Supporting Link: https://www.virusbulletin.com/virusbulletin/2016/04/how-it-works-steganography-hides-malware-image-files/
Threat: detects Gatak/Stegoloader malware and possibly related C&C traffic
False Positives: tested in a number of CbR instances and so far no false positives
Recommended Score (1-100): 100
Query (example): process_name:rundll32.exe AND cmdline:shell32.dll,Control_RunDLL AND modload:gdiplus.dll AND netconn_count:[1 TO *]
URL Query (example): cb.urlver=1&q=process_name%3Arundll32.exe%20AND%20cmdline%3Ashell32.dll%2CControl_RunDLL%20AND%20modload%3Agdiplus.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D
False Positives: Low to none
Recommended Score (1-100): 80
Query (example): parent_name:wscript.exe and -alliance_score_srstrust:* and digsig_result:unsigned and alliance_score_virustotal:[7 TO *]
URL Query (example): cb.urlver=1&q=parent_name%3Awscript.exe%20and%20-alliance_score_srstrust%3A*%20and%20digsig_result%3Aunsigned%20and%20alliance_score_virustotal%3A%5B7%20TO%20*%5D&sort=&rows=10&start=0
Cb Process Tree (example): detected ransomware process chain
Description: My attempt to detect meterpreter doing a "webcam_snap"
Supporting Link: None, my own work in a lab
Threat: This has only been proven to detect webcam_snap on a Windows 10 target from a meterpreter reverse_tcp so far
False Positives: I'm getting 0 FP in an environment of over 50k endpoints
Recommended Score (1-100): 100
Query (example): digsig_result:"Unsigned" AND childproc_name:conhost.exe AND crossproc_count:[1 to *] AND modload:dciman32.dll AND modload:vidcap.ax
URL Query (example): cb.urlver=1&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=start%20desc&cb.min_last_update=2017-07-31T18%3A17%3A06Z&cb.max_last_update=2017-08-03T18%3A17%3A06Z&cb.query_source=ui&start=0&q=digsig_result%3A%22Unsigned%22%20AND%20childproc_name%3Aconhost.exe%20AND%20crossproc_count%3A%5B1%20to%20*%5D%20AND%20modload%3Adciman32.dll%20AND%20modload%3Avidcap.ax
Query (example): ((cmdline:"/c echo" AND cmdline:"\\.\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))
URL Query (example): cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D%20AND%20-digsig_result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true
Recommended Score (1-100): 70+ (I have seen environments where this is "normal" behavior)
Query (example): process_name:wscript.exe and is_executable_image_filewrite:"true" and netconn_count:[1 to *]
URL Query (example): cb.urlver=1&q=process_name%3Awscript.exe%20and%20is_executable_image_filewrite%3A%22true%22%20and%20netconn_count%3A%5B1%20to%20*%5D&sort=&rows=10&start=0
[EDIT: On second thought, this may apply to more than just lockers, but it's all I am really seeing nowadays...]
Supporting Link: https://threatpost.com/local-windows-admins-can-hijack-sessions-without-credentials/124427/
Threat: An attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to
False Positives: None found
Recommended Score: 90
Query: cmdline:"PsExec" and "-s" and "-i" and "taskmgr"
URL Query: /#search/cb.urlver=1&q=%20cmdline%3A%22PsExec%22%20and%20%20%22-s%22%20and%20%22-i%22%20and%20%22taskmgr%22&sort=&rows=10&start=0
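As an added example (my own code, not from any post in this thread and not Carbon Black's), here is a small Python evaluator for the subset of Cb Response query syntax the posts above use (field:value terms, quoted phrases, `*` wildcards, `[N TO *]` ranges, `-` negation, AND/OR and parentheses). It runs the Gatak/Stegoloader rundll32 query, the named-pipe/temp-DLL query and the PsExec session-hijack query from this thread over constructed process documents to show what each would and would not surface. The record layout, the sample command lines and the matching semantics (a bare term searches every field; text terms match as wildcard-aware substrings that may not be glued to other word characters) are assumptions that approximate Cb's tokenised Solr search rather than reproduce it.

```python
"""Evaluate the Cb Response-style process queries from this thread over sample process records."""
import re
from typing import Any, Callable, Dict, List

Record = Dict[str, Any]            # one process document: {"cmdline": ..., "modload": [...], ...}
Matcher = Callable[[Record], bool]

# A token is "(", ")" or a term [-][field:]value (bare, "quoted" or [lo TO hi] value); AND/OR are
# plain tokens the parser recognises. Assumed subset of Cb syntax, not the full Solr grammar.
_TOKEN_RE = re.compile(r'\(|\)|-?(?:[\w.]+:)?(?:"[^"]*"|\[[^\]]*\]|[^\s()]+)')
_TERM_RE = re.compile(r'^(?P<neg>-?)(?:(?P<field>[\w.]+):)?(?P<value>.+)$', re.S)

def _values(rec: Record, field: str) -> List[Any]:   # list fields as-is, scalars wrapped, missing -> []
    v = rec.get(field)
    return [] if v is None else (list(v) if isinstance(v, (list, tuple, set)) else [v])

def _text_pattern(needle: str) -> "re.Pattern[str]":
    """Approximate Cb's tokenised match: '*' is a wildcard; a needle that starts or ends in a word
    character may not be glued to other word characters ("Signed" must not hit "Unsigned")."""
    pat = re.escape(needle).replace(r"\*", ".*")
    pat = (r"(?<!\w)" if re.match(r"\w", needle) else "") + pat
    return re.compile(pat + (r"(?!\w)" if re.search(r"\w$", needle) else ""), re.I)

def _term(tok: str) -> Matcher:
    neg, field, value = _TERM_RE.match(tok).groups()
    if value.startswith("["):                                   # numeric range, "*" = open end
        lo, hi = re.split(r"\s+to\s+", value[1:-1].strip(), flags=re.I)
        hit = lambda rec: any(isinstance(v, (int, float)) and (lo == "*" or v >= float(lo))
                              and (hi == "*" or v <= float(hi)) for v in _values(rec, field))
    else:                                                       # no field given: search every field
        pat = _text_pattern(value.strip('"'))
        hit = lambda rec: any(pat.search(str(v)) for f in ([field] if field else list(rec))
                              for v in _values(rec, f))
    return (lambda rec: not hit(rec)) if neg else hit

def compile_query(query: str) -> Matcher:
    """Recursive-descent parse into a predicate: OR binds loosest, adjacent terms are ANDed."""
    toks, pos = _TOKEN_RE.findall(query), 0

    def parse_or() -> Matcher:
        nonlocal pos
        parts = [parse_and()]
        while pos < len(toks) and toks[pos].upper() == "OR":
            pos += 1
            parts.append(parse_and())
        return lambda rec: any(p(rec) for p in parts)

    def parse_and() -> Matcher:
        nonlocal pos
        parts = [parse_primary()]
        while pos < len(toks) and toks[pos] != ")" and toks[pos].upper() != "OR":
            pos += 1 if toks[pos].upper() == "AND" else 0       # the AND keyword is optional
            parts.append(parse_primary())
        return lambda rec: all(p(rec) for p in parts)

    def parse_primary() -> Matcher:
        nonlocal pos
        if pos >= len(toks): raise ValueError("unexpected end of query")
        tok, pos = toks[pos], pos + 1
        if tok != "(":
            return _term(tok)
        inner = parse_or()
        if toks[pos:pos + 1] != [")"]: raise ValueError("missing ')' in query")
        pos += 1
        return inner

    return parse_or()

# Queries quoted from the posts in this thread (underscores restored in the field names).
QUERIES = {
    "gatak_stegoloader": "process_name:rundll32.exe AND cmdline:shell32.dll,Control_RunDLL "
                         "AND modload:gdiplus.dll AND netconn_count:[1 TO *]",
    "named_pipe_or_temp_dll": r'((cmdline:"/c echo" AND cmdline:"\\.\pipe\") OR (filemod:*\appdata'
                              r'\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))',
    "psexec_session_hijack": 'cmdline:"PsExec" and "-s" and "-i" and "taskmgr"',
}

def _proc(pid: str, name: str, cmdline: str, **extra: Any) -> Record:   # sample doc, benign defaults
    return {"id": pid, "process_name": name, "cmdline": cmdline, "modload": ["ntdll.dll"],
            "filemod": [], "netconn_count": 0, "digsig_result": "Signed", **extra}

SAMPLE_PROCESSES = [   # constructed sample process documents, not real telemetry; ids are for reporting
    _proc("gatak_like", "rundll32.exe", r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice'
          r'\AppData\Local\Temp\tmp7F3.dll"', modload=["ntdll.dll", "gdiplus.dll"], netconn_count=4),
    _proc("control_panel", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
          modload=["ntdll.dll", "gdiplus.dll"]),                  # same loader, no network: benign
    _proc("getsystem_pipe", "cmd.exe", r"cmd.exe /c echo kqzrhx > \\.\pipe\kqzrhx"),
    _proc("temp_dll_dropper", "updater.exe", r"C:\Users\alice\AppData\Roaming\updater.exe",
          filemod=[r"C:\Users\alice\AppData\Local\Temp\stage2.dll"], netconn_count=2, digsig_result="Unsigned"),
    _proc("session_hijack", "psexec.exe", "PsExec.exe -s -i taskmgr.exe"),
    _proc("remote_admin", "psexec.exe", r"PsExec.exe \\fs01 -accepteula -s cmd.exe /c whoami"),
]

def run_queries(records: List[Record], queries: Dict[str, str] = QUERIES) -> Dict[str, List[str]]:
    """Return, per query name, the ids of the records that query would surface."""
    compiled = {name: compile_query(q) for name, q in queries.items()}
    return {name: [r["id"] for r in records if m(r)] for name, m in compiled.items()}

if __name__ == "__main__": print(run_queries(SAMPLE_PROCESSES))
```

Two things the run makes visible. The `netconn_count:[1 TO *]` clause is what separates the Gatak-style loader from a legitimate `rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl`, which loads gdiplus.dll just the same. And the bare `"-s"`, `"-i"` and `"taskmgr"` terms in the session-hijack query are not scoped to `cmdline:` at all (here they search every field), so `cmdline:"-s"` is the tighter form; the `remote_admin` record shows that `-s` alone is ordinary PsExec usage. This evaluator approximates Cb's tokeniser, so re-check any query against live data before raising its score.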
Recommended Score (1-100): 50
Query (example): regmod:"software\classes\htmlfile\shell\open\command"
URL Query (example): cb.urlver=1&q=process_name%3Apowershell.exe%20-ipaddr%3A%5B167772160%20TO%20184549375%5D%20%20&cb.q.netconn_count=%5B1%20TO%20*%5D&cb.q.ipaddr=%5B-1408237568%20TO%20-1407188993%5D&sort=&rows=10&start=0
Recommended Score (1-100): 100
Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query (example): cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree: N/A