Conti NTDS Exfiltration Command

 1title: Conti NTDS Exfiltration Command
 2id: aa92fd02-09f2-48b0-8a93-864813fb8f41
 3status: test
 4description: Detects a command used by conti to exfiltrate NTDS
 5references:
 6    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 7    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 8author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
 9date: 2021/08/09
10modified: 2022/10/09
11tags:
12    - attack.collection
13    - attack.t1560
14    - detection.emerging_threats
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        CommandLine|contains|all:
21            - '7za.exe'
22            - '\\C$\\temp\\log.zip'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity
• APT31 Judgement Panda Activity
• Blue Mockingbird
• COLDSTEEL Persistence Service Creation