To the "do it all" IT folks or new #SOC analysts that need a little help - a thread for you.

Cheat sheets and example queries for Endgame, CS Falcon, ATP, and CbR using a recent incident as the starting point.

cc: thanks to @AshwinRamesh94 for the query work
Yesterday we stopped a #ransomware attack at a customer where initial entry was a remote admin connection from a 3p IT provider

- Attacker had admin
- Connected to host via ConnectWise (RDP)
- Opened CMD shell to open PS download cradle to deploy SODINOKIBI from hastebin[d]com
The attacker ransomed 1 host - but by removing access 6 min after the attack started - stopped it from becoming a much bigger issue.

Let& #39;s walk through a question or two we asked along the way using different EDR tech....
First up: @EndgameInc

Let& #39;s look at process events where the args contain our delivery domain and evil PS:

Process argument events:
process where command_line ==”* http://hastebin.com"> http://hastebin.com *” or command_line == “*Invoke-CVUYDBVIUPNEXMR*”

Cheat sheet below.
Let& #39;s also ask: How often does CMD / PS spawn from ScreenConnect.ClientService.exe? The remote admin tool.

Here& #39;s the EQL search:

process where child of [process where process_name == "ScreenConnect.ClientService.exe"] on active endpoints

It wasn& #39;t common. Detection?
How about CrowdStrike Falcon...

Let& #39;s use their event search here:

CommandLine=”* http://hastebin.com"> http://hastebin.com *” OR CommandLine=”*Invoke-CVUYDBVIUPNEXMR*” OR FileName=*ge4545*

Note the use of the *wildcard operator to search for the encrypted file extension
Or maybe you& #39;re running MS Defender ATP.

DeviceProcessEvents
| where FileName in~(“cmd.exe”, “powershell.exe”)
| where ProcessCommandLine has “ http://hastebin.com"> http://hastebin.com ”
or ProcessCommandLine has “Invoke-CVUYDBVIUPNEXMR”

I couldn& #39;t include the full query, shared below
Or if your EDR wasn& #39;t mentioned above, practice searching for these IOCs:

Delivery domain https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> netconn to http://hastebin.com"> http://hastebin.com 
Evil PS https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> Invoke-CVUYDBVIUPNEXMR
Encrypted file extension https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> ge4545
Now try searching for activity more broadly:

How often do you see PowerShell download / execute a file from a remote resource?

Endgame:

sequence [process where command_line == "*iex*" and process_name in ("powershell.exe", "powershell_ise.exe")] [network where true]
CrowdStrike Falcon:

FileName="powershell.exe" AND CommandLine="* iex *"
(the spaces in between iex is important to remove fp wildcard matching)
Once you have the ContextProcessID_decimal value, use that in this query to determine outbound network connections:

(ContextProcessId_decimal=<enter_value> OR TargetProcessId_decimal=<enter_value>) AND NetworkConnectCount_decimal >=1
Windows Defender ATP:
union DeviceProcessEvents, DeviceNetworkEvents
| where ProcessCommandLine has “iex”
or ProcessCommandLine has “invoke-expression”
| where FileName in~(“powershell.exe”, “powershell_ise.exe”)
| where isnotempty(RemoteUrl)
Carbon Black:
cmdline:”iex” AND (process_name:powershell.exe OR process_name:powershell_ise.exe) AND netconn_count:[1 TO *]

Before, "well actually" enters the chat. Good to include processes loading http://system.management"> http://system.management .automation

modload: http://system.management"> http://system.management .automation*
The above were basic queries to help you learn the tools.

Think about the questions you want to ask and practice asking them using EDR.

Don& #39;t forget to learn about host containment. Learn how it works, how to use it.

It could be a thing that ends up saving your org.
Or try this....

1. Open PS
2. wmic /node:localhost process call create “cmd.exe /c notepad”
3. winrs:localhost “cmd.exe /c calc”
4. Interrogate your SIEM and EDR
5. Practice containment
6. Do it again
7. Talk about what this mean as a team
You can follow @jhencinski.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: