toolsmith: Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: Data Credentials - T1589.001 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Python - T1059.006 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Hypervisor - T1062 Powershell - T1086 Scripting - T1064 Scripting
Show in Graph
Common Information
Type Value
UUID d5f187f3-94fb-4bc6-81a3-ff879a12ef6c
Fingerprint 3cd589ca09af2fae
Analysis status IN_PROGRESS
Considered CTI value 0
Text language
Published May 1, 2015, 8:50 a.m.
Added to db Jan. 18, 2023, 9:47 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline UNKNOWN
Title toolsmith: Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem
Detected Hints/Tags/Attributes 82/2/14
Source URLs
Redirection Url
Details Source https://holisticinfosec.blogspot.com/2015/05/toolsmith-attack-detection-hunting-in.html
URL Provider
Details Provider Source level domain
Details blogspot.com holisticinfosec.blogspot.com
Attributes
Details Type #Events CTI Value
Details Domain 43 
setup.sh
Details File 1 
toolsmith.bat
Details File 1 
meterpreter_output.txt
Details File 1208 
powershell.exe
Details File 27 
invoke-mimikatz.ps1
Details File 1 
winpmem.exe
Details File 59 
2.exe
Details File 1 
compromised.raw
Details File 1 
d:\forensics\memoryimages\toolsmith\compromised.raw
Details File 2125 
cmd.exe
Details File 1 
_2396.dmp
Details Github username 5 
mattifestation
Details IPv4 1 
192.168.177.130
Details Url 3 
https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1