Meterpreter GETSYSTEM using Pipe
This query looks for cmdline parameters that indicate someone is echoing a service to a named pipe, possibly in order to get SYSTEM level privileges on a system -- Submitted to the Cb Detection eXchange by a community member
Threat:
This technique can be used to escalate an attacker's privileges.
False Positives:
None observed so far
Score:
95
Daserf File Mod
This query looks for a .dat file commonly associated with the Daserf/Nioupale malware family -- Submitted to the Cb Detection eXchange by a community member
Threat:
This malware family has been associated with Chinese actors. It can be used to run further commands on the host.
False Positives:
None observed so far.
Score:
95
Possible Meterpreter Reg.Exe Enumeration
This query looks for a command string used by the Metasploit module psexec_loggedin_users.rb -- Submitted to the Cb Detection eXchange by a community member
Threat:
An attacker can query reg.exe to see a list of logged-in users on a compromised machine.
False Positives:
None observed so far.
Score:
90
Possible WDigest Downgrade Attack
This query looks for reg.exe modifying the wdigest/uselogoncredential key. -- Submitted to the Cb Detection eXchange by a community member
Threat:
An attacker can use wdigest to configure a system to store cleartext passwords in memory, making credential theft easier.
False Positives:
GPOs and other IT admin script tools may modify the wdigest/uselogoncredential registry key.
Score:
90
Possible WDigest Downgrade Attack - Powershell
This query looks for powershell modifying the wdigest/uselogoncredential key -- Submitted to the Cb Detection eXchange by a community member
Threat:
An attacker can use wdigest to configure a system to store cleartext passwords in memory, making credential theft easier.
False Positives:
GPO and other IT admin script tools may modify the wdigest/uselogoncredential registry key.
Score:
90
Trickbot File Mods
This query looks for file mods associated with the Trickbot malware -- Submitted to the Cb Detection eXchange by a community member
Threat:
This bot is primarily used to steal credentials from browsers and gather system information.
False Positives:
None observed so far.
Score:
95
MSI downloading Installer
This query looks for msiexec downloading an installer from the Internet -- Submitted to the Cb Detection eXchange by a community member
Threat:
MsiExec.exe is a trusted executable, and can be used to download an installer from the Internet. Depending on the policies in place on your endpoints, this method may allow for an adversary to bypass application white-listing configurations.
False Positives:
MsiExec may also legitimately download binaries from websites; however, this appears to be very rare.
Score:
75
IIS Log Tampering
This query looks for someone configuring IIS to stop collecting any logs -- Submitted to the Cb Detection eXchange by a community member
Threat:
Attackers may turn off logging in order to evade detection.
False Positives:
IT Admins may turn off and on logging.
Score:
75
Webex Extension Attack
This looks for the Cisco Webex Extension spawning an unusual child -- Submitted to the Cb Detection eXchange by the Threat Research team
Threat:
A vulnerability was discovered by Tavis Ormandy that allows for remote code execution from the Webex browser extension.
False Positives:
None observed so far.
Score:
95
VSS NTDS Access
This query looks for cmdline arguments used when the NTDS file (Active Directory Database) is grabbed from the Volume Shadow Copy on a domain controller. -- Submitted to the Cb Detection eXchange by Red Canary - https://www.redcanary.co/
Threat:
Once an attacker has retrieved the AD database, they can crack password hashes and obtain credentials.
False Positives:
Low. Backups, Exchange services and IT admins may need to perform operations with the Active Directory database.
Score:
100
Unusual Location of owaauth.dll
This query looks for owaauth.dll in unusual locations.
Threat:
A threat group used a web shell and credential stealer deployed to Microsoft Exchange servers, named owaauth.dll.
False Positives:
None observed so far
Score:
95
Rundll32 Spawns Powershell
This looks for a user running powershell through rundll32 to bypass software restrictions.
Threat:
Attackers may use this to spawn powershell on a locked-down machine.
False Positives:
None observed so far
Score:
90
Verclsid with Netconns
This query looks for verclsid.exe making network connections. This is not expected behavior for this process. - Submitted to the Cb Detection eXchange by Red Canary - https://www.redcanary.co/
Threat:
In February 2017, Hancitor switched from using explorer and svchost as process hollowing targets to using verclsid.exe. Hancitor normally arrives in Word docs and is associated with the Pony downloader.
False Positives:
None observed so far.
Score:
100
Netsh Tunnel
This query looks for usage of the netsh.exe utility to create an outbound tunnel - Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
This technique was recently seen in a set of 'fileless' attacks conducted primarily within financial institutions. It allows attackers to set up remote access to compromised hosts by using legitimate Windows utilities that already exist on the system, instead of downloading their own tools.
False Positives:
None observed so far, but the tunnel feature could be used for legitimate purposes.
Score:
90
Netsh Tunnel Regmod
This query looks for registry modifications associated with creating an outbound tunnel using netsh.exe - Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
This technique was recently seen in a set of 'fileless' attacks conducted primarily within financial institutions. It allows attackers to set up remote access to compromised hosts by using legitimate Windows utilities that already exist on the system, instead of downloading their own tools.
False Positives:
None observed so far, but the tunnel feature could be used for legitimate purposes.
Score:
85
Ramnit Persistence and Security Setting Changes
Ramnit is a banking trojan. This query looks for typical Ramnit behavior, such as disabling various security settings. - Submitted to the Cb Detection eXchange by the Carbon Black Threat Research team
Threat:
Ramnit captures data from web sessions, allowing attackers to commit financial fraud, as well as steal credentials.
False Positives:
Some legitimate administrative activity, such as turning firewalls and AV on and off, may trigger this alert.
Score:
95
T1140 - Deobfuscate/Decode Files or Information - certutil
This query detects Dridex decoding a binary from PFX via the command line. - Submitted to the CB Detection eXchange by John Lockie, @thedefensedude.
Threat:
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
False Positives:
This behavior has been observed from Foglight Network Management System applications.
Score:
90
Debugger Changes to Image File Execution Options
Using the registry, an attacker can attach a binary as a false debugger to a legitimate program. The binary will launch whenever the legitimate program launches. - Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
Attackers might use this capability to execute malicious code, break a security application, or determine if their malware is under analysis.
False Positives:
Some developers or analysts may enable debuggers on their systems for legitimate purposes. Software made by the company LogMeIn frequently enables debuggers as well.
Score:
75
Dridex Firewall Change
Dridex frequently injects a thread into explorer.exe to use for C2; this query alerts on a process changing firewall settings to allow explorer.exe to communicate out. - Submitted to the Cb Detection eXchange by a community member
Threat:
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
False Positives:
None observed so far.
Score:
95
Word Executing WScript
Wscript spawned by Word may indicate a malicious macro executing. This is a common delivery vector for lots of different malware, including ransomware strains like Cryptolocker. - Submitted to the Cb Detection eXchange by a community member.
Threat:
Malicious macros can be used to establish a foothold on a compromised system and download further malware.
False Positives:
None observed so far.
Score:
90
WinZip Executing WScript
Wscript spawned by Winzip may indicate a malicious script executing. This is a common delivery vector for lots of different malware, including ransomware strains like Cryptolocker. - Submitted to the Cb Detection eXchange by a community member
Threat:
This could indicate attackers gaining a foothold on a system in order to download further malware.
False Positives:
None observed so far.
Score:
90
Powershell Executing Hidden, Encoded Commands
This query looks for powershell executing encoded commands while hidden from the user. This behavior is frequently seen in malicious scripts. - Submitted to the Cb Detection eXchange by a community member
Threat:
Attackers frequently use powershell and other native tools in order to avoid detection.
False Positives:
Powershell is frequently used for administrative and automation tasks; however, it is very unlikely that a legitimate script would run under these parameters.
Score:
90
Powershell With NetConns Launched by Wmiprvse
This query alerts on a powershell process launched by wmiprvse that makes netconns. This behavior has been observed in popular powershell exploit frameworks such as Powershell Empire. - Submitted to the Cb Detection eXchange by a Carbon Black Services Consultant
Threat:
This may indicate powershell being used maliciously.
False Positives:
None observed so far.
Score:
80
RunHTMLApplication parameter invoked
Detect poweliks (and similar variants) execution by looking for keywords relating to execution of javascript. - Submitted to the Cb Detection eXchange by Red Canary - https://www.redcanary.co/
Threat:
Fileless malware such as Poweliks may use this to execute malicious Javascript files.
