From 2a62b35fd6fb4e7b440af2011ca4a85894c40457 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Thu, 2 Jun 2022 01:30:48 -0400
Subject: [PATCH 1/4] Create proc_creation_win_lolbin_fsianycpu.yml
---
.../proc_creation_win_lolbin_fsianycpu.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
new file mode 100644
index 000000000..3549e6a7a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
@@ -0,0 +1,24 @@
+title: Use of FsiAnyCpu.exe
+id: b96b2031-7c17-4473-afe7-a30ce714db29
+status: experimental
+description: The FSharp Interpreter, FsiAnyCpu.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+ - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
+date: 2022/06/02
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: fsianycpu.exe
+ - OriginalFileName: fsianycpu.exe
+ condition: selection
+falsepositives:
+ - Legitimate use by a software developer.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059
From 18482601f3d3b0a94d4633be7e6ccde3440e9003 Mon Sep 17 00:00:00 2001
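Review bot: The description sells this binary as an AWL bypass, yet the `tags` block in the hunk only carries `attack.execution` and `attack.t1059`, so anyone filtering the ruleset by the defense-evasion tactic will never see it. If the block-rule-listed bypass in the description is the point of the rule, add `- attack.defense_evasion` next to the existing entries (plus whatever technique the project's tag scheme uses for that). It would also help to put a one-line comment above `selection:` saying that the two list items are OR-ed and that `OriginalFileName` is there for a renamed copy of the interpreter — presumably the reason it was listed, and worth recording so nobody later folds the list into a single AND map.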
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Thu, 2 Jun 2022 01:35:41 -0400
Subject: [PATCH 2/4] Update and rename proc_creation_win_lolbin_fsianycpu.yml to proc_creation_win_lolbin_fsharp_interpreters.yml
---
...ml => proc_creation_win_lolbin_fsharp_interpreters.yml} | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
rename rules/windows/process_creation/{proc_creation_win_lolbin_fsianycpu.yml => proc_creation_win_lolbin_fsharp_interpreters.yml} (71%)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
similarity index 71%
rename from rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
index 3549e6a7a..361a55dd2 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
@@ -1,12 +1,13 @@
-title: Use of FsiAnyCpu.exe
+title: Use of FSharp Interpreters
 id: b96b2031-7c17-4473-afe7-a30ce714db29
 status: experimental
-description: The FSharp Interpreter, FsiAnyCpu.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
+description: The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
 date: 2022/06/02
 logsource:
 category: process_creation
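Review bot: The new `+description:` line pluralises the subject but keeps the singular verb, and it spells the second binary `FSi.exe` while the added LOLBAS reference and the detection entries use `fsi.exe`, which makes a reader wonder whether a third name is meant. Suggest `description: The FSharp Interpreters, FsiAnyCpu.exe and Fsi.exe, can be used for AWL bypass and are listed in Microsoft recommended block rules.`. The rest of the hunk (title, references, date, logsource) reads fine; the file continues past the hunk.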
@@ -15,6 +16,8 @@ detection:
 selection:
 - Image|endswith: fsianycpu.exe
 - OriginalFileName: fsianycpu.exe
+ - Image|endswith: fsi.exe
+ - OriginalFileName: fsi.exe
 condition: selection
 falsepositives:
 - Legitimate use by a software developer.
From 7811a798336142b964bc1c8c7f78ecb07cab4609 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Thu, 2 Jun 2022 09:01:07 -0400
Subject: [PATCH 3/4] Update proc_creation_win_lolbin_fsharp_interpreters.yml
---
.../proc_creation_win_lolbin_fsharp_interpreters.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
index 361a55dd2..ad2b5a6f6 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|endswith: fsianycpu.exe
+ - Image|endswith: \fsianycpu.exe
 - OriginalFileName: fsianycpu.exe
 - Image|endswith: fsi.exe
 - OriginalFileName: fsi.exe
From 294c71ebde51eafdb2e56b03ac389b7a34b96bfd Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 2 Jun 2022 17:15:15 +0200
Subject: [PATCH 4/4] Update proc_creation_win_lolbin_fsharp_interpreters.yml
---
.../proc_creation_win_lolbin_fsharp_interpreters.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
index ad2b5a6f6..e70af9399 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
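Review bot: The two added `fsi.exe` entries only fire when the F# interactive runs as its own process image; if the SDK form started as `dotnet fsi script.fsx` is in use, the image is dotnet.exe and neither `Image|endswith: fsi.exe` nor `OriginalFileName: fsi.exe` will match. I am inferring that launch form from general .NET SDK behaviour rather than from anything in the hunk, so confirm it on a host before acting. If it matters in your environment, a third OR entry as a two-key map — `- Image|endswith: \dotnet.exe` followed by `  CommandLine|contains: ' fsi'` — would cover it, at the cost of more of the developer false positives the rule already acknowledges. If it is deliberately out of scope, a comment above `selection:` saying so would save the next reader the same question.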
@@ -16,7 +16,7 @@ detection:
 selection:
 - Image|endswith: \fsianycpu.exe
 - OriginalFileName: fsianycpu.exe
- - Image|endswith: fsi.exe
+ - Image|endswith: \fsi.exe
 - OriginalFileName: fsi.exe
 condition: selection
 falsepositives: