Hi all, We made a few updates to Connect over the weekend. Here's the rundown: Attachments (like screen captures and log files) can now be attached to forum posts and replies to forum posts. Downloads are no longer required to have attachments. They may now link to a download hosted...
Supporting Link: Threat: Query is looking for usage of net.exe or net1.exe command to view domain admins, groups and the like to spread laterally False Positives : Nil but there could be legit admin usage Recommended Score: Number (1-100) 99 Query (example): (process name:net.exe OR process name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"") URL Query (example) : cb.urlver=1&q=((process name%3Anet.exe%20OR%20process name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0 Be sure to set the correct Category below and add Tags that are appropriate
3 Comments - no search term matches found in comments.
\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn count:[1 TO *] AND -digsig result:"Signed")) URL Query (example) : cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn count%3A%5B1%20TO%20*%5D%20AND%20-digsig result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
Recommended Score: Number (1-100) 100 Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s") URL Query (example) : cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22)) Cb Process Tree (attach CB Art here if you have it) (example) : N/A #CbResponse
5 Comments - no search term matches found in comments.
searchString=&activeType=server knowledge article&from=0&sortby=post time&orderBy=desc&pageNo=1&aggregations=%5B%7B%22type%22%3A%22 index%22%2C%22filter%22%3A%5B%22server knowledge article%22%5D%7D%2C%7B%22type%22%3A%22productname%22%2C%22filter%22%3A%5B%22CA+Client+Automation%22%5D%7D%5D&uid=d042dbba-f8c4-11ea-beba-0242ac12000b&resultsPerPage=10&exactPhrase=&withOneOrMore=&withoutTheWords=&pageSize=10&language=en&state=2&suCaseCreate=false For example if you search for Reaper Thread one example is: https://knowledge.broadcom.com/external/article?
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries: Advanced Threats Powershell executed with encoded instructions Current query: cb.urlver=1&q=(process name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os type=(os type%3A%22windows%22) Human readable: process name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand) Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe Community Powershell Downloading File From URL Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: cmdline:net.webclient\).downloadstring\(http: process name:powershell.exe Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https: ) process name:powershell.exe Powershell Executing Hidden, Encoded Commands Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process name:powershell.exe Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process name:powershell.exe Thanks to , and for helping us stay on top of attackers' latest tricks!
Advanced Threats Proxy Modifications By Shell/Script Process Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process name%3Awscript.exe%20or%20process name%3Apowershell.exe%20or%20process name%3Acmd.exe%20or%20process name%3Acscript.exe))&cb.q.os type=(os type%3A%22windows%22) Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process name:wscript.exe or process name:powershell.exe or process name:cmd.exe or process name:cscript.exe) Retefe Child Processes Query: cb.urlver=1&q=(childproc name%3Ataskkill.exe%20childproc name%3Acertutil.exe%20childproc name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: childproc name:taskkill.exe childproc name:certutil.exe childproc name:powershell.exe Community Office Test Special Perf Regmod for Persistence Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22 Human readable: regmod:"Software\Microsoft\Office test\special\perf" MSCFile Regmod for UAC bypass Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22 Human readable: regmod:"mscfile\shell\open\command" Hancitor Suspicious Process Name Query: cb.urlver=1&q=process name%3AWinHost32.exe&cb.q.os type=(os type%3A%22windows%22) Human readable: process name:WinHost32.exe Suspicious Indicators Root Cert Added by Script/Shell Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process name%3Acertutil.exe%20(parent name%3Awscript.exe%20or%20parent name%3Apowershell.exe%20or%20parent name%3Acmd.exe%20or%20parent name%3Acscript.exe))&cb.q.os type=(os type%3A%22windows%22) Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process name:certutil.exe (parent name:wscript.exe or parent name:powershell.exe or parent name:cmd.exe or parent name:cscript.exe)
False Positives : None observed Recommended Score :100 Query : (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotiy" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride") URL Query : cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotiy%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22)) #CbResponse
7 Comments - no search term matches found in comments.
\GAME\Demine-TheField.ps1" URL Query (example) : cb.urlver=1&q=cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CEYLR%5CPower-Escalate.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CEYLR%5CGet-MacAfee.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CGet-ActiveDirectoryInfo.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CScan-SPN.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CRECON%5CCreate-TGSInMemory.ps1%22%20OR%20cmdline%3A%22-ExecutionPolicy%20Bypass%20-File%20.%5CGAME%5CDemine-TheField.ps1%22 Cb Process Tree (attach CB Art here if you have it) (example) :
False Positives : Low Recommended Score: Number (1-100) 75 Query: process name:msiexec.exe cmdline:"/i" (cmdline:"http:" OR cmdline:"https:") URL Query: cb.urlver=1&q=(process name%3Amsiexec.exe%20cmdline%3A%22%2Fi%22%20(cmdline%3A%22http%3A%22%20OR%20cmdline%3A%22https%3A%22))