False Positives:
Printer installers and interfaces that use JavaScript, HTA and other questionable methods of presenting a native UI may trigger this query from time to time.
Score:
80
RunDLL32 run with javascript parameter
Detect poweliks (and similar variants) execution by looking for keywords relating to execution of javascript. - Submitted to the Cb Detection eXchange by Red Canary - https://www.redcanary.co/
Threat:
Fileless malware such as Poweliks may use this to execute malicious Javascript files.
False Positives:
Printer installers and interfaces that use JavaScript, HTA and other questionable methods of presenting a native UI may trigger this query from time to time.
Score:
80
Office Test Special Perf Regmod for Persistence
Attackers may modify this registry key as a novel persistence mechanism. -- Submitted to the Cb Detection eXchange by a member of the Carbon Black Security Operations team
Threat:
DLLs specified under this registry key are loaded whenever an Office application starts; this technique has been used in Sofacy campaigns.
False Positives:
None observed so far. This registry key appears to be related to debugging work, so it is unlikely to arise in normal deployments.
Score:
100
MSCFile Regmod for UAC bypass
This query looks for registry modifications associated with a UAC bypass mechanism. -- submitted to the Cb Detection eXchange by a Carbon Black Services Consultant.
Threat:
An attacker can spawn a high-integrity process (bypassing UAC) without dropping a DLL or any other binary to disk, by setting the listed registry key to an arbitrary command (such as powershell.exe) and then running eventvwr.exe.
False Positives:
None observed so far.
Score:
100
Hancitor Suspicious Process Name
This query looks for binaries with a known malware name.
Threat:
The Hancitor Trojan downloader has been observed as a malicious payload embedded within Word documents, dropped and executed from the path %SYSTEMROOT%\system32\WinHost32.exe or %USERPROFILE%\WinHost32.exe. This downloader can deliver multiple different types of malware, primarily banking trojans like Pony -- submitted to the Cb Detection eXchange by eSentire, https://www.esentire.com/
False Positives:
None observed so far.
Score:
100
Malware Delivered Via MS Publisher
MS Publisher is an older Office application. This query looks for unusual behavior from MS Publisher, such as spawning a shell or running a process out of AppData. -- Submitted to the Detection eXchange by Cody Raue and Michael Haag.
Threat:
Like Word or Excel, publisher files can come embedded with malicious macros. Since this is a less common attack vector, users and tools may not be well equipped to detect it.
False Positives:
None observed so far.
Score:
95
Binary Copy and Append
This query looks for cmd.exe reassembling a binary from fragments using copy and append. -- submitted to the Cb Detection eXchange by a Carbon Black Services Consultant
Threat:
Attackers may fragment a malicious file in order to evade IDS and sandbox detection, then re-assemble it on the host. This technique has been observed recently in adware and previously in Operation Aurora.
False Positives:
A number of legitimate applications have been observed with this behavior, including: Symantec DLP, Symantec Endpoint Protection, MS SQL Server ETL routines, DIVx, and PDFtk Pro.
Score:
55
CryptXXX using RegSvr32
CryptXXX is a ransomware variant discovered in spring 2016. It has been seen launching a fake svchost process (actually rundll32) from regsvr32. -- Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
Ransomware encrypts files and then demands money in exchange for the decryption key.
False Positives:
None observed so far.
Score:
100
Code execution with RouteTheCall or RegisterOCX
This query looks for suspicious methods of executing code using RunDLL32 --- Submitted to the Carbon Black Detection eXchange by members of the community.
Threat:
RegisterOCX (advpack.dll) or RouteTheCall (zipfldr.dll) can be used to invoke executables and (reflective) DLLs.
False Positives:
None observed so far.
Score:
95
Possible CVE 2017-0199
This query looks for mshta.exe launched by svchost.exe
Threat:
CVE 2017-0199 was a vulnerability in Microsoft's HTA handler, which allowed a malicious RTF document to download and run a remote .hta script without the user explicitly allowing the script to run.
False Positives:
In rare customer environments, there may be legitimate mshta.exe launched by svchost.exe
Score:
90
Word Launching MSIExec With Netconn
This query looks for word launching msiexec, which has been associated with Hancitor campaigns.
