Merge pull request #2978 from frack113/lolbin_20220502

Lolbin windows rules
Florian Roth
2022-05-05 17:06:24 +02:00
committed by GitHub
3 changed files with 73 additions and 0 deletions
@@ -0,0 +1,25 @@
title: Gpscript Execution
id: 1e59c230-6670-45bf-83b0-98903780607e
status: experimental
description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
references:
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
- https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
author: frack113
date: 2022/05/02
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\gpscript.exe'
CommandLine|contains:
- ' /logon'
- ' /startup'
condition: selection
falsepositives:
- Legitimate uses of logon scripts distributed via group policy
level: medium
tags:
- attack.defense_evasion
- attack.t1218
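Review bot: the selection on `Image|endswith: '\gpscript.exe'` with `' /logon'` or `' /startup'` matches exactly the invocation the description itself calls the normal behaviour (running logon/startup scripts configured in Group Policy), so on any domain-joined host with GPO scripts this fires at every logon and boot; the `falsepositives` entry acknowledges this, but at `level: medium` the rule will be noisy without either a filter (for example excluding the expected parent process or the known script paths) or an explicit statement in the description that it is intended as a baseline/hunting rule rather than an alert.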
@@ -0,0 +1,22 @@
title: JSC Convert Javascript To Executable
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: experimental
description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
references:
- https://lolbas-project.github.io/lolbas/Binaries/Jsc/
author: frack113
date: 2022/05/02
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\jsc.exe'
CommandLine|contains: '.js'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.defense_evasion
- attack.t1127
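Review bot: `CommandLine|contains: '.js'` is a substring match and will also hit `.json`, `.jsx` or any path component containing `.js`, so consider `CommandLine|endswith: '.js'` or a list of quoted/space-terminated variants (`'.js '`, `'.js"'`) if the intent is specifically a `.js` source file passed to jsc.exe; in addition, since the description notes jsc.exe is the .NET compiler for JavaScript, developer builds that legitimately compile `.js` sources are a predictable false positive and should be listed under `falsepositives` instead of `Unknown`.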
@@ -0,0 +1,26 @@
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: experimental
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022/05/02
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\PrintBrm.exe'
CommandLine|contains|all:
- ' -f'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.command_and_control
- attack.t1105
- attack.defense_evasion
- attack.t1564.004
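Review bot: the title `PrintBrm ZIP Creation of Extraction` has a typo; the description says "create or extract", so it should read `PrintBrm ZIP Creation or Extraction`. Also, the description restricts the expectation to "a normal workstation", which implies print-server migration with PrintBrm.exe is a legitimate use, so `falsepositives: Unknown` is inconsistent with the `level: high` chosen here; listing printer migration on print servers as a false positive (or scoping the rule to workstations) would make the severity defensible.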