Recommended Score: Number (1-100): 50 Query (example): ( cmdline:"net user" and cmdline:add ) OR ( cmdline:"net localgroup users" ) OR ( cmdline:"net localgroup administrators" ) URL Query (example) : cb.urlver=1&q=((%20cmdline%3A%22net%20user%22%20and%20cmdline%3Aadd%20)%20OR%20(%20cmdline%3A%22net%20localgroup%20users%22%20)%20%20OR%20(%20cmdline%3A%22net%20localgroup%20administrators%22%20))&sort=&rows=10&start=0 Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
6 Comments - For example, this: (cmdline:"net user" OR cmdline:"net localgroup users" OR cmdline:"net localgroup administrators") AND cmdline:add Also, I wonder if using "process name:net.exe" might be a more effecient search than just looking for net on the cmdline. I guess it depends on how the data is indexed
False Positives : TBD, only implemented in a small lab at the moment Recommended Score: Number (1-100) depends on your false positives Query (example): ((cmdline:"/c echo" AND cmdline:"\\.\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn count:[1 TO *] AND -digsig result:"Signed")) URL Query (example) : cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn count%3A%5B1%20TO%20*%5D%20AND%20-digsig result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true Cb Process Tree (attach CB Art here if you have it) (example) : Be sure to set the correct Category below and add Tags that are appropriate
Cyber security team will need to know this information on which users are trying to execute those commands for possible compromise of that user account in case it was not admin user and or the user didn't actually execute from the known host. Supporting Link: Threat: Query is looking for usage of net.exe or net1.exe command to view domain admins, groups and the like to spread laterally False Positives : Nil but there could be legit admin usage Recommended Score: Number (1-100) 99 Query (example): (process name:net.exe OR process name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"") URL Query (example) : cb.urlver=1&q=((process name%3Anet.exe%20OR%20process name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0 Be sure to set the correct Category below and add Tags that are appropriate
3 Comments - no search term matches found in comments.
Hi Alessandro, The best place to look is on the Support Site at the Knowledge articles. https://support.broadcom.com/web/ecx/search?searchString=&activeType=server knowledge article&from=0&sortby=post time&orderBy=desc&pageNo=1&aggregations=%5B%7B%22type%22%3A%22 index%22%2C%22filter%22%3A%5B%22server knowledge article%22%5D%7D%2C%7B%22type%22%3A%22productname%22%2C%22filter%22%3A%5B%22CA+Client+Automation%22%5D%7D%5D&uid=d042dbba-f8c4-11ea-beba-0242ac12000b&resultsPerPage=10&exactPhrase=&withOneOrMore=&withoutTheWords=&pageSize=10&language=en&state=2&suCaseCreate=false For example if you search for Reaper Thread one example is: https://knowledge.broadcom.com/external/article?
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries: Advanced Threats Powershell executed with encoded instructions Current query: cb.urlver=1&q=(process name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os type=(os type%3A%22windows%22) Human readable: process name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand) Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe Community Powershell Downloading File From URL Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: cmdline:net.webclient\).downloadstring\(http: process name:powershell.exe Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https: ) process name:powershell.exe Powershell Executing Hidden, Encoded Commands Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process name:powershell.exe Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: (( cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process name:powershell.exe Thanks to , and for helping us stay on top of attackers' latest tricks!
Description : Finds Ramnit infections in an environment based on observed behavior. Supporting Link : Science Threat : This query identifies Ramnit by looking for the ways it creates persistence on a system as well as how it modifies system security settings. False Positives : None observed Recommended Score :100 Query : (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotiy" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride") URL Query : cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotiy%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22)) #CbResponse
7 Comments - You may have to "ignore" the original report in the feed to stop the alerts. On the "Threat Reports" page for the Community feed: Flip the "no" to a "yes" to stop it alerting entirely
Supporting Link: Fun with Windows binaries – application whitelist bypass using msiexec – Nettitude Labs Threat: MsiExec.exe is a trusted executable, and can be used to download an installer from the Internet. Depending on the policies in place on your endpoints, this method may allow for an adversary to bypass application white-listing configurations. False Positives : Low Recommended Score: Number (1-100) 75 Query: process name:msiexec.exe cmdline:"/i" (cmdline:"http:" OR cmdline:"https:") URL Query: cb.urlver=1&q=(process name%3Amsiexec.exe%20cmdline%3A%22%2Fi%22%20(cmdline%3A%22http%3A%22%20OR%20cmdline%3A%22https%3A%22))
3 Comments - It seem like this attacker made a typo. Which leads me on to thinking that, if we were to put typos into Watchlists, that is less about covering a technique, and more about a specific indicator (of the specific attacker who seems to have made a specific typo)
Recommended Score: Number (1-100) 100 Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s") URL Query (example) : cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22)) Cb Process Tree (attach CB Art here if you have it) (example) : N/A #CbResponse
5 Comments - Now that this query is included in the CbER Community feed, I did just come across one FP on usage of the Sysinternals Autoruns tool......Zero hits on our clusters. Ran a 30 day across Splunk and nothing
Description: This query detects the usage of the PowerMemory tool on an endpoint. Supporting Link: GitHub - giMini/PowerMemory: Exploit the credentials present in files and memory Threat: This query is specific to PowerMemory, and works by looking for fragments of PowerShell command lines
Advanced Threats Proxy Modifications By Shell/Script Process Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process name%3Awscript.exe%20or%20process name%3Apowershell.exe%20or%20process name%3Acmd.exe%20or%20process name%3Acscript.exe))&cb.q.os type=(os type%3A%22windows%22) Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process name:wscript.exe or process name:powershell.exe or process name:cmd.exe or process name:cscript.exe) Retefe Child Processes Query: cb.urlver=1&q=(childproc name%3Ataskkill.exe%20childproc name%3Acertutil.exe%20childproc name%3Apowershell.exe)&cb.q.os type=(os type%3A%22windows%22) Human readable: childproc name:taskkill.exe childproc name:certutil.exe childproc name:powershell.exe Community Office Test Special Perf Regmod for Persistence Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22 Human readable: regmod:"Software\Microsoft\Office test\special\perf" MSCFile Regmod for UAC bypass Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22 Human readable: regmod:"mscfile\shell\open\command" Hancitor Suspicious Process Name Query: cb.urlver=1&q=process name%3AWinHost32.exe&cb.q.os type=(os type%3A%22windows%22) Human readable: process name:WinHost32.exe Suspicious Indicators Root Cert Added by Script/Shell Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process name%3Acertutil.exe%20(parent name%3Awscript.exe%20or%20parent name%3Apowershell.exe%20or%20parent name%3Acmd.exe%20or%20parent name%3Acscript.exe))&cb.q.os type=(os type%3A%22windows%22) Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process name:certutil.exe (parent name:wscript.exe or parent name:powershell.exe or parent name:cmd.exe or parent name:cscript.exe)