Threat:
Malicious word docs from the Hancitor campaign will typically inject into a legitimate, common process as part of their exploit phase, and then launch the compromised process. Previous targets have included verclsid and svchost.
False Positives:
None observed so far.
Score:
85
Hidden Powershell with Unusual Parent
This query looks for hidden powershell launched by a process that attackers may use to deliver or execute malicious scripts.
Threat:
Attackers may use Powershell in place of traditional malware.
False Positives:
Powershell may be used by administrators for legitimate reasons.
Score:
70
Telnneru Config File
Telnneru is a trojan used by APT3 (also known as Gothic Panda and UPS). This query looks for a configuration file written to disk by some versions of this trojan.
Threat:
Telnneru is a Trojan used by advanced, persistent actors.
False Positives:
None observed so far
Score:
100
Bitsadmin Download or Create
This query looks for bitsadmin downloading files. -- Submitted to the Carbon Black Detection eXchange by members of the community.
Threat:
Bitsadmin is a legitimate tool often abused by red teams and attackers to download malware onto a system.
False Positives:
None observed so far. However, since bitsadmin is a legitimate tool, some IT teams or sysadmins may use it in your environment.
Score:
80
Bitsadmin Commands
This query looks for bitsadmin usage.
Threat:
Bitsadmin is a legitimate tool often abused by red teams and attackers to download malware onto a system.
False Positives:
None observed so far. However, since bitsadmin is a legitimate tool, some IT teams or sysadmins may use it in your environment.
Score:
80
Symbolic Link Creation
This query looks for cmd.exe creating a symbolic link by executing mklink.exe. This can be used by attackers to access locked files stored in volume shadow copies.
Threat:
Nefarious users hide malware in volume shadow copies by using symbolic links created via mklink.exe. Since files stored in volume shadow copies are locked, AV cannot delete them.
False Positives:
None observed so far.
Score:
95
Office File Write and WMI Use
This query watches for MS Office applications which write an executable file to disk and load wmiutils.dll in order to launch the dropped malware through WMI (wmiprvse.exe).
Threat:
A VBA macro is used to download malware, which is then launched using wmiprvse.
False Positives:
We have observed some false positives for Powerpoint when certain third party extensions have been added.
Score:
85
Pony Downloader 2.0
This query identifies activity consistent with the Pony 2.0 downloader/stealer -Submitted to the Cb Detection eXchange by a community member
Threat:
The Pony downloader has been commonly used by script kiddies since its source code leaked. It is also commonly used to deploy Vawtrak and as a general credential stealer.
False Positives:
None observed in original environment.
Score:
95
DarkComet RAT
This query identifies activity consistent with the DarkComet RAT -- Submitted to the Cb Detection eXchange by a community member
Threat:
The DarkComet RAT is a remote administration tool used by various threat actors.
False Positives:
None observed in original environment.
Score:
95
Powershell Downloading File From URL
Powershell is a powerful built-in utility that is frequently abused by attackers. This query looks for powershell downloading files from a remote server. - Submitted to the Cb Detection eXchange by a Carbon Black Services Consultant
Threat:
Attackers will frequently use the Net.Webclient class to download further malware onto a system.
False Positives:
Powershell may be used for legitimate admin purposes, but it is very rare for this capability to be used.
Score:
95
Browser Running Suspicious Scripts
This query alerts on a browser spawning child processes such as cmd, wscript and cscript. - Submitted to the Cb Detection eXchange by Cody Raue.
Threat:
This behavior has been observed in CryptXXX malware, mostly dropped through browser exploit kits.
False Positives:
None observed so far.
Score:
98
CMD run with Echo and & Parameters
This query searches for cmd run with the parameters 'echo' and '&'. This can be used to run complex sets of commands. - Submitted to the Cb Detection eXchange by Cody Raue
Threat:
Ransomware has been observed running this command in order to create a jscript file that wscript then calls. Other malware has used this technique to change its zone identifier from untrusted to trusted.
False Positives:
Some legitimate software may also run similar commands during the installation process, or as part of ongoing data collection. Examples include Spiceworks Network Monitor and certain monitoring scripts used by MSSPs
Score:
55
Wscript Spawning CMD and Filemods to Appdata/Temp
This looks for a wscript process that spawns cmd and also creates a file in appdata/local/temp/. - Submitted to the Cb Detection eXchange by Jeannette at Pacific Coast Producers
Threat:
This behavior has been observed in CryptXXX ransomware and the Pony downloader.
