Posts

Hunting CurrentVersion Run Key and Startup events

Hunting startup events can be tricky but rewarding. There are a lot of events which makes filtering difficult and there are some tricks to isolating the data. One way is to look at the registry keys and directories being written too but for hunting I assume that there are some past events that were missed. Here is a method of profiling the events at run time. For events from currentversion/run or start menu events the parent will be explorer.exe and the grandparent will be userinit.exe . But, they need to occur in a smallish time from after userinit executes. This example is limiting the results to keywords .vbs .wsf .bat, but we can look for all sorts of interesting things, hta files, powershell, temp directory, etc. Run key or Start Menu  .vbs .wsf .bat index=edr procstart ( userinit.exe explorer.exe parent_path=*\\userinit.exe ) OR ( explorer.exe parent_path=*\\explorer.exe ( .vbs OR .wsf OR .bat ) NOT ( [put filters here] )) | bucket _time span=5m | stats values(comma

GatherNetworkInfo.vbs is a LolBin too

Nice find by @Hexacorn on " SettingSyncHost.exe as a LolBin ". Knowing that gatherNetworkInfo.vbs had some of the same characteristics I checked it using @Hexacorn's methodology and it works great. Just rename your binary in the current working directory and trigger. I was also able to get this to work in other user writable directories so it is not just limited to TEMP. c:\windows\system32\cscript.exe c:\windows\system32\gatherNetworkInfo.vbs I don't think this is the full list of programs called but it should be most of them. reg.exe sc.exe wevtutil.exe arp.exe certutil.exe route.exe net.exe Detection Identifying a true positive for these might be tricky, not because a signature is difficult, but because even if it triggers the main indicator is not command line artifacts (which are normal) but the process path itself. A while back I did a post on detecting System32 executable from non-standard paths which would work for these occurrences. It t

Detect long running processes with netconn using Splunk subsearches

I have done a couple of posts concerning detecting C2 activity and calculating duration of processes from Carbon Black data in Splunk. In this post I'll show a method of combining the two to detect network connections only from long running processes. This hunt targets script processes which can be a backdoor in themselves but are usually pretty noisy in the enterprise. This also helps close a detection gap in the way that Carbon Black logs are presented. If a single process makes a long running C2 connection the only events seen are the procstart and procend. Within those two events any amount of data can be sent and received. The term "long running" is arbitrary, after experimenting,  I moved the time down to 5 seconds since it was easily filtered and pretty quiet. This makes sense when you think about it, there should not be many scripts that run for minutes at a time that make external network connections. Lets start with a profiling search to find long runnin

Detect PoWERsheLL mixed case obfuscation using Splunk

Mixed case obfuscation is a good technique if security appliances are case sensitive and a wash if they aren't. But looking at "PoWERsheLL -e"  you know its bad so lets do a quick signature for the case obfuscation to add to our other powershell detections. Of course this ONLY detects the mixed case but this is a valid TTP as it is seen in the wild. First you will need to profile the existing common case occurrences for your network. Turned out I see just a couple of common ones which will become our filter. Profile search index=edr powershell command_line=*powershell* | rex field=command_line "(?i)(?<case_sensitive_string>powershell)" | stats count by case_sensitive_string So (?i) to do a case insensitive match for powershell and stats does its normal case sensitive aggregation. Hopefully at this point you have a small filter list. Now for the real search index=edr powershell command_line=*powershell* | regex command_line!="(POWERSH

Advanced Powershell Hunting with the Splunk Decrypt App

If you already have powershell event logs in Splunk and want to decode the base64, this may help. This tutorial builds on the work of others with some new cleverness to provide an efficient decoding of powershell commands for threat hunting. After adding the Splunk Decrypt addon #2655 to decode powershell encoded scripts I ran into a problem. Namely that the app decodes the powershell fine but removing the null padding (seen as periods) took me a while to figure out. TL;DR  Here is the sig index=edr powershell.exe process=powershell.exe command_line!="" ( command_line="* -en*" OR command_line="* -e *" ) NOT ( -Enable* OR -Encoding ) | rex field=command_line "(?i)-en?c?o?d?e?d?c?o?m?m?a?n?d?\s('|\")?(?<base64_command>[\w/+]{16,3920}\=?\=?)('|\")?" | decrypt field=base64_command atob hex emit('base64_decoded_hex') | rex mode=sed field=base64_decoded_hex "s/([0-9A-Fa-f]{2})00/%\1/g" | eval base64_d

Evasive program files directory name

This was a great share by @subtee about misleading directory names and worthy of a quick sig. I needed a few more tunes than shown but this is the general idea. Evasive program files directory name   index=edr program process_path=c:\\program* process_path!="c:\\program files\\*" process_path!="c:\\program files (x86)\\*" process_path!=c:\\programdata\\* | table process_path md5 command_line parent_path I add the md5 to the table for quick review if I get any hits. References: https://twitter.com/subTee/status/1187037543260274688

SCR from unusual parent

Image
Screen saver files have a small filterable list of normal parents that can expose malicious scr files during execution. https://twitter.com/Timele9527/status/1186816375857139712 https://app.any.run/tasks/e076b4a8-abfb-41a1-b7b5-3eadced93192/ #APT #TransparentTribe SCR from unusual parent index=edr scr process=*.scr process_path!=*\\windows\\syswow64\\* process_path!=*\\windows\\system32\\* parent_process!=*\\winlogon.exe | table process_path md5 parent_path command_line References: https://twitter.com/Timele9527/status/1186816375857139712 https://app.any.run/tasks/e076b4a8-abfb-41a1-b7b5-3eadced93192/