Agent Tesla Spearphishing

More .NET malware analysis. In this post, we'll be analyzing another spearphishing email, this time masquerading as a mathematics paper exploiting CVE-2017-11882. And we'll generate some Yara rules for detecting it.

Sysmon Custom Templates for Event Tracing

A few days ago I learned it's possible to modify Window's Sysmon to enable tailored Windows Event Tracing. By simply providing Sysmon with an XML ruleset, we can generate custom alerts and automatically filter for and tag particular events. For example, the following rule would alert us of proxy code execution using .NET's C# compiler, csc.exe:

<!-- MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery -->
<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
<Image condition="image">csc.exe</Image>
<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>

The above is a snippet from the default template published by @SwiftOnSecurity. But various orgs have made their own forks. And it can be further modified per use-case. A super useful customization for malware analysis, forensics, and anything involving Windows.