From 74cdc43549e042cbec0ec1dd9de158e1cc661c59 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 2 May 2022 19:19:12 +0200
Subject: [PATCH 1/5] Lolbin rules
---
.../proc_creation_win_lolbin_gpscript.yml | 24 +++++++++++++++++
.../proc_creation_win_lolbin_jsc.yml | 22 ++++++++++++++++
.../proc_creation_win_lolbin_printbrm.yml | 26 +++++++++++++++++++
3 files changed, 72 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
new file mode 100644
index 000000000..4fdfe4a9d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -0,0 +1,24 @@
+title: Suspicious Gpscript execution
+id: 1e59c230-6670-45bf-83b0-98903780607e
+status: experimental
+description: LOLBIN gpscript Executes logon or startup scripts configured in Group Policy
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\gpscript.exe'
+ CommandLine|contains:
+ - '/logon'
+ - '/startup'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
new file mode 100644
index 000000000..ed8498d6c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
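Review bot: The selection `Image|endswith: '\gpscript.exe'` combined with `/logon` or `/startup` appears to match the Group Policy engine's own routine launch of gpscript.exe, so on any host with GPO logon or startup scripts the rule would fire at every logon rather than only on abuse; patch 3 acknowledges this in the `falsepositives` text but leaves the selection unchanged. A discriminator is needed: a filter on `ParentImage` (or on the account the process runs under) would separate the engine's invocation from interactive or scripted use, but the expected parent should be confirmed from telemetry before it is encoded in the rule. Until such a filter exists, the `falsepositives` entry should state plainly that the rule is expected to fire during normal Group Policy processing so analysts do not treat every hit as an incident.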
@@ -0,0 +1,22 @@
+title: Convert Javascript To Executable
+id: 1e59c230-6670-45bf-83b0-98903780607e
+status: experimental
+description: LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\jsc.exe'
+ CommandLine|contains: '.js'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1127
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
new file mode 100644
index 000000000..350cf3dff
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -0,0 +1,26 @@
+title: Suspicious PrintBrm execution
+id: 1e59c230-6670-45bf-83b0-98903780607e
+status: experimental
+description: LOLBIN PrintBrm.exe Create or extract a ZIP
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
+author: frack113
+date: 2022/05/02
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\PrintBrm.exe'
+ CommandLine|contains|all:
+ - '-f'
+ - '.zip'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1564.004
\ No newline at end of file
From 2ec87f045959453c050b5f99b7d26a2670390c70 Mon Sep 17 00:00:00 2001
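Review bot: `CommandLine|contains: '.js'` is the only constraint besides the image name, so every invocation of jsc.exe that names a source file matches; jsc.exe ships with the .NET Framework and is run legitimately by build tooling, which `falsepositives: - Unknown` does not tell the analyst (patch 4 rewrites the title and description of this rule but leaves both the selection and the falsepositives entry untouched). Either document the known benign source, e.g. `- Legitimate build processes compiling JScript.NET sources with the .NET Framework SDK`, or tighten the selection with a parent-process exclusion for known build agents once the environment's baseline is known. The `.js` token is also a weak anchor on its own, since it matches any argument containing that substring, not only a source-file name.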
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 2 May 2022 20:05:30 +0200
Subject: [PATCH 2/5] Fix errors
---
.../process_creation/proc_creation_win_lolbin_gpscript.yml | 2 +-
.../windows/process_creation/proc_creation_win_lolbin_jsc.yml | 2 +-
.../process_creation/proc_creation_win_lolbin_printbrm.yml | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
index 4fdfe4a9d..30dcefeee 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -1,4 +1,4 @@
-title: Suspicious Gpscript execution
+title: Suspicious Gpscript Execution
 id: 1e59c230-6670-45bf-83b0-98903780607e
 status: experimental
 description: LOLBIN gpscript Executes logon or startup scripts configured in Group Policy
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
index ed8498d6c..775626d58 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
@@ -1,5 +1,5 @@
 title: Convert Javascript To Executable
-id: 1e59c230-6670-45bf-83b0-98903780607e
+id: 52788a70-f1da-40dd-8fbd-73b5865d6568
 status: experimental
 description: LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
index 350cf3dff..7bb38ee8c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -1,5 +1,5 @@
-title: Suspicious PrintBrm execution
-id: 1e59c230-6670-45bf-83b0-98903780607e
+title: Suspicious PrintBrm Execution
+id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
 status: experimental
 description: LOLBIN PrintBrm.exe Create or extract a ZIP
 references:
From f21961f36690ecad5dbfe2971ed16d9a80b1631b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 5 May 2022 07:57:31 +0200
Subject: [PATCH 3/5] Update proc_creation_win_lolbin_gpscript.yml
---
.../proc_creation_win_lolbin_gpscript.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
index 30dcefeee..bd18b7548 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -1,8 +1,9 @@
-title: Suspicious Gpscript Execution
+title: Gpscript Execution
 id: 1e59c230-6670-45bf-83b0-98903780607e
 status: experimental
-description: LOLBIN gpscript Executes logon or startup scripts configured in Group Policy
+description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
 references:
+ - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
 - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
 author: frack113
 date: 2022/05/02
@@ -13,12 +14,12 @@ detection:
 selection:
 Image|endswith: '\gpscript.exe'
 CommandLine|contains:
- - '/logon'
- - '/startup'
+ - ' /logon'
+ - ' /startup'
 condition: selection
 falsepositives:
- - Unknown
+ - Legitimate uses of logon scripts distributed via group policy
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1218
\ No newline at end of file
+ - attack.t1218
From 1da043e7275f0668022585e439812f57b73d8e4f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 5 May 2022 07:58:25 +0200
Subject: [PATCH 4/5] Update proc_creation_win_lolbin_jsc.yml
---
.../process_creation/proc_creation_win_lolbin_jsc.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
index 775626d58..2a0444ef5 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
@@ -1,7 +1,7 @@
-title: Convert Javascript To Executable
+title: JSC Convert Javascript To Executable
 id: 52788a70-f1da-40dd-8fbd-73b5865d6568
 status: experimental
-description: LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
+description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
 author: frack113
@@ -19,4 +19,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1127
\ No newline at end of file
+ - attack.t1127
From 4f1c6b619f9610d6929ae5a701b60c02de33a2c2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 5 May 2022 08:00:22 +0200
Subject: [PATCH 5/5] Update proc_creation_win_lolbin_printbrm.yml
---
.../proc_creation_win_lolbin_printbrm.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
index 7bb38ee8c..a9e8bce20 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -1,7 +1,7 @@
-title: Suspicious PrintBrm Execution
+title: PrintBrm ZIP Creation of Extraction
 id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
 status: experimental
-description: LOLBIN PrintBrm.exe Create or extract a ZIP
+description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
 author: frack113
@@ -13,14 +13,14 @@ detection:
 selection:
 Image|endswith: '\PrintBrm.exe'
 CommandLine|contains|all:
- - '-f'
+ - ' -f'
 - '.zip'
 condition: selection
 falsepositives:
 - Unknown
-level: medium
+level: high
 tags:
 - attack.command_and_control
 - attack.t1105
 - attack.defense_evasion
- - attack.t1564.004
\ No newline at end of file
+ - attack.t1564.004
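Review bot: The new title `PrintBrm ZIP Creation of Extraction` reads as a typo for "Creation or Extraction", which is what the rewritten description on the next changed line ("create or extract ZIP files") and the `' -f'`/`'.zip'` selection in the second hunk describe; suggest `title: PrintBrm ZIP Creation or Extraction`. Since the title is what analysts see first in an alert, the wording should match the description exactly.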
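Review bot: `level` is raised from `medium` to `high` while `falsepositives` still lists only `Unknown`, which leaves an analyst with no triage guidance for a high-severity hit. PrintBrm.exe is the Printer Migration tool and `-f` is its normal file argument during backup and restore on print servers, so the `'.zip'` token is the only thing separating the LOLBAS usage from a routine migration run, which by default names a `.printerExport` file. Document that, e.g. `- Printer migration (backup/restore) on print servers, which normally targets a .printerExport file rather than a .zip archive`, so the `high` level is defensible and the benign case is recognisable in the alert.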