Carbon Black query that can be used to detect whether the MSHTML RCE exploit chain ran on an endpoint. The first branch looks for control.exe being handed a .inf from AppData or a .cpl via a ../ path-traversal argument (with an exclusion for command lines under an icedrive directory, presumably false-positive tuning); the second branch looks for the known sample hashes as process, parent or written-file hash. It will probably need further refinement:
((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))
Search for any assets making network connections to the IOC domains (known IOCs as of 9 Sept). Note that this query covers only three of the five domains in the IOC list below and does not include the IP address; extend it when hunting against the full list:
netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com
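The two hunts above, re-implemented as an added Python example (not code from the original note) over constructed endpoint events shaped like Carbon Black process/netconn records. The field names process_cmdline, process_hash, parent_hash, filemod_hash, netconn_domain and netconn_ipv4 are assumed to follow the schema of the queries, the sample events are constructed, and the IOCs are the ones from the list below. It goes slightly beyond the queries by also matching subdomains of the IOC domains and by checking the IP address.

```python
"""Offline version of the MSHTML RCE hunts: control.exe .inf/.cpl heuristic,
known-sample hashes, and network connections to IOC domains/IPs.
Added example; field names and sample events are assumptions/constructed."""
import re

# IOCs copied from the IOC list in this note (hashes normalised to lowercase).
IOC_DOMAINS = {"hidusi.com", "dodefoh.com", "joxinu.com", "pawevi.com", "macuwuf.com"}
IOC_IPS = {"23.106.160.25"}
IOC_HASHES = {
    "6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b",  # championship.inf
    "938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52",  # A Letter before court 4.docx
}
HASH_FIELDS = ("process_hash", "parent_hash", "filemod_hash")


def cmdline_suspicious(cmdline: str) -> bool:
    """Mirror of the control.exe branch of the Carbon Black query."""
    low = cmdline.lower()
    if "control.exe" not in low:
        return False
    # Same tuning exclusion as the query: anything under an icedrive directory.
    if "\\icedrive\\" in low:
        return False
    # \b keeps ".inf" from matching e.g. ".info"; the query's *.inf wildcard is token based.
    inf_from_appdata = re.search(r"\.inf\b", low) is not None and "appdata" in low
    cpl_traversal = re.search(r"\.cpl\b", low) is not None and "../" in low
    return inf_from_appdata or cpl_traversal


def _as_list(value):
    """Carbon Black hash/netconn fields may be a string or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def domain_is_ioc(domain: str) -> bool:
    """Exact match or subdomain of an IOC domain (broader than the netconn_domain query)."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def hunt(events):
    """Return one finding per event that matches any hunt rule, with the reasons."""
    findings = []
    for ev in events:
        reasons = []
        if cmdline_suspicious(ev.get("process_cmdline", "")):
            reasons.append("control.exe loading .inf/.cpl from a user-writable path")
        for field in HASH_FIELDS:
            if any(h.lower() in IOC_HASHES for h in _as_list(ev.get(field))):
                reasons.append(f"{field} matches a known sample")
        for d in _as_list(ev.get("netconn_domain")):
            if domain_is_ioc(d):
                reasons.append(f"connection to IOC domain {d}")
        for ip in _as_list(ev.get("netconn_ipv4")):
            if ip in IOC_IPS:
                reasons.append(f"connection to IOC address {ip}")
        if reasons:
            findings.append({"id": ev["id"], "device": ev.get("device_name"), "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry); event 2 mimics the .cpl:../ pattern the query targets.
SAMPLE_EVENTS = [
    {"id": 1, "device_name": "WS01", "process_name": "winword.exe",
     "filemod_hash": ["938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52"]},
    {"id": 2, "device_name": "WS01", "process_name": "control.exe",
     "process_cmdline": 'control.exe ".cpl:../../../AppData/Local/Temp/championship.inf"'},
    {"id": 3, "device_name": "WS02", "process_name": "control.exe",  # hits the icedrive exclusion
     "process_cmdline": r'control.exe "C:\Users\bob\AppData\Local\icedrive\setup.inf"'},
    {"id": 4, "device_name": "WS02", "process_name": "rundll32.exe",
     "netconn_domain": ["cdn.joxinu.com"], "netconn_ipv4": ["23.106.160.25"]},
    {"id": 5, "device_name": "WS03", "process_name": "control.exe",  # benign control panel use
     "process_cmdline": "control.exe desk.cpl"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['id']} on {f['device']}: " + "; ".join(f["reasons"]))
```

Events 1, 2 and 4 are flagged; event 3 is dropped by the icedrive exclusion and event 5 is ordinary control panel usage with no traversal. When running this against exported Carbon Black data, keep the exclusion under review: any exclusion on a substring of the command line is something an attacker who knows the rule can satisfy.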
References:
- https://tdm.socprime.com/tdm/info/SQewQsNtCsP6/#sigma
- https://tdm.socprime.com/tdm/info/vzmHh2p4UtjC/uY7yxHsBeuDgr7zG3EyE/?p=1#sigma
- https://www.joesandbox.com/analysis/476188/1/html
- https://otx.alienvault.com/pulse/613914361364535ed5d60bc4
IOCs:
- hidusi.com
- dodefoh.com
- joxinu.com
- pawevi.com
- macuwuf.com
- 23.106.160.25
- 6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B – championship.inf
- 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 – A Letter before court 4.docx