Supporting Link: N/A
Threat: NetworkSpreader worm's lateral movement.
False Positives: No known false positives.
Recommended Score: 100
Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query (example): cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree (example): N/A
#CbResponse
5 Comments
Description: Detecting Meterpreter "getsystem" command (exploitation of named pipes)
Supporting Link: https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537 section 4.2
Threat: Only detects the named-pipe methods, not the secdebug option detailed in the SANS link above.
False Positives: TBD, only implemented in a small lab at the moment
Recommended Score: depends on your false positives
Query (example): ((cmdline:"/c echo" AND cmdline:"\\.\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))
URL Query (example): cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D%20AND%20-digsig_result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true
Cb Process Tree (example):
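The getsystem query above is an OR of two independent indicators: a cmd.exe `/c echo ... > \\.\pipe\...` command line (the named-pipe impersonation technique) and an unsigned process with network activity that drops a DLL under `%LOCALAPPDATA%\Temp`. The block below is an added example, not code from the original post: it re-implements that boolean logic in Python over a handful of constructed process events, so you can see which clause fires for which event before tuning the query. The event dicts use the Cb Response field names the query uses (cmdline, filemod, netconn_count, digsig_result); the matching is an approximation (case-insensitive regex and glob), not Cb's tokenized search.

```python
"""Evaluate the two clauses of the getsystem detection over constructed events."""
import fnmatch
import re

# Clause 1 of the query: cmdline:"/c echo" AND cmdline:"\\.\pipe\"
# getsystem's named-pipe impersonation spawns: cmd.exe /c echo <token> > \\.\pipe\<token>
PIPE_ECHO = re.compile(r"/c\s+echo\b.*\\\\\.\\pipe\\", re.IGNORECASE)

# Clause 2: filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"
TEMP_DLL_GLOB = r"*\appdata\local\temp\*.dll"


def named_pipe_clause(event):
    """True when cmd.exe /c echo redirects into a named pipe."""
    return bool(PIPE_ECHO.search(event.get("cmdline", "")))


def temp_dll_clause(event):
    """True when an unsigned process with network activity wrote a DLL under the user's Temp folder."""
    wrote_temp_dll = any(
        fnmatch.fnmatchcase(path.lower(), TEMP_DLL_GLOB) for path in event.get("filemod", [])
    )
    return (
        wrote_temp_dll
        and event.get("netconn_count", 0) >= 1
        and event.get("digsig_result") != "Signed"  # -digsig_result:"Signed"
    )


def getsystem_hit(event):
    """The full query: either clause is enough to alert."""
    return named_pipe_clause(event) or temp_dll_clause(event)


# Constructed sample events (not real telemetry); field names mirror the Cb query.
SAMPLE_EVENTS = {
    "pipe_impersonation": {
        "cmdline": r"cmd.exe /c echo 6bO1Rz > \\.\pipe\6bO1Rz",
        "filemod": [], "netconn_count": 0, "digsig_result": "Signed",
    },
    "benign_echo": {
        "cmdline": r"cmd.exe /c echo done > C:\temp\build.log",
        "filemod": [], "netconn_count": 0, "digsig_result": "Signed",
    },
    "unsigned_temp_dll": {
        "cmdline": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
        "filemod": [r"C:\Users\bob\AppData\Local\Temp\rvx.dll"],
        "netconn_count": 3, "digsig_result": "Unsigned",
    },
    "signed_installer": {
        "cmdline": r"C:\Users\bob\AppData\Local\Temp\setup.exe /quiet",
        "filemod": [r"C:\Users\bob\AppData\Local\Temp\helper.dll"],
        "netconn_count": 2, "digsig_result": "Signed",
    },
    "offline_dropper": {
        "cmdline": r"C:\Users\bob\AppData\Local\Temp\x.exe",
        "filemod": [r"C:\Users\bob\AppData\Local\Temp\y.dll"],
        "netconn_count": 0, "digsig_result": "Unsigned",
    },
}


def matching_events(events=SAMPLE_EVENTS):
    """Names of the events the query would surface, in input order."""
    return [name for name, ev in events.items() if getsystem_hit(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:20s} pipe={named_pipe_clause(ev)!s:5} "
              f"tempdll={temp_dll_clause(ev)!s:5} hit={getsystem_hit(ev)}")
```

Running it surfaces only `pipe_impersonation` and `unsigned_temp_dll`; the signed installer is excluded by the `-digsig_result:"Signed"` term and the offline dropper by `netconn_count:[1 TO *]`, which is why the second clause is less noisy than "any DLL written to Temp" would be.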
For example, if you search for Reaper Thread, one example is: https://knowledge.broadcom.com/external/article?
PowerMemory attempts to recover credentials from memory.
False Positives: No false positives observed - this query is pretty specific
Depending on the policies in place on your endpoints, this method may allow an adversary to bypass application white-listing configurations.
False Positives: Low
Recommended Score: 75
Query: process_name:msiexec.exe cmdline:"/i" (cmdline:"http:" OR cmdline:"https:")
URL Query: cb.urlver=1&q=(process_name%3Amsiexec.exe%20cmdline%3A%22%2Fi%22%20(cmdline%3A%22http%3A%22%20OR%20cmdline%3A%22https%3A%22))
3 Comments - Or alternatively, just alert on any occurrence of "http" in the command line, although I haven't investigated what knock-on effects or false positives there might be with that
Supporting Link:
Threat: Query is looking for usage of the net.exe or net1.exe command to view domain admins, groups and the like in order to spread laterally
False Positives: Nil, but there could be legitimate admin usage
Recommended Score: 99
Query (example): (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example): cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
3 Comments - The Cb Community feed currently has the query: (process_name:net.exe OR (process_name:net1.exe AND -parent_name:net.exe) OR process_name:dsquery.exe) and ((cmdline:domain or cmdline:localgroup) and (cmdline:admins or cmdline:administrators)) But I've found that to have a high number of false positives in environments where users are allowed to be local administrators of their own computers
Supporting Link: Science
Threat: This query identifies Ramnit by looking for the ways it creates persistence on a system as well as how it modifies system security settings.
False Positives: None observed
Recommended Score: 100
Query: (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotify" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride")
URL Query: cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22))
#CbResponse
7 Comments - I'm getting false positives on this one!...I've now marked this as "False Positive" in CBER - hopefully it will stop with the alerts
addition to this one, as the previous was a very simple one and there are false positives if you simply type a command.
False Positives: None found.
Recommended Score: 100
Query (example): process_name:cmd.exe (cmdline:"bitsadmin /cancel" OR cmdline:"bitsadmin /complete" OR cmdline:"bitsadmin /resume") childproc_name:regsvr32.exe
URL Query (example): cb.urlver=1&q=process_name%3Acmd.exe%20(cmdline%3A%22bitsadmin%20%2Fcancel%22%20OR%20cmdline%3A%22bitsadmin%20%2Fcomplete%22%20OR%20cmdline%3A%22bitsadmin%20%2Fresume%22)%20childproc_name%3Aregsvr32.exe&rows=10&start=0&sort=
Cb Process Tree:
Category: Advanced Threats (High-confidence threat indicators that are suitable for generating alerts)
14 Comments - Has anyone seen False Positives with Dell's SupportAssist / PC Doctor?...For example: observed_filename:svchost.exe -internal_name:svchost.exe. This typically only yields a false positive when the binary is Malwarebytes' mbam-chameleon.exe
Not sure if this is a threat in the wild, but use it to track Blue Team and classroom activities where these methods are used.
False Positives: Fairly high hit rate for internal activities, but does not occur with great frequency
6 Comments
Threat: PowerShell spawning and running an encoded command
False Positives: None that I am aware of
Recommended Score: 100
Query (example): process_name:powershell.exe AND (cmdline:-e OR cmdline:-ec OR cmdline:-en OR cmdline:-enc OR cmdline:-enco OR cmdline:-encod OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedc OR cmdline:-encodedco OR cmdline:-encodedcom OR cmdline:-encodedcomm OR cmdline:-encodedcomma OR cmdline:-encodedcomman OR cmdline:-encodedcommand) (os_type:"windows")
URL Query (example): cb.urlver=1&q=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22)&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=&cb.min_last_update=2017-07-03T15%3A52%3A20Z&cb.max_last_update=2017-07-06T15%3A52%3A20Z&cb.query_source=ui&start=0
#CbResponse
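The query above has to enumerate fifteen spellings because PowerShell accepts any unambiguous abbreviation of -EncodedCommand, and the hit alone does not tell the analyst what ran: the argument is base64 over UTF-16LE text, not plain base64. The block below is an added example, not code from the original post: it finds the same family of switches in a command line, decodes the payload, and returns None when the argument is not a well-formed PowerShell payload instead of raising. It also accepts "/" as the switch prefix, which powershell.exe takes and the dash-only query does not cover. The command lines are constructed samples, not captured telemetry.

```python
"""Triage helper for PowerShell encoded-command alerts."""
import base64

# The query lists every prefix of "encodedcommand" plus "ec"; PowerShell accepts
# those unambiguous abbreviations, so an attacker can pick any of them.
ENCODED_FLAGS = {"ec"} | {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}


def find_encoded_command(cmdline):
    """Return (switch, payload) for the first encoded-command switch, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):  # the payload must follow the switch
        # powershell.exe accepts both "-" and "/" as the switch prefix
        if tok[:1] in ("-", "/") and tok[1:].lower() in ENCODED_FLAGS:
            return tok, tokens[i + 1]
    return None


def decode_encoded_command(payload):
    """Base64-decode then UTF-16LE-decode a PowerShell payload; None if it is not one."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return raw.decode("utf-16-le")  # odd byte counts raise UnicodeDecodeError
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def triage(cmdline):
    """What an analyst wants next to the alert: the switch used and the clear-text script."""
    found = find_encoded_command(cmdline)
    if found is None:
        return {"encoded": False}
    switch, payload = found
    return {"encoded": True, "switch": switch, "script": decode_encoded_command(payload)}


# Constructed samples.  "ZABpAHIA" is base64(UTF-16LE("dir")).
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -W Hidden -enc ZABpAHIA",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand "
    + base64.b64encode("Get-Process | Out-Null".encode("utf-16-le")).decode(),
    "powershell.exe -e not_base64!!",  # switch present, payload does not decode
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

A payload that decodes to readable PowerShell confirms the alert; a switch whose argument does not decode (the last sample) is still worth a look, since the query fires on the switch, not on the payload.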