Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
Sigma rule
```yaml
title: Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/24
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
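The selection above is a plain `endswith` match on the `TargetFilename` field of file-creation telemetry (on Windows this is typically Sysmon Event ID 11 mapped to the `file_event` category). The following Python is an added illustration, not part of the rule or of the SigmaHQ repository: it applies the same suffix list to a few constructed Sysmon-style records and reports which suffix fired. It assumes Sigma's default case-insensitive string matching, so `INVEIGH-LOG.TXT` is treated the same as `Inveigh-Log.txt`; the sample records are made up for the example and are not real telemetry.

```python
"""Apply the rule's TargetFilename|endswith selection to constructed file_event records."""
from typing import Dict, List, Optional, Tuple

# Suffixes copied verbatim from the rule's TargetFilename|endswith list.
INVEIGH_SUFFIXES: List[str] = [
    r'\Inveigh-Log.txt',
    r'\Inveigh-Cleartext.txt',
    r'\Inveigh-NTLMv1Users.txt',
    r'\Inveigh-NTLMv2Users.txt',
    r'\Inveigh-NTLMv1.txt',
    r'\Inveigh-NTLMv2.txt',
    r'\Inveigh-FormInput.txt',
    r'\Inveigh.dll',
    r'\Inveigh.exe',
    r'\Inveigh.ps1',
    r'\Inveigh-Relay.ps1',
]


def match_inveigh_artefact(record: Dict[str, object]) -> Optional[str]:
    """Return the rule suffix that matches the record's TargetFilename, or None.

    Sigma string modifiers such as endswith are case-insensitive by default,
    so both sides are lower-cased before comparison. The leading backslash in
    each suffix pins the match to a full file name, so 'NotInveigh.exe' or
    'Inveigh-Log.txt.bak' do not fire.
    """
    target = record.get("TargetFilename")
    if not isinstance(target, str) or not target:
        return None
    lowered = target.lower()
    for suffix in INVEIGH_SUFFIXES:
        if lowered.endswith(suffix.lower()):
            return suffix
    return None


def run_detection(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Evaluate 'condition: selection' over a batch of records.

    Returns (TargetFilename, matched_suffix) pairs for every record that
    would raise the alert; an empty list means the rule stays silent.
    """
    hits: List[Tuple[str, str]] = []
    for record in records:
        suffix = match_inveigh_artefact(record)
        if suffix is not None:
            hits.append((str(record["TargetFilename"]), suffix))
    return hits


# Constructed sample records in the shape of Sysmon Event ID 11 (FileCreate).
# These are invented for the example; paths and images are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # Inveigh writing captured NTLMv2 hashes to its default output file
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\Public\Inveigh-NTLMv2.txt",
    },
    {   # Same artefact with different casing; must still match
        "EventID": 11,
        "Image": r"C:\Temp\inveigh.exe",
        "TargetFilename": r"C:\Temp\INVEIGH-LOG.TXT",
    },
    {   # The binary itself being dropped into a user profile
        "EventID": 11,
        "Image": r"C:\Program Files\Git\usr\bin\curl.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\Inveigh.exe",
    },
    {   # Suffix present but not at the end of the name: no match
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\notes\Inveigh-Log.txt.bak",
    },
    {   # Unrelated file creation: no match
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Windows\Temp\report.txt",
    },
]


if __name__ == "__main__":
    for filename, suffix in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {suffix!r} <- {filename}")
```

Because the rule keys purely on file names, a copy of Inveigh that has been renamed, or output redirected to differently named files, produces no file_event hit; the rule is a cheap high-confidence signal for default usage rather than a complete detection of the tool.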
Related rules
- Mesh Agent Service Installation
- Suspicious Binary Writes Via AnyDesk
- Suspicious TSCON Start as SYSTEM
- TacticalRMM Service Installation
- Use of UltraVNC Remote Access Software