Showing posts from October, 2019

Evasive program files directory name

This was a great share by @subtee about misleading directory names and worthy of a quick sig. I needed a few more tunes than shown, but this is the general idea.

Evasive program files directory name

index=edr program process_path=c:\\program* process_path!="c:\\program files\\*" process_path!="c:\\program files (x86)\\*" process_path!=c:\\programdata\\*
    | table process_path md5 command_line parent_path

I add the md5 to the table for quick review if I get any hits.

References:
https://twitter.com/subTee/status/1187037543260274688

SCR from unusual parent

Screen saver files have a small, filterable list of normal parents, which can expose malicious .scr files during execution.

https://twitter.com/Timele9527/status/1186816375857139712
https://app.any.run/tasks/e076b4a8-abfb-41a1-b7b5-3eadced93192/
#APT #TransparentTribe

SCR from unusual parent

index=edr scr process=*.scr process_path!=*\\windows\\syswow64\\* process_path!=*\\windows\\system32\\* parent_process!=*\\winlogon.exe
    | table process_path md5 parent_path command_line

References:
https://twitter.com/Timele9527/status/1186816375857139712
https://app.any.run/tasks/e076b4a8-abfb-41a1-b7b5-3eadced93192/

Detecting Adwind using clustered child processes of java.exe

Sample: https://app.any.run/tasks/455f13a6-c615-4969-bbfb-50967760b158/

Here is a nice sample of #adwind using a few child processes (cmd, xcopy, reg, attrib, and javaw) that we can use as a cluster TTP. In addition, the malware is impatient, so it does all this in a few seconds as well, which will help isolate the behavior when searching over long time frames. Here is the search minus a couple of tunes I needed:

index=edr java.exe parent_path=*\\java.exe ((cmd.exe cscript.exe) OR (reg.exe add) OR taskkill.exe OR attrib.exe OR xcopy.exe )
    | bucket _time span=1m
    | stats values(command_line) dc(command_line) as command_count values(process) dc(process) as proc_count count by computer_name _time
    | where command_count>2 AND proc_count>2

Breakdown:
The parent must be java.exe
The bucket sets the one minute time frame for the events
Command_count gives us the unique event count for command lines
Proc_count gives us the distinct count of the process names since w
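To make the bucket / stats / where pipeline concrete, here is an added Python re-implementation of that clustering logic (example code written for this page, not from the post or from Splunk) run over a constructed set of EDR events; the field names follow the search, while the host names, paths and command lines are invented.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Child-process terms from the search: None means the process name alone matches;
# a list means every token must also appear in the command line (the search pairs
# "cmd.exe cscript.exe" and "reg.exe add").
CHILD_RULES = {"cmd.exe": ["cscript.exe"], "reg.exe": ["add"],
               "taskkill.exe": None, "attrib.exe": None, "xcopy.exe": None}

def child_matches(event):
    # parent_path=*\\java.exe plus one of the watched child processes
    if not event["parent_path"].lower().endswith("\\java.exe"):
        return False
    tokens = CHILD_RULES.get(event["process"].lower(), False)
    if tokens is False:
        return False
    return tokens is None or all(t in event["command_line"].lower() for t in tokens)

def cluster_java_children(events, span=60, min_commands=3, min_procs=3):
    # bucket _time span=1m | stats dc(command_line) dc(process) count by computer_name _time | where ...
    buckets = defaultdict(lambda: {"commands": set(), "procs": set(), "count": 0})
    for event in events:
        if not child_matches(event):
            continue
        ts = datetime.fromisoformat(event["_time"]).timestamp()
        b = buckets[(event["computer_name"], int(ts // span) * span)]
        b["commands"].add(event["command_line"])
        b["procs"].add(event["process"].lower())
        b["count"] += 1
    hits = []
    for (host, start), b in sorted(buckets.items()):
        if len(b["commands"]) >= min_commands and len(b["procs"]) >= min_procs:  # command_count>2 AND proc_count>2
            hits.append({"computer_name": host, "count": b["count"],
                         "bucket_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                         "command_count": len(b["commands"]), "proc_count": len(b["procs"])})
    return hits

# Constructed sample events, not real telemetry: WS01 shows the burst, WS02 is ordinary noise.
JAVA = r"C:\Program Files\Java\jre1.8.0_221\bin\java.exe"
def ev(t, host, proc, cmd, parent=JAVA):
    return {"_time": t, "computer_name": host, "parent_path": parent, "process": proc, "command_line": cmd}
EVENTS = [
    ev("2019-10-20T10:00:05+00:00", "WS01", "cmd.exe", r"cmd.exe /c cscript.exe C:\Users\u\AppData\Local\Temp\setup.vbs"),
    ev("2019-10-20T10:00:06+00:00", "WS01", "xcopy.exe", r"xcopy.exe /s /y C:\Users\u\AppData\Local\Temp\j C:\Users\u\AppData\Roaming\jrelib"),
    ev("2019-10-20T10:00:07+00:00", "WS01", "reg.exe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jre /d C:\Users\u\AppData\Roaming\jrelib\run.vbs"),
    ev("2019-10-20T10:00:08+00:00", "WS01", "attrib.exe", r"attrib.exe +h C:\Users\u\AppData\Roaming\jrelib"),
    ev("2019-10-20T10:00:30+00:00", "WS02", "xcopy.exe", r"xcopy.exe /y build\out C:\deploy"),
    ev("2019-10-20T10:03:10+00:00", "WS02", "cmd.exe", "cmd.exe /c dir"),  # no cscript.exe term, so not a watched child
    ev("2019-10-20T10:07:00+00:00", "WS02", "reg.exe", r"reg.exe add HKCU\Software\Acme /v x /d 1"),  # alone in its minute
]
```

Only WS01 is returned: four distinct command lines across four distinct processes inside one minute, while WS02's matching children are spread out and never reach the thresholds together.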

Detect Wmiprvse.exe as parent in close proximity to Winword.exe startup

One of the TTPs for #Ursnif samples has been to use WMI classes to launch powershell. This shows in the EDR as wmiprvse.exe as the parent of the malicious powershell process, but it is not evident what initiated the process since the parent-child relationship has been broken. You probably already have a signature for wmiprvse.exe as parent to powershell, and the Word file containing the macro uses a detectable name format "info_10_1.doc". It would be nice to fill in the attack chain a bit to speed up the analysis process. One interesting method is to use the proximity of the winword.exe startup event to the wmiprvse.exe parent event. This might seem like a good place for a Splunk transaction, but I find them slow at times, so I tend to use the stats command where possible.

Detect Wmiprvse.exe as parent in close proximity to Winword.exe starting

index=edr procstart ( winword.exe OR wmiprvse.exe ) (process=winword.exe OR parent_path=*\\wmiprvse.exe)
    | bucket _t