security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a0bad54dbda170d5369f54ccede5f11f999da4de
blue-team-tools/rules/windows/process_creation/win_susp_bginfo.yml
T

28 lines
787 B
YAML
Raw Normal View History

Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
title: Application whitelisting bypass via bginfo
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: aaf46cdc-934e-4284-b329-34aa701e3771
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
status: experimental
description: Execute VBscript code that is referenced within the *.bgi file.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
author: Beyu Denis, oscd.community
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
date: 2019/10/26
Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
modified: 2019/11/04
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
tags:
Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
- attack.defense_evasion
- attack.execution
- attack.t1218
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
level: medium
logsource:
category: process_creation
product: windows
detection:
selection:
add modifiers
2019-11-08 01:34:30 +03:00
Image|endswith: '\bginfo.exe'
Update win_susp_bginfo.yml
2019-11-04 18:14:44 +03:00
CommandLine|contains|all:
- '/popup'
- '/nolicprompt'
add win_susp_bginfo.yml
2019-10-26 08:16:08 +02:00
condition: selection
falsepositives:
- Unknown
Reference in New Issue Copy Permalink