From 2d50f8d28ac93201693dbca80ca68e02bf7483af Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 11 Jan 2022 10:46:39 +0100
Subject: [PATCH] rule: several lolbins

---
 .../win_susp_devinit_lolbin.yml | 24 ++++++++++++++++
 .../win_susp_mpiexec_lolbin.yml | 28 +++++++++++++++++++
 .../win_susp_pressynkey_lolbin.yml | 28 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_devinit_lolbin.yml
 create mode 100644 rules/windows/process_creation/win_susp_mpiexec_lolbin.yml
 create mode 100644 rules/windows/process_creation/win_susp_pressynkey_lolbin.yml

diff --git a/rules/windows/process_creation/win_susp_devinit_lolbin.yml b/rules/windows/process_creation/win_susp_devinit_lolbin.yml
new file mode 100644
index 000000000..75afd1572
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_devinit_lolbin.yml
@@ -0,0 +1,24 @@
+title: DevInit Lolbin Download
+id: 90d50722-0483-4065-8e35-57efaadd354d
+status: experimental
+description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
+references:
+ - https://twitter.com/mrd0x/status/1460815932402679809
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+author: Florian Roth
+date: 2022/01/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' -t msi-install '
+ - ' -i http'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_mpiexec_lolbin.yml b/rules/windows/process_creation/win_susp_mpiexec_lolbin.yml
new file mode 100644
index 000000000..65e386145
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_mpiexec_lolbin.yml
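Review bot: The `selection` in the devinit hunk keys on `CommandLine` alone, so the `' -t msi-install '` / `' -i http'` pair fires for any process carrying those flags while `devinit.exe` is named only in the description; if that breadth is intended (renamed copies of the binary), say so in the description, otherwise an `Image|endswith: '\devinit.exe'` selection in the style of the mpiexec rule would anchor it. The rule tags only attack.t1218 although the behaviour described is a download of an MSI package from a URL, which also maps to Ingress Tool Transfer, so `- attack.t1105` belongs in the tag list. All three new files end without a final newline (`\ No newline at end of file` here and in the mpiexec and PressAnyKey hunks); add it so linters and later diffs stay clean.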
@@ -0,0 +1,28 @@
+title: MpiExec Lolbin
+id: 729ce0ea-5d8f-4769-9762-e35de441586d
+status: experimental
+description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
+references:
+ - https://twitter.com/mrd0x/status/1465058133303246867
+ - https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+author: Florian Roth
+date: 2022/01/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_binary:
+ - Image|endswith: '\mpiexec.exe'
+ - Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
+ selection_flags:
+ CommandLine|contains:
+ - ' /n 1 '
+ - ' -n 1 '
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_pressynkey_lolbin.yml b/rules/windows/process_creation/win_susp_pressynkey_lolbin.yml
new file mode 100644
index 000000000..13baad93e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pressynkey_lolbin.yml
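Review bot: `falsepositives` says `Unknown`, yet `selection_flags` matches every `mpiexec.exe` start with `-n 1` / `/n 1`, which is also how a legitimate single-rank HPC Pack job is launched, so on cluster nodes this `level: high` rule will fire on routine use; list that case, e.g. `- Legitimate single-process MPI jobs on HPC Pack nodes`, or narrow the rule if the telemetry lets you distinguish scheduler-launched jobs. The `Imphash` alternative in `selection_binary` presumably relies on the backend mapping Sysmon's hash output into a separate `Imphash` field and on import-hash logging being enabled; a short comment next to that line noting the requirement would help users whose pipelines lack it. If the HPC Pack mpiexec also accepts `-np` as an alias for `-n`, the flag list misses it; worth checking against the linked Microsoft documentation.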
@@ -0,0 +1,28 @@
+title: NodejsTools PressAnyKey Lolbin
+id: a20391f8-76fb-437b-abc0-dba2df1952c6
+status: experimental
+description: Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
+references:
+ - https://twitter.com/mrd0x/status/1463526834918854661
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+author: Florian Roth
+date: 2022/01/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: 'Microsoft.NodejsTools.PressAnyKey.exe normal '
+ selection2:
+ CommandLine|contains: '.exe normal '
+ CommandLine|endswith: '.exe'
+ filter:
+ Image|contains: '\Microsoft\NodeJsTools\NodeJsTools'
+ condition: 1 of selection* and not 1 of filter*
+falsepositives:
+ - Other tools with the same command line flag combination
+ - Legitimate uses as part of Visual Studio development
+level: high
\ No newline at end of file
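Review bot: The `filter` excludes on `Image|contains: '\Microsoft\NodeJsTools\NodeJsTools'`, a bare directory substring, so any image whose path contains that fragment is whitelisted regardless of file name, and the genuine binary abused in place from its install directory is never reported either; if the intent is to flag only copies running outside that folder, say so in the description and tighten the exclusion to the binary itself, e.g. `Image|endswith: '\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe'` (assuming it sits directly in that folder). `selection2` (`'.exe normal '` plus `endswith: '.exe'`) matches any command line of that shape, which the first falsepositives entry acknowledges, but paired with `level: high` it deserves either a `medium` level or a sentence in the description explaining why the broad form is kept. The file name `win_susp_pressynkey_lolbin.yml` misspells the binary; `win_susp_pressanykey_lolbin.yml` would match the title and keep the rule findable.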