Description: Watchlist looks for CLI interrogation of admin groups in an Active Directory domain (not local admin group enumeration)
Supporting Link: 1) Net group 2) Dsquery group 3) Dsget group
Threat: Administrative group enumeration within an Active Directory environment is a common reconnaissance technique used by attackers to learn which accounts should be targeted for credential theft, to assist in gaining persistent access to an environment.
False Positives: IT users may use these commands as part of administrative scripts for managing an environment.
Recommended Score: Number (1-100) 55
Query (example): (((process_name:net.exe OR (process_name:net1.exe AND -parent_name:net.exe) OR process_name:dsquery.exe OR process_name:dsget.exe) AND (cmdline:"domain admins" OR cmdline:"administrators /domain" OR cmdline:"admins" OR cmdline:"cn=administrators")))
URL Query (example): cb.urlver=1&q=(((process_name%3Anet.exe%20OR%20(process_name%3Anet1.exe%20AND%20-parent_name%3Anet.exe)%20OR%20process_name%3Adsquery.exe%20OR%20process_name%3Adsget.exe)%20AND%20(cmdline%3A%22domain%20admins%22%20OR%20cmdline%3A%22administrators%20%2Fdomain%22%20OR%20cmdline%3A%22admins%22%20OR%20cmdline%3A%22cn%3Dadministrators%22)))
The cyber security team will need to know which users are attempting to execute these commands, since this may indicate compromise of that user account if the user is not an admin user or did not actually execute the command from a known host.
Supporting Link:
Threat: The query looks for use of the net.exe or net1.exe command to view domain admins, groups and the like in preparation for lateral movement.
False Positives: None known, but there could be legitimate admin usage.
Recommended Score: Number (1-100) 99
Query (example): (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example): cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
3 Comments - The Cb Community feed currently has the query: (process_name:net.exe OR (process_name:net1.exe AND -parent_name:net.exe) OR process_name:dsquery.exe) and ((cmdline:domain or cmdline:localgroup) and (cmdline:admins or cmdline:administrators)). But I've found that to have a high number of false positives in environments where users are allowed to be local administrators of their own computers.
Description: Detecting Meterpreter "getsystem" command (exploitation of named pipes)
Supporting Link: https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537 (section 4.2)
Threat: Only detects the named pipe methods, not the secdebug option detailed in the SANS link above
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries:

Advanced Threats
Powershell executed with encoded instructions
Current query: cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)
Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe

Community
Powershell Downloading File From URL
Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:net.webclient\).downloadstring\(http: process_name:powershell.exe
Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https:) process_name:powershell.exe

Powershell Executing Hidden, Encoded Commands
Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process_name:powershell.exe
Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process_name:powershell.exe

Thanks to , and for helping us stay on top of attackers' latest tricks!
Description: This query detects the usage of the PowerMemory tool on an endpoint.
Supporting Link: GitHub - giMini/PowerMemory: Exploit the credentials present in files and memory
Threat: This query is specific to PowerMemory, and works by looking for fragments of PowerShell command lines
Recommended Score: Number (1-100) 100
Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query (example): cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree (attach CB Art here if you have it) (example): N/A
#CbResponse
5 Comments - That is probably the most accurate means of identifying what we're after
For example, if you search for Reaper Thread, one example is: https://knowledge.broadcom.com/external/article?
Advanced Threats
Proxy Modifications By Shell/Script Process
Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process_name%3Awscript.exe%20or%20process_name%3Apowershell.exe%20or%20process_name%3Acmd.exe%20or%20process_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process_name:wscript.exe or process_name:powershell.exe or process_name:cmd.exe or process_name:cscript.exe)
Retefe Child Processes
Query: cb.urlver=1&q=(childproc_name%3Ataskkill.exe%20childproc_name%3Acertutil.exe%20childproc_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: childproc_name:taskkill.exe childproc_name:certutil.exe childproc_name:powershell.exe

Community
Office Test Special Perf Regmod for Persistence
Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22
Human readable: regmod:"Software\Microsoft\Office test\special\perf"
MSCFile Regmod for UAC bypass
Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22
Human readable: regmod:"mscfile\shell\open\command"
Hancitor Suspicious Process Name
Query: cb.urlver=1&q=process_name%3AWinHost32.exe&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:WinHost32.exe

Suspicious Indicators
Root Cert Added by Script/Shell
Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process_name%3Acertutil.exe%20(parent_name%3Awscript.exe%20or%20parent_name%3Apowershell.exe%20or%20parent_name%3Acmd.exe%20or%20parent_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process_name:certutil.exe (parent_name:wscript.exe or parent_name:powershell.exe or parent_name:cmd.exe or parent_name:cscript.exe)
False Positives: None observed
Recommended Score: 100
Query: (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotify" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride")
URL Query: cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22))
#CbResponse
7 Comments - I have a certain set of computers that modify autologon daily, and have their AV and FWs off
False Positives: Low
Recommended Score: Number (1-100) 75
Query: process_name:msiexec.exe cmdline:"/i" (cmdline:"http:" OR cmdline:"https:")
URL Query: cb.urlver=1&q=(process_name%3Amsiexec.exe%20cmdline%3A%22%2Fi%22%20(cmdline%3A%22http%3A%22%20OR%20cmdline%3A%22https%3A%22))
3 Comments - Yeah, that other article referencing this seems like a weird one to me. To the best of my awareness, MSIEXEC won't accept -i or -I as a parameter, so I am thinking the actual command would have failed out