From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements
Tags
| attack-pattern: | Data Code Repositories - T1213.003 Code Repositories - T1593.003 Powershell - T1059.001 Software - T1592.002 Tool - T1588.002 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | 54ee8235-0c41-4618-bfe8-ebd98f014534 |
| Fingerprint | f5553c4c51137681 |
| Analysis status | DONE |
| Considered CTI value | -2 |
| Text language | |
| Published | Aug. 2, 2024, 11 a.m. |
| Added to db | Aug. 31, 2024, 1:11 a.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements |
| Title | From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements |
| Detected Hints/Tags/Attributes | 70/1/34 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 43 | ✔ | NVISO Labs | https://blog.nviso.eu/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 62 | nvlpubs.nist.gov |
|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 207 | learn.microsoft.com |
|
| Details | File | 6 | 800-61r2.pdf |
|
| Details | File | 193 | ntuser.dat |
|
| Details | File | 1 | knockoutx64.exe |
|
| Details | File | 1260 | explorer.exe |
|
| Details | File | 229 | advapi32.dll |
|
| Details | File | 185 | shell32.dll |
|
| Details | File | 748 | kernel32.dll |
|
| Details | Github username | 6 | nvisosecurity |
|
| Details | md5 | 1 | 58B142287E47B5605363639F5C4ABB45 |
|
| Details | sha1 | 1 | 86c0199b6a9305621b011daaf999a4fe0f266ba9 |
|
| Details | sha256 | 1 | 3b248c3e8b64719d5991a762330a0b2bb58e116247da89e781ec1a53f4ed1d00 |
|
| Details | Url | 5 | https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf |
|
| Details | Url | 1 | https://github.com/nvisosecurity/knockout |
|
| Details | Url | 1 | https://github.com/nvisosecurity/knockout/blob/main/knockout.yar |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumkeyexa |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumvaluea |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexa |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shgetknownfolderpath |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-closehandle |
|
| Details | Windows Registry Key | 4 | HKEY_CURRENT_USER\Software\Classes\Local |
|
| Details | Windows Registry Key | 2 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU |
|
| Details | Windows Registry Key | 18 | HKEY_CURRENT_USER\Software\Microsoft\Office |
|
| Details | Windows Registry Key | 4 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
|
| Details | Windows Registry Key | 3 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
|
| Details | Windows Registry Key | 2 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR |
|
| Details | Windows Registry Key | 2 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist |