From fba54b8d6921ec26d85b688e4e98f0134291730e Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Sat, 21 Aug 2021 17:47:56 +0530
Subject: [PATCH 1/5] First Rule commit
---
 .../sysmon_detect_powerup_dllhijacking.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
new file mode 100644
index 000000000..de9640df3
--- /dev/null
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -0,0 +1,24 @@
+title: Powerup Write Hijack DLL detection
+id: 602a1f13-c640-4d73-b053-be9a2fa58b96
+status: experimental
+description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference: https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+author: pbssubhash
+date: 2021/08/21
+modified: 2021/08/21
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.001
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ File.path|endswith: '.bat'
+ condition: selection
+falsepositives:
+ - Pentest
+ - Any powershell script that creates bat files # highly unlikely (untested)
+level: high
From a415463f5b71d9ce8378eb8ef1e3802b08d3ea4a Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Sat, 21 Aug 2021 19:37:28 +0530
Subject: [PATCH 2/5] Modified rule
---
 .../file_event/sysmon_detect_powerup_dllhijacking.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
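Review bot: The selection in this new rule — powershell.exe writing any file whose name ends in `.bat` — is far broader than the `level: high` rating and the description imply, and the falsepositives entry `Any powershell script that creates bat files # highly unlikely (untested)` concedes that the noise level was not measured. The description itself names `debug.bat` as the default artifact, so either match that default on the filename field (`|endswith: '\debug.bat'`, which loses renamed copies but justifies the high level) or keep the bare `.bat` suffix match and drop to `level: medium` so analysts triage it accordingly. PowerShell Core is also not covered: make `Image|endswith` a list with `- '\powershell.exe'` and `- '\pwsh.exe'`.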
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
index de9640df3..326fb189d 100644
--- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -1,10 +1,9 @@
 title: Powerup Write Hijack DLL detection
 id: 602a1f13-c640-4d73-b053-be9a2fa58b96
 status: experimental
-description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference: https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
 author: pbssubhash
 date: 2021/08/21
-modified: 2021/08/21
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -16,7 +15,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\powershell.exe'
- File.path|endswith: '.bat'
+ TargetFilename|endswith: '.bat'
 condition: selection
 falsepositives:
 - Pentest
From 73c953d633b1433ba3e19f3512543098acdb7037 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 21 Aug 2021 16:18:16 +0200
Subject: [PATCH 3/5] Fix title
---
 rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
index 326fb189d..8006f0023 100644
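Review bot: With `TargetFilename|endswith: '.bat'` now the only file-side condition, the rule keys entirely on the helper batch file and not on the artifact the technique is named for — the DLL written into a hijackable search-order location. If the linked Write-HijackDll reference documents the default DLL name or path (to be confirmed against that page rather than assumed here), a second selection on that write, OR-ed with this one in `condition`, would give the rule a signal that survives a renamed or suppressed .bat file. The description should also say plainly that the rule fires on any .bat write by PowerShell and that `debug.bat` is only the tool's default, since that is what an analyst needs to know when tuning it; a sentence such as `The rule matches any .bat file created by powershell.exe; debug.bat is only the tool's default name.` would do.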
--- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -1,4 +1,4 @@
-title: Powerup Write Hijack DLL detection
+title: Powerup Write Hijack DLL
 id: 602a1f13-c640-4d73-b053-be9a2fa58b96
 status: experimental
 description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
From eee497f656bc470c45363a99fe5fa9404e584dc2 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Sat, 21 Aug 2021 20:04:03 +0530
Subject: [PATCH 4/5] Title modification
---
 rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
index 326fb189d..8006f0023 100644
--- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -1,4 +1,4 @@
-title: Powerup Write Hijack DLL detection
+title: Powerup Write Hijack DLL
 id: 602a1f13-c640-4d73-b053-be9a2fa58b96
 status: experimental
 description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
From a44206bfa04a0357d5c223eee63bffd6e86725bb Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 21 Aug 2021 17:33:39 +0200
Subject: [PATCH 5/5] Some cleanup
---
 .../file_event/sysmon_detect_powerup_dllhijacking.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
index 8006f0023..702dcf29c 100644
--- a/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -1,7 +1,12 @@
 title: Powerup Write Hijack DLL
 id: 602a1f13-c640-4d73-b053-be9a2fa58b96
 status: experimental
-description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). Reference - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+description: |
+ Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
+ In it's default mode, it builds a self deleting .bat file which executes malicious command.
+ The detection rule relies on creation of the malicious bat file (debug.bat by default).
+references:
+ - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
 author: pbssubhash
 date: 2021/08/21
 tags:
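Review bot: The reflowed description keeps the wording errors of the original text, which is worth fixing while the block is being touched: the second line should read `In its default mode, it builds a self-deleting .bat file which executes a malicious command.` ("it's" is the contraction, and "malicious command" needs an article). The third line would be clearer as `The rule relies on the creation of that batch file (debug.bat by default).` since "the detection rule" and "malicious bat file" restate what the reader already has. The hunk ends at `tags:` and the rest of the rule is unchanged by this commit.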