Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries:

Advanced Threats

Powershell executed with encoded instructions

Current query:
cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)

Updated query:
cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
(cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe

Community

Powershell Downloading File From URL

Current query:
cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
cmdline:net.webclient\).downloadstring\(http: process_name:powershell.exe

Updated query:
cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
(cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https:) process_name:powershell.exe

Powershell Executing Hidden, Encoded Commands

Current query:
cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process_name:powershell.exe

Updated query:
cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
((cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process_name:powershell.exe

Thanks to , and for helping us stay on top of attackers' latest tricks!
Advanced Threats

Proxy Modifications By Shell/Script Process
Query:
cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process_name%3Awscript.exe%20or%20process_name%3Apowershell.exe%20or%20process_name%3Acmd.exe%20or%20process_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process_name:wscript.exe or process_name:powershell.exe or process_name:cmd.exe or process_name:cscript.exe)

Retefe Child Processes
Query:
cb.urlver=1&q=(childproc_name%3Ataskkill.exe%20childproc_name%3Acertutil.exe%20childproc_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
childproc_name:taskkill.exe childproc_name:certutil.exe childproc_name:powershell.exe

Community

Office Test Special Perf Regmod for Persistence
Query:
cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22
Human readable:
regmod:"Software\Microsoft\Office test\special\perf"

MSCFile Regmod for UAC bypass
Query:
cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22
Human readable:
regmod:"mscfile\shell\open\command"

Hancitor Suspicious Process Name
Query:
cb.urlver=1&q=process_name%3AWinHost32.exe&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
process_name:WinHost32.exe

Suspicious Indicators

Root Cert Added by Script/Shell
Query:
cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process_name%3Acertutil.exe%20(parent_name%3Awscript.exe%20or%20parent_name%3Apowershell.exe%20or%20parent_name%3Acmd.exe%20or%20parent_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable:
cmdline:"-addstore" cmdline:\"ROOT\" process_name:certutil.exe (parent_name:wscript.exe or parent_name:powershell.exe or parent_name:cmd.exe or parent_name:cscript.exe)
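Every entry above pairs a human-readable query with its `cb.urlver=1&q=...` form, which is the shape a feed's query IOC carries. The Python below is an added example, not Carbon Black's code or the feed author's: it performs that conversion with `urllib` (parentheses kept literal, everything else percent-encoded, optional extra wrapping parentheses and the `os_type` filter), reverses it, and packages queries as reports in a feed document. The feed layout (`feedinfo`, `reports`, `iocs.query`, `search_query`) follows the Cb Response feed JSON format as I know it; the feed name, links, report ids and the scores in the `__main__` block are placeholders, not values from this page.

```python
import json
import time
from urllib.parse import parse_qs, quote

# Added example, not Carbon Black's code.  Converts the human-readable queries
# on this page to the "cb.urlver=1&q=..." form, reverses it, and packages
# queries as the query IOCs of a feed.  The feed layout (feedinfo / reports /
# iocs.query / search_query) follows the Cb Response feed JSON format as I
# know it; feed name, links, report ids and scores below are placeholders.

WINDOWS_FILTER = "&cb.q.os_type=(os_type%3A%22windows%22)"


def encode_search_query(query, windows_only=True, wrap=True):
    """Percent-encode a process query the way the page's URLs are written.

    Parentheses stay literal; ':' '"' '\\' ' ' and '/' become %XX escapes.
    wrap=True puts one more pair of parentheses around the whole query,
    which most entries on the page do before appending the os_type filter.
    """
    if wrap:
        query = "(" + query + ")"
    url = "cb.urlver=1&q=" + quote(query, safe="()")
    return url + WINDOWS_FILTER if windows_only else url


def decode_search_query(url):
    """Recover the human-readable query and the os_type filter from a URL."""
    params = parse_qs(url, keep_blank_values=True)
    return {"q": params.get("q", [""])[0],
            "os_type": params.get("cb.q.os_type", [""])[0]}


def make_report(report_id, title, score, query, windows_only=True, wrap=True,
                link="https://example.invalid/placeholder"):
    """One feed report carrying a single query IOC; score is the 1-100 value
    the posts on this page call 'Recommended Score'."""
    if not 1 <= score <= 100:
        raise ValueError("score must be between 1 and 100")
    return {
        "id": report_id,
        "title": title,
        "link": link,
        "score": score,
        "timestamp": int(time.time()),
        "iocs": {"query": [{
            "index_type": "events",
            "search_query": encode_search_query(query, windows_only, wrap),
        }]},
    }


def make_feed(reports, name="example_community_queries"):
    """Serialise reports into a feed document (name is a placeholder)."""
    return json.dumps({
        "feedinfo": {
            "name": name,
            "display_name": "Example community queries",
            "provider_url": "https://example.invalid/",
            "summary": "Detection queries transcribed from a community post",
            "tech_data": "Process and regmod queries; see each report",
        },
        "reports": reports,
    }, indent=2)


if __name__ == "__main__":
    # scores here are placeholders; the page assigns none to these entries
    feed = make_feed([
        make_report("hancitor-winhost32", "Hancitor Suspicious Process Name", 50,
                    "process_name:WinHost32.exe", wrap=False),
        make_report("mscfile-uac-bypass", "MSCFile Regmod for UAC bypass", 50,
                    r'regmod:"mscfile\shell\open\command"',
                    windows_only=False, wrap=False),
    ])
    print(feed)
```

Round-tripping a query through `encode_search_query` and `decode_search_query` before it goes into a feed is a cheap way to catch an escaping slip: a backslash or quote that was not encoded comes back as a different query than the one you meant to ship.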
Threat: Powershell spawning and running an encoded command
False Positives: None that I am aware of
Recommended Score (1-100): 100
Query (example):
process_name:powershell.exe AND (cmdline:-e OR cmdline:-ec OR cmdline:-en OR cmdline:-enc OR cmdline:-enco OR cmdline:-encod OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedc OR cmdline:-encodedco OR cmdline:-encodedcom OR cmdline:-encodedcomm OR cmdline:-encodedcomma OR cmdline:-encodedcomman OR cmdline:-encodedcommand) (os_type:"windows")
URL Query (example):
cb.urlver=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22)&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=&cb.min_last_update=2017-07-03T15%3A52%3A20Z&cb.max_last_update=2017-07-06T15%3A52%3A20Z&cb.query_source=ui&start=0&q=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22
#CbResponse
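The feed update at the top of this page and the post above both widen the same rule: the original query matched only `-enc` and `-encodedcommand`, while the expanded versions also match the abbreviated spellings powershell.exe accepts (`-e`, `-ec`, `-enc` and the other prefixes listed). The Python below is an added example, not Carbon Black's code or the poster's; it models the original and updated rules as predicates over process events, adds the `cmdline:hidden` conjunction of the third feed query, and decodes the base64/UTF-16LE argument for triage without crashing on a mangled one. The sample events are constructed, not real telemetry, and whitespace splitting of the command line is an assumption that holds because a base64 argument contains no spaces.

```python
import base64
import binascii

# Added example, not Carbon Black's code or the poster's.  Models the logic of
# the encoded-command queries on this page: the original feed rule matched
# only -enc and -encodedcommand, the updated rules (and the post above) also
# match the shorter spellings powershell.exe accepts (-e, -ec, -en, ...).
# SAMPLE_EVENTS are constructed, not real telemetry.

FULL_SWITCH = "encodedcommand"


def encoded_command_switch(cmdline, accepted=None):
    """Index of the first token that is an -EncodedCommand switch, else None.

    accepted=None accepts any prefix of 'encodedcommand' plus the '-ec'
    alias (the expanded rule); pass a set such as {"enc", "encodedcommand"}
    to model the narrower original rule.  Tokens are split on whitespace,
    which is enough here because the base64 argument never contains spaces.
    """
    for i, tok in enumerate(cmdline.split()):
        if not tok.startswith("-") or len(tok) < 2:
            continue
        name = tok[1:].lower()
        if accepted is not None:
            hit = name in accepted
        else:
            hit = name == "ec" or FULL_SWITCH.startswith(name)
        if hit:
            return i
    return None


def decode_encoded_command(cmdline):
    """Decode the base64/UTF-16LE argument after the switch, for triage.

    Returns None when there is no switch, no argument, or the argument is not
    valid base64 / UTF-16LE, so a mangled command line never crashes triage.
    """
    tokens = cmdline.split()
    idx = encoded_command_switch(cmdline)
    if idx is None or idx + 1 >= len(tokens):
        return None
    arg = tokens[idx + 1].strip("\"'")
    try:
        raw = base64.b64decode(arg + "=" * (-len(arg) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def is_powershell(event):
    return event["process_name"].lower() == "powershell.exe"


def original_rule(event):
    """process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)"""
    return is_powershell(event) and encoded_command_switch(
        event["cmdline"], accepted={"enc", "encodedcommand"}) is not None


def updated_rule(event):
    """powershell.exe with any accepted spelling of -EncodedCommand."""
    return is_powershell(event) and encoded_command_switch(event["cmdline"]) is not None


def hidden_encoded_rule(event):
    """The 'Hidden, Encoded Commands' query: updated_rule AND cmdline:hidden."""
    return updated_rule(event) and "hidden" in event["cmdline"].lower()


def _b64_utf16(text):
    """Build an -EncodedCommand argument; only used to construct the samples."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    # classic spelling: both rules fire
    {"process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _b64_utf16("Get-Date")},
    # abbreviated switch plus hidden window: only the updated rules see it
    {"process_name": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -e " + _b64_utf16("Get-Process")},
    # the -ec alias: missed by the original rule
    {"process_name": "powershell.exe",
     "cmdline": "powershell -ec " + _b64_utf16("Get-Service")},
    # ordinary script launch: no encoded command, no hit
    {"process_name": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # the switch text appears but the process is not powershell.exe
    {"process_name": "cmd.exe", "cmdline": "cmd.exe /c echo -enc"},
    # switch present but the argument is not base64: still a hit, decode is None
    {"process_name": "powershell.exe", "cmdline": "powershell.exe -enc %%%not-base64%%%"},
]


def triage(events):
    """Per event: which rules fired and the decoded command when there is one."""
    return [{
        "cmdline": ev["cmdline"],
        "original": original_rule(ev),
        "updated": updated_rule(ev),
        "hidden": hidden_encoded_rule(ev),
        "decoded": decode_encoded_command(ev["cmdline"]) if updated_rule(ev) else None,
    } for ev in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running the block shows the gap the expansion closes: the second and third sample events carry an encoded command but slip past the original `-enc`/`-encodedcommand` rule. Keeping the decoder tolerant matters for the same reason the rule was widened: the switch alone is the signal, and a payload that fails to decode should still surface as a hit rather than as an exception.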
Recommended Score (1-100): 80
Query:
(process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND is_executable_image_filewrite:"true" AND os_type:"windows"
URL Query:
cb.urlver=1&q=((process_name%3Awinword.exe%20OR%20process_name%3Aexcel.exe%20OR%20process_name%3Apowerpnt.exe)%20AND%20is_executable_image_filewrite%3A%22true%22%20%20)&cb.q.os_type=(os_type%3A%22windows%22)
Recommended Score (1-100): 50
Query (example):
( cmdline:bypass OR cmdline:-encodedcommand OR cmdline:-enc ) AND process_name:powershell.exe AND os_type:"windows"
URL Query (example):
cb.urlver=1&q=((%20cmdline%3Abypass%20OR%20cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc%20)%20AND%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Recommended Score (1-100): 100
Query (example):
( cmdline:IEX OR cmdline:net.webclient\).downloadstring\(http: ) AND process_name:powershell.exe AND os_type:"windows"
URL Query (example):
cb.urlver=1&q=((%20cmdline%3AIEX%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20)%20AND%20process_name%3Apowershell.exe%20)&cb.q.os_type=(os_type%3A%22windows%22)
Recommended Score (1-100): 100
Query (example):
digsig_result:Unsigned AND childproc_name:svchost.exe AND os_type:"windows"
URL Query (example):
cb.urlver=1&q=digsig_result%3AUnsigned%20AND%20childproc_name%3Asvchost.exe&cb.q.os_type=(os_type%3A%22windows%22)
Threat: Query looks for usage of the net.exe or net1.exe command to view domain admins, groups and the like in order to spread laterally
False Positives: Nil, but there could be legit admin usage
Recommended Score (1-100): 99
Query (example):
(process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example):
cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
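Before giving a query like the one above a score, it helps to see exactly which events it matches and which it lets through. The Python below is an added example, not Carbon Black's query engine: a small evaluator for the human-readable syntax used by every post on this page (`field:value` terms, quoted phrases with `\"` escapes, `AND`/`OR`, implicit AND on whitespace, parentheses), run over constructed sample events against the net.exe enumeration query above, the Office executable-filewrite query and the unsigned-parent-of-svchost query. Term matching is a case-insensitive substring test, an approximation of the real index's tokenized matching, and AND binds tighter than OR in this parser; the page's queries parenthesize explicitly, which avoids depending on either. Phrase queries are order-sensitive, so the `"group /domain \"Domain Admins\""` phrase matches only that argument order.

```python
import re
# Added example, not Carbon Black's query engine.  Evaluates the human-readable
# query syntax used on this page (field:value terms, quoted phrases with \" escapes,
# AND / OR, implicit AND on whitespace, parentheses) against process events.  Term
# matching is a case-insensitive substring test, an approximation of the real
# index's tokenized matching.  EVENTS below are constructed samples.

TOKEN_RE = re.compile(r'''
    (?P<lp>\()
  | (?P<rp>\))
  | (?P<term>[A-Za-z_]+:(?:"(?:[^"\\]|\\.)*"|(?:[^\s()"\\]|\\.)+))
  | (?P<op>AND|OR|and|or)(?![^\s()])
  | (?P<bare>"(?:[^"\\]|\\.)*"|(?:[^\s()"\\]|\\.)+)
  | (?P<ws>\s+)
''', re.VERBOSE)

def tokenize(query):
    pos, tokens = 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {query[pos:pos + 12]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def unescape(value):  # strip surrounding quotes, then \" \( \) -> the literal char
    value = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
    return re.sub(r"\\(.)", r"\1", value)

def parse(tokens):
    """or_expr := and_expr (OR and_expr)*; and_expr := unary (AND? unary)*; unary := '(' or_expr ')' | term."""
    toks, pos = tokens + [("end", None)], 0

    def take(expect=None):
        nonlocal pos
        kind, text = toks[pos]
        if kind == "end" or (expect and kind != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {text!r}")
        pos += 1
        return kind, text

    def or_expr():
        node = and_expr()
        while toks[pos] in (("op", "OR"), ("op", "or")):
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():  # whitespace between terms means AND
        node = unary()
        while True:
            kind, text = toks[pos]
            if kind == "op" and text.lower() == "and":
                take()
            elif kind not in ("lp", "term", "bare"):
                return node
            node = ("and", node, unary())

    def unary():
        kind, text = take()
        if kind == "lp":
            node = or_expr()
            take("rp")
            return node
        if kind not in ("term", "bare"):
            raise ValueError(f"unexpected {text!r}")
        field, _, value = text.partition(":") if kind == "term" else (None, "", text)
        return ("term", field, unescape(value))

    tree = or_expr()
    if toks[pos][0] != "end":
        raise ValueError(f"unexpected {toks[pos][1]!r}")
    return tree

def evaluate(node, event):
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, needle = node  # a bare term (field None) is searched in every field
    values = event.values() if field is None else [event.get(field, "")]
    flat = [x for v in values for x in (v if isinstance(v, list) else [v])]
    return any(needle.lower() in str(x).lower() for x in flat)

def run_query(query, events):  # indexes of the events the query matches
    tree = parse(tokenize(query))
    return [i for i, ev in enumerate(events) if evaluate(tree, ev)]

EVENTS = [  # constructed sample process events, not real telemetry
    {"process_name": "net.exe", "cmdline": 'net group /domain "Domain Admins"', "os_type": "windows"},
    {"process_name": "net1.exe", "cmdline": "net1 view /domain", "os_type": "windows"},
    {"process_name": "net.exe", "cmdline": r"net use Z: \\fileserver\share", "os_type": "windows"},
    {"process_name": "winword.exe", "is_executable_image_filewrite": "true", "os_type": "windows"},
    {"process_name": "setup.exe", "digsig_result": "Unsigned", "childproc_name": ["svchost.exe"], "os_type": "windows"},
]
NET_ENUM = r'''(process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"")'''
OFFICE_WRITE = '(process_name:winword.exe OR process_name:excel.exe OR process_name:powerpnt.exe) AND is_executable_image_filewrite:"true" AND os_type:"windows"'
UNSIGNED_SVCHOST = 'digsig_result:Unsigned AND childproc_name:svchost.exe AND os_type:"windows"'
```

`run_query(NET_ENUM, EVENTS)` returns the two enumeration events and leaves the plain `net use` alone, which is the kind of check that backs up a "Nil" false-positive claim with evidence. `parse` also rejects a query whose parentheses do not balance, such as the "Current query" of the hidden, encoded commands rule at the top of this page, before it ever reaches a feed.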