Cobalt Strike payload discovery and data manipulation in VQL :: Velociraptor - Digging deeper!
Tags
Common Information
Type | Value |
---|---|
UUID | 9f7b7676-fb9d-4b1d-8edb-a4835f8b9666 |
Fingerprint | 3d20bb726ef94a92 |
Analysis status | DONE |
Considered CTI value | 1 |
Text language | |
Published | Nov. 9, 2021, midnight |
Added to db | Aug. 31, 2024, 2:05 a.m. |
Last updated | Nov. 17, 2024, 6:55 p.m. |
Headline | Cobalt Strike payload discovery and data manipulation in VQL |
Title | Cobalt Strike payload discovery and data manipulation in VQL :: Velociraptor - Digging deeper! |
Detected Hints/Tags/Attributes | 40/2/9 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://docs.velociraptor.app/blog/2021/2021-11-09-vql-data-manipulation/ |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 104 | ✔ | Velociraptor Blog | https://docs.velociraptor.app/blog/index.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 5 | | artifact.windows |
Details | Domain | 1 | | artifact.custom.windows |
Details | Domain | 37 | | googlegroups.com |
Details | Domain | 35 | | www.velocidex.com |
Details | | 31 | | velociraptor-discuss@googlegroups.com |
Details | File | 149 | | msbuild.exe |
Details | MITRE ATT&CK Techniques | 23 | | T1127 |
Details | Url | 7 | | https://www.velocidex.com/discord. |
Details | Yara rule | 1 | | rule MSBuild_buff { meta: description = "Detect unique variable setup MSBuild inline task project file" author = "Matt Green - @mgreen27" date = "2021-10-22" strings: $buff = { 62 79 74 65 5B 5D 20 62 75 66 66 20 3D 20 6E 65 77 20 62 79 74 65 5B 5D } $key_code = { 62 79 74 65 5B 5D 20 6B 65 79 5F 63 6F 64 65 20 3D 20 6E 65 77 20 62 79 74 65 5B 5D } condition: any of them } |