security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rule: several lolbins

Browse Source
This commit is contained in:
Florian Roth
2022-01-11 10:46:39 +01:00
parent de6a153e81
commit 2d50f8d28a
3 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_devinit_lolbin.yml
+24
View File
@@ -0,0 +1,24 @@
title: DevInit Lolbin Download
id: 90d50722-0483-4065-8e35-57efaadd354d
status: experimental
description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
references:
- https://twitter.com/mrd0x/status/1460815932402679809
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Florian Roth
date: 2022/01/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' -t msi-install '
- ' -i http'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/process_creation/win_susp_mpiexec_lolbin.yml
+28
View File
@@ -0,0 +1,28 @@
title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: experimental
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1465058133303246867
- https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Florian Roth
date: 2022/01/11
logsource:
category: process_creation
product: windows
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
condition: all of selection*
falsepositives:
- Unknown
level: high
rules/windows/process_creation/win_susp_pressynkey_lolbin.yml
+28
View File
@@ -0,0 +1,28 @@
title: NodejsTools PressAnyKey Lolbin
id: a20391f8-76fb-437b-abc0-dba2df1952c6
status: experimental
description: Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1463526834918854661
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
author: Florian Roth
date: 2022/01/11
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'Microsoft.NodejsTools.PressAnyKey.exe normal '
selection2:
CommandLine|contains: '.exe normal '
CommandLine|endswith: '.exe'
filter:
Image|contains: '\Microsoft\NodeJsTools\NodeJsTools'
condition: 1 of selection* and not 1 of filter*
falsepositives:
- Other tools with the same command line flag combination
- Legitimate uses as part of Visual Studio development
level: high