HackTool - Inveigh Execution
Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
Sigma rule (View on GitHub)
1title: HackTool - Inveigh Execution
2id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
3status: test
4description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
5references:
6 - https://github.com/Kevin-Robertson/Inveigh
7 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/10/24
10modified: 2023/02/04
11tags:
12 - attack.credential_access
13 - attack.t1003.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - Image|endswith: '\Inveigh.exe'
20 - OriginalFileName:
21 - '\Inveigh.exe'
22 - '\Inveigh.dll'
23 - Description: 'Inveigh'
24 - CommandLine|contains:
25 - ' -SpooferIP'
26 - ' -ReplyToIPs '
27 - ' -ReplyToDomains '
28 - ' -ReplyToMACs '
29 - ' -SnifferIP'
30 condition: selection
31falsepositives:
32 - Very unlikely
33level: critical
References
-
.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers - Kevin-Robertson/Inveigh
Read More -
Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many systems as possible on the way to their objective. The threat actors took their time, looking for files and reviewing the backup server before executing ransomware on all systems.
Read More
Related rules
- HackTool - SafetyKatz Execution
- NotPetya Ransomware Activity
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- Antivirus Password Dumper Detection
- Cred Dump Tools Dropped Files