VAULT 4624
SUCCESSFUL LOGIN DETECTED, WELCOME Vault Dweller

==================================================



>> Welcome to the Vault, fellow hunter! This log aims to outline a number of the most common ransomware behaviours, key things to look for on a hunt, cool stuff I’ve found, and handy query syntaxes for different vendor tools. Happy hunting!


>> To access the information, please select a subject from the list below:

The following options will provide valuable insight into potential security threats and vulnerabilities within a network. Please select an option from the list to view the content.

>> REMOTE MONITORING & MANAGEMENT SOFTWARE


>> CONSIDER THIS

Remote Monitoring & Management (RMM) software enables IT professionals to remotely monitor, manage, and maintain IT systems and networks. Threat hunters should focus on detecting misuse of RMM tools by adversaries who exploit these tools for unauthorized access, persistence, and lateral movement.

ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tags: T1078: Valid Accounts; T1098: Account Manipulation; T1027: Obfuscated Files or Information

>> POSSIBLE QUERIES

Please find below an exhaustive list of RMM software and their corresponding domains and executables. Use these for your rules. This list was taken from https://github.com/0x706972686f/RMM-Catalogue/blob/main/rmm.csv. Entries written with an asterisk (for example dntus*.exe) are wildcard patterns and need to be expressed in each tool's own wildcard or regex syntax; entries that list only a domain can only be hunted in DNS, proxy or firewall telemetry.

    - Access Remote PC:
      - Executables: rpcgrab.exe, rpcsetup.exe
    
    - Action1:
      - Domain: action1.com
      - Executables: action1_agent.exe
    
    - AeroAdmin:
      - Domain: aeroadmin.com
      - Executables: aeroadmin.exe
    
    - AliWangWang-remote-control:
      - Domain: wangwang.taobao.com
      - Executables: alitask.exe
    
    - Alpemix:
      - Domain: alpemix.com
      - Executables: alpemix.exe
    
    - AmmyyAdmin:
      - Domain: ammyy.com
      - Executables: AMMYY_Admin.exe
    
    - AnyDesk:
      - Domain: anydesk.com
      - Executables: anydesk.exe
    
    - Anyplace Control:
      - Domain: anyplace-control.com
      - Executables: apc_host.exe
    
    - Atera RMM:
      - Domain: atera.com
      - Executables: ateraagent.exe, syncrosetup.exe
    
    - Auvik:
      - Domain: auvik.com
      - Executables: auvik.agent.exe, auvik.engine.exe
    
    - Barracuda:
      - Domain: barracudamsp.com
    
    - Basecamp:
      - Domain: basecamp.com
    
    - BeamYourScreen:
      - Domain: beamyourscreen.com
      - Executables: beamyourscreen.exe, beamyourscreen-host.exe
    
    - BeAnywhere:
      - Domain: beanywhere.en.uptodown.com/windows
      - Executables: basupsrvc.exe, basupsrvcupdate.exe, basuptshelper.exe
    
    - Bomgar:
      - Domain: beyondtrust.com/brand/bomgar
      - Executables: bomgar-scc.exe
    
    - CentraStage (Now Datto):
      - Domain: datto.com/au/products/rmm/
      - Executables: CagService.exe
    
    - Centurion:
      - Executables: ctiserv.exe
    
    - Chrome Remote Desktop:
      - Domain: remotedesktop.google.com
      - Executables: remote_host.exe
    
    - CloudFlare Tunnel:
      - Domain: cloudflare.com/products/tunnel/
      - Executables: cloudflared.exe
    
    - ConnectWise Control:
      - Domain: control.connectwise.com
      - Executables: connectwisechat-customer.exe, connectwisecontrol.client.exe
    
    - Comodo RMM:
      - Domain: one.comodo.com
      - Executables: itsmagent.exe, rviewer.exe
    
    - CrossLoop:
      - Domain: crossloop.en.softonic.com
      - Executables: crossloopservice.exe
    
    - CrossTec Remote Control:
      - Domain: crosstecsoftware.com/remotecontrol
      - Executables: PCIVIDEO.EXE, supporttool.exe
    
    - Cruz:
      - Domain: resources.doradosoftware.com/cruz-rmm
    
    - Dameware-mini remote control Protocol:
      - Domain: dameware.com
      - Executables: dntus*.exe, dwrcs.exe
    
    - Datto:
      - Domain: datto.com
    
    - DeskDay:
      - Domain: deskday.ai
    
    - Dev Tunnels (aka Visual Studio Dev Tunnel):
      - Domain: learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview
    
    - Domotz:
      - Domain: domotz.com
      - Executables: domotz_bash.exe
    
    - dwservice:
      - Domain: dwservice.net
    
    - Echoware:
      - Executables: echoserver*.exe, echoware.dll
    
    - eHorus:
      - Domain: ehorus.com
      - Executables: ehorus standalone.exe
    
    - Electric:
      - Domain: electric.ai
    
    - EMCO Remote Console:
      - Domain: emcosoftware.com
      - Executables: remoteconsole.exe
    
    - Encapto:
      - Domain: encapto.com
    
    - Ericom AccessNow:
      - Domain: ericom.com
      - Executables: accessserver.exe
    
    - Ericom Connect:
      - Domain: ericom.com
      - Executables: ericomconnnectconfigurationtool.exe
    
    - ESET Remote Administrator:
      - Domain: eset.com/me/business/remote-management/remote-administrator/
      - Executables: era.exe, ezhelp*.exe, eratool.exe
    
    - ezHelp:
      - Domain: ezhelp.co.kr
      - Executables: ezhelpclient.exe, ezhelpclientmanager.exe
    
    - FastViewer:
      - Domain: fastviewer.com
      - Executables: fastclient.exe, fastmaster.exe
    
    - FixMe.it:
      - Domain: fixme.it
      - Executables: fixmeitclient.exe
    
    - FleetDeck:
      - Domain: fleetdeck.io
      - Executables: fleetdeck_agent_svc.exe
    
    - Fortra:
      - Domain: fortra.com
    
    - GatherPlace-desktop sharing:
      - Domain: gatherplace.com
      - Executables: gp3.exe, gp4.exe, gp5.exe
    
    - GetScreen:
      - Domain: getscreen.me
      - Executables: getscreen.exe
    
    - GoToAssist:
      - Domain: goto.com
      - Executables: g2a*.exe, gotoassist.exe
    
    - GotoHTTP:
      - Domain: gotohttp.com
      - Executables: gotohttp.exe
    
    - GoToMyPC:
      - Domain: get.gotomypc.com
      - Executables: g2file*.exe, g2quick.exe, g2svc.exe, g2tray.exe
    
    - Goverlan:
      - Domain: goverlan.com
      - Executables: goverrmc.exe, govsrv*.exe
    
    - Guacamole:
      - Domain: guacamole.apache.org
      - Executables: guacd.exe
    
    - HelpBeam:
      - Domain: helpbeam.software.informer.com
      - Executables: helpbeam*.exe
    
    - I'm InTouch:
      - Domain: 01com.com/imintouch-remote-pc-desktop
      - Executables: iit.exe, intouch.exe
    
    - Instant Housecall:
      - Domain: instanthousecall.com
      - Executables: hsloader.exe, ihcserver.exe, instanthousecall.exe
    
    - IntelliAdmin Remote Control:
      - Domain: intelliadmin.com/remote-control
      - Executables: iadmin.exe, intelliadmin.exe
    
    - Iperius Remote:
      - Domain: iperiusremote.com
      - Executables: iperius.exe, iperiusremote.exe
    
    - Itarian:
      - Executables: ITSMAgent.exe, ItsmRsp.exe, ITSMService.exe, RDesktop.exe, RHost.exe, RmmService.exe
    
    - ISL Light:
      - Domain: islonline.com
      - Executables: islalwaysonmonitor.exe, isllight.exe, isllightservice.exe
    
    - Jump Desktop:
      - Domain: jumpdesktop.com
      - Executables: jumpclient.exe, jumpdesktop.exe, jumpservice.exe
    
    - Kabuto:
      - Domain: repairtechsolutions.com/kabuto/
    
    - Kaseya (aka Unigma):
      - Domain: kaseya.com
      - Executables: agentmon.exe
    
    - KickIdler:
      - Domain: kickidler.com
    
    - LabTech RMM (Now ConnectWise Automate):
      - Domain: connectwise.com
      - Executables: ltsvc.exe, ltsvcmon.exe, lttray.exe
    
    - LANDesk:
      - Domain: ivanti.com
      - Executables: issuser.exe, landeskagentbootstrap.exe, ldinv32.exe, ldsensors.exe
    
    - Laplink Everywhere:
      - Domain: everywhere.laplink.com
      - Executables: laplink.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe
    
    - Laplink Gold:
      - Domain: wen.laplink.com/product/laplink-gold
      - Executables: laplink.exe, tsircusr.exe
    
    - Level:
      - Domain: level.io
    
    - LiteManager:
      - Domain: litemanager.com
      - Executables: romfusclient.exe, romserver.exe, romviewer.exe
    
    - LogMeIn:
      - Domain: logmein.com/central
      - Executables: lmiguardiansvc.exe, lmiignition.exe, logmein.exe, logmeinsystray.exe
    
    - LogMeIn rescue:
      - Domain: logmeinrescue.com
      - Executables: support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe
    
    - ManageEngine RMM Central:
      - Domain: manageengine.com/remote-monitoring-management/
    
    - MeshCentral:
      - Domain: meshcentral.com
      - Executables: mesh*.exe
    
    - Mikogo:
      - Domain: mikogo.com
      - Executables: mikogo.exe, mikogolauncher.exe, mikogo-service.exe, mikogo-starter.exe
    
    - MioNet (Also known as WD Anywhere Access):
      - Executables: mionet.exe, mionetmanager.exe
    
    - mRemoteNG:
      - Domain: mremoteng.org
    
    - MSP360:
      - Domain: msp360.com
    
    - MyIVO:
      - Domain: myivo-server.software.informer.com
      - Executables: myivomanager.exe, myivomgr.exe
    
    - Naverisk:
      - Domain: naverisk.com
    
    - N-ABLE Remote Access Software:
      - Domain: n-able.com
    
    - Netop Remote Control (aka Impero Connect):
      - Domain: imperosoftware.com/impero-connect/
      - Executables: nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe
    
    - NetSupport Manager:
      - Domain: netsupportmanager.com
      - Executables: client32.exe, pcictlui.exe
    
    - Netreo:
      - Domain: netreo.com
    
    - Neturo:
      - Executables: neturo.exe, ntrntservice.exe
    
    - Netviewer:
      - Domain: download.cnet.com/Net-Viewer/3000-2370_4-10034828.html
      - Executables: netviewer*.exe, netviewer.exe
    
    - ngrok:
      - Domain: ngrok.com
      - Executables: ngrok.exe
    
    - NinjaRMM:
      - Domain: ninjaone.com
      - Executables: ninjarmmagent.exe
    
    - NoMachine:
      - Domain: nomachine.com
      - Executables: nomachine*.exe, nxd.exe
    
    - NoteOn-desktop sharing:
      - Executables: nateon*.exe, nateon.exe, nateonmain.exe
    
    - OCS inventory:
      - Domain: ocsinventory-ng.org
      - Executables: ocsinventory.exe, ocsservice.exe
    
    - Panorama9:
      - Domain: panorama9.com
    
    - Parallels Access:
      - Domain: parallels.com/products/ras/try
      - Executables: prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe
    
    - pcAnywhere:
      - Executables: awhost32.exe, pcaquickconnect.exe, winaw32.exe
    
    - Pcnow:
      - Domain: au.pcmag.com/utilities/21470/webex-pcnow
      - Executables: mwcliun.exe, pcnmgr.exe, webexpcnow.exe
    
    - Pcvisit:
      - Domain: pcvisit.de
      - Executables: pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe
    
    - Pocket Controller:
      - Domain: soti.net/products/soti-pocket-controller
      - Executables: pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe
    
    - PulseWay:
      - Domain: pulseway.com
    
    - QQ IM-remote assistance:
      - Domain: qq-messenger.en.softonic.com
      - Executables: qq.exe, qqpcmgr.exe
    
    - Quest KACE Agent (formerly Dell KACE):
      - Domain: www.quest.com/kace/
      - Executables: konea.exe
    
    - Quick Assist:
      - Executables: quickassist.exe
    
    - Radmin:
      - Domain: radmin.com
      - Executables: radmin.exe
    
    - rdp2tcp:
      - Domain: github.com/V-E-O/rdp2tcp
      - Executables: tdp2tcp.exe, rdp2tcp.py
    
    - RDPView:
      - Domain: systemmanager.ru/dntu.en/rdp_view.htm
    
    - rdpwrap:
      - Domain: github.com/stascorp/rdpwrap
    
    - Remobo:
      - Domain: remobo.en.softonic.com
      - Executables: remobo.exe, remobo_client.exe, remobo_tracker.exe
    
    - Remote Desktop Plus:
      - Domain: donkz.nl
    
    - Remote.it:
      - Domain: remote.it
    
    - Remote Manipulator System:
      - Domain: rmansys.ru
      - Executables: rfusclient.exe, rutserv.exe
    
    - Remote Utilities:
      - Executables: rutserv.exe, rutview.exe
    
    - RemoteCall:
      - Domain: remotecall.com
      - Executables: rcengmgru.exe, rcmgrsvc.exe, remotesupportplayeru.exe, rxstartsupport.exe
    
    - RemotePass:
      - Domain: remotepass.com
      - Executables: remotepass-access.exe, rpaccess.exe, rpwhostscr.exe
    
    - RemotePC:
      - Domain: remotepc.com
      - Executables: remotepcservice.exe, rpcsuite.exe
    
    - RemoteView:
      - Domain: content.rview.com
      - Executables: remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe
    
    - RES Automation Manager:
      - Domain: ivanti.com
      - Executables: wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe
    
    - Royal Server:
      - Domain: royalapps.com
    
    - Royal TS:
      - Domain: royalapps.com
      - Executables: royaltc.exe
    
    - rport:
      - Domain: rport.io
    
    - RuDesktop:
      - Domain: rudesktop.ru
      - Executables: rd.exe, rudesktop*.exe
    
    - RunSmart:
      - Domain: runsmart.io
    
    - RustDesk:
      - Domain: rustdesk.com
      - Executables: rustdesk.exe
    
    - ScreenConnect (aka ConnectWise/Continuum):
      - Domain: control.connectwise.com
      - Executables: screenconnect*.exe, screenconnect.windowsclient.exe
    
    - Seetrol:
      - Domain: seetrol.co.kr
      - Executables: seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe
    
    - Senso.cloud:
      - Domain: senso.cloud
    
    - SkyFex:
      - Domain: skyfex.com
    
    - ShowMyPC:
      - Domain: showmypc.com
      - Executables: showmypc*.exe, showmypc.exe
    
    - SimpleHelp:
      - Domain: simple-help.com
      - Executables: simplehelpcustomer.exe, simpleservice.exe, windowslauncher.exe, remote_access.exe, simplegatewayservice.exe
    
    - Site24x7:
      - Domain: site24x7.com/msp
    
    - Sophos-Remote Management System:
      - Domain: community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system
      - Executables: clientmrinit.exe, mgntsvc.exe, routernt.exe
    
    - Splashtop Remote:
      - Domain: splashtop.com
      - Executables: sragent.exe, srmanager.exe, srserver.exe, srservice.exe
    
    - SpyAnywhere:
      - Domain: spyanywhere.com
    
    - SuperOps:
      - Domain: superops.ai
    
    - Supremo:
      - Domain: supremocontrol.com
      - Executables: supremo.exe, supremohelper.exe, supremoservice.exe, supremosystem.exe
    
    - Syncro:
      - Domain: syncromsp.com
    
    - Tailscale:
      - Domain: tailscale.com
    
    - Tactical RMM:
      - Domain: docs.tacticalrmm.com
      - Executables: tacticalrmm.exe
    
    - Tanium Deploy:
      - Domain: tanium.com/products/tanium-deploy
    
    - TeamViewer:
      - Domain: teamviewer.com
      - Executables: teamviewer*.exe, teamviewer_service.exe, teamviewerqs.exe, tv_w32.exe, tv_w64.exe
    
    - TeleDesktop:
      - Domain: tele-desk.com
      - Executables: pstlaunch.exe, ptdskclient.exe, ptdskhost.exe
    
    - ToDesk:
      - Domain: todesktop.com
      - Executables: todesk.exe
    
    - TurboMeeting:
      - Domain: acceo.com/turbomeeting/
      - Executables: pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe
    
    - Ultraviewer:
      - Domain: ultraviewer.net
      - Executables: ultraviewer.exe, ultraviewer_desktop.exe, ultraviewer_service.exe
    
    - VNC:
      - Domain: realvnc.com/en/connect/download/vnc
      - Executables: vncserver.exe, vncserverui.exe, vncviewer.exe, winvnc*.exe
    
    - WebRDP:
      - Domain: github.com/Mikej81/WebRDP
      - Executables: webrdp.exe
    
    - Weezo:
      - Domain: weezo.en.softonic.com
      - Executables: weezo.exe, weezohttpd.exe
    
    - XEOX:
      - Domain: xeox.com
      - Executables: xeox-agent_x64.exe
    
    - Zabbix Agent:
      - Domain: zabbix.com
    
    - ZeroTier:
      - Domain: zerotier.com
    
    - Zoho Assist:
      - Domain: zoho.com/assist/
      - Executables: za_connect.exe, zaservice.exe, zohotray.exe

The following SIGMA rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework.

    title: Remote Monitoring and Management Tool Execution
    logsource:
      category: process_creation
      product: windows
    detection:
      selection:
        Image|endswith:
          - '\teamviewer.exe'
          - '\anydesk.exe'
          - '\winvnc.exe'
          - '\vncviewer.exe'
          - '\remotedesktophost.exe'
          - '\logmein.exe'
          - '\g2tray.exe'
          - '\dwrcc.exe'
          - '\dwrcs.exe'
          - '\aa_v3.exe'
          - '\srserver.exe'
          - '\msra.exe'
          - '\pcideply.exe'
          - '\rutserv.exe'
          - '\rutview.exe'
          - '\screenconnect.client.exe'
          - '\vncserver.exe'
          - '\tvnserver.exe'
          - '\tvnviewer.exe'
          - '\mikogo.exe'
          - '\bomgar-scc.exe'
      condition: selection
    falsepositives:
      - Sanctioned RMM tools run by IT staff
The following FALCON rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework. Note that, as written, it is KQL against the DeviceProcessEvents table (the Microsoft Defender/Sentinel Advanced Hunting schema) and is essentially the SENTINEL rule below; Falcon's own event search uses the event_simpleName style shown under REMOTE LOGIN & EXTERNAL ADDRESSES, so the query would need rewriting in that form before it runs in Falcon.

  DeviceProcessEvents
  | where ProcessCommandLine contains "teamviewer" or ProcessCommandLine contains "anydesk" or ProcessCommandLine contains "screenconnect" or ProcessCommandLine contains "logmein" or ProcessCommandLine contains "connectwise" or ProcessCommandLine contains "splashtop"
  | summarize count() by DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 1h)
The following HARMONY rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework.

  Process Name 
  IS 
  teamviewer.exe, anydesk.exe, winvnc.exe, vncviewer.exe, remotedesktophost.exe, logmein.exe, g2tray.exe, dwrcc.exe, dwrcs.exe, aa_v3.exe, srserver.exe, msra.exe, pcideply.exe, rutserv.exe, rutview.exe, screenconnect.client.exe, vncserver.exe, tvnserver.exe, tvnviewer.exe, mikogo.exe, bomgar-scc.exe
The following ELASTIC rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework.

GET /logs-*/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "process.command_line": "teamviewer" } },
        { "match": { "process.command_line": "anydesk" } },
        { "match": { "process.command_line": "screenconnect" } },
        { "match": { "process.command_line": "logmein" } },
        { "match": { "process.command_line": "connectwise" } },
        { "match": { "process.command_line": "splashtop" } }
      ]
    }
  }
}
The following SPLUNK rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework. Replace the index and sourcetype names with your own; Sysmon is usually indexed as XmlWinEventLog:Microsoft-Windows-Sysmon/Operational rather than a bare Sysmon sourcetype.

  index=your_index_name (sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:System OR sourcetype=Sysmon)
  ("teamviewer.exe" OR "anydesk.exe" OR "winvnc.exe" OR "vncviewer.exe" OR "remotedesktophost.exe" OR "logmein.exe" OR "g2tray.exe" OR "dwrcc.exe" OR "dwrcs.exe" OR "aa_v3.exe" OR "srserver.exe" OR "msra.exe" OR "pcideply.exe" OR "rutserv.exe" OR "rutview.exe" OR "screenconnect.client.exe" OR "vncserver.exe" OR "tvnserver.exe" OR "tvnviewer.exe" OR "mikogo.exe" OR "bomgar-scc.exe")
  | stats count by host, process_name, Image
The following SENTINEL rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework.
  DeviceProcessEvents
  | where ProcessCommandLine contains "teamviewer" or ProcessCommandLine contains "anydesk" or ProcessCommandLine contains "screenconnect" or ProcessCommandLine contains "logmein" or ProcessCommandLine contains "connectwise" or ProcessCommandLine contains "splashtop"
  | project DeviceName, ProcessCommandLine, Timestamp, InitiatingProcessCommandLine

>> FILESHARING SOFTWARE


>> CONSIDER THIS

Filesharing software facilitates the transfer and sharing of files across different systems and users. Within the MITRE ATT&CK framework, this software can be exploited by adversaries for a range of malicious activities including initial access, persistence, data exfiltration, and defense evasion. Threat hunters should be vigilant in monitoring the use of filesharing tools for signs of unauthorized access, unusual file transfer sizes, and patterns indicative of data exfiltration.

ATT&CK Category: Initial Access, Persistence, Exfiltration, Defense Evasion
ATT&CK Tags and IDs: T1078: Valid Accounts; T1030: Data Transfer Size Limits; T1567: Exfiltration Over Web Service

Please find below an exhaustive list of File Sharing software and their corresponding domains and executables. Use these for your rules. Entries marked Web-based have no client executable and can only be hunted through DNS, proxy or browser telemetry.

- BitTorrent:
  - Domain: hxxps://www[.]bittorrent[.]com/
  - Executable: BitTorrent.exe

- uTorrent:
  - Domain: hxxps://www[.]utorrent[.]com/
  - Executable: uTorrent.exe

- qBittorrent:
  - Domain: hxxps://www[.]qbittorrent[.]org/
  - Executable: qbittorrent.exe

- Vuze:
  - Domain: hxxps://www[.]vuze[.]com/
  - Executable: vuze.exe

- Deluge:
  - Domain: hxxps://deluge-torrent[.]org/
  - Executable: deluge.exe

- eMule:
  - Domain: hxxp://www[.]emule-project[.]net/
  - Executable: emule.exe

- Shareaza:
  - Domain: hxxps://shareaza[.]sourceforge[.]net/
  - Executable: shareaza.exe

- FrostWire:
  - Domain: hxxps://www[.]frostwire[.]com/
  - Executable: frostwire.exe

- Ares Galaxy:
  - Domain: hxxp://aresgalaxy[.]io/
  - Executable: Ares.exe

- Tixati:
  - Domain: hxxps://www[.]tixati[.]com/
  - Executable: tixati.exe

- BitComet:
  - Domain: hxxps://www[.]bitcomet[.]com/
  - Executable: BitComet.exe

- Transmission-Qt:
  - Domain: hxxps://transmissionbt[.]com/
  - Executable: transmission-qt.exe

- Tribler:
  - Domain: hxxps://www[.]tribler[.]org/
  - Executable: tribler.exe

- Lphant:
  - Domain: hxxp://www[.]lphant[.]com/ (Note: Might be defunct)
  - Executable: lphant.exe

- Kazaa Lite:
  - Domain: None (discontinued)
  - Executable: kazaa_lite.exe

- BitLord:
  - Domain: hxxps://www[.]bitlord[.]com/
  - Executable: bitlord.exe

- BitSpirit:
  - Domain: hxxp://www[.]bitspirit[.]cc/ (Note: Might be defunct)
  - Executable: bitspirit.exe

- MLDonkey:
  - Domain: hxxps://mldonkey[.]sourceforge[.]net/Main_Page
  - Executable: mldonkey.exe

- KTorrent:
  - Domain: hxxps://kde[.]org/applications/internet/org[.]kde[.]ktorrent
  - Executable: ktorrent.exe



Cloud-Based File Sharing Services

- Dropbox:
  - Domain: hxxps://www[.]dropbox[.]com/
  - Executable: Dropbox.exe

- Google Drive:
  - Domain: hxxps://drive[.]google[.]com/
  - Executable: googledrivesync.exe

- Microsoft OneDrive:
  - Domain: hxxps://www[.]onedrive[.]com/
  - Executable: OneDrive.exe

- Box:
  - Domain: hxxps://www[.]box[.]com/
  - Executable: BoxSync.exe

- Amazon Drive:
  - Domain: hxxps://www[.]amazon[.]com/clouddrive
  - Executable: AmazonPhotos.exe

- iCloud:
  - Domain: hxxps://www[.]icloud[.]com/
  - Executable: iCloudDrive.exe

- pCloud:
  - Domain: hxxps://www[.]pcloud[.]com/
  - Executable: pCloud.exe

- MEGA:
  - Domain: hxxps://mega[.]nz/
  - Executable: MEGAsync.exe

- Sync.com:
  - Domain: hxxps://www[.]sync[.]com/
  - Executable: Sync.exe

- Tresorit:
  - Domain: hxxps://www[.]tresorit[.]com/
  - Executable: Tresorit.exe

- SpiderOak:
  - Domain: hxxps://spideroak[.]com/
  - Executable: SpiderOak.exe

- MediaFire:
  - Domain: hxxps://www[.]mediafire[.]com/
  - Executable: MediaFireDesktop.exe

- Zoolz:
  - Domain: hxxps://www[.]zoolz[.]com/
  - Executable: Zoolz.exe

- IDrive:
  - Domain: hxxps://www[.]idrive[.]com/
  - Executable: IDrive.exe

- Backblaze B2:
  - Domain: hxxps://www[.]backblaze[.]com/b2/
  - Executable: Backblaze.exe

- Yandex Disk:
  - Domain: hxxps://disk[.]yandex[.]com/
  - Executable: YandexDisk.exe

- Degoo:
  - Domain: hxxps://www[.]degoo[.]com/
  - Executable: Degoo.exe



Direct File Transfer Software

- WeTransfer:
  - Domain: hxxps://www[.]wetransfer[.]com/
  - Executable: Web-based

- Send Anywhere:
  - Domain: hxxps://send-anywhere[.]com/
  - Executable: SendAnywhere.exe

- FileZilla:
  - Domain: hxxps://filezilla-project[.]org/
  - Executable: filezilla.exe

- WinSCP:
  - Domain: hxxps://winscp[.]net/
  - Executable: WinSCP.exe

- Cyberduck:
  - Domain: hxxps://cyberduck[.]io/
  - Executable: Cyberduck.exe

- Resilio Sync:
  - Domain: hxxps://www[.]resilio[.]com/
  - Executable: ResilioSync.exe

- Hightail (formerly YouSendIt):
  - Domain: hxxps://www[.]hightail[.]com/
  - Executable: Hightail.exe

- Smash:
  - Domain: hxxps://fromsmash[.]com/
  - Executable: Web-based

- SurgeFTP:
  - Domain: hxxp://www[.]netwinsite[.]com/surgeftp/
  - Executable: SurgeFTP.exe

- SmartFTP:
  - Domain: hxxps://www[.]smartftp[.]com/
  - Executable: SmartFTP.exe

- Core FTP:
  - Domain: hxxp://www[.]coreftp[.]com/
  - Executable: coreftp.exe

- CuteFTP:
  - Domain: hxxps://www[.]globalscape[.]com/cuteftp
  - Executable: cuteftp.exe

- Transmit:
  - Domain: hxxps://panic[.]com/transmit/
  - Executable: transmit.exe

- Swarmify:
  - Domain: hxxps://swarmify[.]com/
  - Executable: Web-based



Network File Sharing (LAN)

- Syncthing:
  - Domain: hxxps://syncthing[.]net/
  - Executable: syncthing.exe

- Dukto:
  - Domain: hxxp://www[.]msec[.]it/dukto/
  - Executable: dukto.exe

- NitroShare:
  - Domain: hxxps://nitroshare[.]net/
  - Executable: nitroshare.exe

- LAN Messenger:
  - Domain: hxxps://lanmessenger[.]sourceforge[.]net/
  - Executable: lanmessenger.exe

- FileZilla Server:
  - Domain: hxxps://filezilla-project[.]org/
  - Executable: filezillaserver.exe

- TeamViewer:
  - Domain: hxxps://www[.]teamviewer[.]com/
  - Executable: TeamViewer.exe

- AnyDesk:
  - Domain: hxxps://anydesk[.]com/
  - Executable: AnyDesk.exe

- SFTP:
  - Domain: hxxps://winscp[.]net/
  - Executable: sftp.exe

- AirDroid:
  - Domain: hxxps://www[.]airdroid[.]com/
  - Executable: AirDroid.exe

- Feem:
  - Domain: hxxps://feem[.]io/
  - Executable: Feem.exe

- Snapdrop:
  - Domain: hxxps://snapdrop[.]net/
  - Executable: Web-based

- LanXchange:
  - Domain: hxxps://github[.]com/LanXchange/lanxchange
  - Executable: lanxchange.exe

- Warpinator:
  - Domain: hxxps://github[.]com/linuxmint/warpinator
  - Executable: warpinator.exe

- RealVNC:
  - Domain: hxxps://www[.]realvnc[.]com/
  - Executable: vncviewer.exe



Collaboration and Enterprise File Sharing

- Slack:
  - Domain: hxxps://slack[.]com/
  - Executable: slack.exe

- Microsoft Teams:
  - Domain: hxxps://www[.]microsoft[.]com/microsoft-teams/
  - Executable: Teams.exe

- SharePoint:
  - Domain: hxxps://www[.]sharepoint[.]com/
  - Executable: Web-based

- Google Workspace:
  - Domain: hxxps://workspace[.]google[.]com/
  - Executable: Web-based

- Dropbox Business:
  - Domain: hxxps://www[.]dropbox[.]com/business
  - Executable: Dropbox.exe

- Box Enterprise:
  - Domain: hxxps://www[.]box[.]com/enterprise
  - Executable: BoxSync.exe

- Citrix ShareFile:
  - Domain: hxxps://www[.]sharefile[.]com/
  - Executable: ShareFileSync.exe

- Egnyte:
  - Domain: hxxps://www[.]egnyte[.]com/
  - Executable: EgnyteDrive.exe

- Nextcloud:
  - Domain: hxxps://nextcloud[.]com/
  - Executable: Nextcloud.exe

- OwnCloud:
  - Domain: hxxps://owncloud[.]com/
  - Executable: owncloud.exe

- Alfresco:
  - Domain: hxxps://www[.]alfresco[.]com/
  - Executable: alfresco.exe

- Zoho WorkDrive:
  - Domain: hxxps://www[.]zoho[.]com/workdrive/
  - Executable: ZohoWorkDrive.exe

- Workplace by Facebook:
  - Domain: hxxps://www[.]workplace[.]com/
  - Executable: Web-based

- Huddle:
  - Domain: hxxps://www[.]huddle[.]com/
  - Executable: Web-based

- ProofHub:
  - Domain: hxxps://www[.]proofhub[.]com/
  - Executable: Web-based

- HighQ:
  - Domain: hxxps://highq[.]com/
  - Executable: Web-based


Others

- Peerio:
  - Domain: hxxps://peerio[.]com/ (Note: Might be defunct)
  - Executable: peerio.exe

- OnionShare:
  - Domain: hxxps://onionshare[.]org/
  - Executable: onionshare.exe

- RetroShare:
  - Domain: hxxps://retroshare[.]cc/
  - Executable: retroshare.exe

- SparkleShare:
  - Domain: hxxps://sparkleshare[.]org/
  - Executable: sparkleshare.exe

- BTsync:
  - Domain: hxxps://www[.]resilio[.]com/ (formerly BitTorrent Sync)
  - Executable: ResilioSync.exe

- Kazaa:
  - Domain: None (discontinued)
  - Executable: Kazaa.exe

- Soulseek:
  - Domain: hxxp://www[.]slsknet[.]org/
  - Executable: soulseek.exe

- Bitport.io:
  - Domain: hxxps://bitport[.]io/
  - Executable: Web-based

- Jumpshare:
  - Domain: hxxps://www[.]jumpshare[.]com/
  - Executable: Jumpshare.exe

- Filemail:
  - Domain: hxxps://www[.]filemail[.]com/
  - Executable: Filemail.exe

- OpenDrive:
  - Domain: hxxps://www[.]opendrive[.]com/
  - Executable: OpenDrive.exe

- FileTransfer.io:
  - Domain: hxxps://filetransfer[.]io/
  - Executable: Web-based

- SendGB:
  - Domain: hxxps://www[.]sendgb[.]com/
  - Executable: Web-based

- TransferXL:
  - Domain: hxxps://transferxl[.]com/
  - Executable: Web-based

The following SIGMA rule has been created with the help of online tooling and has not been tested within a corporate or sandboxed environment. Please use as a general framework.

title: Detection of Popular File Sharing Software
id: 123e4567-e89b-12d3-a456-426614174000
status: experimental
description: Detects the execution of popular file sharing software on a Windows host.
author: Your Name
date: 2024/08/07
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\BitTorrent.exe'
      - '\uTorrent.exe'
      - '\eMule.exe'
      - '\qBittorrent.exe'
      - '\Vuze.exe'
      - '\Transmission.exe'
      - '\Shareaza.exe'
      - '\FrostWire.exe'
  condition: selection
fields:
  - Image
  - CommandLine
falsepositives:
  - Legitimate use of file sharing software by authorized personnel
level: medium
tags:
  - attack.persistence
  - attack.exfiltration
  - attack.t1567
        
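As an added example (not part of the original log or of the RMM-Catalogue project), the following Python turns a catalogue of tool names, domains and executables, in the form of the RMM and file-sharing lists above, into a hunt over process-creation and DNS telemetry. It handles the '*' wildcards and the defanged hxxps://…[.] domains as the lists write them, and labels rather than suppresses hits on sanctioned tools; the catalogue rows, the sanctioned set and the telemetry events are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed catalogue rows in the shape of the lists above: tool name, the
# vendor domain (some entries defanged the way the file-sharing list is), and
# executables, which may carry '*' wildcards exactly as the lists write them.
CATALOGUE = [
    ("AnyDesk", "anydesk.com", ["anydesk.exe"]),
    ("Dameware", "dameware.com", ["dntus*.exe", "dwrcs.exe"]),
    ("ScreenConnect", "control.connectwise.com", ["screenconnect*.exe"]),
    ("ngrok", "ngrok.com", ["ngrok.exe"]),
    ("MEGA", "hxxps://mega[.]nz/", ["MEGAsync.exe"]),
    ("qBittorrent", "hxxps://www[.]qbittorrent[.]org/", ["qbittorrent.exe"]),
]

# Tools the organisation has sanctioned (constructed). Hits on these are
# labelled rather than dropped, so an install on the wrong host is still visible.
SANCTIONED = {"ScreenConnect"}


@dataclass
class Hit:
    tool: str
    host: str
    evidence: str
    sanctioned: bool


def refang(entry):
    """Turn hxxps://www[.]mega[.]nz/ (or a plain domain) into a bare host name."""
    d = entry.replace("hxxps://", "").replace("hxxp://", "").replace("[.]", ".")
    d = d.split("/")[0].lower()
    return d[4:] if d.startswith("www.") else d


def exe_pattern(executables):
    """One case-insensitive regex covering every executable, '*' wildcards included."""
    return re.compile("|".join(fnmatch.translate(e) for e in executables), re.IGNORECASE)


def domain_matches(queried, catalogue_host):
    """True when the queried name is the catalogue host or one of its subdomains."""
    q = queried.lower().rstrip(".")
    return q == catalogue_host or q.endswith("." + catalogue_host)


def hunt_tool_use(events, catalogue=CATALOGUE, sanctioned=SANCTIONED):
    """events: dicts with 'host' and either 'image' (process creation) or 'query' (DNS)."""
    compiled = [(name, refang(dom), exe_pattern(exes)) for name, dom, exes in catalogue]
    hits = []
    for ev in events:
        for name, host, rx in compiled:
            if "image" in ev:
                # compare the file name only, so the install path does not matter
                basename = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1]
                if rx.fullmatch(basename):
                    hits.append(Hit(name, ev["host"], ev["image"], name in sanctioned))
            elif "query" in ev and domain_matches(ev["query"], host):
                hits.append(Hit(name, ev["host"], ev["query"], name in sanctioned))
    return hits


# Constructed telemetry: Sysmon-style process creations and DNS queries.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "WS01", "query": "relay-1.net.anydesk.com"},
    {"host": "WS02", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\dwrcs.exe"},
    {"host": "WS03", "query": "g.api.mega.co.nz"},   # similar-looking, not a mega.nz subdomain
    {"host": "WS04", "image": r"C:\Windows\explorer.exe"},
    {"host": "WS05", "query": "tunnel.us.ngrok.com"},
]

if __name__ == "__main__":
    for h in hunt_tool_use(SAMPLE_EVENTS):
        flag = "sanctioned" if h.sanctioned else "UNSANCTIONED"
        print(f"{h.host}: {h.tool} ({flag}) <- {h.evidence}")
```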

>> REMOTE LOGIN & EXTERNAL ADDRESSES


>> CONSIDER THIS

Remote Login & External Addresses are critical areas for threat hunters to monitor due to their potential for enabling unauthorized access and facilitating cyber attacks. Remote login services allow users to access internal systems from outside the corporate network, making them attractive targets for attackers seeking to gain a foothold. Threat actors often exploit weak or compromised credentials to perform brute force or phishing attacks, allowing them to infiltrate networks undetected.

ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
To activate this alert, update the KNOWN_COUNTRY list with the countries where login is denied.

  label=User label=Login source_address=* | process geoip(source_address) as country | search -country IN KNOWN_COUNTRY
    
Possible Falcon search:

  event_simpleName="Logon" 
  | filter Origin="Remote" and EventType="Successful" and not (RemoteIpAddress matches "10.*" or RemoteIpAddress matches "192.168.*" or RemoteIpAddress matches "172.16.*" or RemoteIpAddress matches "172.17.*" or RemoteIpAddress matches "172.18.*" or RemoteIpAddress matches "172.19.*" or RemoteIpAddress matches "172.20.*" or RemoteIpAddress matches "172.21.*" or RemoteIpAddress matches "172.22.*" or RemoteIpAddress matches "172.23.*" or RemoteIpAddress matches "172.24.*" or RemoteIpAddress matches "172.25.*" or RemoteIpAddress matches "172.26.*" or RemoteIpAddress matches "172.27.*" or RemoteIpAddress matches "172.28.*" or RemoteIpAddress matches "172.29.*" or RemoteIpAddress matches "172.30.*" or RemoteIpAddress matches "172.31.*")
  | fields LogonEvent, LogonOrigin, RemoteIpAddress
    
Harmony Endpoint uses regex for its searches; follow the syntax below.

    Logon Event IS Successful Logon
    Logon Origin IS Remote
    Remote Ip Address DOES NOT CONTAIN \b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|\b192\.168\.\d{1,3}\.\d{1,3}\b|\b172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}\b
    
Possible Splunk search, written as a Sigma rule so it can be converted with Sigma conversion tooling:

    title: Successful Remote Logon From External Address
    logsource:
      category: authentication
      product: windows
    detection:
      selection:
        LogonEvent: 'Successful Logon'
        LogonOrigin: 'Remote'
      filter_internal:
        RemoteIpAddress|startswith:
          - '10.'
          - '192.168.'
          - '172.16.'
          - '172.17.'
          - '172.18.'
          - '172.19.'
          - '172.20.'
          - '172.21.'
          - '172.22.'
          - '172.23.'
          - '172.24.'
          - '172.25.'
          - '172.26.'
          - '172.27.'
          - '172.28.'
          - '172.29.'
          - '172.30.'
          - '172.31.'
      condition: selection and not filter_internal
    fields:
      - LogonEvent
      - LogonOrigin
      - RemoteIpAddress
    falsepositives:
      - Expected remote logons from trusted external IPs
    level: medium
    
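Added example, not from the original log: the same external-logon check as the vendor searches above, done in Python over 4624-style records. It uses the ipaddress module so 172.16.0.0/12 is one entry rather than sixteen prefixes and so IPv6 addresses and the '-' placeholder are handled; the KNOWN_COUNTRY idea is expressed as an allow-list of expected countries, and the events, country table and allow-list are constructed stand-ins for real data and a geoip lookup.

```python
import ipaddress

# Countries from which remote logons are expected (constructed allow-list).
ALLOWED_COUNTRIES = {"GB", "IE"}

# Constructed stand-in for the SIEM's geoip() lookup, keyed by source address.
GEOIP = {"203.0.113.7": "GB", "198.51.100.23": "RU"}

# Windows 4624 logon types that mean the session came over the network.
REMOTE_LOGON_TYPES = {3, 10}   # 3 = Network, 10 = RemoteInteractive (RDP)

# Ranges treated as internal. ipaddress handles 172.16.0.0/12 as one network,
# which the vendor searches above spell out as sixteen 172.x prefixes. IPv6
# loopback, unique-local and link-local are included because 4624 records
# them too and a plain prefix list silently misses them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr):
    """True for internal ranges and for values that are not addresses at all
    ('-' is what 4624 carries for console and service logons)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def classify(event):
    """Return None when the event is not of interest, else a finding string."""
    if event.get("EventID") != 4624:
        return None
    if int(event.get("LogonType", 0)) not in REMOTE_LOGON_TYPES:
        return None
    src = event.get("IpAddress", "-")
    if is_internal(src):
        return None
    country = GEOIP.get(src, "??")      # unknown origin is reported, not ignored
    if country in ALLOWED_COUNTRIES:
        return None
    return f"external logon {event['TargetUserName']}@{event['Computer']} from {src} ({country})"


def hunt_external_logons(events):
    return [f for f in (classify(e) for e in events) if f]


# Constructed 4624/4625 records with the field names the Windows event XML uses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.4.2.19", "TargetUserName": "alice", "Computer": "SRV01"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "172.20.5.5", "TargetUserName": "svc_backup", "Computer": "SRV01"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "192.0.2.99", "TargetUserName": "bob", "Computer": "SRV02"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.23", "TargetUserName": "admin", "Computer": "SRV02"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "carol", "Computer": "SRV03"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "dave", "Computer": "WS07"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.23", "TargetUserName": "admin", "Computer": "SRV02"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "::1", "TargetUserName": "SYSTEM", "Computer": "SRV03"},
]

if __name__ == "__main__":
    for finding in hunt_external_logons(SAMPLE_EVENTS):
        print(finding)
```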

>> EXPLOITATION OF NET.EXE


Exploitation of NET.EXE is a critical concern for threat hunters, especially when it involves the creation of user accounts. The NET.EXE command is a versatile and powerful utility in Windows environments, used for a variety of administrative tasks, including managing user accounts, services, and network resources. That same power makes it attractive to attackers: once they have a foothold, they can use NET.EXE to create unauthorized user accounts, often with administrative privileges, to gain persistent access to the network. Note that NET.EXE delegates most sub-commands to NET1.EXE, so detections keyed on the process name should cover both images.


Monitoring for unusual or suspicious use of NET.EXE, particularly for account creation, can help threat hunters identify and respond to unauthorized activities, preventing privilege escalation and maintaining the security of the network.
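Added example, not from the original log: a small Python classifier for net.exe and net1.exe command lines that reports account creation and additions to privileged groups, tolerating case, extra whitespace, quoted group names and the /domain switch. The process records are constructed; the privileged-group set is an assumption to tune for your environment.

```python
import re
import shlex

# net.exe hands most sub-commands to net1.exe, so both images must be covered;
# similar names such as netsh.exe must not match.
NET_IMAGE = re.compile(r"(^|[\\/])net1?\.exe$", re.IGNORECASE)

# Groups where a membership change is privilege-relevant (assumption, lower-case).
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators",
                     "domain admins", "enterprise admins"}


def _tokens(cmdline):
    # posix=False keeps Windows backslashes literal and keeps a quoted group name
    # such as "Remote Desktop Users" together as one token.
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:                  # unbalanced quote: fall back to whitespace split
        toks = cmdline.split()
    return [t.strip('"').lower() for t in toks]


def classify(image, cmdline):
    """Return a finding string, or None when the command is not account-related."""
    if not NET_IMAGE.search(image):
        return None
    toks = _tokens(cmdline)
    if len(toks) < 3:                   # 'net user' alone only lists accounts
        return None
    verb, rest = toks[1], toks[2:]
    has_add = "/add" in rest
    if verb == "user" and has_add:
        scope = "domain" if "/domain" in rest else "local"
        return f"account creation: {scope} user '{rest[0]}'"
    if verb in ("localgroup", "group") and has_add:
        group = rest[0]
        members = [t for t in rest[1:] if not t.startswith("/")]
        if group in PRIVILEGED_GROUPS and members:
            return f"privileged group change: '{', '.join(members)}' added to '{group}'"
    return None


def hunt_net_account_changes(events):
    """events: (image, command_line) pairs; returns findings in input order."""
    out = []
    for image, cmdline in events:
        finding = classify(image, cmdline)
        if finding:
            out.append(finding)
    return out


# Constructed process-creation records (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\net.exe", 'net user support P@ssw0rd! /add'),
    (r"C:\Windows\System32\net1.exe", 'net1 localgroup "Remote Desktop Users" support /ADD'),
    (r"C:\Windows\System32\net.exe", 'net user /domain'),
    (r"C:\Windows\System32\net.exe", r'net use Z: \\fileserver\share'),
    (r"C:\Windows\System32\netsh.exe", 'netsh advfirewall show allprofiles'),
    (r"C:\Windows\System32\net.exe", 'net localgroup Administrators'),
    (r"C:\Windows\System32\net.exe", 'net group "Domain Admins" svc_deploy /add /domain'),
]

if __name__ == "__main__":
    for finding in hunt_net_account_changes(SAMPLE_EVENTS):
        print(finding)
```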



>> OUTBOUND SSH, SFTP & FTP TO EXTERNAL ADDRESSES


Outbound SSH, SFTP, and FTP to External Addresses are critical areas of focus for threat hunters due to their potential use in data exfiltration and unauthorized access. These protocols facilitate secure file transfer and remote access, but when used to connect to external addresses, they can be exploited by attackers to transfer sensitive data out of the organization or to establish remote control over compromised systems.


Monitoring outbound SSH, SFTP, and FTP traffic helps threat hunters detect unusual or unauthorized connections, identify potential data breaches, and prevent malicious actors from maintaining external communication channels.



>> LARGE OUTBOUND BYTES


Large Outbound Bytes are a significant concern for threat hunters as they can indicate data exfiltration or other unauthorized transfers of sensitive information. When unusually large amounts of data are being sent out of the network, it may suggest that an attacker is stealing valuable data, whether intellectual property, personal information, or proprietary business information.


Monitoring for large outbound data transfers helps threat hunters detect and respond to potential breaches in real-time, mitigating the risk of data loss and maintaining the security of the organization's information assets.

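Added example, not from the original log, serving both this section and OUTBOUND SSH, SFTP & FTP TO EXTERNAL ADDRESSES above: Python over flow records that reports internal-to-external SSH/SFTP/FTP flows and hosts whose outbound volume is far above their own baseline. The CSV layout, the flow lines, the baseline history and the thresholds (100 MiB floor, 10x the host's median day) are constructed assumptions.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Destination ports for the protocols the section is about.
FILE_TRANSFER_PORTS = {21: "ftp", 22: "ssh/sftp", 990: "ftps"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed CSV form: ts,src,dst,dport,bytes_out."""
    return [{"ts": r["ts"], "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes_out": int(r["bytes_out"])}
            for r in csv.DictReader(io.StringIO(text))]


def external_file_transfers(flows):
    """(src, dst, protocol) for flows from internal hosts to external hosts on
    SSH/SFTP/FTP ports; internal-to-internal SSH is left alone."""
    return [(f["src"], f["dst"], FILE_TRANSFER_PORTS[f["dport"]])
            for f in flows
            if f["dport"] in FILE_TRANSFER_PORTS
            and not is_external(f["src"]) and is_external(f["dst"])]


def large_outbound(flows, baseline, factor=10, min_bytes=100 * 2**20):
    """(host, bytes_today, expected) for hosts whose outbound bytes to external
    destinations exceed min_bytes and factor x their own median daily total.
    baseline maps host -> previous daily totals; a host with no history has
    expected 0, so it is reported as soon as it crosses min_bytes."""
    today = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            today[f["src"]] += f["bytes_out"]
    findings = []
    for host, total in today.items():
        history = baseline.get(host)
        expected = statistics.median(history) if history else 0
        if total >= min_bytes and total > factor * expected:
            findings.append((host, total, expected))
    return findings


# Constructed flow records: two large SSH sessions from 10.1.1.20 overnight,
# routine internal SSH, normal web traffic, a small FTP upload, and 150 MiB
# of HTTPS from a host that has no baseline yet.
FLOWS_CSV = """ts,src,dst,dport,bytes_out
2024-08-07T01:10:00,10.1.1.20,203.0.113.10,22,734003200
2024-08-07T01:12:00,10.1.1.20,203.0.113.10,22,419430400
2024-08-07T09:00:00,10.1.1.21,10.1.1.5,22,52428800
2024-08-07T09:05:00,10.1.1.22,198.51.100.8,443,2097152
2024-08-07T10:00:00,10.1.1.23,198.51.100.9,21,5242880
2024-08-07T11:00:00,10.1.1.24,192.0.2.30,443,157286400
"""

# Constructed per-host history of daily outbound bytes to external destinations.
BASELINE = {
    "10.1.1.20": [30_000_000, 25_000_000, 40_000_000, 28_000_000],
    "10.1.1.22": [2_000_000, 3_000_000, 2_500_000],
    "10.1.1.23": [4_000_000, 6_000_000, 5_000_000],
}

if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    for src, dst, proto in external_file_transfers(flows):
        print(f"external {proto}: {src} -> {dst}")
    for host, total, expected in large_outbound(flows, BASELINE):
        print(f"large outbound: {host} sent {total} bytes (baseline median {expected})")
```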

