\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn count:[1 TO *] AND -digsig result:"Signed")) URL Query (example) : cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn count%3A%5B1%20TO%20*%5D%20AND%20-digsig result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
Recommended Score: Number (1-100) 70+ (**I have seen environments where this is "normal" behavior) Query (example): process name:wscript.exe and is executable image filewrite:"true" and netconn count:[1 to *] URL Query (example) : cb.urlver=1&q=process name%3Awscript.exe%20and%20is executable image filewrite%3A%22true%22%20and%20netconn count%3A%5B1%20to%20*%5D&sort=&rows=10&start=0 Cb Process Tree: [EDIT: On second thought, this may apply to more than just lockers, but its all I am really seeing now-days...] Be sure to set the correct Category below and add Tags that are appropriate
16 Comments - no search term matches found in comments.
Recommended Score: Number (1-100) 50 Query (example): regmod:"software\classes\htmlfile\shell\open\command" URL Query (example) : cb.urlver=1&q=process name%3Apowershell.exe%20-ipaddr%3A%5B167772160%20TO%20184549375%5D%20%20&cb.q.netconn count=%5B1%20TO%20*%5D&cb.q.ipaddr=%5B-1408237568%20TO%20-1407188993%5D&sort=&rows=10&start=0 Be sure to set the correct Category below and add Tags that are appropriate
Recommended Score: Number (1-100) 70 Query (example): "vid 0bda&pid 8152" filemod count:[7 TO *] URL Query (example) : cb.urlver=1&q=%22vid 0bda%26pid 8152%22%20filemod count%3A%5B7%20TO%20*%5D Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
3 Comments - no search term matches found in comments.
Supporting Link: Threat: Query is looking for usage of net.exe or net1.exe command to view domain admins, groups and the like to spread laterally False Positives : Nil but there could be legit admin usage Recommended Score: Number (1-100) 99 Query (example): (process name:net.exe OR process name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"") URL Query (example) : cb.urlver=1&q=((process name%3Anet.exe%20OR%20process name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0 Be sure to set the correct Category below and add Tags that are appropriate
Recommended Score: Number (1-100) 100 Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s") URL Query (example) : cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22)) Cb Process Tree (attach CB Art here if you have it) (example) : N/A #CbResponse
5 Comments - no search term matches found in comments.
Description: My attempt to detect meterpreter doing a "webcam snap" Supporting Link: None, my own work in a lab Threat: This has only been proven to detect webcam snap on Windows10 target from a meterpreter reverse tcp so far False Positives : I'm getting 0 FP in an environment of over 50k endpoints Recommended Score: Number (1-100) 100 Query (example): digsig result:"Unsigned" AND childproc name:conhost.exe AND crossproc count:[1 to *] AND modload:dciman32.dll AND modload:vidcap.ax URL Query (example) : cb.urlver=1&rows=10&facet=false&facet.field=process name&facet.field=group&facet.field=hostname&facet.field=parent name&facet.field=path full&facet.field=process md5&sort=start%20desc&cb.min last update=2017-07-31T18%3A17%3A06Z&cb.max last update=2017-08-03T18%3A17%3A06Z&cb.query source=ui&start=0&q=digsig result%3A%22Unsigned%22%20AND%20childproc name%3Aconhost.exe%20AND%20crossproc count%3A%5B1%20to%20*%5D%20AND%20modload%3Adciman32.dll%20AND%20modload%3Avidcap.ax Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
searchString=&activeType=server knowledge article&from=0&sortby=post time&orderBy=desc&pageNo=1&aggregations=%5B%7B%22type%22%3A%22 index%22%2C%22filter%22%3A%5B%22server knowledge article%22%5D%7D%2C%7B%22type%22%3A%22productname%22%2C%22filter%22%3A%5B%22CA+Client+Automation%22%5D%7D%5D&uid=d042dbba-f8c4-11ea-beba-0242ac12000b&resultsPerPage=10&exactPhrase=&withOneOrMore=&withoutTheWords=&pageSize=10&language=en&state=2&suCaseCreate=false For example if you search for Reaper Thread one example is: https://knowledge.broadcom.com/external/article?
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries: Advanced Threats Powershell executed with encoded instructions Current query: cb.urlver=1&q=(process name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os type=(os type%3A%22windows%22) Human readable: process name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand) Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe Community Powershell Downloading File From URL Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: cmdline:net.webclient\).downloadstring\(http: process name:powershell.exe Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https: ) process name:powershell.exe Powershell Executing Hidden, Encoded Commands Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process name:powershell.exe Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process name:powershell.exe Thanks to , and for helping us stay on top of attackers' latest tricks!