SIEM Deep Topics

title: Silence.Downloader V3
id: 170901d1-de11-4de7-bccb-8fa13678d857
status: test
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection_recon:
        Image|endswith:
            - '\tasklist.exe'
            - '\qwinsta.exe'
            - '\ipconfig.exe'
            - '\hostname.exe'
        CommandLine|contains: '>>'
        CommandLine|endswith: 'temps.dat'
    selection_persistence:
        CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
    condition: selection_recon | near selection_persistence    # requires both
fields:
    - ComputerName
    - User
    - Image
    - CommandLine
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.t1547.001
    - attack.discovery
    - attack.t1057
    - attack.t1082
    - attack.t1016
    - attack.t1033
    - attack.g0091
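The rule above pairs two selections with `near`, an operator Sigma never gave a time window and later dropped from the specification (Sigma v2 moved correlation into separate correlation rules), so the SIEM side has to decide what "near" means. The Python below is an added example, not code from the original article or the Sigma project: it re-implements both selections with Sigma's case-insensitive string semantics, emulates `near` as a per-host correlation inside an assumed five-minute window, and runs the result over constructed Sysmon Event ID 1 records. Hostnames, users, paths and timestamps are made up.

```python
"""Silence.Downloader V3: both selections plus an emulation of `near`, over constructed events.

Added example, not code from the original article or the Sigma project. The correlation
window is an assumption: Sigma's `near` never defined one.
"""
from datetime import datetime

# Constructed Sysmon Event ID 1 records (not real telemetry). Field names follow the Sigma
# process_creation logsource; hosts, users, paths and times are made up.
EVENTS = [
    {"UtcTime": "2019-11-01 10:00:00", "ComputerName": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /C REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    '/v "WinNetworkSecurity" /t REG_SZ /d "C:\\Users\\alice\\AppData\\Roaming\\upd.exe"'},
    {"UtcTime": "2019-11-01 10:00:03", "ComputerName": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\tasklist.exe",
     "CommandLine": "tasklist >> C:\\Users\\alice\\AppData\\Local\\Temp\\temps.dat"},
    {"UtcTime": "2019-11-01 10:00:04", "ComputerName": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "CommandLine": "ipconfig /all >> C:\\Users\\alice\\AppData\\Local\\Temp\\temps.dat"},
    # Recon with the same redirect on a host that never sees the Run-key write: no alert.
    {"UtcTime": "2019-11-01 10:05:00", "ComputerName": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\hostname.exe",
     "CommandLine": "hostname >> C:\\temp\\temps.dat"},
    # Run-key write with no recon anywhere near it in time: no alert.
    {"UtcTime": "2019-11-01 14:00:00", "ComputerName": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /C REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    '/v "WinNetworkSecurity" /t REG_SZ /d "C:\\x.exe"'},
]

RECON_IMAGES = ("\\tasklist.exe", "\\qwinsta.exe", "\\ipconfig.exe", "\\hostname.exe")
PERSISTENCE_MARKER = ('/C REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                      '/v "WinNetworkSecurity" /t REG_SZ /d')
FIELDS = ("ComputerName", "User", "Image", "CommandLine")  # the rule's `fields` list


def selection_recon(ev):
    # Sigma's contains/endswith are case-insensitive, so compare lower-cased values.
    image, cmd = ev["Image"].lower(), ev["CommandLine"].lower()
    return image.endswith(RECON_IMAGES) and ">>" in cmd and cmd.endswith("temps.dat")


def selection_persistence(ev):
    return PERSISTENCE_MARKER.lower() in ev["CommandLine"].lower()


def _seconds(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S").timestamp()


def detect(events, window_seconds=300):
    """Emulate `selection_recon | near selection_persistence`.

    Correlates per ComputerName: a recon event alerts only if a persistence event from the
    same host lies within +/- window_seconds of it (the window is our assumption). Returns
    one alert per matching recon event, reduced to the rule's fields plus the command that
    paired with it.
    """
    persistence_by_host = {}
    for ev in events:
        if selection_persistence(ev):
            persistence_by_host.setdefault(ev["ComputerName"], []).append(ev)

    alerts = []
    for ev in events:
        if not selection_recon(ev):
            continue
        for p in persistence_by_host.get(ev["ComputerName"], ()):
            if abs(_seconds(ev) - _seconds(p)) <= window_seconds:
                alert = {k: ev[k] for k in FIELDS}
                alert["PairedPersistence"] = p["CommandLine"]
                alerts.append(alert)
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two things the sample data makes explicit. First, `>>` and `temps.dat` are tested on the recon binary's own CommandLine, so the rule fires only when the redirect text travels with the child process; a redirect performed by a parent cmd.exe lands in the cmd.exe event instead. Second, the third host shows why `near` matters: the Run-key write is a strong signal on its own, but the rule deliberately requires the recon burst beside it, and the window you pick decides how tight "beside" is.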
title: CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
description: Detects a typical pattern of a CobaltStrike BOF which injects into other processes
references:
    - https://github.com/boku7/injectAmsiBypass
    - https://github.com/boku7/spawn
status: experimental
author: Christian Burkard
date: 2021/08/04
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
        GrantedAccess:
            - '0x1028'
            - '0x1fffff'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1106
    - attack.defense_evasion
    - attack.t1562.001
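The regex is the whole detection: two module-backed frames (ntdll, then KERNELBASE) followed by a return address Sysmon could not attribute to any loaded module, which is what a BOF running out of Beacon-allocated memory looks like when it opens another process. In the raw CallTrace value each path separator is a single backslash, so the regex escapes it as `\\` and the dot in `ntdll.dll` as `\.`. The Python below is an added example, not code from the article, the Sigma project or the referenced BOF repositories; it compiles that regex, applies the GrantedAccess list, and runs both over constructed Sysmon Event ID 10 records whose images, offsets and addresses are made up.

```python
"""CobaltStrike BOF injection pattern: the rule's regex and access-mask test over constructed events.

Added example, not code from the article, the Sigma project or the referenced BOF repositories.
Images, offsets and addresses in the sample records are made up.
"""
import re

# The rule's CallTrace regex as a Python pattern. In the raw Sysmon field each path separator
# is one backslash, so `\\` matches it and `\.` matches the dot in ntdll.dll. The trailing
# UNKNOWN(<16 hex digits>) is a return address Sysmon could not map to any loaded module.
CALLTRACE_RE = re.compile(
    r"^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}"
    r"\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}"
    r"\|UNKNOWN\([A-Z0-9]{16}\)$"
)

# 0x1028 = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_LIMITED_INFORMATION,
# 0x1fffff = PROCESS_ALL_ACCESS. Both are what code that writes into another process asks for.
GRANTED_ACCESS = {"0x1028", "0x1fffff"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
EVENTS = [
    # Matches: two module-backed frames, then an unbacked return address, write rights.
    {"SourceImage": "C:\\Windows\\System32\\rundll32.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1028",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d8e4|C:\\Windows\\System32\\KERNELBASE.dll+2c24e|UNKNOWN(00000218B5A50000)"},
    # Matches: same frame shape, PROCESS_ALL_ACCESS.
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d8e4|C:\\Windows\\System32\\KERNELBASE.dll+2c24e|UNKNOWN(000001E4D3F20A10)"},
    # No match: 0x1010 (VM_READ | QUERY_LIMITED_INFORMATION) is read-only, the mask most
    # inventory and monitoring tools request, even with an unbacked frame present.
    {"SourceImage": "C:\\Program Files\\Monitor\\agent.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d8e4|C:\\Windows\\System32\\KERNELBASE.dll+2c24e|UNKNOWN(00000218B5A50000)"},
    # No match: full access, but every frame is backed by an on-disk module.
    {"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d8e4|C:\\Windows\\System32\\KERNELBASE.dll+2c24e|C:\\Windows\\System32\\Taskmgr.exe+1a2b3"},
]


def unbacked_frames(call_trace):
    """Frames Sysmon printed as UNKNOWN(...): code running from memory no module owns."""
    return [f for f in call_trace.split("|") if f.startswith("UNKNOWN(")]


def matches(ev):
    """The Sigma selection: regex on CallTrace AND GrantedAccess in the listed values."""
    return (ev["GrantedAccess"].lower() in GRANTED_ACCESS
            and CALLTRACE_RE.match(ev["CallTrace"]) is not None)


def detect(events):
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in detect(EVENTS):
        print(ev["SourceImage"], "->", ev["TargetImage"], ev["GrantedAccess"],
              unbacked_frames(ev["CallTrace"]))
```

`unbacked_frames` is the part worth keeping for triage beyond this rule: any UNKNOWN() frame in a process-access call trace combined with write or full access deserves a look. Unbacked frames do occur benignly (JIT-compiled .NET code is the usual source), which is why the rule pins both the exact frame sequence and the access mask instead of alerting on UNKNOWN alone.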

Ertugrul Akbas
Entrepreneur, Security Analyst, Research.