The Block 64 toolset uses various methods to gather inventory from endpoints, and some of these methods can trigger security alerts in your environment. Below is a list of the processes that can be expected and attributed to our toolset should an alert appear.
Expected Processes
The WMI command to collect SWID tags. (Note: __1695832906.1722667 is a random file name starting with double underscores.)
C:\Windows\System32\cmd.exe /Q /c cmd.exe /c powershell Get-ChildItem -Recurse -File -Filter *.swidtag c:\programdata ^| select FullName 1> \\127.0.0.1\ADMIN$\__1695832906.1722667 2>&1
The WMI command to collect Hyper-V VMs. (Note: __1691075263.208616 is a random file name starting with double underscores.)
C:\Windows\System32\cmd.exe /Q /c cmd.exe /c echo . | powershell.exe Import-Module Hyper-V; get-vm ^| fl 1> \\127.0.0.1\ADMIN$\__1691075263.208616 2>&1
The WMI command to collect Windows Event Log entries; the PowerShell script is passed as a base64-encoded -EncodedCommand argument.
C:\Windows\System32\cmd.exe /Q /c cmd.exe /c mode con: cols=4096 | echo . | powershell.exe -EncodedCommand IAA7ACAACgBHAGUAdAAtAFcAaQBuAEUAdgBlAG4AdAAgAC0ATABvAGcATgBhAG0AZQAgAE0AaQBjAHIAbwBzAG8AZgB0AC0AVwBpAG4AZABvAHcAcwAtAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAtAFAAZQByAGYAbwByAG0AYQBuAGMAZQAvAE8AcABlAHIAYQB0AGkAbwBuAGEAbAAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ASQBkACAALQBlAHEAIAAxADAAMAAgAC0AYQBuAGQAIAAkAF8ALgBUAGkAbQBlAEMAcgBlAGEAdABlAGQAIAAtAGcAZQAgACgAKABHAGUAdAAtAEQAYQB0AGUAKQAgAC0AIAAo
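As an added example (not part of the Block 64 documentation or toolset), the Python below checks a process-creation command line, as logged in Sysmon event 1 or Security event 4688, against the three expected commands above. It decodes the -EncodedCommand payload so the script it carries can be matched too, and flags a command that uses the same wrapper with a payload this page does not list, so that it is reviewed rather than closed on the wrapper alone. The regular expressions, verdict labels and the last two sample lines are my own constructions.

```python
import base64
import re

# Every expected command on this page starts with the same WMI-launched wrapper.
WRAPPER_RE = re.compile(r"^C:\\Windows\\System32\\cmd\.exe /Q /c cmd\.exe /c ", re.I)

# Payload fragments that attribute a wrapped command to a Block 64 collector.
EXPECTED_PAYLOADS = {
    "swidtag inventory": re.compile(r"Get-ChildItem .*-Filter \*\.swidtag", re.I),
    "hyper-v inventory": re.compile(r"Import-Module Hyper-V; get-vm", re.I),
    "event log collection": re.compile(
        r"Get-WinEvent -LogName Microsoft-Windows-Diagnostics-Performance/Operational", re.I),
}

ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or "" if none.
    Tolerates a base64 string that was cut off, as in a length-limited log field."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    b64 = m.group(1)
    b64 = b64[: len(b64) - len(b64) % 4]  # drop an incomplete trailing quantum
    return base64.b64decode(b64).decode("utf-16-le", errors="ignore")


def classify(cmdline):
    """Attribute a CommandLine to Block 64, flag it for review, or mark it unrelated."""
    if not WRAPPER_RE.match(cmdline):
        return "unrelated"
    # Match against the visible command line plus any decoded PowerShell script.
    visible = cmdline + " " + decode_encoded_command(cmdline)
    for name, pattern in EXPECTED_PAYLOADS.items():
        if pattern.search(visible):
            return "block64:" + name
    # Same wrapper, unknown payload: the wrapper alone does not attribute it.
    return "review:unknown payload in WMI wrapper"


# Sample log entries: the first three are the command lines from this page (the third
# is cut off on the page, which the decoder tolerates); the last two are constructed.
SAMPLES = [
    r"C:\Windows\System32\cmd.exe /Q /c cmd.exe /c powershell Get-ChildItem -Recurse -File -Filter *.swidtag c:\programdata ^| select FullName 1> \\127.0.0.1\ADMIN$\__1695832906.1722667 2>&1",
    r"C:\Windows\System32\cmd.exe /Q /c cmd.exe /c echo . | powershell.exe Import-Module Hyper-V; get-vm ^| fl 1> \\127.0.0.1\ADMIN$\__1691075263.208616 2>&1",
    r"C:\Windows\System32\cmd.exe /Q /c cmd.exe /c mode con: cols=4096 | echo . | powershell.exe -EncodedCommand IAA7ACAACgBHAGUAdAAtAFcAaQBuAEUAdgBlAG4AdAAgAC0ATABvAGcATgBhAG0AZQAgAE0AaQBjAHIAbwBzAG8AZgB0AC0AVwBpAG4AZABvAHcAcwAtAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAtAFAAZQByAGYAbwByAG0AYQBuAGMAZQAvAE8AcABlAHIAYQB0AGkAbwBuAGEAbAAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ASQBkACAALQBlAHEAIAAxADAAMAAgAC0AYQBuAGQAIAAkAF8ALgBUAGkAbQBlAEMAcgBlAGEAdABlAGQAIAAtAGcAZQAgACgAKABHAGUAdAAtAEQAYQB0AGUAKQAgAC0AIAAo",
    r"C:\Windows\System32\cmd.exe /Q /c cmd.exe /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.5 2>&1",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```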
Expected Files
Some security suites may quarantine or remove the executable below, which prevents the collection of network traffic from the inventoried endpoint:
Block64TrafficMonitor.exe
C:\Program Files (x86)\Block 64 Corporation\Block 64 Discovery\Python\Bitstream\pcap_payload\Block64TrafficMonitor.exe