curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

chore(lolbin-detection): rawcopy.exe

This commit is contained in:
Ming Di Leom 2025-07-27 02:21:54 +00:00
parent e310dd61d1
commit a4068a880a
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source/threat-hunting/index.md
View File

@ -2,7 +2,7 @@
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-07-11
updated: 2025-07-27
---
Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@ -356,11 +356,11 @@ SPL:
## LoLBin execution
References: [bitsadmin.exe](https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/), [cdb.exe](https://www.elastic.co/security-labs/fragile-web-ref7707), [cdb.exe](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/), [winsw.exe](https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/), [winsw.exe](https://github.com/winsw/winsw), [winrs.exe](https://www.elastic.co/security-labs/fragile-web-ref7707), [winrs.exe](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs), [cipher.exe](https://blog.talosintelligence.com/fake-ai-tool-installers/#cyberlock-the-powershell-ransomware), [nltest.exe](https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/), [setspn.exe](https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/)
References: [bitsadmin.exe](https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/), [cdb.exe](https://www.elastic.co/security-labs/fragile-web-ref7707), [cdb.exe](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/), [winsw.exe](https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/), [winsw.exe](https://github.com/winsw/winsw), [winrs.exe](https://www.elastic.co/security-labs/fragile-web-ref7707), [winrs.exe](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs), [cipher.exe](https://blog.talosintelligence.com/fake-ai-tool-installers/#cyberlock-the-powershell-ransomware), [nltest.exe](https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/), [setspn.exe](https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/), [rawcopy.exe](https://securelist.com/apt41-in-africa/116986/#rawcopy)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name IN ("bitsadmin.exe", "cdb.exe", "cipher.exe", "nltest.exe", "setspn.exe", "winsw.exe", "winrs.exe", "winrshost.exe") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name IN ("bitsadmin.exe", "cdb.exe", "cipher.exe", "nltest.exe", "rawcopy.exe", "setspn.exe", "winsw.exe", "winrs.exe", "winrshost.exe") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email