc5ca13834cdfe298,md5, Lumma Stealer,,,
+83ae58dd03f33d1fae6771e859200be6,md5, Lumma Stealer,,,
+7b1f43deed8fc7e35f8394548e12dd81,md5, Lumma Stealer,,,
+c39f64a31e9f15338f83411bb9fc0942,md5, Lumma Stealer,,,
+b832096cf669ff4d66e04b252cb1a1dc,md5, Lumma Stealer,,,
+d6ea5dcdb2f88a65399f87809f43f83c,md5, erefgojgbu - CRYPTBOT,,,
+307f40ebc6d8a207455c96d34759f1f3,md5, L2.zip - CRYPTBOT,,,
+d8e21ac76b228ec144217d1e85df2693,md5, Sеtup.exe - CRYPTBOT,,,
+43939986a671821203bf9b6ba52a51b4,md5, oqnhustu - LUMMAC.V2,,,
+58c4ba9385139785e9700898cb097538,md5, WebView2Loader.dll - LUMMAC.V2,,,
+95361f5f264e58d6ca4538e7b436ab67,md5, Downloader - PEAKLIGHT,,,
+b716a1d24c05c6adee11ca7388b728d3,md5, Downloader - PEAKLIGHT,,,
+b15bac961f62448c872e1dc6d3931016,md5, Aaaa.exe - SHADOWLADDER,,,
+e7c43dc3ec4360374043b872f934ec9e,md5, bentonite.cfg - SHADOWLADDER,,,
+f98e0d9599d40ed032ff16de242987ca,md5, cymophane.doc - SHADOWLADDER,,,
+b6b8164feca728db02e6b636162a2960,md5, K1.zip - SHADOWLADDER,,,
+bb9641e3035ae8c0ab6117ecc82b65a1,md5, K1.zip - SHADOWLADDER,,,
+236c709bbcb92aa30b7e67705ef7f55a,md5, K2.zip - SHADOWLADDER,,,
+d7aff07e7cd20a5419f2411f6330f530,md5, K2.zip - SHADOWLADDER,,,
+a6c4d2072961e9a8c98712c46be588f8,md5, L1.zip - SHADOWLADDER,,,
+059d94e8944eca4056e92d60f7044f14,md5, LiteSkinUtils.dll - SHADOWLADDER,,,
+dfdc331e575dae6660d6ed3c03d214bd,md5, toughie.txt - SHADOWLADDER,,,
+47eee41b822d953c47434377006e01fe,md5, WCLDll.dll - SHADOWLADDER,,,
+```
+
+## Sha256
+```
+b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624, sha256, Malware, PS, medium
+cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54, sha256, Malware, PS, medium
+632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c, sha256, Malware, ZIP, medium
+19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a, sha256, Malware, ZIP, medium
+d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207, sha256, Malware, EXE, medium
+bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55, sha256, Malware, EXE, medium
+fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511, sha256, Malware, HTA, medium
+ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef, sha256, AntiSpam.exe, nan, medium
+d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08, sha256, AntiSpam.exe, nan, medium
+dc5c9310a2e6297caa4304002cdfb6fbf7d6384ddbd58574f77a411f936fab0b, sha256, AntiSpam.exe, nan, medium
+24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793, sha256, , nan, medium
+9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7, sha256, , nan, medium
+ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c, sha256, update6.exe Used, nan, medium
+ab1f101f6cd7c0cffc65df720b92bc8272f82a1e13f207dff21caaff7675029f, sha256, update7.exe, nan, medium
+9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2, sha256, update8.exe, nan, medium
+ab3daec39332ddeeba64a2f1916e6336a36ffcc751554954511121bd699b0caa, sha256, atiumdag.dll, nan, medium
+7d96ec8b72015515c4e0b5a1ae6c799801cf7b86861ade0298a372c7ced5fd93, sha256, Log.dll., nan, medium
+9dc809b2e5fbf38fa01530609ca7b608e2e61bd713145f84cf22c68809aec372, sha256, proxy, nan, medium
+fb4fa180a0eee68c06c85e1e755f423a64aa92a3ec6cf76912606ac253973506, sha256, , PS, medium
+fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3, sha256, , nan, medium
+949faad2c2401eb854b9c32a6bb6e514ad075e5cbe96154c172f5f6628af43ed, sha256, , nan, medium
+b92cf617a952f0dd2c011d30d8532d895c0cfbfd9556f7595f5b220e99d14d64, sha256, update2.dll , nan, medium
+cff5c6694d8925a12ce13a85e969bd468e28313af2fb46797bdcf77092012732, sha256, APEXScan.exe , nan, medium
+cb03b206d63be966ddffa7a2115ea99f9fec50d351dce03dff1240bb073b5b50, sha256, unnamed , nan, medium
+ccaa8c8b39cb4a4de4944200936bcd4796367c16421a89e6a7d5476ae2da78cd, sha256, update1.exe , nan, medium
+1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e, sha256, update4.exe , nan, medium
+ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7, sha256, lu2.exe , nan, medium
+```
+
+
+## IPs
+```
+77.73.134.68,ip_address, Lumma Stealer
+144.76.173.247,ip_address, Lumma Stealer
+157.90.248.179,ip_address, Lumma Stealer
+213.252.244.62,ip_address, Lumma Stealer
+45.155.249.97,ip_address, Cobalt Strike C2 IP address
+77.238.224.56,ip_address, C2 address
+77.238.229.63,ip_address, C2 address
+77.238.250.123,ip_address, C2 address
+77.238.245.233,ip_address,C2 address
+91.142.74.28,ip_address,C2 address
+191.142.74.28,ip_address,C2 address
+195.2.70.38,ip_address,C2 address
+37.221.126.202,ip_address,C2 address used by the threat actor to connect via Anydesk
+91.196.70.160,ip_address, Socks proxy server
+217.15.175.191,ip_address, SystemBC C2 IP address
+```
+
+
+## Domains
+```
+testdomain123123.shop, domain, maliciousmd5, infoStealers
+savefrom.net, domain,streamingmd5, infoStealers
+unblocked.watch, domain,streamingmd5, infoStealers
+mp3fromlink.com, domain,streamingmd5, infoStealers
+hisotv.com, domain,streamingmd5, infoStealers
+www.portalmovies.com.ar, domain,streamingmd5, infoStealers
+sfrom.net, domain,streamingmd5, infoStealers
+tagalogdubbed.com, domain,streamingmd5, infoStealers
+www.youtubepp.com, domain,streamingmd5, infoStealers
+ssyoutube.com, domain,streamingmd5, infoStealers
+www.y2mate.com, domain,streamingmd5, infoStealers
+Multicanais.love, domain,streamingmd5, infoStealers
+averageorganicfallfaw.shop, domain, Command Servers -md5, infoStealers
+distincttangyflippan.shop, domain, Command Servers -md5, infoStealers
+macabrecondfucews.shop, domain, Command Servers -md5, infoStealers
+greentastellesqwm.shop, domain, Command Servers -md5, infoStealers
+stickyyummyskiwffe.shop, domain, Command Servers -md5, infoStealers
+sturdyregularrmsnhw.shop, domain, Command Servers -md5, infoStealers
+lamentablegapingkwaq.shop, domain, Command Servers -md5, infoStealers
+Innerverdanytiresw.shop, domain, Command Servers -md5, infoStealers
+standingcomperewhitwo.shop, domain, Command Servers -md5, infoStealers
+uniedpureevenywjk.shop, domain, samples -md5, infoStealers
+spotlessimminentys.shop, domain, samples -md5, infoStealers
+specialadventurousw.shop, domain, samples -md5, infoStealers
+stronggemateraislw.shop, domain, samples -md5, infoStealers
+willingyhollowsk.shop, domain, samples -md5, infoStealers
+handsomelydicrwop.shop, domain, samples -md5, infoStealers
+softcallousdmykw.shop, domain, samples -md5, infoStealers
+celebratioopz.shop, domain, Lumma Stealer, infoStealers
+writerospzm.shop, domain, Lumma Stealer, infoStealers
+deallerospfosu.shop, domain, Lumma Stealer, infoStealers
+bassizcellskz.shop, domain, Lumma Stealer, infoStealers
+mennyudosirso.shop, domain, Lumma Stealer, infoStealers
+languagedscie.shop, domain, Lumma Stealer, infoStealers
+complaintsipzzx.shop, domain, Lumma Stealer, infoStealers
+quialitsuzoxm.shop, domain, Lumma Stealer, infoStealers
+relaxtionflouwerwi.shop, domain, LUMMAC.V2 C2s, infoStealers
+deprivedrinkyfaiir.shop, domain, LUMMAC.V2 C2s, infoStealers
+detailbaconroollyws.shop, domain, LUMMAC.V2 C2s, infoStealers
+messtimetabledkolvk.shop, domain, LUMMAC.V2 C2s, infoStealers
+considerrycurrentyws.shop, domain, LUMMAC.V2 C2s, infoStealers
+understanndtytonyguw.shop, domain, LUMMAC.V2 C2s, infoStealers
+patternapplauderw.shop, domain, LUMMAC.V2 C2s, infoStealers
+horsedwollfedrwos.shop, domain, LUMMAC.V2 C2s, infoStealers
+tropicalironexpressiw.shop, domain, LUMMAC.V2 C2s, infoStealers
+falseaudiencekd.shop, domain,Lumma C2 domain, infoStealers
+feighminoritsjda.shop, domain,Lumma C2 domain, infoStealers
+justifycanddidatewd.shop, domain,Lumma C2 domain, infoStealers
+marathonbeedksow.shop, domain,Lumma C2 domain, infoStealers
+pleasurenarrowsdla.shop, domain,Lumma C2 domain, infoStealers
+raiseboltskdlwpow.shop, domain,Lumma C2 domain, infoStealers
+richardflorespoew.shop, domain,Lumma C2 domain, infoStealers
+strwawrunnygjwu.shop, domain,Lumma C2 domain, infoStealers
+https://ch3.dlvideosfre.click/human-verify-system.html, domain, Lumma Stealer, infoStealers
+https://verif.dlvideosfre.click/2ndhsoru, domain, Lumma Stealer, infoStealers
+https://verif.dlvideosfre.click/K1.zip, domain, Lumma Stealer, infoStealers
+https://verif.dlvideosfre.click/K2.zip, domain, Lumma Stealer, infoStealers
+https://verif.dlvideosfre.click, domain, Lumma Stealer, infoStealers
+Ofsetvideofre.click/, domain, Fake Captcha Websites, infoStealers
+Newvideozones.click/veri.html, domain, Fake Captcha Websites, infoStealers
+Clickthistogo.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67?var_3=F60A0050-6F56-11EF-AA98-FFC33B7D3D59, domain, Fake Captcha Websites, infoStealers
+Downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c, domain, Fake Captcha Websites, infoStealers
+Betterdirectit.com/, domain, Fake Captcha Websites, infoStealers
+Betterdirectit.com/go/67fe87ca-a2d4-48ae-9352-c5453156df67, domain, Fake Captcha Websites, infoStealers
+heroic-genie-2b372e.netlify.app/please-verify-z.html, domain, Fake Captcha Websites, infoStealers
+Downloadstep.com/go/79553157-f8b8-440b-ae81-0d81d8fa17c4, domain, Fake Captcha Websites, infoStealers
+Downloadsbeta.com/go/08a742f2-0a36-4a00-a979-885700e3028c, domain, Fake Captcha Websites, infoStealers
+Streamingsplays.com/go/6754805d-41c5-46b7-929f-6655b02fce2c, domain, Fake Captcha Websites, infoStealers
+Streamingsplays.com/go/b11f973d-01d4-4a5b-8af3-139daaa5443f, domain, Fake Captcha Websites, infoStealers
+Streamingszone.com/go/b3ddd860-89c0-448c-937d-acf02f7a766f?c=AOsl62afSQUAEX4CAEJPFwASAAAAAABQ, domain, Fake Captcha Websites, infoStealers
+Streamingsplays.com/go/1c406539-b787-4493-a61b-f4ea31ffbd56, domain, Fake Captcha Websites, infoStealers
+github-scanner.shop/, domain, Fake Captcha Websites, infoStealers
+github-scanner.com/, domain, Fake Captcha Websites, infoStealers
+botcheck.b-cdn.net/captcha-verify-v7.html, domain, Fake Captcha Websites, infoStealers
+Rungamepc.ru/?load=Black-Myth-Wukong-crack, domain, Redirectingmd5, infoStealers
+game02-com.ru/?load=Cities-Skylines-2-Crack-Setup, domain, Redirectingmd5, infoStealers
+Rungamepc.ru/?load=Dragons-Dogma-2-Crack, domain, Redirectingmd5, infoStealers
+Rungamepc.ru/?load=Dying-Light-2-Crack, domain, Redirectingmd5, infoStealers
+Rungamepc.ru/?load=Monster-Hunter-Rise-Crack, domain, Redirectingmd5, infoStealers
+Runkit.com/wukong/black-myth-wukong-crack-pc, domain, Websites Containing Malicious URLsmd5, infoStealers
+Runkit.com/skylinespc/cities-skylines-ii-crack-pc-full-setup, domain, Websites Containing Malicious URLsmd5, infoStealers
+Runkit.com/masterposte/dying-light-2-crack-on-pc-denuvo-fix, domain, Websites Containing Malicious URLsmd5, infoStealers
+Runkit.com/dz4583276/monster-hunter-rise-crack-codex-pc/1.0.0/clone, domain, Websites Containing Malicious URLsmd5, infoStealers
+Groups.google.com/g/hogwarts-legacy-crack-empress, domain, Websites Containing Malicious URLsmd5, infoStealers
+By.tribuna.com/extreme/blogs/3143511-black-myth-wukong-full-unlock/, domain, Websites Containing Malicious URLsmd5, infoStealers
+https://human-check.b-cdn.net/verify-captcha-v7.html, domain, Lumma Stealer CAPTCHA, infoStealers
+https://poko.b-cdn.net/poko, domain,Lumma Stealer Mshta, infoStealers
+https://fatodex.b-cdn.net/fatodex, domain, PEAKLIGHT NBIsmd5, infoStealers
+https://matodown.b-cdn.net/matodown, domain, PEAKLIGHT NBIsmd5, infoStealers
+https://potexo.b-cdn.net/potexo, domain, PEAKLIGHT NBIsmd5, infoStealers
+hxxp://gceight8vt.top/upload.php, domain,CRYPTBOT C2s, infoStealers
+https://brewdogebar.com/code.vue, domain,CRYPTBOT C2s, infoStealers
+hxxp://62.133.61.56/Downloads/Full%20Video%20HD%20(1080p).lnk, domain,SHADOWLADDER, infoStealers
+https://fatodex.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
+https://fatodex.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
+https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png, domain,SHADOWLADDER, infoStealers
+https://matodown.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
+https://matodown.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
+https://nextomax.b-cdn.net/L1.zip, domain,SHADOWLADDER, infoStealers
+https://nextomax.b-cdn.net/L2.zip, domain,SHADOWLADDER, infoStealers
+https://potexo.b-cdn.net/K1.zip, domain,SHADOWLADDER, infoStealers
+https://potexo.b-cdn.net/K2.zip, domain,SHADOWLADDER, infoStealers
+spamicrosoft.com, domain,Used to make external Microsoft Teams calls after email bombing users., infoStealers
+halagifts.com, domain,SystemBC C2 domain, infoStealers
+preservedmoment.com, domain,Cobalt Strike domain, infoStealers
+```
+
+[1][2][3][4][5][6]
+
+
+
+[1]: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
+[2]: https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/
+[3]: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
+[4]: https://denwp.com/dissecting-lumma-malware/
+[5]: https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
+[6]: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/
diff --git a/rules.md b/rules.md new file mode 100644
index 0000000..242e547
--- /dev/null
+++ b/rules.md
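Review bot: The four sections of ioc.md do not share a column layout, so the file cannot be loaded as one CSV: MD5 rows have six fields with three empty trailers (`f8df6cf748cc3cf7c05ab18e798b3e91,md5, info Stealer Implants,,,`), SHA256 rows have five with a literal `nan` placeholder, IP rows three and domain rows four, and the space after each comma varies from row to row. One header such as `indicator,type,description,source,confidence` applied to every section (or one file per section) would make the list ingestible without hand cleaning. The indicator values also need normalising before they are matched: the `update8.exe` SHA256 is upper-case while the rest are lower-case, and the Domains block mixes bare hostnames, capitalised hostnames, full URLs with paths and query strings, and `hxxp://`-defanged URLs alongside live `https://` ones, all typed `domain`. Two IP rows, `91.142.74.28` and `191.142.74.28`, differ by a single leading digit, which looks like a typo in one of them and is worth confirming against the cited source. The `Sеtup.exe - CRYPTBOT` label appears to contain a non-ASCII look-alike for the `e`; if that is how the sample was named it should be noted next to the row, since an ASCII search for the name will not match it.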
@@ -0,0 +1,710 @@
+# Rules for Info Stealers
+
+
+
+[] Suspicious File Access and Modifications
+```
+`indextime` `sysmon` EventID=11 TargetFilename IN ("*\\Chrome\\User Data\\Default\\Cookies", "*\\Edge\\User Data\\Default\\Cookies", "*\\Chrome\\User Data\\Default\\History", "*\\Edge\\User Data\\Default\\History")
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="Python decryption routine detected",
+ mitre_category="Defense_Evasion",
+ mitre_technique="Deobfuscate/Decode Files or Information",
+ mitre_technique_id="T1140",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1140/",
+ creator="Cpl Iverson",
+ last_tested=""),
+ upload_date="2025-03-10",
+ last_modify_date="2025-03-10",
+ mitre_version="v16",
+ priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[] Suspicious Process Execution
+```
+`indextime` `sysmon` EventID=1 Image="*python.exe" CommandLine="*decrypt_value*"
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="Python decryption routine detected",
+ mitre_category="Defense_Evasion",
+ mitre_technique="Deobfuscate/Decode Files or Information",
+ mitre_technique_id="T1140",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1140/",
+ creator="Cpl Iverson",
+ last_tested=""),
+ upload_date="2025-03-10",
+ last_modify_date="2025-03-10",
+ mitre_version="v16",
+ priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[] Encoded Powershell command [1]
+```
+`indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-enc *" OR command_line="*-EncodedCommand *")
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - Encoded PowerShell command detected",
+ mitre_category="Defense_Evasion",
+ mitre_technique="Obfuscated Files or Information",
+ mitre_technique_id="T1027",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1027/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-10",
+ last_modify_date="2025-03-10"),
+ mitre_version="v16",
+ priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[] Hidden Powershell
+```
+`indextime` `powershell` (process_name="powershell.exe" OR command_line="*powershell.exe*") AND (command_line="*-W Hidden*" AND command_line="*Invoke-WebRequest*" AND command_line="*/uploads/*")
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - Suspicious PowerShell web download with hidden window",
+ mitre_category="Command and Control",
+ mitre_technique="Ingress Tool Transfer",
+ mitre_technique_id="T1105",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1105/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[]
+```
+`indextime` `sysmon` (process_name="mshta.exe" OR command_line="*mshta*") AND (command_line="*http://*" OR command_line="*https://*")
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - Suspicious mshta execution with remote URL detected",
+ mitre_category="Execution",
+ mitre_technique="Mshta",
+ mitre_technique_id="T1218.005",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1218/005/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[]
+```
+`indextime` `powershell` EventCode="4103"
+| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - PowerShell enumeration using Get-Process and mainWindowTitle",
+ mitre_category="Discovery",
+ mitre_technique="System Information Discovery",
+ mitre_technique_id="T1082",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1082/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[T1010] Suspicious Process Enumeration via Get-Process and mainWindowTitle
+```
+`indextime` (`sysmon` EventCode=1) OR (`windows` EventCode=4688) OR (`powershell` EventCode=4103)
+| where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1010 - Analytic 1 - Suspicious Process Enumeration",
+ mitre_category="Discovery",
+ mitre_technique="Application Window Discovery",
+ mitre_technique_id="T1010",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1010/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium",
+ custom_category="infostealer"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
+| collect `jarvis_index`
+```
+
+(CHECK) T1012 - Analytic 1 - Suspicious Commands
+
+```
+`indextime` ('powershell' EventCode="4103")
+| where CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
+ mitre_category="Discovery",
+ mitre_technique="",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+(CHECK) T1012 - Analytic 1 - Suspicious Processes with Registry keys
+```
+`indextime` (`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")
+| search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
+ mitre_category="Discovery",
+ mitre_technique="",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+(CHECK) T1012 - Analytic 2 - reg.exe spawned from suspicious cmd.exe
+```
+`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")
+| where (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")
+| rename ProcessParentGuid as guid
+| join type=inner guid[
+| search ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")
+| rename ProcessGuid as guid ]
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 2 - reg.exe spawned from suspicious cmd.exe",
+ mitre_category="Discovery",
+ mitre_technique="",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+(CHECK) T1012 - Analytic 3 - Rare LolBAS command lines
+```
+`indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5
+| select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound
+| WHERE ProcessCount < LowerBound
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Commands",
+ mitre_category="Discovery",
+ mitre_technique="",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+(CHECK) T1012 - Analytic 1 - Suspicious Registry
+```
+`indextime` (`windows-security` EventCode IN (4663, 4656)) AND ObjectType="Key"
+| where ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Registry",
+ mitre_category="Discovery",
+ mitre_technique="",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[T1570] Suspicious Named Pipe Creation (C2 / Browser Exfil)
+```
+`indextime` `sysmon` EventCode=17
+| where match(Pipe, ".*\\\\pipe\\\\(msse-|postex|srvsvc).*") OR Pipe="*Chrome*" OR Pipe="*Edge*" OR Pipe="*sqlite*"
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1570 - Suspicious Named Pipe Activity (C2 / Browser Exfil)",
+ mitre_category="Lateral Movement",
+ mitre_technique="Lateral Tool Transfer",
+ mitre_technique_id="T1570",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1570/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-20",
+ last_modify_date="2025-03-20",
+ mitre_version="v16",
+ priority="Medium",
+ custom_category="infostealer"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name Pipe Image ProcessId ProcessGuid original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
+| collect `jarvis_index`
+```
+
+[I1012] Spike in Registry Access (Potential Pre-Reverse Shell Activity)
+```
+`indextime` `sysmon` EventCode=13
+| timechart span=1m count by Image
+| eventstats avg(count) as avg_count, stdev(count) as stddev_count
+| eval threshold=(avg_count + (2 * stddev_count))
+| where count > threshold
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Registry Spike (Anomaly)",
+ mitre_category="Discovery",
+ mitre_technique="Query Registry",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-20",
+ last_modify_date="2025-03-20",
+ mitre_version="v16",
+ priority="Medium",
+ custom_category="infostealer"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime count threshold Image mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
+| collect `jarvis_index`
+
+```
+
+[I1012] High Volume Registry Access (TargetObject Enumeration)
+```
+`indextime` `sysmon` EventCode=13
+| stats count by _time, TargetObject
+| where count > 5
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - High Volume Registry Enumeration",
+ mitre_category="Discovery",
+ mitre_technique="Query Registry",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-20",
+ last_modify_date="2025-03-20",
+ mitre_version="v16",
+ priority="Medium",
+ custom_category="infostealer"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name TargetObject count mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category
+| collect `jarvis_index`
+```
+
+[T1059] Python Script Execution Logging to “results” File (Suspicious Scripting Activity)
+```
+`indextime` `sysmon` EventCode=1
+| search Image="*python*.exe" CommandLine="*results*"
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1059 - Analytic 1 - Suspicious Script Execution",
+ mitre_category="Execution",
+ mitre_technique="Command and Scripting Interpreter",
+ mitre_technique_id="T1059",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1059/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+[T1012] Registry Modification Spike Indicative of Enumeration or Pre-Execution Behavior
+```
+`indextime` `sysmon` EventCode=13
+| stats count by _time, TargetObject
+| where count > 5
+| eval hash_sha256=lower(hash_sha256),
+ hunting_trigger="INFOSTEALER - T1012 - Analytic 1 - Suspicious Registry Queries",
+ mitre_category="Discovery",
+ mitre_technique="Query Registry",
+ mitre_technique_id="T1012",
+ mitre_subtechnique="",
+ mitre_subtechnique_id="",
+ apt="",
+ mitre_link="https://attack.mitre.org/techniques/T1012/",
+ creator="Cpl Iverson",
+ last_tested="",
+ upload_date="2025-03-16",
+ last_modify_date="2025-03-16",
+ mitre_version="v16",
+ priority="Medium"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+
+[T1555.003] Unauthorized Access to Browser Credential Stores (SQLite: Cookies, History, Web Data)
+```
+`indextime` `sysmon` EventCode=10
+| search TargetFilename="*Cookies" OR TargetFilename="*History" OR TargetFilename="*Web Data"
+| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1555.003 - Analytic 1 - Unauthorized Browser Data Access", + mitre_category="Credential Access", + mitre_technique="Credentials from Password Stores", + mitre_technique_id="T1555", + mitre_subtechnique="Web Browsers", + mitre_subtechnique_id="T1555.003", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1555/003/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer", +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority +| collect `jarvis_index` +``` + +[T1041] High-Volume HTTP/S Exfiltration Attempt via Suspicious Process +``` +`indextime` `sysmon` EventCode=3 +| search DestinationPort=80 OR DestinationPort=443 +| stats count by DestinationIp Image +| where count > 5 +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1041 - Analytic 1 - Suspicious Data Exfiltration", + mitre_category="Exfiltration", + mitre_technique="Exfiltration Over C2 Channel", + mitre_technique_id="T1041", + mitre_subtechnique="", + mitre_subtechnique_id="", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1041/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer", +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name 
original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + + +[T1059.006] Detect Execution of Python Infostealer +``` +`indextime` `windows` EventCode=4688 +| search NewProcessName="*python.exe" CommandLine="*results*" +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Execution", + mitre_category="Execution", + mitre_technique="Command and Scripting Interpreter", + mitre_technique_id="T1059", + mitre_subtechnique="Python", + mitre_subtechnique_id="T1059.006", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1059/006/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name NewProcessName ProcessId ParentProcessName ParentProcessId CommandLine mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1555.003] Detect Access to Browser Credential Storage +``` +`indextime` `windows` EventCode=4663 +| search ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History" +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1555.003 - Unauthorized Browser Credential Access", + mitre_category="Credential Access", + mitre_technique="Credentials from Password Stores", + 
mitre_technique_id="T1555", + mitre_subtechnique="Web Browsers", + mitre_subtechnique_id="T1555.003", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1555/003/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1012] Detect Registry Modification for Browser Decryption Key +``` +indextime +index=wineventlog EventCode=4657 +| search ObjectName="*os_crypt*" +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Query (Master Key Extraction)", + mitre_category="Discovery", + mitre_technique="Query Registry", + mitre_technique_id="T1012", + mitre_subtechnique="", + mitre_subtechnique_id="", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1012/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="Medium", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName ProcessName ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1036.003] Detection: File Renamed or Created as .py (Suspicious Python Script Drop) +``` +`indextime` (`windows` EventCode=4663 
ObjectName="*.py") OR (`sysmon` EventCode=11 TargetFilename="*.py") +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1036.003 - File Renamed or Created as Python Script", + mitre_category="Defense Evasion", + mitre_technique="Masquerading", + mitre_technique_id="T1036", + mitre_subtechnique="Rename System Utilities", + mitre_subtechnique_id="T1036.003", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1036/003/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="Medium", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1059] Python Script Execution (Suspicious Results File Usage) +``` +`indextime` (`windows` EventCode=4688 NewProcessName="*python.exe" CommandLine="*results*") OR (`sysmon` EventCode=1 Image="*python.exe" CommandLine="*results*") +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1059.006 - Suspicious Python Script Execution", + mitre_category="Execution", + mitre_technique="Command and Scripting Interpreter", + mitre_technique_id="T1059", + mitre_subtechnique="Python", + mitre_subtechnique_id="T1059.006", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1059/006/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name 
NewProcessName Image ProcessId CommandLine ParentProcessName ParentProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1555] Browser Credential File Access +``` +`indextime` (`windows` EventCode=4663 ObjectName="*Cookies" OR ObjectName="*Login Data" OR ObjectName="*Web Data" OR ObjectName="*History") OR (`sysmon` EventCode=10 TargetFilename="*Cookies" OR TargetFilename="*Login Data" OR TargetFilename="*Web Data" OR TargetFilename="*History") +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1555.003 - Browser Credential File Access", + mitre_category="Credential Access", + mitre_technique="Credentials from Password Stores", + mitre_technique_id="T1555", + mitre_subtechnique="Web Browsers", + mitre_subtechnique_id="T1555.003", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1555/003/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetFilename ProcessName Image ProcessId Accesses mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1012] Registry Key Access (Browser Master Key) +``` +`indextime` (`windows` EventCode=4657 ObjectName="*os_crypt*") OR (`sysmon` EventCode=13 TargetObject="*os_crypt*") +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1012 - Suspicious Registry Key Query", + mitre_category="Discovery", + mitre_technique="Query 
Registry", + mitre_technique_id="T1012", + mitre_subtechnique="", + mitre_subtechnique_id="", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1012/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="Medium", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ObjectName TargetObject ProcessName Image ProcessId mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` +``` + +[T1041] Exfiltration over Network (HTTP/HTTPS burst) +``` +`indextime` (`windows` EventCode=5156 DestinationPort=80 OR DestinationPort=443) OR (`sysmon` EventCode=3 DestinationPort=80 OR DestinationPort=443) +| stats count by DestinationIp ApplicationName Image +| where count > 5 +| eval hash_sha256=lower(hash_sha256), + hunting_trigger="INFOSTEALER - T1041 - High-Volume C2 Exfiltration", + mitre_category="Exfiltration", + mitre_technique="Exfiltration Over C2 Channel", + mitre_technique_id="T1041", + mitre_subtechnique="", + mitre_subtechnique_id="", + apt="", + mitre_link="https://attack.mitre.org/techniques/T1041/", + creator="Cpl Iverson", + last_tested="", + upload_date="2025-03-20", + last_modify_date="2025-03-20", + mitre_version="v16", + priority="High", + custom_category="infostealer" +| eval indextime = _indextime +| convert ctime(indextime) +| table _time indextime event_description hash_sha256 host_fqdn user_name ApplicationName Image DestinationIp DestinationPort mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority custom_category +| collect `jarvis_index` 
+``` + + +## References +[1]: https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims +[2]: https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ diff --git a/steps.md b/steps.md new file mode 100644 index 0000000..6be7cb4 --- /dev/null +++ b/steps.md @@ -0,0 +1,4 @@ +index=infostealer +1000 - 1030 20250319 +nmap > email > phishing link > rdp > file upload > run py script (data staging) > exfil > remove files + diff --git a/yara.md b/yara.md new file mode 100644 index 0000000..06bc932 --- /dev/null +++ b/yara.md 
@@ -0,0 +1,39 @@ +rule M_AES_Encrypted_payload { + meta: + author = "Mandiant" + description = "This rule is desgined to detect on events that +exhibits indicators of utilizing AES encryption for payload obfuscation." + target_entity = "Process" + strings: + $a = /(\$\w+\.Key(\s|)=((\s|)(\w+|));|\$\w+\.Key(\s|)=(\s|)\w+\('\w+'\);)/ + $b = /\$\w+\.IV/ + $c = /System\.Security\.Cryptography\.(AesManaged|Aes)/ + condition: + all of them +} + +rule M_Downloader_PEAKLIGHT_1 { + meta: + mandiant_rule_id = "e0abae27-0816-446f-9475-1987ccbb1bc0" + author = "Mandiant" + category = "Malware" + description = "This rule is designed to detect on events related to peaklight. +PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for +the presence of hard-coded filenames and downloads files from a remote CDN +if the files are not present." + family = "Peaklight" + platform = "Windows" + strings: + $str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\ +{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide + $str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\ +s{1,16}-DestinationPath/ ascii wide + $str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide + $str4 = ".DownloadData(" ascii wide + $str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide + $str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)\)))/ ascii wide + $str7 = "Add -Type -Assembly System.IO.Compression.FileSystem" ascii wide + $str8 = "[IO.Compression.ZipFile]::OpenRead" + condition: + 4 of them and filesize < 10KB +}
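Review bot: Both rules as committed will not compile in YARA, because the `description` meta strings span several lines and the `$str1`/`$str2` regexes in M_Downloader_PEAKLIGHT_1 are cut by a trailing `\` plus newline, which YARA does not treat as line continuation — these look like the line wraps of the page they were copied from. The fix is to join each wrapped fragment back onto its line: `$str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide` and `$str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\s{1,16}-DestinationPath/ ascii wide` (presumably the intended `\{` and `\s` escapes), and to collapse each `description` onto one line. While there, `desgined` in the first rule's description is a typo, and the file would be more useful saved with a `.yar` extension or inside a fenced block rather than as bare `.md`, so a `yara -w` or `yarac` compile check can be run on it before it is deployed.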