-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathkestrel-cross-host-campaign-discovery.hf
54 lines (36 loc) · 2.2 KB
/
kestrel-cross-host-campaign-discovery.hf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# TTP: a process spawns a process invoking another binary/image
# example 1 on Windows: reading email results in executing something
phishing_candidates = GET process
FROM stixshifter://bh22-win-111
WHERE parent_ref.name = 'WinMail.exe' AND binary_ref.name != 'WinMail.exe'
START 2022-07-01T00:00:00Z STOP 2022-08-01T00:00:00Z
cmd = phishing_candidates WHERE pid = 7220
cmd_activities = FIND process CREATED BY cmd
psh_activities = FIND process CREATED BY cmd_activities
START 2022-07-01T00:00:00Z STOP 2022-08-01T00:00:00Z
splunkd_activities = FIND process CREATED BY psh_activities
lateral_mov_win = splunkd_activities WHERE pid = 7028
lateral_mov_win_nt = FIND network-traffic CREATED BY lateral_mov_win
lateral_mov_112_nt = GET network-traffic FROM stixshifter://bh22-win-112
WHERE src_port = lateral_mov_win_nt.src_port
# DISP lateral_mov_112_nt ATTR src_ref.value, src_port, dst_ref.value, dst_port
lateral_mov_112_proc = FIND process CREATED lateral_mov_112_nt
lateral_mov_112_receiver = lateral_mov_112_proc WHERE x_unique_id != lateral_mov_win.x_unique_id
splunkd_on_112 = GET process
FROM stixshifter://bh22-win-111
WHERE name = 'splunkd.exe'
START 2022-07-01T00:00:00Z STOP 2022-08-01T00:00:00Z
splunkd_activities_on_112 = FIND process CREATED BY splunkd_on_112
lateral_mov_linux = splunkd_activities WHERE pid = 7880
lateral_mov_linux_nt = FIND network-traffic CREATED BY lateral_mov_linux
DISP lateral_mov_linux_nt ATTR src_ref.value, src_port, dst_ref.value, dst_port
lateral_mov_91_nt = GET network-traffic
FROM stixshifter://bh22-linux
WHERE dst_port = lateral_mov_linux_nt.dst_port
# DISP lateral_mov_linux_nt ATTR src_ref.value, src_port, dst_ref.value, dst_port
linux_proc = FIND process CREATED lateral_mov_91_nt
DISP linux_proc ATTR pid, name, command_line
node_children = FIND process CREATED BY linux_proc
START 2022-07-01T00:00:00Z STOP 2022-08-01T00:00:00Z
node_grand_children = FIND process CREATED BY node_children
c2_traffic = FIND network-traffic CREATED BY node_grand_children