| { | |
| "rule": { | |
| "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", | |
| "name": "HackTool - CACTUSTORCH Remote Thread Creation", | |
| "description": "Detects remote thread creation from CACTUSTORCH as described in references.", | |
| "logic": "{\n \"selection\": {\n \"SourceImage|endswith\": [\n \"\\\\System32\\\\cscript.exe\",\n \"\\\\System32\\\\wscript.exe\",\n \"\\\\System32\\\\mshta.exe\",\n \"\\\\winword.exe\",\n \"\\\\excel.exe\"\n ],\n \"TargetImage|contains\": \"\\\\SysWOW64\\\\\",\n \"StartModule\": null\n },\n \"condition\": \"selection\"\n}", | |
| "risk_score": 0, | |
| "severity": "high", | |
| "meta": { | |
| "_type": "sigma:hq", |
| { | |
| "rule": { | |
| "id": "01d29b48-ff6f-11eb-b81e-acde48001123", | |
| "name": "7zip CommandLine To SMB Share Path", | |
| "description": "The following analytic detects the execution of 7z or 7za processes with command lines pointing to SMB network shares. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks.", | |
| "logic": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.process_name = \"7zr.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_ |
| { | |
| "rule": { | |
| "id": "5d676480-9655-4507-adc6-4eec311efff8", | |
| "name": "Unsigned DLL loaded by DNS Service", | |
| "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll\r\nfunctionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.\r\n", | |
| "logic": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\r\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\r\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and\r\n not ?dll.code_signature.trusted == true and\r\n not file.code_signature.status == \"Valid\"\r\n", | |
| "severity": "medium", | |
| "risk_score": 47, | |
| "meta": { | |
| "_type": "eql", |
| // Website you intended to retrieve for users. | |
| const upstream = 'api.openai.com' | |
| // Custom pathname for the upstream website. | |
| const upstream_path = '/' | |
| // Website you intended to retrieve for users using mobile devices. | |
| const upstream_mobile = upstream | |
| // Countries and regions where you wish to suspend your service. |
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |
Download hMailServer from here: http://www.hmailserver.com/index.php?page=background_download_file&downloadid=207.
