security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #581 from david-burkett/master

Browse Source 
Trickbot behavioral recon activity / svchost spawned without CLI
This commit is contained in:
Florian Roth
2019-12-28 18:11:34 +01:00
committed by GitHub
parent 5e59bbb3c3 4a65a25070
commit 042c58dfc1
2 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
+27
View File
@@ -0,0 +1,27 @@
title: Trickbot Malware Recon Activity
id: 410ad193-a728-4107-bc79-4419789fcbf8
status: experimental
description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
date: 12/28/2019
tags:
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\nltest.exe'
CommandLine:
- '/domain_trusts /all_trusts'
- '/domain_trusts'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Rare System Admin Activity
level: critical
rules/windows/process_creation/win_susp_svchost_no_cli.yml
+29
View File
@@ -0,0 +1,29 @@
title: Suspect svchost Activity
id: 16c37b52-b141-42a5-a3ea-bbe098444397
status: experimental
description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
date: 12/28/2019
tags:
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine: null
selection2:
Image: '*\svchost.exe'
filter:
ParentImage:
- '*\rpcnet.exe'
- '*\rpcnetp.exe'
condition: (selection1 and selection2) and not filter
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
level: critical