False Positives:
Some IT administrators may run legitimate scripts that follow this behavior.
Score:
85
Regmods to VSS
This query looks for modifications to the registry keys that manage the Volume Shadow Copy Service. Ransomware frequently deletes or disables volume shadow copies in order to ensure a lack of backups. - Submitted to the Cb Threat Intel group by a community member
Threat:
Recent Javascript-based ransomware has been seen using these regmods to delete volume shadow copies, instead of the more typical VSSAdmin or WMI.
False Positives:
IT Administrators may modify these registry keys; however, that should be a rare occurrence.
Score:
100
Bitsadmin Powershell Cmdlets
This query looks for bitsadmin downloading files. -- Submitted to the Carbon Black Detection eXchange by members of the community.
Threat:
Bitsadmin is a legitimate tool often abused by red teams and attackers to download malware onto a system.
False Positives:
None observed so far. However, since bitsadmin is a legitimate tool, some IT teams or sysadmins may use it in your environment.
Score:
80
Dll Load with Control_RunDll
This query looks for unusual DLLs being executed with RunDLL32 --- Submitted to the Carbon Black Detection eXchange by members of the community.
Threat:
Control_RunDll can be used for enumeration of a locked-down Windows environment, as well as leveraging command prompts via rundll32.
False Positives:
None observed so far.
Score:
90
TaskEng Launching Javascript or VBScript
This query looks for TaskEng launching a javascript or vbscript. -- Submitted to the Carbon Black Detection eXchange by members of the community.
Threat:
Malware may use taskeng as a persistence mechanism for a malicious script.
False Positives:
This behavior may be expected from some legitimate applications, such as LogMeIn.
Score:
95
Enabling or Deleting Admin Shares
This searches for a process enabling or deleting admin shares. Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. -- submitted to the Detection eXchange by Todd Beebe.
Threat:
Attackers may use network shares in a number of ways, mostly copying malware to other computers for lateral movement.
False Positives:
IT Administrators may, for legitimate reasons, enable or disable admin shares.
Score:
70
Possible DLL Hijacking for Keylogger
This query looks for processes that load linkinfo.dll from the C:\Windows directory, which is a known DLL used by the Alman keylogger. - Submitted to the Cb Detection eXchange by Todd Beebe.
Threat:
A malicious linkinfo.dll will try to terminate certain security and system processes, inject into legitimate executables, and spread via network shares.
False Positives:
None observed so far. The legitimate Windows linkinfo.dll resides in the system32 directory, not in the Windows directory itself.
Score:
90
Suspicious Utility Manager Process
This query looks for instances of utilman.exe that do not have the normal internal file description. - Submitted to the Cb Detection eXchange by Todd Beebe
Threat:
An attacker may replace utilman.exe with another executable as a persistence mechanism.
False Positives:
None observed so far.
Score:
90
Suspicious Sticky Keys Process
This query looks for instances of sethc.exe that do not have the normal internal file description. - Submitted to the Cb Detection eXchange by Todd Beebe
Threat:
An attacker may replace sethc.exe with another executable as a persistence mechanism.
False Positives:
None observed so far.
Score:
90
Suspicious On-Screen Keyboard Process
This query looks for instances of osk.exe that do not have the normal internal file description. - Submitted to the Cb Detection eXchange by Todd Beebe
Threat:
An attacker may replace osk.exe with another executable as a persistence mechanism.
False Positives:
None observed so far.
Score:
90
Suspicious Screen Narrator Process
This query looks for instances of narrator.exe that do not have the normal internal file description. - Submitted to the Cb Detection eXchange by Todd Beebe
Threat:
An attacker may replace narrator.exe with another executable as a persistence mechanism.
False Positives:
None observed so far.
Score:
90
Suspicious Screen Magnifier Process
This query looks for instances of magnify.exe that do not have the normal internal file description. - Submitted to the Cb Detection eXchange by Todd Beebe
Threat:
An attacker may replace magnify.exe with another executable as a persistence mechanism.
False Positives:
None observed so far.
Score:
90
Suspicious Renamed cmd process
This query looks for cmd.exe executables that are not named cmd.exe. -- Submitted to the Cb Detection eXchange by Todd Beebe.
Threat:
Some attackers will rename legitimate Windows executables in order to evade name-based detection.
False Positives:
Some anti-malware tools, such as Combofix, may run a renamed cmd.exe as part of their malware cleanup process.
Score:
85
Execution of cmd from non-standard path
This query looks for cmd.exe being run out of a non-standard path -- submitted to the Detection eXchange by Todd Beebe.
Threat:
Attackers may store cmd.exe in a non-standard directory in order to evade detection.
False Positives:
Some anti-malware tools, such as Combofix, may run cmd.exe from an unusual path as part of their malware cleanup process. In addition, some IT applications such as Sentillion Vergence, or FootPrints Service Core, will also create a local version of cmd.exe within the application directory.
Score:
70
Rundll32 Child Clearing Event Logs
This query looks for cmd.exe spawned by rundll32.exe manipulating wevtutil or fsutil logs. -- submitted to the Cb Community by Thomas Bouve
Threat:
NotPetya and other malware families may erase Windows Event logs in order to make forensics more difficult.
False Positives:
None observed so far.
Score:
90
Unusual Rundll32 Network And Filemod Activity
This query looks for rundll32.exe making unusual network connections and large numbers of file modifications -- submitted to the Cb Community by Thomas Bouve
Threat:
NotPetya uses a malicious dll to encrypt files and scan other hosts in preparation for SMB lateral movement.
False Positives:
None observed so far.
Score:
100
Vawtrak Banking Trojan
Activity associated with Vawtrak Banking Trojan -- Submitted to the Cb Detection eXchange by a community member.
Threat:
Vawtrak is a banking trojan with the ability to bypass 2FA, steal financial information, execute transactions, capture screenshots and launch MITM attacks. The query specifically looks for regsvr32.exe performing cross-process activity into other processes. Note that the binaries in question are always named differently.
False Positives:
No known false positives.
Score:
100
GootKit Malware Registry Modification
Activity associated with Gootkit malware -- Submitted to the Cb Detection eXchange by a community member.
Threat:
This JavaScript-based malware combines web-injects (as in Zeus) and a clever persistence technique to create a robust tool for stealing online banking logins and other credentials from users of infected systems. This query detects a registry modification where this malware stores its data.
False Positives:
No known false positives.
Score:
95
Possible MS Office Exploit
This query will identify MS Office processes that spawn a process to execute a script via cscript.exe. MS Office has the ability to run macros and/or other executables to perform advanced operations. These advanced use cases are not common and would be considered suspicious. -- Submitted to the Cb Detection eXchange by a Cb Employee.
Threat:
Attackers execute macros or other executables with an MS Office document to obtain persistence or further exploit a system. The execution of cscript.exe allows for the execution of commands found in a non-executable file (script) to possibly perform malicious activity.
False Positives:
It is not uncommon for an MS Office application to use macros or execute other applications, such as printer driver updates. While the use of cscript.exe may be rare, some environments could be using these operations for non-malicious intent, and this by itself is not always indicative of malicious activity.
Score:
80
NetworkSpreader
NetworkSpreader may use PSExec for lateral movement, or a worm component -- Submitted to the Cb Detection eXchange by Red Canary - https://www.redcanary.co/
Threat:
This event may indicate an attempt at lateral movement.
False Positives:
No known false positives.
Score:
100
Ransomware Help Files
This query looks for files typically dropped by various ransomware infections, such as help_your_files.png, help_your_files.txt, help_your_files.html, help_decrypt.html, and help_decrypt.txt. Ransomware comes in different forms and can range from individual computers to network-wide infections. While smaller individual infections can affect anyone at random, usually through spam email or through adware, larger targeted ransomware attacks will usually focus on healthcare companies or hospitals. -- Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
Ransomware runs on a target host and will encrypt all files on that machine so they are inaccessible, in an effort to make the host owner pay a ransom for the decryption key.
False Positives:
Low – May pick up files that were not deleted after an infection has been cleaned.
Score:
100
T1107 - File Deletion - Shadow Copy Deletion by WMIC or VSSAdmin
This query alerts on shadow volume copies being deleted via the commandline. Ransomware is known to delete shadow copies in order to make backups and restoration even more difficult. -- Submitted to the Cb Detection eXchange by a Research Analyst at unnamed UARC.
