From 1ac42b1a23402aaf326663e15214845a6d94baac Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Wed, 27 Apr 2022 17:18:04 +0200
Subject: [PATCH 1/5] Added rule windows suspicious rundll32 spawning explorer

---
 ...ation_win_susp_rundll32_spawn_explorer.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
new file mode 100644
index 000000000..0b782ebf9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -0,0 +1,23 @@
+title: RunDLL32 spawming explorer
+id: caa06de8-fdef-4c91-826a-7f9e163eef4b
+description: RunDLL32.exe spawming explorer.exe as child
+author: elhoim
+status: experimental
+date: 2022/04/27
+references:
+ - https://redcanary.com/blog/intelligence-insights-november-2021/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\rundll32.exe'
+ Image|endswith:
+ - '\explorer.exe'
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file

From 53fc5581a2cf19c1e873b88722f2a757ffc87892 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Wed, 27 Apr 2022 17:21:36 +0200
Subject: [PATCH 2/5] Changed title

---
 .../proc_creation_win_susp_rundll32_spawn_explorer.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index 0b782ebf9..5fc7aff54 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
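Review bot: The `detection:` block matches only on `ParentImage|endswith: '\rundll32.exe'` and `Image|endswith: '\explorer.exe'`, with no command-line qualifier, yet the rule is set to `level: high` while `falsepositives:` lists only `Unknown`; rundll32 is also a legitimate launcher for shell components, so benign parent/child pairs are plausible, and either a `ParentCommandLine` constraint or a lower level until the false-positive set is documented would be the safer choice. `detection:` also has no `condition:`, which Sigma requires for the rule to compile; `condition: selection` is added in PATCH 3/5. `title` and `description` spell the verb as `spawming` (PATCH 2/5 and PATCH 5/5 rewrite these lines as `spawmning`, still wrong); write `title: RunDLL32 Spawning Explorer` and use "spawning" in the description.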
@@ -1,6 +1,6 @@
-title: RunDLL32 spawming explorer
+title: RunDLL32 Spawmning Explorer
 id: caa06de8-fdef-4c91-826a-7f9e163eef4b
-description: RunDLL32.exe spawming explorer.exe as child
+description: RunDLL32.exe spawmning explorer.exe as child
 author: elhoim
 status: experimental
 date: 2022/04/27

From 8f059c254542db8abceedc406651fd925c523bf4 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Wed, 27 Apr 2022 21:47:58 +0200
Subject: [PATCH 3/5] Added condition and corrected spaces

---
 ...ation_win_susp_rundll32_spawn_explorer.yml | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index 5fc7aff54..5e4432ffd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -5,19 +5,20 @@ author: elhoim
 status: experimental
 date: 2022/04/27
 references:
- - https://redcanary.com/blog/intelligence-insights-november-2021/
+ - https://redcanary.com/blog/intelligence-insights-november-2021/
 tags:
- - attack.defense_evasion
- - attack.t1218.011
+ - attack.defense_evasion
+ - attack.t1218.011
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith:
- - '\rundll32.exe'
- Image|endswith:
- - '\explorer.exe'
+ selection:
+ ParentImage|endswith:
+ - '\rundll32.exe'
+ Image|endswith:
+ - '\explorer.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
\ No newline at end of file

From ab59018d267e43016dd3b3f3ebed7071e18c5d9a Mon Sep 17 00:00:00 2001
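Review bot: `ParentImage|endswith:` and `Image|endswith:` in the rewritten `selection:` of the PATCH 3/5 hunk each wrap a single value in a one-item list; Sigma accepts a scalar here, so `ParentImage|endswith: '\rundll32.exe'` and `Image|endswith: '\explorer.exe'` read more directly and do not suggest a list that will grow. The indentation this commit corrects cannot be verified from the collapsed rendering of the patch; running `yamllint` with a fixed `indent-sequences` setting would confirm that the `- ` entries under `references:`, `tags:` and `falsepositives:` now share one style. The PATCH 2/5 hunk on this line is a wording change only.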
From: =?UTF-8?q?David=20Andr=C3=A9?=
Date: Thu, 28 Apr 2022 11:37:38 +0200
Subject: [PATCH 4/5] Added newline at end of file

---
 .../proc_creation_win_susp_rundll32_spawn_explorer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index 5e4432ffd..9a6c3a36b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high

From aee70235f6bc4416a2e045c4d9de95798cee8f05 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 28 Apr 2022 14:09:53 +0200
Subject: [PATCH 5/5] Update proc_creation_win_susp_rundll32_spawn_explorer.yml

---
 .../proc_creation_win_susp_rundll32_spawn_explorer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index 9a6c3a36b..768001c2a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -1,6 +1,6 @@
 title: RunDLL32 Spawmning Explorer
 id: caa06de8-fdef-4c91-826a-7f9e163eef4b
-description: RunDLL32.exe spawmning explorer.exe as child
+description: Detects RunDLL32.exe spawmning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
 author: elhoim
 status: experimental
 date: 2022/04/27
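Review bot: The new `description:` in the PATCH 5/5 hunk is a single plain scalar of roughly 150 characters whose second clause ("which is very uncommon, often observes Gamarue spawning…") has no grammatical subject, and it still carries the `spawmning` misspelling. Suggest a folded block scalar, `description: >-` followed by two indented lines, `Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon.` and `Gamarue has often been observed spawning explorer.exe in this unusual way.`, which keeps line length in check and still reads as one line at runtime. The PATCH 4/5 hunk on this line only adds the trailing newline.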