From 706a83868cc6312d712bb363e1f35eaba3bb4266 Mon Sep 17 00:00:00 2001
From: Yaxxine7 <110096329+Yaxxine7@users.noreply.github.com>
Date: Wed, 27 Jul 2022 14:37:58 +0200
Subject: [PATCH 1/3] Replace commandline by parentcommandline and add fp

---
 ...c_creation_win_run_executable_invalid_extension.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 8dcb779cc..abaf7ff68 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -4,9 +4,9 @@ status: experimental
 description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file
 references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
-author: Tim Shelton, Florian Roth
+author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2022/06/30
+modified: 2022/07/27
 logsource:
     category: process_creation
     product: windows
@@ -23,13 +23,15 @@ detection:
         CommandLine|contains: '.cpl'
     filter_msiexec_syswow64:
         ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
-        CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+        ParentCommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
     filter_msiexec_system32:
         ParentImage|endswith: ':\Windows\System32\msiexec.exe'
-        CommandLine|startswith: 'C:\Windows\system32\MsiExec.exe -Embedding'
+        ParentCommandLine|startswith: 'C:\Windows\system32\MsiExec.exe -Embedding'
     filter_splunk_ufw:
         ParentImage|endswith: ':\Windows\System32\cmd.exe'
         ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
+    filter_localserver_fp:
+        CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617'
     condition: selection and not 1 of filter*
 fields:
     - Image

From 9da0386119debdf953aadfdd6f51e775e3c2f244 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Jul 2022 14:58:02 +0200
Subject: [PATCH 2/3] make filter more generic

---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index abaf7ff68..41e23f95b 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -31,7 +31,7 @@ detection:
         ParentImage|endswith: ':\Windows\System32\cmd.exe'
         ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
     filter_localserver_fp:
-        CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617'
+        CommandLine|endswith: ' -localserver '
     condition: selection and not 1 of filter*
 fields:
     - Image

From 1b824982ed4ac84aee56633c682e0c6736ab1419 Mon Sep 17 00:00:00 2001
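Review bot: The added `filter_localserver_fp` block gives no indication of what the excluded `-localserver <CLSID>` invocation is, unlike the sibling filters whose names (msiexec, splunk_ufw) identify the benign source, so a later maintainer cannot judge whether the exclusion is still warranted. A comment above the block, e.g. `# known-benign rundll32 -localserver activation (see falsepositives)`, plus a matching entry in the rule's `falsepositives` list would document it; the `falsepositives` section and the `selection` block are outside this hunk, so I cannot confirm whether the commit updates them. Separately, the two new `ParentCommandLine|startswith` values hard-code `C:\Windows\...` while the paired `ParentImage|endswith` values deliberately avoid the drive letter; `ParentCommandLine|contains: ':\Windows\syswow64\MsiExec.exe -Embedding'` (and the system32 twin) would keep the two consistent.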
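Review bot: Dropping the CLSID from `filter_localserver_fp` turns a pinned exclusion into a blanket one: once the modifier is corrected (which [PATCH 3/3] does), any rundll32 command line containing ` -localserver ` is exempted regardless of which CLSID is activated, and the filter has no `Image` or `ParentImage` constraint of the kind the neighbouring filters carry to narrow it. The `selection` logic is outside this hunk, so I cannot tell how much coverage this removes, but a list form keeps the exclusion auditable while still allowing growth: `CommandLine|contains:` followed by the indented item `- ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617'`, with further CLSIDs appended as they are confirmed benign. The same scope applies to the hunk in [PATCH 3/3].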
From: Florian Roth
Date: Wed, 27 Jul 2022 14:58:27 +0200
Subject: [PATCH 3/3] fix: wrong modifier

---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 41e23f95b..7009302df 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -31,7 +31,7 @@ detection:
         ParentImage|endswith: ':\Windows\System32\cmd.exe'
         ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
     filter_localserver_fp:
-        CommandLine|endswith: ' -localserver '
+        CommandLine|contains: ' -localserver '
     condition: selection and not 1 of filter*
 fields:
     - Image