Threat:
Ransomware encrypts all files and demands payment in exchange for the encryption key.
False Positives:
None observed so far.
Score:
98
Locky Registration Modification
This registry modification indicates the presence of a ransomware variant called Locky. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
Basic ransomware, looks like a spawn from Cryptolocker (pre-cryptowall code change) with some of its own improvements.
False Positives:
None observed so far
Score:
95
KeRanger Kernel Time or Kernel PID Activity
The creation of these two files may indicate the recently discovered KeRanger malware. -- Submitted to the Cb Detection eXchange by the Carbon Black Threat Research team.
Threat:
Ransomware encrypts all files on a computer and demands money in exchange for the ransom key.
False Positives:
None observed so far.
Score:
90
Keranger Kernel Service Activity
This activity may indicate the presence of KeRanger malware. -- Submitted to the Cb Detection eXchange by the Carbon Black Threat Research team.
Threat:
Ransomware encrypts all the files on a computer, and demands payment in exchange for the encryption key.
False Positives:
None observed so far.
Score:
90
Tranwos Backdoor
Wow.dll activity is frequently associated with the TRANWOS backdoor. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
The TRANWOS Backdoor is a trojan that allows remote attackers to collect confidential and personal data (e.g. usernames, passwords, credit card information).
False Positives:
The free VOIP software Mumble may trigger this alert.
Score:
95
Tor File or Process Detected
While Tor certainly has legitimate uses, most of the time it will be unwanted/unacceptable in an enterprise environment. It is also sometimes used by malware for C2. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
Acceptable use policy violations; covert channel; trojans frequently make use of Tor for C2
False Positives:
Depending on your company policies, some users may legitimately use Tor.
Score:
80
Net Creation of Local User
This query looks for account creation using net.exe as well as addition of accounts to local users/administrators group. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
Scripts can be used to create local accounts or add a new account to local groups. Attackers might use this capability to escalate privileges or avoid auditing and policy applied to known usernames.
False Positives:
In some environments it may be normal for IT teams to create local accounts; anomalous account creation/addition should be investigated. Some applications may also add local users.
Score:
45
Hawkeye Keylogger File Modification
This query detects a static file name for a SecurityXploded module output, as well as a file name for behavior specific to this keylogger. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
This keylogger has been used to steal sensitive corporate information, as well as hijack ongoing business transactions to divert payments into the attackers' accounts.
False Positives:
In rare cases, legitimate users might choose to create files with these names.
Score:
90
Memory Grab using ProcDump
This query looks for procdump.exe or procdump64.exe being invoked with lsass.exe in the command line, or performing a cross-process event on lsass.exe. -- Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com.
Threat:
The Sysinternals tool 'procdump' can be used to dump the memory space of lsass.exe, which can then be used by a tool like mimikatz to harvest credentials. Procdump is typically not flagged by A/V or whitelisting since it is a 'known good' administrative tool.
False Positives:
If procdump is used by an administrator to dump all processes for troubleshooting purposes (but not targeting lsass.exe specifically), this may fire.
Score:
90
Administrator Enumeration
This query may indicate attackers performing local reconnaissance, enumerating accounts and identifying high-privilege targets. -- Submitted to the Cb Detection eXchange by a community member.
Threat:
Attackers will frequently try to identify administrative accounts as a means of escalating privilege and moving laterally.
False Positives:
Very rarely a legitimate user will list domain admins, but typically anyone who needs this information will already know it. This query may also flag on applications which add an account to the local Administrators group (e.g., NoMachine).
Score:
70
AD/Credential Theft Using NTDSUtil
Actors may use NTDSUTIL.exe to dump a copy of the Active Directory database ntds.dit, facilitating theft of credentials and other AD data stored in this ESE database. -- Submitted to the Cb Detection eXchange by Kroll, krollcybersecurity.com
Threat:
We have seen actors use variations of this technique to attempt collection of the AD database on a domain controller.
False Positives:
In rare cases, this tool might be used to replicate domain controllers. NTDSUtil.exe is not commonly used in most environments, so it is often feasible to monitor all use of NTDSUtil.exe.
Score:
100