The hypothesis is that the detection of Inveigh execution artefacts indicates an adversary is leveraging this tool to perform network discovery and lateral movement within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats that use Inveigh as part of their reconnaissance and persistence strategies.
Detection Rule
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
imFileEvent
| where TargetFileName endswith "\\Inveigh-Log.txt"
    or TargetFileName endswith "\\Inveigh-Cleartext.txt"
    or TargetFileName endswith "\\Inveigh-NTLMv1Users.txt"
    or TargetFileName endswith "\\Inveigh-NTLMv2Users.txt"
    or TargetFileName endswith "\\Inveigh-NTLMv1.txt"
    or TargetFileName endswith "\\Inveigh-NTLMv2.txt"
    or TargetFileName endswith "\\Inveigh-FormInput.txt"
    or TargetFileName endswith "\\Inveigh.dll"
    or TargetFileName endswith "\\Inveigh.exe"
    or TargetFileName endswith "\\Inveigh.ps1"
    or TargetFileName endswith "\\Inveigh-Relay.ps1"
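To see exactly what the selection block fires on, here is an added Python example (not part of the Sigma rule, the Sentinel query or the Inveigh project) that applies the same `endswith` suffix list to constructed Sysmon-style file-event records. The sample paths and process images are invented; it illustrates that matching is case-insensitive (as in Sigma and in KQL `endswith`) and that the leading backslash in each suffix stops a file such as `NotInveigh.exe` from matching.

```python
"""Added example: replay the rule's TargetFilename|endswith logic over
constructed Windows file-event records (not the original rule's code)."""

# Suffixes copied verbatim from the rule's selection block.
INVEIGH_ARTEFACTS = [
    r"\Inveigh-Log.txt",
    r"\Inveigh-Cleartext.txt",
    r"\Inveigh-NTLMv1Users.txt",
    r"\Inveigh-NTLMv2Users.txt",
    r"\Inveigh-NTLMv1.txt",
    r"\Inveigh-NTLMv2.txt",
    r"\Inveigh-FormInput.txt",
    r"\Inveigh.dll",
    r"\Inveigh.exe",
    r"\Inveigh.ps1",
    r"\Inveigh-Relay.ps1",
]


def matches_rule(target_filename: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default and the
    KQL `endswith` operator does too, so normalise before comparing."""
    name = target_filename.lower()
    return any(name.endswith(suffix.lower()) for suffix in INVEIGH_ARTEFACTS)


def hunt(events):
    """Return the file events that would raise this alert, in input order."""
    return [e for e in events if matches_rule(e["TargetFilename"])]


# Constructed sample records in the shape of Sysmon Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\Inveigh-NTLMv2.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\INVEIGH.PS1"},          # mixed case
    {"Image": r"C:\Program Files\App\installer.exe",
     "TargetFilename": r"C:\Program Files\App\NotInveigh.exe"},  # no match
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "wrote", hit["TargetFilename"])
```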
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses Inveigh as part of a network discovery tool for internal inventory purposes.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or processes with CommandLine containing --inventory or --network-discovery.
Scenario: Admin PowerShell Script for Network Enumeration
Description: An administrator uses a custom PowerShell script that includes Inveigh to enumerate internal network devices during a security audit.
Filter/Exclusion: Exclude processes with User field matching domain admin accounts or CommandLine containing --audit or --enum.
Scenario: Deployment of a Network Monitoring Tool
Description: A network monitoring tool (e.g., Wireshark, tcpdump, or Microsoft Network Monitor) is being deployed, and its installation includes a file named inveigh.exe as part of a third-party dependency.
Filter/Exclusion: Exclude processes with a file path containing known legitimate tools or a ParentProcessName matching the deployment tool (e.g., msiexec, setup.exe).
Scenario: System File Integrity Check (SFIC) Job
Description: A system integrity check job uses a tool that includes Inveigh to verify the integrity of system files.
Filter/Exclusion: Exclude processes with ProcessName matching sfic.exe or a file path containing system_integrity_check.
Scenario: Internal Security Tool for Red Team Exercises
Description: A red team exercise uses a legitimate security tool (e.g., Metasploit, Cobalt Strike) that includes Inveigh for simulation purposes.
Filter/Exclusion: Exclude processes with User field matching red team or security testing accounts,