aw350m33d / PHD2021

Materials for speaking at Positive Hack Days 2021

PHD 2021 Threat hunting with Jupyter and Sigma notes

My GitHub repos:

Install via PIP from GitHub:

  pip3 install -e 'git+https://github.com/aw350m33d/msticpy.git@mpsiem_data_provider#egg=msticpy[all]'

Hands-on lab:

Pull and run the Docker container from Docker Hub:

  docker pull aw350m3/threat_research
  docker run -it --name pt_hunter \
    -p 127.0.0.1:8080:8080 -p 8888:8888 \
    -v "$HOME/.config:/home/coder/.config" \
    -v "$PWD:/home/coder/project" \
    -u "$(id -u):$(id -g)" \
    -e "DOCKER_USER=$USER" \
    -e PASSWORD=PHD2021 \
    aw350m3/threat_research

Build the container yourself if you can't pull it from Docker Hub. Download the Dockerfile:

https://raw.githubusercontent.com/aw350m33d/PHD2021/main/Dockerfile

Then build the image from the directory that contains it (note the local tag differs from the Docker Hub one, so use phd_threat_research in place of aw350m3/threat_research in the run command above):

  docker build -t phd_threat_research .

Sigma rule template (placeholders in angle brackets; tags use Sigma's attack.* namespace, lowercase with underscores, so that the rule passes tag validation):

  title: <TITLE>
  id: <UUID>                  # generate a fresh UUID for every rule
  description: <DESCRIPTION>
  status: experimental
  date: 2021/05/21
  author: <AUTHOR>
  tags:                       # ATT&CK tactic and technique
      - attack.defense_evasion
      - attack.t1055.012
  references:
      - <REFERENCE>
  logsource:
      product: windows
      service: sysmon
  detection:
      <NAME>:                 # a named selection, referenced from condition
          EventID:
              - <ID>
      condition: <CONDITION>  # e.g. selection, or selection and not filter
  falsepositives:
      - <FPs>
  level: <low, medium, high>

References

Process Tampering:

Suspicious UA:

User agents (substring patterns; `*` matches any run of characters):

//    certreq
'Mozilla/4.0 (compatible; Win32; NDES client*'

//    powershell Invoke-WebRequest
'Mozilla/*WindowsPowerShell/'

//    certutil.exe
'Microsoft-CryptoAPI/*'
OR
'CertUtil URL Agent'

//    regsvr32.exe
'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E*'

//    msiexec.exe
'Windows Installer'

Process Tampering whitelist (Image field; `*` matches any run of characters, including a version directory):

C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files\Mozilla Firefox\pingsender.exe

C:\Program Files\Git\cmd\git.exe
C:\Program Files\Git\mingw64\bin\git.exe
C:\Program Files\Git\mingw64\libexec\git-core\git.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
C:\Program Files (x86)\Microsoft\Edge\Application\*\BHO\ie_to_edge_stub.exe
C:\Program Files (x86)\Microsoft\Edge\Application\*\identity_helper.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\*\MicrosoftEdge_X64_*

// SYSTEM activity
unknown process

C:\Program Files\Microsoft VS Code\Code.exe
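The Sigma template, the user-agent list and the Process Tampering whitelist above, put to work in one added example (my code, not the repo's): it fills the template into two rules and runs a minimal Sigma-style matcher over constructed events. Assumptions not on the page: the user-agent rule uses Sigma's `proxy` logsource with its `c-useragent` field and the `contains` modifier (the patterns are substrings with `*` wildcards); the tampering rule selects Sysmon Event ID 25 (Process Tampering) and applies the whitelist as a `filter`; rule ids are uuid5 placeholders and every sample event is constructed.

```python
"""Fill the page's Sigma template into two hunting rules and run them over
constructed events. Added example, not code from the PHD2021 repository."""
import fnmatch
import uuid

# Patterns copied from the page. Sigma wildcards: '*' = any run, '?' = one character.
LOLBIN_USER_AGENTS = [
    "Mozilla/4.0 (compatible; Win32; NDES client*",  # certreq
    "Mozilla/*WindowsPowerShell/",                   # powershell Invoke-WebRequest
    "Microsoft-CryptoAPI/*",                         # certutil.exe
    "CertUtil URL Agent",                            # certutil.exe
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; "
    "Trident/7.0; .NET4.0C; .NET4.0E*",              # regsvr32.exe
    "Windows Installer",                             # msiexec.exe
]
PROCESS_TAMPERING_WHITELIST = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\updater.exe",
    r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe",
    r"C:\Program Files\Mozilla Firefox\pingsender.exe",
    r"C:\Program Files\Git\cmd\git.exe",
    r"C:\Program Files\Git\mingw64\bin\git.exe",
    r"C:\Program Files\Git\mingw64\libexec\git-core\git.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\*\BHO\ie_to_edge_stub.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\*\identity_helper.exe",
    r"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\*\MicrosoftEdge_X64_*",
    r"C:\Program Files\Microsoft VS Code\Code.exe",
]

def _match_value(pattern, value, contains):
    """Sigma string match: case-insensitive and wildcard-aware; |contains wraps in '*'."""
    if not isinstance(value, str):
        return pattern == value  # numeric fields such as EventID
    if contains:
        pattern = f"*{pattern}*"
    return fnmatch.fnmatchcase(value.lower(), str(pattern).lower())

def _map_matches(selection, event):
    """A Sigma map: every key must match (AND); a list of values is OR."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        values = wanted if isinstance(wanted, list) else [wanted]
        if field not in event or not any(
            _match_value(p, event[field], modifier == "contains") for p in values
        ):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the two condition forms used on this page."""
    det = rule["detection"]
    if det["condition"] == "selection":
        return _map_matches(det["selection"], event)
    if det["condition"] == "selection and not filter":
        return _map_matches(det["selection"], event) and not _map_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {det['condition']}")

def make_rule(title, logsource, detection, tags, level="medium", description="<DESCRIPTION>"):
    """Fill the page's template; id is derived from the title, author/date stay placeholders."""
    return {"title": title, "id": str(uuid.uuid5(uuid.NAMESPACE_URL, title)),
            "description": description, "status": "experimental", "date": "2021/05/21",
            "author": "<AUTHOR>", "tags": tags, "references": [], "logsource": logsource,
            "detection": detection, "falsepositives": ["<FPs>"], "level": level}

def hunt(rule, events):
    """Return the events a rule fires on, in input order."""
    return [e for e in events if evaluate(rule, e)]

# Rule 1: proxy logs; Sigma's proxy taxonomy names the user-agent field c-useragent (assumed).
SUSP_UA_RULE = make_rule(
    "Suspicious Windows LOLBin User Agent", {"category": "proxy"},
    {"selection": {"c-useragent|contains": LOLBIN_USER_AGENTS}, "condition": "selection"},
    ["attack.command_and_control"])
# Rule 2: Sysmon Event ID 25 (Process Tampering) with the whitelist applied as a filter.
PROCESS_TAMPERING_RULE = make_rule(
    "Process Tampering by Non-Whitelisted Image", {"product": "windows", "service": "sysmon"},
    {"selection": {"EventID": 25}, "filter": {"Image": PROCESS_TAMPERING_WHITELIST},
     "condition": "selection and not filter"},
    ["attack.defense_evasion", "attack.t1055.012"], level="high")

# Constructed sample events, not real telemetry.
SAMPLE_PROXY = [
    {"c-useragent": "Microsoft-CryptoAPI/10.0"},
    {"c-useragent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.906"},
    {"c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"},
]
SAMPLE_SYSMON = [
    {"EventID": 25, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 25, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.56\identity_helper.exe"},
    {"EventID": 25, "Image": r"C:\Users\Public\unknown.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\unknown.exe"},  # not a tampering event
]

if __name__ == "__main__":
    for rule, events in ((SUSP_UA_RULE, SAMPLE_PROXY), (PROCESS_TAMPERING_RULE, SAMPLE_SYSMON)):
        for hit in hunt(rule, events):
            print(f"[{rule['title']}] {hit}")
```

Run it directly to print the two user-agent hits and the one non-whitelisted tampering event; inside the notebook the same `hunt()` can be pointed at a DataFrame via `df.to_dict("records")`. The whitelist is evaluated with the same wildcard semantics as the rule itself, so the version-directory entries for Edge match without listing every build.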
