security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Inveigh Rules

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-10-24 22:57:48 +02:00
parent 87e8e7fa33
commit 34e9f0530b
2 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
+34
View File
@@ -0,0 +1,34 @@
title: Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: experimental
description: Detects the presence and execution of Inveigh via dropped artefacts
author: Nasreddine Bencherchali
references:
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
date: 2022/10/24
tags:
- attack.command_and_control
- attack.t1219
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Inveigh-Log.txt'
- '\Inveigh-Cleartext.txt'
- '\Inveigh-NTLMv1Users.txt'
- '\Inveigh-NTLMv2Users.txt'
- '\Inveigh-NTLMv1.txt'
- '\Inveigh-NTLMv2.txt'
- '\Inveigh-FormInput.txt'
- '\Inveigh.dll'
- '\Inveigh.exe'
- '\Inveigh.ps1'
- '\Inveigh-Relay.ps1'
condition: selection
falsepositives:
- Unlikely
level: critical
rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
+32
View File
@@ -0,0 +1,32 @@
title: Inveigh Hack Tool
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: experimental
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
author: Nasreddine Bencherchali
references:
- https://github.com/Kevin-Robertson/Inveigh
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
date: 2022/10/24
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Inveigh.exe'
- OriginalFileName:
- '\Inveigh.exe'
- '\Inveigh.dll'
- Description: 'Inveigh'
- CommandLine|contains:
- ' -SpooferIP'
- ' -ReplyToIPs '
- ' -ReplyToDomains '
- ' -ReplyToMACs '
- ' -SnifferIP'
condition: selection
falsepositives:
- Very unlikely
level: critical