Supporting Link: https://threatpost.com/local-windows-admins-can-hijack-sessions-without-credentials/124427/
Threat: An attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to.
False Positives: None found
Recommended Score: 90
Query: cmdline:"PsExec" and "-s" and "-i" and "taskmgr"
URL Query: /#search/cb.urlver=1&q=%20cmdline%3A%22PsExec%22%20and%20%20%22-s%22%20and%20%22-i%22%20and%20%22taskmgr%22&sort=&rows=10&start=0
Cb Process Tree: (none attached)
#CbResponse
Recommended Score: 100
Query: cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query: cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree: N/A
#CbResponse
Supporting Link: https://www.virusbulletin.com/virusbulletin/2016/04/how-it-works-steganography-hides-malware-image-files/
Threat: Detects Gatak/Stegoloader malware and possibly related C&C traffic.
False Positives: Tested in a number of CbR instances; so far no false positives.
Recommended Score: 100
Query: process_name:rundll32.exe AND cmdline:shell32.dll,Control_RunDLL AND modload:gdiplus.dll AND netconn_count:[1 TO *]
URL Query: cb.urlver=1&q=process_name%3Arundll32.exe%20AND%20cmdline%3Ashell32.dll%2CControl_RunDLL%20AND%20modload%3Agdiplus.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D
Cb Process Tree: (none attached)
#CbResponse
False Positives: Low to none
Recommended Score: 80
Query: parent_name:wscript.exe and -alliance_score_srstrust:* and digsig_result:unsigned and alliance_score_virustotal:[7 TO *]
URL Query: cb.urlver=1&q=parent_name%3Awscript.exe%20and%20-alliance_score_srstrust%3A*%20and%20digsig_result%3Aunsigned%20and%20alliance_score_virustotal%3A%5B7%20TO%20*%5D&sort=&rows=10&start=0
Cb Process Tree: detected ransomware process chain
Description: My attempt to detect meterpreter doing a "webcam snap"
Supporting Link: None, my own work in a lab
Threat: This has only been proven to detect webcam snap on a Windows 10 target from a meterpreter reverse tcp so far.
False Positives: I'm getting 0 FP in an environment of over 50k endpoints.
Recommended Score: 100
Query: digsig_result:"Unsigned" AND childproc_name:conhost.exe AND crossproc_count:[1 to *] AND modload:dciman32.dll AND modload:vidcap.ax
URL Query: cb.urlver=1&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=start%20desc&cb.min_last_update=2017-07-31T18%3A17%3A06Z&cb.max_last_update=2017-08-03T18%3A17%3A06Z&cb.query_source=ui&start=0&q=digsig_result%3A%22Unsigned%22%20AND%20childproc_name%3Aconhost.exe%20AND%20crossproc_count%3A%5B1%20to%20*%5D%20AND%20modload%3Adciman32.dll%20AND%20modload%3Avidcap.ax
Cb Process Tree: (none attached)
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries:

Advanced Threats: Powershell executed with encoded instructions
Current query: cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)
Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe

Community: Powershell Downloading File From URL
Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:net.webclient\).downloadstring\(http: process_name:powershell.exe
Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https:) process_name:powershell.exe

Powershell Executing Hidden, Encoded Commands
Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process_name:powershell.exe
Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process_name:powershell.exe

Thanks to , and for helping us stay on top of attackers' latest tricks!
\\pipe AND cmdline:"//c echo" AND process_name:cmd.exe AND parent_name:services.exe
URL Query: cb.urlver=1&q=cmdline%3A%5C%5C%5C%5C.%5C%5Cpipe%20AND%20cmdline%3A%22%2F%2Fc%20echo%22%20AND%20process_name%3Acmd.exe%20AND%20parent_name%3Aservices.exe
Cb Process Tree: (none attached)
URL Query: cb.urlver=1&q=((process_name%3Acmd.exe%20or%20process_name%3Apowershell.exe)%20and%20(process_name%3Awinword.exe%20or%20process_name%3Aadobe.exe%20or%20process_name%3Aexcel.exe%20or%20process_name%3Apowerpnt.exe)%20and%20parent_name%3Aoutlook.exe%20and%20is_executable_image_filewrite%3A%22true%22)&sort=&rows=10&start=0
\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))
URL Query: cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D%20AND%20-digsig_result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true
Cb Process Tree: (none attached)