Embracing offensive tooling: Building detections against Koadic using EQL — Elastic Security Labs
Common Information
Type Value
UUID 0c0e2326-e56d-441c-82f8-32fbcaf8a0c4
Fingerprint 77178e7f39e4ecc1
Analysis status DONE
Considered CTI value 2
Text language
Published June 1, 2022, midnight
Added to db Nov. 20, 2023, 12:59 a.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Embracing offensive tooling: Building detections against Koadic using EQL
Title Embracing offensive tooling: Building detections against Koadic using EQL — Elastic Security Labs
Detected Hints/Tags/Attributes 90/1/32
RSS Feed
Id | Enabled | Feed title | Url | Added to db
306 | | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08
Attributes
Type | #Events | CTI Value
File | 173 | outlook.exe
File | 456 | mshta.exe
File | 459 | regsvr32.exe
File | 1018 | rundll32.exe
File | 240 | wmic.exe
File | 24 | arp.exe
File | 25 | findstr.exe
File | 9 | hostname.exe
File | 51 | ipconfig.exe
File | 10 | nbtstat.exe
File | 256 | net.exe
File | 48 | net1.exe
File | 76 | netsh.exe
File | 49 | nltest.exe
File | 76 | ping.exe
File | 61 | systeminfo.exe
File | 56 | tasklist.exe
File | 19 | tracert.exe
File | 62 | whoami.exe
File | 142 | wmiprvse.exe
File | 18 | compmgmtlauncher.exe
File | 3 | c:\\windows\\system32\\compmgmtlauncher.exe
File | 2126 | cmd.exe
MITRE ATT&CK Techniques | 49 | T1193
MITRE ATT&CK Techniques | 12 | T1170
MITRE ATT&CK Techniques | 27 | T1085
MITRE ATT&CK Techniques | 179 | T1087
MITRE ATT&CK Techniques | 6 | T1096
MITRE ATT&CK Techniques | 29 | T1088
MITRE ATT&CK Techniques | 534 | T1005
Threat Actor Identifier - APT | 783 | APT28
Windows Registry Key | 16 | HKCU\Software\Classes\mscfile\shell\open\command