Recommended Score: 100
Query: cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query: cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree: N/A
#CbResponse
\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))
URL Query: cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D%20AND%20-digsig_result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries:

Advanced Threats

Powershell executed with encoded instructions
Current query: cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)
Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe

Community

Powershell Downloading File From URL
Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:net.webclient\).downloadstring\(http: process_name:powershell.exe
Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https:) process_name:powershell.exe

Powershell Executing Hidden, Encoded Commands
Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden)%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden) and process_name:powershell.exe)
Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden)%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (((cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process_name:powershell.exe)

Thanks to , and for helping us stay on top of attackers' latest tricks!
Advanced Threats

Proxy Modifications By Shell/Script Process
Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process_name%3Awscript.exe%20or%20process_name%3Apowershell.exe%20or%20process_name%3Acmd.exe%20or%20process_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process_name:wscript.exe or process_name:powershell.exe or process_name:cmd.exe or process_name:cscript.exe)

Retefe Child Processes
Query: cb.urlver=1&q=(childproc_name%3Ataskkill.exe%20childproc_name%3Acertutil.exe%20childproc_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: childproc_name:taskkill.exe childproc_name:certutil.exe childproc_name:powershell.exe

Community

Office Test Special Perf Regmod for Persistence
Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22
Human readable: regmod:"Software\Microsoft\Office test\special\perf"

MSCFile Regmod for UAC bypass
Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22
Human readable: regmod:"mscfile\shell\open\command"

Hancitor Suspicious Process Name
Query: cb.urlver=1&q=process_name%3AWinHost32.exe&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:WinHost32.exe

Suspicious Indicators

Root Cert Added by Script/Shell
Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process_name%3Acertutil.exe%20(parent_name%3Awscript.exe%20or%20parent_name%3Apowershell.exe%20or%20parent_name%3Acmd.exe%20or%20parent_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process_name:certutil.exe (parent_name:wscript.exe or parent_name:powershell.exe or parent_name:cmd.exe or parent_name:cscript.exe)
Recommended Score: 55
Query: (((process_name:net.exe OR (process_name:net1.exe AND -parent_name:net.exe) OR process_name:dsquery.exe OR process_name:dsget.exe) AND (cmdline:"domain admins" OR cmdline:"administrators /domain" OR cmdline:"admins" OR cmdline:"cn=administrators")))
URL Query: cb.urlver=1&q=(((process_name%3Anet.exe%20OR%20(process_name%3Anet1.exe%20AND%20-parent_name%3Anet.exe)%20OR%20process_name%3Adsquery.exe%20OR%20process_name%3Adsget.exe)%20AND%20(cmdline%3A%22domain%20admins%22%20OR%20cmdline%3A%22administrators%20%2Fdomain%22%20OR%20cmdline%3A%22admins%22%20OR%20cmdline%3A%22cn%3Dadministrators%22)))
Supporting Link: https://threatpost.com/local-windows-admins-can-hijack-sessions-without-credentials/124427/
Threat: An attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to
False Positives: None found
Recommended Score: 90
Query: cmdline:"PsExec" and "-s" and "-i" and "taskmgr"
URL Query: /#search/cb.urlver=1&q=%20cmdline%3A%22PsExec%22%20and%20%20%22-s%22%20and%20%20%22-i%22%20and%20%22taskmgr%22&sort=&rows=10&start=0
#CbResponse
False Positives: None observed
Recommended Score: 100
Query: (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotify" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride")
URL Query: cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22))
#CbResponse
Threat: Query is looking for usage of net.exe or net1.exe command to view domain admins, groups and the like to spread laterally
False Positives: Nil but there could be legit admin usage
Recommended Score: 99
Query: (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query: cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
Threat: Powershell spawning and running an encoded command
False Positives: None that I am aware of
Recommended Score: 100
Query: process_name:powershell.exe AND (cmdline:-e OR cmdline:-ec OR cmdline:-en OR cmdline:-enc OR cmdline:-enco OR cmdline:-encod OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedc OR cmdline:-encodedco OR cmdline:-encodedcom OR cmdline:-encodedcomm OR cmdline:-encodedcomma OR cmdline:-encodedcomman OR cmdline:-encodedcommand) (os_type:"windows")
URL Query: cb.urlver=1&q=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22)&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=&cb.min_last_update=2017-07-03T15%3A52%3A20Z&cb.max_last_update=2017-07-06T15%3A52%3A20Z&cb.query_source=ui&start=0
#CbResponse
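The encoded-PowerShell queries on this page (the updated "Powershell executed with encoded instructions" query earlier and the prefix-enumerating query just above) all hinge on one fact: powershell.exe accepts any abbreviation of -EncodedCommand from "-e" upward, plus the documented "-ec" alias, so a detection that matches only the literal "-EncodedCommand" misses most real command lines. The following Python is an added example and is not code from any of the community posts or from Carbon Black; it re-implements that matching logic over a few constructed process records (process_name and cmdline, the two fields the queries filter on), generalizes the switch list to every prefix PowerShell accepts, and adds the triage step an analyst performs on a hit: decoding the base64/UTF-16LE payload to see what was actually run. The sample records are constructed, not real telemetry.

```python
"""Added example (not from the Carbon Black community posts on this page):
the matching logic behind the encoded-PowerShell queries, re-implemented in
Python over constructed process records, with a triage helper that decodes
the -EncodedCommand payload (base64 of UTF-16LE text)."""
import base64

# powershell.exe accepts any prefix of -EncodedCommand from "-e" upward, plus
# the documented "-ec" alias. This is why the Cb queries enumerate -e, -ec,
# -en, -enc, ... -encodedcommand: one literal would miss the other spellings.
_FULL = "-encodedcommand"
ENCODED_SWITCHES = {_FULL[:n] for n in range(2, len(_FULL) + 1)} | {"-ec"}

# Constructed records in the shape the queries filter on; not real telemetry.
_ENCODED_HELLO = base64.b64encode(
    "Write-Output 'hello from encoded'".encode("utf-16le")).decode("ascii")
SAMPLE_PROCESSES = [
    {"process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED_HELLO},
    {"process_name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"process_name": "cmd.exe", "cmdline": "cmd.exe /c echo -enc"},
    {"process_name": "powershell.exe", "cmdline": "powershell.exe -e"},
]


def _tokens(cmdline):
    # Whitespace split is enough for these samples; a production matcher would
    # need Windows quoting rules (CommandLineToArgvW semantics).
    return cmdline.split()


def encoded_switch(cmdline):
    """Return the -EncodedCommand spelling found on the command line, or None."""
    for tok in _tokens(cmdline):
        if tok.lower() in ENCODED_SWITCHES:
            return tok
    return None


def decode_payload(cmdline):
    """Decode the argument that follows the encoded switch for analyst triage.
    Returns None when the argument is missing or is not base64 of UTF-16LE."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        if tok.lower() in ENCODED_SWITCHES:
            if i + 1 >= len(toks):
                return None
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def match_encoded_powershell(proc):
    """Mirror of the query: process_name is powershell.exe AND the cmdline
    carries some spelling of -EncodedCommand. Returns triage details for a
    hit, or None when the record does not match."""
    if proc["process_name"].lower() != "powershell.exe":
        return None
    switch = encoded_switch(proc["cmdline"])
    if switch is None:
        return None
    lowered = {t.lower() for t in _tokens(proc["cmdline"])}
    return {
        "switch": switch,
        # cmdline:hidden, as in the "Hidden, Encoded Commands" query
        "hidden": "hidden" in lowered,
        "decoded": decode_payload(proc["cmdline"]),
    }


def scan(processes):
    """Return (cmdline, details) for every record the query would surface."""
    hits = []
    for proc in processes:
        details = match_encoded_powershell(proc)
        if details is not None:
            hits.append((proc["cmdline"], details))
    return hits


if __name__ == "__main__":
    for cmdline, details in scan(SAMPLE_PROCESSES):
        print(cmdline)
        print("   switch=%s hidden=%s decoded=%r"
              % (details["switch"], details["hidden"], details["decoded"]))
```

Run stand-alone it reports two of the four constructed records: the hidden-window -Enc launch, with its payload decoded, and the bare "powershell.exe -e" with no decodable payload; the -ExecutionPolicy launch and the cmd.exe record that merely echoes "-enc" are not hits, which is the same split the process_name filter in the Cb query enforces. Matching here is on whole, case-folded whitespace tokens; how Cb Response's own tokenizer treats a leading hyphen in cmdline:-e is outside what this example can show, so validate the query against your own data before relying on the score.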
Description: My attempt to detect meterpreter doing a "webcam snap"
Supporting Link: None, my own work in a lab
Threat: This has only been proven to detect webcam snap on Windows10 target from a meterpreter reverse tcp so far
False Positives: I'm getting 0 FP in an environment of over 50k endpoints
Recommended Score: 100
Query: digsig_result:"Unsigned" AND childproc_name:conhost.exe AND crossproc_count:[1 TO *] AND modload:dciman32.dll AND modload:vidcap.ax
URL Query: cb.urlver=1&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=start%20desc&cb.min_last_update=2017-07-31T18%3A17%3A06Z&cb.max_last_update=2017-08-03T18%3A17%3A06Z&cb.query_source=ui&start=0&q=digsig_result%3A%22Unsigned%22%20AND%20childproc_name%3Aconhost.exe%20AND%20crossproc_count%3A%5B1%20TO%20*%5D%20AND%20modload%3Adciman32.dll%20AND%20modload%3Avidcap.ax