Partial Ttps

Date: 2023-06-15 ID: 82ce58ec-f2cb-4570-9a7c-b666362c5ebb Author: Steven Dick Environment: attack_range Directory: partial_ttps

Description

Detection of gootloader common behaviors sourced from manual malware testing in Q1 2023

No MITRE techniques specified for this dataset.

The following datasets were collected during this attack simulation:

Path: /datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Suspicious Process Executed From Container File	`TTP`	Endpoint	T1204.002, T1036.008	APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Unusual Processes, Amadey, Remcos, Snake Keylogger, Water Gamayun
Windows Registry Payload Injection	`TTP`	Endpoint	T1027.011	Unusual Processes
Windows Scheduled Task Service Spawned Shell	`TTP`	Endpoint	T1053.005, T1059	Windows Persistence Techniques
PowerShell WebRequest Using Memory Stream	`TTP`	Endpoint	T1059.001, T1105, T1027.011	MoonPeak, Medusa Ransomware, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations
PowerShell Script Block With URL Chain	`TTP`	Endpoint	T1059.001, T1105	Malicious PowerShell, Hellcat Ransomware

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0