To the "do it all" IT folks or new #SOC analysts that need a little help - a thread for you.

Cheat sheets and example queries for Endgame, CS Falcon, ATP, and CbR using a recent incident as the starting point.

cc: thanks to @AshwinRamesh94 for the query work
Yesterday we stopped a #ransomware attack at a customer where initial entry was a remote admin connection from a 3p IT provider

- Attacker had admin
- Connected to host via ConnectWise (RDP)
- Opened CMD shell to open PS download cradle to deploy SODINOKIBI from hastebin[d]com
The attacker ransomed 1 host - but by removing access 6 min after the attack started - stopped it from becoming a much bigger issue.

Let& #39;s walk through a question or two we asked along the way using different EDR tech....
First up: @EndgameInc

Let& #39;s look at process events where the args contain our delivery domain and evil PS:

Process argument events:
process where command_line ==”* http://hastebin.com"> http://hastebin.com *” or command_line == “*Invoke-CVUYDBVIUPNEXMR*”

Cheat sheet below.
First up: @EndgameInc Let& #39;s look at process events where the args contain our delivery domain and evil PS:Process argument events:process where command_line ==”* http://hastebin.com *” or command_line == “*Invoke-CVUYDBVIUPNEXMR*”Cheat sheet below.
First up: @EndgameInc Let& #39;s look at process events where the args contain our delivery domain and evil PS:Process argument events:process where command_line ==”* http://hastebin.com *” or command_line == “*Invoke-CVUYDBVIUPNEXMR*”Cheat sheet below.
Let& #39;s also ask: How often does CMD / PS spawn from ScreenConnect.ClientService.exe? The remote admin tool.

Here& #39;s the EQL search:

process where child of [process where process_name == "ScreenConnect.ClientService.exe"] on active endpoints

It wasn& #39;t common. Detection?
How about CrowdStrike Falcon...

Let& #39;s use their event search here:

CommandLine=”* http://hastebin.com"> http://hastebin.com *” OR CommandLine=”*Invoke-CVUYDBVIUPNEXMR*” OR FileName=*ge4545*

Note the use of the *wildcard operator to search for the encrypted file extension
Or maybe you& #39;re running MS Defender ATP.

DeviceProcessEvents
| where FileName in~(“cmd.exe”, “powershell.exe”)
| where ProcessCommandLine has “ http://hastebin.com"> http://hastebin.com ”
or ProcessCommandLine has “Invoke-CVUYDBVIUPNEXMR”

I couldn& #39;t include the full query, shared below
Or if your EDR wasn& #39;t mentioned above, practice searching for these IOCs:

Delivery domain https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> netconn to http://hastebin.com"> http://hastebin.com 
Evil PS https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> Invoke-CVUYDBVIUPNEXMR
Encrypted file extension https://abs.twimg.com/emoji/v2/... draggable="false" alt="➡️" title="Pfeil nach rechts" aria-label="Emoji: Pfeil nach rechts"> ge4545
Now try searching for activity more broadly:

How often do you see PowerShell download / execute a file from a remote resource?

Endgame:

sequence [process where command_line == "*iex*" and process_name in ("powershell.exe", "powershell_ise.exe")] [network where true]
CrowdStrike Falcon:

FileName="powershell.exe" AND CommandLine="* iex *"
(the spaces in between iex is important to remove fp wildcard matching)
Once you have the ContextProcessID_decimal value, use that in this query to determine outbound network connections:

(ContextProcessId_decimal=<enter_value> OR TargetProcessId_decimal=<enter_value>) AND NetworkConnectCount_decimal >=1
Windows Defender ATP:
union DeviceProcessEvents, DeviceNetworkEvents
| where ProcessCommandLine has “iex”
or ProcessCommandLine has “invoke-expression”
| where FileName in~(“powershell.exe”, “powershell_ise.exe”)
| where isnotempty(RemoteUrl)
Carbon Black:
cmdline:”iex” AND (process_name:powershell.exe OR process_name:powershell_ise.exe) AND netconn_count:[1 TO *]

Before, "well actually" enters the chat. Good to include processes loading http://system.management"> http://system.management .automation

modload: http://system.management"> http://system.management .automation*
The above were basic queries to help you learn the tools.

Think about the questions you want to ask and practice asking them using EDR.

Don& #39;t forget to learn about host containment. Learn how it works, how to use it.

It could be a thing that ends up saving your org.
Or try this....

1. Open PS
2. wmic /node:localhost process call create “cmd.exe /c notepad”
3. winrs:localhost “cmd.exe /c calc”
4. Interrogate your SIEM and EDR
5. Practice containment
6. Do it again
7. Talk about what this mean as a team
You can follow @jhencinski.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more