QUERY 1: index=sysmon EventCode IN ("11", "12", "13", "14") TERM("*rvlkl*") (TargetObject="*CurrentVersion\\Run*" OR TargetFilename="*Microsoft\\Windows\\Start Menu\\Programs\\Startup*")
The methods I am looking for is activity that modified the CurrentVersion\Run registry key OR placed itself in the Startup folder of the machine. The goal of this hunt was to use a query that would discover if the keylogger used a common method of gaining persistence. I used Sysmon logs as my log source and Splunk as my SIEM exclusively during this investigation. There must be a way to find the traffic through network logs that may provide details about where it is going or what protocol is being used. My third and final hypothesis focused on the network logs.
Next, since the tool is generating screen shots and a log file, there must be some files being created, but the main question is: Where? (See Appendix A for evidence and Appendix B for capabilities) Hypotheses on this Keyloggerīefore I really started investigating, I wanted to put some hypotheses together on how I think a keylogger would operate.įirst, if an adversary would want continued monitoring, then there would have to be some form of persistence. What I found was SO interesting that I went ahead and bought the pro version, which included the screenshots and the capability to deliver the logs and screenshots via email, cloud storage, ftp, or locally. I downloaded the free version, launched it in a lab environment and started searching for logs. Upon visiting the website I was immediately presented with this: Since I have never really analyzed a keylogger from a log analysis perspective, I was very eager to get my hands on it. The report highlighted that the tool could capture not only keystrokes but screenshots of active sessions. There was a section in the report that mentioned the tools that were being used and within the list was the Revealer Keylogger from Logixoft. It is a lengthy report but very much worth the time I took.
Recently I was reading an article by the famed Group-IB security team title “OPERA1ER: Playing God Without Permission” about an advanced persistent threat (APT) they dubbed OPERA1ER.
0 kommentar(er)
