cbecks2

CS_Installer, VT Similarity
similar-to:5c07178b0c44ae71310571b78dde5bbc7dc8ff4675c20d44d5b386dfb4725558

42afb7100d3924915fde289716def039cd14d8116757061df503874217d9b047
5c07178b0c44ae71310571b78dde5bbc7dc8ff4675c20d44d5b386dfb4725558

CS_Installer. Main Icon Hash
main_icon_dhash:30d0f0a4ccccd430

1dbe5c2feca1706fafc6f767cc16427a2237ab05d95f94b84c287421ec97c224

cbecks2

This search is designed to work with Crowdstrike FDR data ingested into Splunk. I will leave the exercise to you to translate this into your own SIEM.

``` Identied PatternIds via |  inputlookup detect_patterns.csv where description="mything ```

```Join AssociateIndicator events to the process and command that did them. We sub-search for our suspect aid + TargetProcessId combination and use them to look for the associated ProcessRollup2 events.```

``` Process rollup events ```
    ( `Your FDR Index` 
    event_platform="Win"
    event_simpleName IN (ProcessRollup2,SyntheticProcessRollup2) 

cbecks2

index=your_index event_platform=Win event_simpleName=ProcessRollup2 LinkName=*
```Begin binary inclusion list```
(ImageFileName="*\\cmd.exe" OR ImageFileName="*\\wscript.exe" OR ImageFileName="*\\cscript.exe" OR ImageFileName="*\\powershell.exe" OR ImageFileName="*\\pwsh.exe" OR ImageFileName="*\\rundll32.exe" OR ImageFileName="*\\regsvr32.exe" OR ImageFileName="*\\msiexec.exe" OR ImageFileName="*\\certutil.exe" OR ImageFileName="*\\bitsadmin.exe" OR ImageFileName="*\\curl.exe" OR ImageFileName="*\\msdt.exe" OR ImageFileName="*\\odbcconf.exe" OR ImageFileName="*\\WindowsTerminal.exe" OR ImageFileName="*\\wt.exe" OR ImageFileName="*\\expand.exe" OR ImageFileName="*\\mshta.exe" OR ImageFileName="*\\forfiles.exe" OR ImageFileName="*\\xcopy.exe" OR ImageFileName="*\\attrib.exe" OR ImageFileName="*\\explorer.exe" OR ImageFileName="*\\msbuild.exe" OR ImageFileName="*\\scriptrunner.exe" OR ImageFileName="*\\java.exe" OR ImageFileName="*\\javaw.exe" OR ImageFileName="*\\python.exe" OR ImageFileName="*\\pythonw.exe" O

cbecks2

index=app_mso365_index sourcetype="o365:management:activity" ApplicationId=*
```Export of Apps in your tenant(s)```
| lookup EnterpriseAppsList.csv appId AS ApplicationId OUTPUT displayName applicationType assignmentRequired

```The following apps appear to be common amongst most all of our user base. Therefore we are removing them to not inflate counts```
| search NOT displayName IN ("app1", "app2") 

```Put your potentailly sensitive apps here. Onboarding system, EDR, service desk related, confluence, etc.```
| eval sensitiveApps=if(match(displayName,"(?i)app3|app4"),"True", "False")

cbecks2

```This search looks at an archive embedded .lnk file being launched directly from the Browser Tray. This happens if a user opens something from a drive by or HTML Smuggle```
```Create a similar search for other common initial access filetypes like js, cmd, bat, vbs, msi, exe, scr, xll, etc. You will need to remove LinkName below.```

index=your_fdr_index event_platform=Win (event_simpleName=ProcessRollup2)
(LinkName="*\\AppData\\Local\\Temp\\Temp1_*.zip\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.rar\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Rar$*\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.iso\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhd\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhdx\\*.lnk" OR

cbecks2

index=your_index  event_simpleName=ProcessRollup2 
(CommandLine="*remote-debugging-port*" OR CommandLine="*remote-debug-port*" )

```Use "NOT ParentBaseFileName=foo" instead of "ParentBaseFileName!=foo" here because ParentBaseFileName may not be recorded in every event and those would get thrown out using !=```
NOT ParentBaseFileName IN ("tuning","goes","here") 
| fillnull ParentBaseFileName value="na" 
~ identity enrichment here ~
~ asset enrichment here ~

```Rex magic to pull the flags from the CommandLine argument field. We then can count the number of flags and do additional filtering```