==================================================
>> Welcome to the Vault, fellow hunter! This log outlines common ransomware behaviors, key hunt indicators, cool discoveries, and handy query syntaxes.
==================================================
The entries below cover hunt areas where adversary activity hides inside legitimate administrative tooling and traffic. Each gives the behaviour to look for, its ATT&CK mapping and, where available, indicators and query syntax.
>> CONSIDER THIS
Remote Monitoring & Management (RMM) software enables IT professionals to remotely monitor, manage, and maintain IT systems and networks. Because RMM agents are signed, trusted by security controls and often already present in the environment, adversaries (ransomware affiliates in particular) install their own agent or repurpose the organization's for unauthorized access, persistence, and lateral movement. Threat hunters should focus on RMM agents that IT did not deploy: vendors the organization does not license, installs that bypassed the software-deployment process, agents launched from user-writable paths or by a user rather than a service, and more than one RMM product on the same host. Baseline the sanctioned product first, or every hit will be the help desk.
ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tags: T1078: Valid Accounts; T1098: Account Manipulation; T1027: Obfuscated Files or Information
RMM software list (vendor domains and agent executables):
- Access Remote PC
  - Executables: rpcgrab.exe, rpcsetup.exe
- Action1
  - Domain: action1.com
  - Executables: action1_agent.exe
[... rest of the RMM software list ...]
Sigma rule (Windows process creation, matching known RMM agent image names):
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image:
      - '*\\teamviewer.exe'
      - '*\\anydesk.exe'
[... rest of the SIGMA rule ...]
Microsoft Defender for Endpoint (KQL):
DeviceProcessEvents
| where ProcessCommandLine contains "teamviewer"
    or ProcessCommandLine contains "anydesk"
[...]
Both the Sigma rule and the KQL key on the agent's file name, so an attacker who renames the binary evades them. Pivot also on the PE's original file name and code signer in process-creation telemetry, and on DNS and proxy logs for the vendor domains in the list above, which the agent must contact regardless of what it is called on disk.
>> CONSIDER THIS
Filesharing software facilitates the transfer and sharing of files across different systems and users. Adversaries abuse the same services (consumer cloud storage, sync clients, transfer and paste sites) for initial access via malware delivered through a shared link, for persistence, for data exfiltration, and for defense evasion, because traffic to a popular filesharing service is hard to tell apart from legitimate use. Threat hunters should monitor filesharing tools for clients that were never sanctioned or were newly installed, unusual transfer sizes, transfers split into many equal-sized chunks (an operator working around a service's size limit), and uploads to services the organization does not use for business.
ATT&CK Category: Initial Access, Persistence, Exfiltration, Defense Evasion
ATT&CK Tags and IDs: T1078: Valid Accounts; T1030: Data Transfer Size Limits; T1567: Exfiltration Over Web Service
>> CONSIDER THIS
Remote Login & External Addresses are critical areas for threat hunters to monitor because they are the routes by which an outsider reaches internal systems. Remote login services (VPN concentrators, RDP gateways, virtual desktop brokers, SSO portals) allow users to access internal systems from outside the corporate network, which makes them attractive targets for attackers seeking a foothold. Threat actors obtain weak or compromised credentials through brute force, credential stuffing or phishing, then simply log in as that user; there is no exploit to detect, so the activity blends into normal remote-access traffic. Hunt for logons from addresses, countries or hosting providers the account has never used, two logons too far apart geographically to be one traveller, logons outside the user's working pattern, and a successful logon that follows a burst of failures against the same or many accounts.
ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
Abuse of NET.EXE is a critical concern for threat hunters, especially when it involves the creation of user accounts. NET.EXE is a built-in, versatile Windows utility used for administrative tasks such as managing user accounts, services, shares and network resources; most of its subcommands are actually executed by NET1.EXE, which net.exe spawns and which an attacker can also call directly. That same reach makes it useful to an attacker who already has a foothold: net user <name> <password> /add creates a local account, net localgroup administrators <name> /add makes it an administrator, and adding /domain does the same against the domain. The resulting account survives a password reset of the credentials that were originally stolen, which is why it is a favoured persistence step.
Monitor process-creation telemetry for net.exe or net1.exe run with the user, localgroup or group subcommand together with /add (net.exe accepts unambiguous switch prefixes, so /ad works too), and weigh the hit by context: an unusual parent such as a web server worker, an Office application or a script host, an off-hours change, or an account that does not normally administer that host. Correlate with Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) so that accounts created through other tools are not missed. Catching this early stops privilege escalation before the attacker has a durable second identity in the network.
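The detection described above, run over process-creation records, as an added example that is not part of the original page. The events are constructed Sysmon Event ID 1 style records, not real logs, and the list of suspicious parent processes is an assumption to be tuned per environment.

```python
"""Hunt net.exe / net1.exe account creation and group-membership changes in
process-creation telemetry.

Added example, not part of the original page. The events below are constructed
Sysmon Event ID 1 style records (Image, ParentImage, User, CommandLine), not
real logs; SUSPICIOUS_PARENTS is an assumed list to be tuned per environment.
"""
import shlex

NET_BINARIES = {"net.exe", "net1.exe"}          # net.exe hands most commands to net1.exe
ACCOUNT_SUBCOMMANDS = {"user", "users"}         # `net user <name> <pw> /add` creates an account
GROUP_SUBCOMMANDS = {"localgroup", "group"}     # local group / domain group membership
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators",
                     "domain admins", "enterprise admins", "schema admins"}
# Parents that have no business creating accounts (assumed list for this example).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample events: two account changes from cmd.exe/net.exe, two benign
# uses of net.exe, and a domain-admin addition spawned by an IIS worker process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\jsmith", "CommandLine": "net  user backup_svc P@ssw0rd! /add"},
    {"Image": r"C:\Windows\System32\net1.exe", "ParentImage": r"C:\Windows\System32\net.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\system32\net1 localgroup administrators backup_svc /ad"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\jsmith", "CommandLine": "net user jsmith"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jsmith", "CommandLine": r"net use Z: \\fileserver\share /persistent:yes"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": r'net group "Domain Admins" backup_svc /add /domain'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    """Split a Windows command line, keeping quoted group names as one token."""
    try:
        toks = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes are literal
    except ValueError:                             # unbalanced quotes: fall back
        toks = cmdline.split()
    return [t.strip('"').lower() for t in toks]


def _is_prefix_of(switch, tok):
    # net.exe accepts any unambiguous prefix of a switch, e.g. "/ad" for "/add".
    return len(tok) >= 3 and switch.startswith(tok)


def classify_net_command(event):
    """Return a finding for account creation / group addition, else None."""
    if _basename(event["Image"]) not in NET_BINARIES:
        return None
    toks = _tokens(event["CommandLine"])
    if len(toks) < 2:
        return None
    sub, args = toks[1], toks[2:]
    if not any(_is_prefix_of("/add", t) for t in args):
        return None                                # listing or modifying, not adding
    positional = [a for a in args if not a.startswith("/")]
    parent = _basename(event["ParentImage"])
    finding = {
        "user": event["User"],
        "parent": parent,
        "suspicious_parent": parent in SUSPICIOUS_PARENTS,
        "domain_scope": any(_is_prefix_of("/domain", t) for t in args),
        "command": event["CommandLine"],
    }
    if sub in ACCOUNT_SUBCOMMANDS and positional:
        finding.update(kind="account_created", target=positional[0], privileged=False)
    elif sub in GROUP_SUBCOMMANDS and len(positional) >= 2:
        group, member = positional[0], positional[1]
        finding.update(kind="group_member_added", target=member, group=group,
                       privileged=group in PRIVILEGED_GROUPS)
    else:
        return None
    return finding


def hunt(events):
    """All account-creation / group-addition findings in a batch of events."""
    return [f for f in (classify_net_command(e) for e in events) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flags = [k for k in ("privileged", "suspicious_parent", "domain_scope") if f[k]]
        print(f"{f['kind']:<20} target={f['target']:<12} parent={f['parent']:<10} "
              f"user={f['user']:<24} {' '.join(flags)}")
```

The benign `net user jsmith` and `net use` rows produce nothing, while the `/ad` abbreviation and the path-qualified `net1` still match, which is the point of tokenising the command line rather than substring-matching on "net user /add".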
Outbound SSH, SFTP, and FTP to External Addresses are critical areas of focus for threat hunters because of their use in data exfiltration and in maintaining remote access. These protocols exist to move files and administer hosts, so inside the network they are routine; pointed at an address the organization does not own, the same session can carry sensitive data out, pull tooling in, or (with SSH port forwarding) give an attacker a durable channel back into compromised systems. SFTP and scp run inside SSH, so an SSH session to an unknown external host is the thing to find; FTP sends credentials and data in the clear, and its passive-mode data channel lands on a negotiated high port, so match on the protocol the sensor identified rather than on port 21 alone, and likewise on SSH that has been moved off port 22.
Monitoring outbound SSH, SFTP, and FTP traffic lets threat hunters spot unusual or unauthorized connections, identify data leaving the organization, and deny attackers the external communication channels they rely on. Build an allowlist of the external endpoints that legitimately receive such traffic (backup providers, partner SFTP drops) so that the remaining hits are worth an analyst's time.
Large Outbound Bytes are a significant concern for threat hunters because they can indicate data exfiltration or other unauthorized transfers of sensitive information. When a host sends far more data out of the network than it normally does, an attacker may be stealing intellectual property, personal data, or proprietary business information; double-extortion ransomware operators in particular exfiltrate data before they encrypt, so this is often the last observable step before impact.
Monitoring for large outbound data transfers helps threat hunters detect and respond to a breach while it is in progress, limiting data loss. Measure bytes sent per source host to external destinations over a window, compare against that host's own baseline rather than a single network-wide number, and look at which destination received the bulk of it; a workstation pushing hundreds of megabytes to one previously unseen external address is a different investigation from a backup server doing its nightly job.
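Both hunts above (outbound SSH/SFTP/FTP to external addresses, and large outbound byte volumes per source host) share the same plumbing: deciding what is external, skipping approved endpoints, and reading connection records. The following is an added example implementing both over constructed Zeek conn.log style rows; it is not the page's or any vendor's code. The internal ranges, the allowlisted endpoint, the byte threshold and the RFC 5737 documentation addresses used as stand-ins for public hosts are all assumptions.

```python
"""Flag outbound SSH/SFTP/FTP to external addresses and large outbound byte
volumes in connection logs.

Added example, not part of the original page. The rows below are constructed
Zeek conn.log style records (orig_h, resp_h, resp_p, proto, service, orig_bytes,
resp_bytes), not real traffic. RFC 5737 documentation ranges stand in for public
addresses; INTERNAL_NETS, ALLOWED_EXTERNAL and LARGE_OUTBOUND_BYTES are assumed
values to be replaced with the organization's own.
"""
import ipaddress
from collections import defaultdict

# What counts as "inside": RFC 1918 plus loopback and link-local (assumed). An
# explicit list is used instead of ip_address.is_global because hunts work from
# the organization's own address plan, not from IANA's global-routability table.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# Approved external file-transfer endpoints, e.g. the backup provider (assumed).
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.200/32")]
FILE_TRANSFER_SERVICES = {"ssh", "ftp", "ftp-data"}   # sftp and scp ride on ssh
FILE_TRANSFER_PORTS = {22, 21, 20}
LARGE_OUTBOUND_BYTES = 500 * 1024 * 1024              # assumed; tune per host baseline

# Constructed records: (orig_h, resp_h, resp_p, proto, service, orig_bytes, resp_bytes)
CONN_LOG = [
    ("10.20.1.15", "10.20.1.5",       22,    "tcp", "ssh",      48_000,      120_000),  # internal hop
    ("10.20.1.15", "203.0.113.44",    22,    "tcp", "ssh",      720_000_000, 9_000),    # big push out
    ("10.20.1.22", "198.51.100.7",    21,    "tcp", "ftp",      3_000,       5_000),    # ftp control
    ("10.20.1.22", "198.51.100.7",    53211, "tcp", "ftp-data", 150_000_000, 0),        # passive data
    ("10.20.1.30", "192.0.2.10",      2222,  "tcp", "ssh",      2_000,       3_000),    # ssh off-port
    ("10.20.1.40", "172.16.5.9",      443,   "tcp", "ssl",      5_000,       80_000),   # internal https
    ("10.20.1.50", "198.51.100.200",  22,    "tcp", "ssh",      40_000_000,  20_000),   # allowlisted
]


def is_external(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def is_allowlisted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_EXTERNAL)


def _outbound_to_unknown_external(rec):
    src, dst = rec[0], rec[1]
    return not is_external(src) and is_external(dst) and not is_allowlisted(dst)


def outbound_file_transfers(records):
    """Internal -> non-allowlisted external connections over SSH/FTP.

    Matching on the sensor's identified service as well as the port catches SSH
    moved to 2222 and the passive-FTP data channel on a negotiated high port."""
    hits = []
    for rec in records:
        src, dst, dport, _proto, service, orig_bytes, _resp_bytes = rec
        if not _outbound_to_unknown_external(rec):
            continue
        if service in FILE_TRANSFER_SERVICES or dport in FILE_TRANSFER_PORTS:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "service": service, "orig_bytes": orig_bytes})
    return hits


def large_outbound_sources(records, threshold=LARGE_OUTBOUND_BYTES):
    """Sum bytes each internal host sent to external destinations; report hosts
    over the threshold together with the destination that received the most."""
    totals = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for rec in records:
        src, dst, orig_bytes = rec[0], rec[1], rec[5]
        if not _outbound_to_unknown_external(rec):
            continue
        totals[src] += orig_bytes
        per_dst[src][dst] += orig_bytes
    result = []
    for src, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        if total >= threshold:
            top_dst = max(per_dst[src], key=per_dst[src].get)
            result.append({"src": src, "outbound_bytes": total, "top_dst": top_dst})
    return result


if __name__ == "__main__":
    for h in outbound_file_transfers(CONN_LOG):
        print(f"file transfer  {h['src']} -> {h['dst']}:{h['dport']} ({h['service']}) "
              f"{h['orig_bytes']:,} bytes out")
    for r in large_outbound_sources(CONN_LOG):
        print(f"large outbound {r['src']} sent {r['outbound_bytes']:,} bytes, "
              f"mostly to {r['top_dst']}")
```

Lowering the threshold argument of `large_outbound_sources` is how a per-host baseline would be applied: pass each host's own typical daily volume rather than one global constant.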