← Back to Explore
sigmacriticalHunting
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
Detection Query
selection:
TargetFilename|endswith:
- \Inveigh-Log.txt
- \Inveigh-Cleartext.txt
- \Inveigh-NTLMv1Users.txt
- \Inveigh-NTLMv2Users.txt
- \Inveigh-NTLMv1.txt
- \Inveigh-NTLMv2.txt
- \Inveigh-FormInput.txt
- \Inveigh.dll
- \Inveigh.exe
- \Inveigh.ps1
- \Inveigh-Relay.ps1
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-24
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1219.002
Raw Content
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Inveigh-Log.txt'
- '\Inveigh-Cleartext.txt'
- '\Inveigh-NTLMv1Users.txt'
- '\Inveigh-NTLMv2Users.txt'
- '\Inveigh-NTLMv1.txt'
- '\Inveigh-NTLMv2.txt'
- '\Inveigh-FormInput.txt'
- '\Inveigh.dll'
- '\Inveigh.exe'
- '\Inveigh.ps1'
- '\Inveigh-Relay.ps1'
condition: selection
falsepositives:
- Unlikely
level: critical