# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
import sys

from . import common
from . import RtaMetadata
# (rule_name, rule_id) pairs for the Elastic Endpoint rules this RTA is expected to trigger.
# Rule 1 fires on the VSS registry write, rule 2 on that write followed by the rename,
# rule 3 on the rename itself being performed by an unusual process (powershell.exe).
_ENDPOINT_RULES = (
    ("Shadow Copy Service Disabled via Registry Modification", "b2409cd4-3b23-4b2d-82e4-bbb25594999a"),
    ("VSS Service Disabled Followed by a Suspicious File Rename", "d6cde651-adc9-4074-b167-65e6b82116b4"),
    ("Suspicious File Rename by an Unusual Process", "df874d7e-6639-44ce-b47d-96254022ccd5"),
)

metadata = RtaMetadata(
    uuid="c4eefb59-2c59-4904-a04e-5e3a75f54a46",
    platforms=["windows"],
    endpoint=[{"rule_name": name, "rule_id": rule_id} for name, rule_id in _ENDPOINT_RULES],
    # No SIEM (detection-rules) coverage is declared for this RTA.
    siem=[],
    # ATT&CK: T1218 System Binary Proxy Execution, T1112 Modify Registry,
    # T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery,
    # T1059 Command and Scripting Interpreter.
    techniques=["T1218", "T1112", "T1486", "T1490", "T1059"],
)
# Seed file for the rename step, resolved from the RTA "bin" directory. Judging by its
# name it is a high-entropy blob, so the staged "jpg" resembles encrypted content rather
# than a real image — confirm against common.get_path / the bundled file if this matters.
HIGHENTROPY = common.get_path("bin", "highentropy.txt")
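@common.requires_os(*metadata.platforms)
def main():
    """Emulate ransomware-style VSS tampering followed by a suspicious file rename.

    Two behaviours are generated, in this order, so the endpoint rules listed in
    ``metadata`` can fire:

    1. The ``Start`` value of the VSS service key under HKLM is set to 4 (the
       ``SERVICE_DISABLED`` start type). ``common.temporary_reg`` is used as a
       context manager and the body is empty, so the value is written and then
       presumably restored to its previous content on exit (confirm in ``common``).
       The service itself is never stopped; the registry write is the trigger.
    2. A high-entropy file is copied to ``C:\\Users\\Public\\jpg.jpg`` and renamed to
       ``jpg.enc`` by powershell.exe, then both paths are removed.

    NOTE(review): writing under HKLM requires an elevated process, and the VSS
    ``Start`` value is briefly changed on the host — run this only on a disposable
    test machine, never on a system whose shadow copies matter.

    Cleanup deletes exactly the two paths this function created. An earlier revision
    removed ``C:\\Users\\Public\\*jpg*``, a wildcard that would also delete any
    unrelated file in the Public folder whose name happened to contain ``jpg``.

    Returns:
        None; the entry point passes that to the interpreter exit, i.e. status 0.
    """
    key = "SYSTEM\\CurrentControlSet\\Services\\VSS"
    value = "Start"
    data = 4  # SERVICE_DISABLED start type

    # Write-then-revert: the empty body means the modification only exists for the
    # lifetime of the context; the write itself is what the rules look for.
    with common.temporary_reg(common.HKLM, key, value, data, data_type="dword"):
        pass

    powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    jpg = "C:\\Users\\Public\\jpg.jpg"
    jpgenc = "C:\\Users\\Public\\jpg.enc"

    # Stage the high-entropy file and rename it to a ransomware-like extension from
    # powershell.exe (the "unusual process"). powershell.exe accepts "/c" as -Command.
    common.copy_file(HIGHENTROPY, jpg)
    common.execute([powershell, "/c", f"Rename-Item {jpg} {jpgenc}"], timeout=10)

    # Cleanup: remove only the two paths created above. The source remains if the
    # rename failed, the target if it succeeded; -ErrorAction SilentlyContinue keeps
    # the missing one from producing an error. No wildcard, so nothing else in
    # C:\Users\Public is touched.
    common.execute(
        [powershell, "/c", f"Remove-Item '{jpg}','{jpgenc}' -Force -ErrorAction SilentlyContinue"],
        timeout=10,
    )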
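if __name__ == "__main__":
    # Prefer sys.exit over the site-provided exit() builtin: the latter is only
    # guaranteed to exist when the interpreter loads the site module. main() returns
    # None, so the process exit status is 0 either way.
    sys.exit(main())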