HackTool - Inveigh Execution

 1title: HackTool - Inveigh Execution
 2id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
 3status: test
 4description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
 5references:
 6    - https://github.com/Kevin-Robertson/Inveigh
 7    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-10-24
10modified: 2023-02-04
11tags:
12    - attack.credential-access
13    - attack.t1003.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith: '\Inveigh.exe'
20        - OriginalFileName:
21              - '\Inveigh.exe'
22              - '\Inveigh.dll'
23        - Description: 'Inveigh'
24        - CommandLine|contains:
25              - ' -SpooferIP'
26              - ' -ReplyToIPs '
27              - ' -ReplyToDomains '
28              - ' -ReplyToMACs '
29              - ' -SnifferIP'
30    condition: selection
31falsepositives:
32    - Very unlikely
33level: critical

References

• GitHub - Kevin-Robertson/Inveigh: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

  

  .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers - Kevin-Robertson/Inveigh

  
  Read More

• PYSA/Mespinoza Ransomware

  

  Intro Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many systems as po…

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• Cred Dump Tools Dropped Files
• Credential Dumping Activity By Python Based Tool
• Credential Dumping Attempt Via WerFault
• Credential Dumping Tools Service Execution - Security