Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
Sigma rule (View on GitHub)
1title: Inveigh Execution Artefacts
2id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
3status: test
4description: Detects the presence and execution of Inveigh via dropped artefacts
5references:
6 - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
7 - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
8 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/10/24
11tags:
12 - attack.command_and_control
13 - attack.t1219
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 TargetFilename|endswith:
20 - '\Inveigh-Log.txt'
21 - '\Inveigh-Cleartext.txt'
22 - '\Inveigh-NTLMv1Users.txt'
23 - '\Inveigh-NTLMv2Users.txt'
24 - '\Inveigh-NTLMv1.txt'
25 - '\Inveigh-NTLMv2.txt'
26 - '\Inveigh-FormInput.txt'
27 - '\Inveigh.dll'
28 - '\Inveigh.exe'
29 - '\Inveigh.ps1'
30 - '\Inveigh-Relay.ps1'
31 condition: selection
32falsepositives:
33 - Unlikely
34level: critical
References
-
.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers - Kevin-Robertson/Inveigh
Read More -
.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers - Kevin-Robertson/Inveigh
Read More -
Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many systems as possible on the way to their objective. The threat actors took their time, looking for files and reviewing the backup server before executing ransomware on all systems.
Read More
Related rules
- Mesh Agent Service Installation
- Suspicious Binary Writes Via AnyDesk
- Suspicious TSCON Start as SYSTEM
- TacticalRMM Service Installation
- Use of UltraVNC Remote Access Software