A few days back Red Canary dropped a blog post titled "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak" that highlighted 10 detection opportunities for stopping the most recent Bazar/Ryuk ransomware infections. Below are the 10 SentinelOne Deep Visibility queries I've come up with for detecting the techniques.

1. Process hollowing of cmd.exe

T1055.012 Hollowing of cmd.exe

SrcProcParentName = "cmd.exe" AND SrcProcName In Anycase ("svchost.exe","explorer.exe","nltest.exe","net.exe") AND DstPort In ("443","53")

2. Enumerating domain trust activity with nltest.exe

T1482 Domain Trust Discovery

#!/usr/bin/env python
# Quick and dirty demonstration of CVE-2014-0160 by
# Jared Stafford (jspenguin@jspenguin.org)
# Modified so that it finds cookies
import sys
import struct
import socket
import time
import select
@takeshixx
takeshixx / hb-test.py
Last active July 4, 2024 03:29
OpenSSL heartbeat PoC with STARTTLS support.
#!/usr/bin/env python2
"""
Author: takeshix <takeshix@adversec.com>
PoC code for CVE-2014-0160. Original PoC by Jared Stafford (jspenguin@jspenguin.org).
Supports all versions of TLS and has STARTTLS support for SMTP, POP3, IMAP, FTP and XMPP.
"""
import sys,struct,socket
from argparse import ArgumentParser
@archon810
archon810 / BuildConfig.java
Last active September 28, 2022 15:17
Fake Virus Shield AV
package com.deviant.security.shield;
public final class BuildConfig {
public static final String BUILD_TYPE = "debug";
public static final boolean DEBUG;
public static final String FLAVOR = "";
public static final String PACKAGE_NAME = "com.deviant.security.shield";
public static final int VERSION_CODE = 4;
public static final String VERSION_NAME = "2.2";