Potentially Suspicious JWT Token Search Via CLI

    Date: 10/07/2024

    Severity: Medium 

    Summary

    Identifies potential searches for JWT tokens on the command line by looking for the strings "eyJ0eX" or "eyJhbG". Every JWT starts with a base64url-encoded JSON header such as {"typ":"JWT","alg":"HS256"}; encoding the prefix {"typ":" gives eyJ0eXAiOi and encoding {"alg":" gives eyJhbGciOi, so these strings are reliable anchors for the beginning of a token. An attacker who has landed on a host can grep files, memory dumps or browser caches for them to harvest access tokens such as those used by Microsoft Office and similar applications.

    Indicators of Compromise (IOC) List

    CommandLine (substring match; the variants with a leading space or surrounding quotes catch the anchor passed as a stand-alone search argument):

    'eyJ0eXAiOi'
    'eyJhbGciOi'
    ' eyJ0eX'
    ' "eyJ0eX"'
    " 'eyJ0eX'"
    ' eyJhbG'
    ' "eyJhbG"'
    " 'eyJhbG'"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND winmessage In ("eyJ0eXAiOi","eyJhbGciOi"," eyJ0eX","eyJ0eX"," 'eyJ0eX'"," eyJhbG","eyJhbG"," 'eyJhbG'")

    Note: Event ID 4688 only contains the process command line when the audit policy "Include command line in process creation events" is enabled on the endpoint; without it this query will never match, and Sysmon Event ID 1 (Query 3) or EDR telemetry (Queries 2 and 4) is the only source that carries the command line.

    Detection Query 2 :

    technologygroup = "EDR" AND winmessage In ("eyJ0eXAiOi","eyJhbGciOi"," eyJ0eX","eyJ0eX"," 'eyJ0eX'"," eyJhbG","eyJhbG"," 'eyJhbG'")

    Detection Query 3 :

    (resourcename = "Sysmon"  AND eventtype = "1"  ) AND commandline In ("eyJ0eXAiOi","eyJhbGciOi"," eyJ0eX","eyJ0eX"," 'eyJ0eX'"," eyJhbG","eyJhbG"," 'eyJhbG'")

    Detection Query 4 :

    technologygroup = "EDR"  AND commandline In ("eyJ0eXAiOi","eyJhbGciOi"," eyJ0eX","eyJ0eX"," 'eyJ0eX'"," eyJhbG","eyJhbG"," 'eyJhbG'")
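    The following Python script is an added example, not Gurucul's or SigmaHQ's code: it emulates the substring matching performed by the queries above over a few constructed process-creation events (Sysmon Event ID 1 / Security 4688 style records with an Image and a CommandLine field) and decodes the anchor strings to show what they encode. The events, image paths and the dummy bearer token are made up for the demo.

```python
# Added example (not Gurucul's or SigmaHQ's code): emulates the substring
# matching the rule above performs and shows why the anchors work.
# Sample events below are constructed, not real telemetry.
import base64

# Anchor strings from the rule, matched as substrings of the command line
# (Sigma `CommandLine|contains`). The variants with a leading space or
# quotes catch the anchor passed as a stand-alone search argument.
JWT_ANCHORS = [
    "eyJ0eXAiOi",
    "eyJhbGciOi",
    " eyJ0eX",
    ' "eyJ0eX"',
    " 'eyJ0eX'",
    " eyJhbG",
    ' "eyJhbG"',
    " 'eyJhbG'",
]


def decode_anchor(anchor: str) -> str:
    """Base64-decode the whole 4-character groups of an anchor to show the
    JSON it encodes ("eyJ0eXAiOi" -> '{"typ"', "eyJhbGciOi" -> '{"alg"')."""
    core = anchor.strip().strip("'\"")
    whole_groups = core[: len(core) - len(core) % 4]
    return base64.b64decode(whole_groups).decode("ascii")


def matches_jwt_search(command_line: str) -> list[str]:
    """Return every anchor found in the command line, in rule order."""
    return [a for a in JWT_ANCHORS if a in command_line]


def scan_events(events: list[dict]) -> list[dict]:
    """Apply the rule to process-creation events and report the matched
    anchors; 'alert' is True when at least one anchor is present."""
    results = []
    for ev in events:
        hits = matches_jwt_search(ev["CommandLine"])
        results.append({"Image": ev["Image"], "matched": hits, "alert": bool(hits)})
    return results


# Constructed process-creation events for the demo (hypothetical hosts).
SAMPLE_EVENTS = [
    {   # recursive search of user profiles for the JWT prefix: the behaviour the rule targets
        "Image": r"C:\Windows\System32\findstr.exe",
        "CommandLine": r'findstr /s /i "eyJ0eX" C:\Users\*',
    },
    {   # same idea from PowerShell, anchor in single quotes
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Get-ChildItem C:\\Users -Recurse | Select-String 'eyJhbG'",
    },
    {   # a full dummy token on the command line also fires (via "eyJhbGciOi" and
        # " eyJhbG"): expect this class of benign hit from HTTP clients and scripts
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": 'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig" https://api.example.test/',
    },
    {   # unrelated command: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c dir C:\Users",
    },
]

if __name__ == "__main__":
    for r in scan_events(SAMPLE_EVENTS):
        print(f"{'ALERT' if r['alert'] else 'ok   '} {r['Image']}  matched={r['matched']}")
```

    The third event illustrates the main triage caveat: because the match is a plain substring test, any process that receives a whole token as an argument (curl, Invoke-WebRequest, developer scripts) fires the rule just as a findstr or Select-String search does. When reviewing alerts, look at the parent and image (a search utility recursing over user profiles or dump files is the behaviour of interest) and treat a complete token in a logged command line as its own finding, since it is now exposed in the event log.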

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml


    Tags

    Malware, Sigma, Credential Harvesting
