Hunting for Stuxbot

tasks:

Hunt 1: Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public. Enter the content of the user.name field in the document that is related to a transferred tool that starts with "r" as your answer.

Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.

Hunt 3: Create a KQL query to hunt for "PowerShell Remoting for Lateral Movement". Enter the content of the winlog.user.name field in the document that is related to PowerShell remoting-based lateral movement towards DC1.


hunt 1

event.code : 11 and "C:\Users\Public*"

Event code 11 is for file creation, and the path. So it searches for created files in C:\Users\Public

Add file.name : "r*" if you want, but there are 7 logs, you can manually search for a file name that starts with "r". and enter the user.name as answer.

Answer: svc-sql1


hunt 2

event code 13 is for registry modification and we can specify a registry path that is asocciated with autostart execution when booted or logged on, in the above MITTRE link are mentioned default run keys path folders, we will just type /* Run* in registry path since it searches for the few that are registry related paths.

event.code:13 AND registry.path: *Run*

Answer: LgvHsviAUVTsIN


hunt 3

Hint: laverage event code 4104 and powershell.file.script_block_text

Event code 4104 is for Remote PowerShell script execution

powershell.file.script_block_text field captures the content of executed PowerShell scripts. We have about 5 options to enter in this field and they are:

  • Enter-PSSession (Interactive PowerShell Remoting)

  • Invoke-Command (Execute commands on remote machines)

  • New-PSSession (Establish a session)

  • -ComputerName (Specifies a remote machine)

  • -Credential (Possible privilege escalation attempt)

  • -EncodedCommand (Obfuscation technique)

event.code:4104 AND powershell.file.script_block_text: "Enter-PSSession"

Search the documents that lateral move tovards the DC1

Answer: svc-sql1

Last updated