It's Day 11 of #100DaysofLC. Today, we're talking about reported CVE-2023-22527 post-exploitation activity. With D&R rules, let's hunt the post-exploit cURL activity, as the folks at @TheDFIRReport reported.
This LimaCharlie detection rule looks for suspicious cURL calls to .me & .fun domains. This is likely already a great network artifact but can be found via EDR via process execution and command-line parameters. #limacharlie #dfir #DetectionEngineering #ThreatHunting
It's Day 1 of the new #100DaysofLC. We'll start simple, detecting the use of bitsadmin.exe (MITRE Technique T1197). Within @limacharlieio, I'm pivoting against a NEW_PROCESS event, looking for "bitsadmin" in the command line. Start simple, and work in increments. Looking for a more detailed explanation, or "What is this thing?" Link to it - add value easily.
It's Day 11 of #100DaysofLC, and today's detection draws from some threat intelligence from Proofpoint, found here: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week They report on a multi-step attack from TA422; I focused on the LNK and DOCX files created on disk. We can utilize LimaCharlie's NEW_DOCUMENT to monitor these files and pivot on a common keyword.
I used the keyword "SEDE-PV-2023". This might be legitimate, but the extensions should help with the rule fidelity.
Today is Day 10 of #100DaysofLC! Today's detection rule looks for suspicious mshta.exe usage, mainly focused on whether mshta was executed by an Administrator OR with an HTTP in the command line. This rule also shows nesting operators to build complex rules, allowing for more granularity.
More information on this LOLBAS technique is here: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
Matt Bromiley