From fd2a31b43be485227d9d7c61b0ec38079bc5c964 Mon Sep 17 00:00:00 2001 From: eral4m <92914012+eral4m@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:00:47 +0100 Subject: [PATCH 1/5] Create Stordiag.yml --- yml/OSBinaries/Stordiag.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/Stordiag.yml diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml new file mode 100644 index 0000000..a2b9912 --- /dev/null +++ b/yml/OSBinaries/Stordiag.yml @@ -0,0 +1,26 @@ +--- +Name: Stordiag.exe +Description: Storage diagnostic tool +Author: 'Eral4m' +Created: '2021-10-21' +Commands: + - Command: stordiag.exe + Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. + Usecase: Possible defence evasion purposes. + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\windows\system32\stordiag.exe + - Path: c:\windows\syswow64\stordiag.exe +Detection: + - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ + +Resources: + - Link: https://twitter.com/eral4m/status/1451110158428512256 +Acknowledgement: + - Person: Eral4m + Handle: @eral4m +--- From 6da5480936b74b1636c7fa51da65d3af4599e7a4 Mon Sep 17 00:00:00 2001 From: eral4m <92914012+eral4m@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:14:04 +0100 Subject: [PATCH 2/5] Update Stordiag.yml --- yml/OSBinaries/Stordiag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index a2b9912..abb904b 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml 
@@ -19,7 +19,7 @@ Detection: - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ Resources: - - Link: https://twitter.com/eral4m/status/1451110158428512256 + - Link: https://twitter.com/eral4m/status/1451112385041911809 Acknowledgement: - Person: Eral4m Handle: @eral4m From b723258dbf9a3e4ecae2924c233d6bb81229d674 Mon Sep 17 00:00:00 2001 From: eral4m <92914012+eral4m@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:30:31 +0100 Subject: [PATCH 3/5] Update Stordiag.yml --- yml/OSBinaries/Stordiag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index abb904b..576d021 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -16,7 +16,7 @@ Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe Detection: - - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ + - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64 Resources: - Link: https://twitter.com/eral4m/status/1451112385041911809 From 8b49ca20544629b88bd819314b690cad1b82b2ac Mon Sep 17 00:00:00 2001 From: eral4m <92914012+eral4m@users.noreply.github.com> Date: Thu, 21 Oct 2021 10:30:54 +0100 Subject: [PATCH 4/5] Update Stordiag.yml --- yml/OSBinaries/Stordiag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 576d021..23830b9 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml 
@@ -16,7 +16,7 @@ Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe Detection: - - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64 + - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ Resources: - Link: https://twitter.com/eral4m/status/1451112385041911809 From 30a9f90f5fb5f9ed07ed9ffd776ba934dec48794 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Fri, 22 Oct 2021 15:56:52 +0200 Subject: [PATCH 5/5] Update Stordiag.yml --- yml/OSBinaries/Stordiag.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 23830b9..6da9539 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -17,10 +17,9 @@ Full_Path: - Path: c:\windows\syswow64\stordiag.exe Detection: - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ - Resources: - Link: https://twitter.com/eral4m/status/1451112385041911809 Acknowledgement: - Person: Eral4m - Handle: @eral4m + Handle: '@eral4m' ---
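Review bot: in patch 1/5, `Handle: @eral4m` in the Acknowledgement block is not valid YAML, because `@` is a reserved indicator and cannot start a plain scalar; it should be quoted as `Handle: '@eral4m'` (which is what patch 5/5 ends up doing). Two smaller points in the same hunk: the command Description is missing a comma in "schtasks.exe systeminfo.exe and fltmc.exe", and the Detection IOC only names `c:\windows\system32\` even though Full_Path lists a `c:\windows\syswow64\` copy, so the expected-path list should cover both directories from the start. Since the Description itself says the technique relies on stordiag.exe being copied to another folder, a second IOC for stordiag.exe executing from outside those two directories would give defenders a direct signal rather than only the indirect one on the child binaries.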
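Review bot: patch 2/5 changes the Resources link from status 1451110158428512256 to 1451112385041911809 but the commit message "Update Stordiag.yml" gives no reason; a one-line note on why the reference moved would let reviewers verify that the new link is the one that documents the technique.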
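Review bot: in patch 3/5 the added `c:\windows\syswow64` lacks the trailing backslash that `c:\windows\system32\` carries on the same IOC line, so the two paths are written inconsistently; `or c:\windows\syswow64\` matches the existing form (patch 4/5 corrects exactly this).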
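Review bot: patch 4/5 is a one-character follow-up to patch 3/5 under the same generic "Update Stordiag.yml" message; squashing it into 3/5 would keep the history readable and avoid an intermediate revision with the inconsistent path.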
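Review bot: in patch 5/5, quoting the handle (`Handle: '@eral4m'`) is the right fix, since an unquoted `@` at the start of a plain scalar is a YAML syntax error that would stop the file from parsing, but neither the commit message nor the hunk says so; a message such as "Quote @ handle so the YAML parses" would document the reason. Dropping the stray blank line before `Resources:` is fine.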