For example, if you search for Reaper Thread, one example is: https://knowledge.broadcom.com/external/article?searchString=&activeType=server_knowledge_article&from=0&sortby=post_time&orderBy=desc&pageNo=1&aggregations=%5B%7B%22type%22%3A%22_index%22%2C%22filter%22%3A%5B%22server_knowledge_article%22%5D%7D%2C%7B%22type%22%3A%22productname%22%2C%22filter%22%3A%5B%22CA+Client+Automation%22%5D%7D%5D&uid=d042dbba-f8c4-11ea-beba-0242ac12000b&resultsPerPage=10&exactPhrase=&withOneOrMore=&withoutTheWords=&pageSize=10&language=en&state=2&suCaseCreate=false
- CA Workload Automation DE r11 3 SP2 - Customer Access Only-ENU: https://support.ca.com/cadocs/7/CA%20Workload%20Automation%20DE%20r11%203%20SP2%20-%20Customer%20Access%20Only-ENU/Bookshelf.html
In the DE R11.3 SP2 Release Notes, you will now find the LDAP Groups configuration procedure under the "Related Documentation" section.
Threat: Query looks for usage of the net.exe or net1.exe command to view domain admins, groups and the like in order to spread laterally
False Positives: Nil, but there could be legit admin usage
Recommended Score (1-100): 99
Query (example): (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example): cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
Location for DE R11.3 SP2 bookshelf: https://support.ca.com/cadocs/7/CA%20Workload%20Automation%20DE%20r11%203%20SP2%20-%20Customer%20Access%20Only-ENU/Bookshelf.html
Query (example): cmdline:"-ExecutionPolicy Bypass -File .\EYLR\Power-Escalate.ps1" OR cmdline:"-ExecutionPolicy Bypass -File .\EYLR\Get-MacAfee.ps1" OR cmdline:"-ExecutionPolicy Bypass -File .\RECON\Get-ActiveDirectoryInfo.ps1" OR cmdline:"-ExecutionPolicy Bypass -File .\RECON\Scan-SPN.ps1" OR cmdline:"-ExecutionPolicy Bypass -File .\RECON\Create-TGSInMemory.ps1" OR cmdline:"-ExecutionPolicy Bypass -File .\GAME\Demine-TheField.ps1"
URL Query (example): cb.urlver=1&q=cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CEYLR%5CPower-Escalate.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CEYLR%5CGet-MacAfee.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CGet-ActiveDirectoryInfo.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CScan-SPN.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CCreate-TGSInMemory.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CGAME%5CDemine-TheField.ps1%22
\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn count:[1 TO *] AND -digsig result:"Signed")) URL Query (example) : cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn count%3A%5B1%20TO%20*%5D%20AND%20-digsig result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
Recommended Score (1-100): 50
Query (example): ( cmdline:"net user" and cmdline:add ) OR ( cmdline:"net localgroup users" ) OR ( cmdline:"net localgroup administrators" )
URL Query (example): cb.urlver=1&q=((%20cmdline%3A%22net%20user%22%20and%20cmdline%3Aadd%20)%20OR%20(%20cmdline%3A%22net%20localgroup%20users%22%20)%20%20OR%20(%20cmdline%3A%22net%20localgroup%20administrators%22%20))&sort=&rows=10&start=0
Recommended Score (1-100): 100
Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query (example): cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
#CbResponse
Advanced Threats
- Proxy Modifications By Shell/Script Process
  Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process_name%3Awscript.exe%20or%20process_name%3Apowershell.exe%20or%20process_name%3Acmd.exe%20or%20process_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
  Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process_name:wscript.exe or process_name:powershell.exe or process_name:cmd.exe or process_name:cscript.exe)
- Retefe Child Processes
  Query: cb.urlver=1&q=(childproc_name%3Ataskkill.exe%20childproc_name%3Acertutil.exe%20childproc_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
  Human readable: childproc_name:taskkill.exe childproc_name:certutil.exe childproc_name:powershell.exe
Community
- Office Test Special Perf Regmod for Persistence
  Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22
  Human readable: regmod:"Software\Microsoft\Office test\special\perf"
- MSCFile Regmod for UAC bypass
  Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22
  Human readable: regmod:"mscfile\shell\open\command"
- Hancitor Suspicious Process Name
  Query: cb.urlver=1&q=process_name%3AWinHost32.exe&cb.q.os_type=(os_type%3A%22windows%22)
  Human readable: process_name:WinHost32.exe
Suspicious Indicators
- Root Cert Added by Script/Shell
  Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process_name%3Acertutil.exe%20(parent_name%3Awscript.exe%20or%20parent_name%3Apowershell.exe%20or%20parent_name%3Acmd.exe%20or%20parent_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
  Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process_name:certutil.exe (parent_name:wscript.exe or parent_name:powershell.exe or parent_name:cmd.exe or parent_name:cscript.exe)
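The regmod and child-process rules above only work as intended because Cb Response evaluates a query against a whole process document: regmod:autoconfigurl AND regmod:wpadnetworkname AND regmod:proxyenable must all hit on the same process, and the three bare childproc_name terms in the Retefe query are ANDed. The block below is an added example, not code from the original post or from Carbon Black: it re-implements the six rules in plain Python over a constructed event stream, grouping raw events by process before matching. The field names mirror Cb (process_name, parent_name, regmod, childproc_name); the "proc" grouping key, the registry paths and every event are made up for this example. One caveat for anyone porting this back to Cb Response: releases that split long-lived processes into segments require the terms to co-occur in the same segment, so a slow-moving proxy rewrite can fall across two documents and miss.

```python
"""Regmod / child-process rules from the list above, re-implemented stand-alone.

Added example, not code from the original post or from Carbon Black.  Field
names mirror Cb (process_name, parent_name, regmod, childproc_name); the "proc"
key and every event below are constructed for this example.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample event stream (not real telemetry), one dict per event.
SAMPLE_EVENTS = [
    # A: wscript rewrites the WinINet proxy settings (PAC/WPAD hijack)
    {"proc": "A", "process_name": "wscript.exe", "parent_name": "explorer.exe",
     "cmdline": "wscript.exe C:\\Users\\Public\\invoice.js"},
    {"proc": "A", "regmod": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL"},
    {"proc": "A", "regmod": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"proc": "A", "regmod": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DEADBEEF-0000-0000-0000-000000000000}\WpadNetworkName"},
    # B: one powershell spawns all three Retefe children
    {"proc": "B", "process_name": "powershell.exe", "parent_name": "wscript.exe", "cmdline": "powershell -nop -w hidden"},
    {"proc": "B", "childproc_name": "taskkill.exe"},
    {"proc": "B", "childproc_name": "certutil.exe"},
    {"proc": "B", "childproc_name": "powershell.exe"},
    # C: certutil adds a root CA, launched from a script host
    {"proc": "C", "process_name": "certutil.exe", "parent_name": "powershell.exe",
     "cmdline": "certutil.exe -addstore ROOT C:\\Users\\Public\\ca.cer"},
    # D: Office test persistence key; E: mscfile handler hijack (eventvwr UAC bypass)
    {"proc": "D", "process_name": "winword.exe", "parent_name": "explorer.exe", "cmdline": "winword.exe doc.docx"},
    {"proc": "D", "regmod": r"HKCU\Software\Microsoft\Office test\Special\Perf\(Default)"},
    {"proc": "E", "process_name": "cmd.exe", "parent_name": "explorer.exe",
     "cmdline": "cmd.exe /c reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /d C:\\x.exe /f"},
    {"proc": "E", "regmod": r"HKCU\Software\Classes\mscfile\shell\open\command\(Default)"},
    # F: Hancitor-style process name
    {"proc": "F", "process_name": "WinHost32.exe", "parent_name": "winword.exe", "cmdline": "WinHost32.exe"},
    # G and H: benign look-alikes that must NOT fire (only one of the three proxy
    # values; only one of the three Retefe children)
    {"proc": "G", "process_name": "cmd.exe", "parent_name": "explorer.exe", "cmdline": "cmd.exe"},
    {"proc": "G", "regmod": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"},
    {"proc": "H", "process_name": "explorer.exe", "parent_name": "userinit.exe", "cmdline": "explorer.exe"},
    {"proc": "H", "childproc_name": "taskkill.exe"},
]

def build_process_docs(events):
    """Fold per-event records into one document per process, as Cb does."""
    docs = defaultdict(lambda: {"regmod": [], "childproc_name": []})
    for ev in events:
        doc = docs[ev["proc"]]
        if "process_name" in ev:
            doc["process_name"] = ev["process_name"].lower()
            doc["parent_name"] = ev.get("parent_name", "").lower()
            doc["cmdline"] = ev.get("cmdline", "")
        if "regmod" in ev:
            doc["regmod"].append(ev["regmod"].lower())
        if "childproc_name" in ev:
            doc["childproc_name"].append(ev["childproc_name"].lower())
    return docs

def regmod_has(doc, needle):
    """Case-insensitive substring match over every registry path the process touched."""
    return any(needle.lower() in path for path in doc["regmod"])

def proxy_modified_by_script(doc):
    wanted = ("autoconfigurl", "wpadnetworkname", "proxyenable")
    return all(regmod_has(doc, k) for k in wanted) and doc.get("process_name") in SCRIPT_HOSTS

def retefe_children(doc):
    # bare terms in a Cb query are ANDed, so all three children are required
    return {"taskkill.exe", "certutil.exe", "powershell.exe"} <= set(doc["childproc_name"])

def office_test_perf(doc):
    return regmod_has(doc, r"software\microsoft\office test\special\perf")

def mscfile_open_command(doc):
    return regmod_has(doc, r"mscfile\shell\open\command")

def hancitor_winhost32(doc):
    return doc.get("process_name") == "winhost32.exe"

def root_cert_added_by_script(doc):
    tokens = doc.get("cmdline", "").lower().split()
    return (doc.get("process_name") == "certutil.exe" and "-addstore" in tokens
            and "root" in tokens and doc.get("parent_name") in SCRIPT_HOSTS)

RULES = {
    "Proxy Modifications By Shell/Script Process": proxy_modified_by_script,
    "Retefe Child Processes": retefe_children,
    "Office Test Special Perf Regmod for Persistence": office_test_perf,
    "MSCFile Regmod for UAC bypass": mscfile_open_command,
    "Hancitor Suspicious Process Name": hancitor_winhost32,
    "Root Cert Added by Script/Shell": root_cert_added_by_script,
}

def run_rules(events):
    """Return {process: [rule names that fired]} for processes with at least one hit."""
    hits = {}
    for proc, doc in build_process_docs(events).items():
        fired = [name for name, rule in RULES.items() if rule(doc)]
        if fired:
            hits[proc] = fired
    return hits

if __name__ == "__main__":
    for proc, fired in sorted(run_rules(SAMPLE_EVENTS).items()):
        print(proc, fired)
```

Processes A to F each trip exactly one rule; G (ProxyEnable alone) and H (taskkill.exe alone) stay silent, which is the behaviour the per-process AND gives you and the reason these queries are not simply "any regmod of ProxyEnable".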
Recommended Score (1-100): 55
Query (example): (((process_name:net.exe OR (process_name:net1.exe AND -parent_name:net.exe) OR process_name:dsquery.exe OR process_name:dsget.exe) AND (cmdline:"domain admins" OR cmdline:"administrators /domain" OR cmdline:"admins" OR cmdline:"cn=administrators")))
URL Query (example): cb.urlver=1&q=(((process_name%3Anet.exe%20OR%20(process_name%3Anet1.exe%20AND%20-parent_name%3Anet.exe)%20OR%20process_name%3Adsquery.exe%20OR%20process_name%3Adsget.exe)%20AND%20(cmdline%3A%22domain%20admins%22%20OR%20cmdline%3A%22administrators%20%2Fdomain%22%20OR%20cmdline%3A%22admins%22%20OR%20cmdline%3A%22cn%3Dadministrators%22)))
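The four command-line rules posted above (the score-99 net.exe domain-admin enumeration, the score-50 net user/localgroup rule, the score-100 PsExec -accepteula -c with -d/-s rule, and this score-55 net/dsquery/dsget rule) share one subtlety worth seeing on real-looking data: net.exe hands its work to a child net1.exe with the same arguments, so a naive rule fires twice per command, which is what the -parent_name:net.exe clause here suppresses. The block below is an added example, not code from the original posts or from Carbon Black. It re-implements those four queries as Python functions and runs them over constructed process events; field names mirror Cb (process_name, parent_name, cmdline), the "id" key and all events are made up, and has_phrase/has_token only approximate Cb's cmdline analyser (Cb tokenises the command line before matching, so a quoted phrase and a bare term such as cmdline:add behave differently there too).

```python
"""Command-line rules from the net.exe / PsExec posts above, re-implemented stand-alone.

Added example, not code from the original posts or from Carbon Black.  Field
names mirror Cb (process_name, parent_name, cmdline); the "id" key and every
event below are constructed for this example.
"""

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "process_name": "net.exe", "parent_name": "cmd.exe",
     "cmdline": 'net group /domain "Domain Admins"'},
    # net.exe hands the real work to net1.exe, so the same command shows up twice
    {"id": 2, "process_name": "net1.exe", "parent_name": "net.exe",
     "cmdline": 'C:\\Windows\\system32\\net1 group /domain "Domain Admins"'},
    {"id": 3, "process_name": "dsquery.exe", "parent_name": "powershell.exe",
     "cmdline": 'dsquery group -name "Domain Admins" -limit 0'},
    {"id": 4, "process_name": "net.exe", "parent_name": "cmd.exe",
     "cmdline": "net user svc_backup Summer2020! /add"},
    {"id": 5, "process_name": "psexec.exe", "parent_name": "cmd.exe",
     "cmdline": "psexec.exe \\\\srv01 -accepteula -c -d -s C:\\tools\\beacon.exe"},
    # legitimate helpdesk check: still fires the score-50 rule (the post's own caveat)
    {"id": 6, "process_name": "net.exe", "parent_name": "cmd.exe",
     "cmdline": "net localgroup administrators"},
    {"id": 7, "process_name": "notepad.exe", "parent_name": "explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

def has_phrase(ev, phrase):
    """Case-insensitive substring test, standing in for a quoted Cb phrase term."""
    return phrase.lower() in ev["cmdline"].lower()

def has_token(ev, token):
    """Whole-token test, so cmdline:"-c" does not match -copy or a C:\\ path."""
    return token.lower() in ev["cmdline"].lower().split()

def domain_admin_enum(ev):      # score 99
    phrases = ('group /domain "domain admins"', 'group /domain "enterprise admins"',
               'group /domain "enterprise administrators"',
               'group /domain "domain administrators"', "view /domain",
               'localgroup /domain "administrators"',
               'localgroup /domain "account operators"')
    return ev["process_name"] in {"net.exe", "net1.exe"} and any(has_phrase(ev, p) for p in phrases)

def psexec_copy_and_run(ev):    # score 100
    return (has_token(ev, "-accepteula") and has_token(ev, "-c")
            and (has_token(ev, "-d") or has_token(ev, "-s")))

def admin_group_recon(ev):      # score 55; drops net1.exe when net.exe is the parent
    proc_ok = (ev["process_name"] in {"net.exe", "dsquery.exe", "dsget.exe"}
               or (ev["process_name"] == "net1.exe" and ev["parent_name"] != "net.exe"))
    phrases = ("domain admins", "administrators /domain", "admins", "cn=administrators")
    return proc_ok and any(has_phrase(ev, p) for p in phrases)

def local_account_manipulation(ev):   # score 50
    return ((has_phrase(ev, "net user") and (has_token(ev, "/add") or has_token(ev, "add")))
            or has_phrase(ev, "net localgroup users")
            or has_phrase(ev, "net localgroup administrators"))

RULES = [
    ("net.exe domain admin enumeration", 99, domain_admin_enum),
    ("PsExec -accepteula -c with -d/-s", 100, psexec_copy_and_run),
    ("admin group recon via net/dsquery/dsget", 55, admin_group_recon),
    ("local account/group manipulation", 50, local_account_manipulation),
]

def evaluate(events, rules=RULES):
    """Return {event id: [(rule name, score), ...]} for events that hit at least one rule."""
    hits = {}
    for ev in events:
        fired = [(name, score) for name, score, rule in rules if rule(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits

def top_score(hits):
    """Highest recommended score per event, for triage ordering."""
    return {eid: max(score for _, score in fired) for eid, fired in hits.items()}

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for eid in sorted(hits, key=lambda e: -top_score(hits)[e]):
        print(eid, hits[eid])
```

Events 1 and 2 both trip the score-99 rule (the net.exe/net1.exe pair), but only event 1 trips the score-55 recon rule because of the parent exclusion; event 6 shows the legitimate "net localgroup administrators" check still scoring 50, which is why that post's recommended score sits at the middle of the range rather than near 100.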