HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
Sigma rule

```yaml
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
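The following is an added example, not code from the Sigma project or from Inveigh: it applies the rule's `TargetFilename|endswith` selection to constructed file-creation events shaped like Sysmon Event ID 11 records, reproducing Sigma's default case-insensitive string matching and showing why each suffix carries a leading backslash. The event field names and sample paths are constructed for illustration.

```python
# Added example, not code from the Sigma project or Inveigh: evaluates the rule's
# selection over constructed Sysmon Event ID 11 (FileCreate) records.

# Suffixes copied verbatim from the rule's TargetFilename|endswith list.
INVEIGH_ARTEFACT_SUFFIXES = (
    r"\Inveigh-Log.txt",
    r"\Inveigh-Cleartext.txt",
    r"\Inveigh-NTLMv1Users.txt",
    r"\Inveigh-NTLMv2Users.txt",
    r"\Inveigh-NTLMv1.txt",
    r"\Inveigh-NTLMv2.txt",
    r"\Inveigh-FormInput.txt",
    r"\Inveigh.dll",
    r"\Inveigh.exe",
    r"\Inveigh.ps1",
    r"\Inveigh-Relay.ps1",
)

def matches_inveigh_artefact(target_filename: str) -> bool:
    """Sigma string matching is case-insensitive by default; the leading
    backslash anchors each suffix to a whole file name, so 'MyInveigh-Log.txt'
    is not a hit while 'inveigh.ps1' is."""
    name = target_filename.lower()
    return any(name.endswith(suffix.lower()) for suffix in INVEIGH_ARTEFACT_SUFFIXES)

def evaluate_file_events(events):
    """Apply `condition: selection`; hits carry the rule's level for alerting."""
    hits = []
    for event in events:
        target = event.get("TargetFilename")
        if target and matches_inveigh_artefact(target):
            hits.append({**event, "rule": "HackTool - Inveigh Execution Artefacts", "level": "critical"})
    return hits

# Constructed sample events (Sysmon Event ID 11 fields); all paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Inveigh-NTLMv2.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\inveigh.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\MyInveigh-Log.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Inveigh-Log.txt.bak"},
]

if __name__ == "__main__":
    for hit in evaluate_file_events(SAMPLE_EVENTS):
        print(f"[{hit['level']}] {hit['rule']}: {hit['Image']} wrote {hit['TargetFilename']}")
```

Only the first two sample events fire: the third lacks the path separator before the artefact name and the fourth has a trailing extension, which is the behaviour the rule's `endswith` suffixes encode.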
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Hijack Legit RDP Session to Move Laterally