Merge pull request #3115 from nasbench/master

New/Update LOLBIN Rules

rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml

@@ -0,0 +1,37 @@
+title: Use of Adplus.exe
+id: 2f869d59-7f6a-4931-992c-cce556ff2d53
+status: experimental
+description: The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands
+author: Nasreddine Bencherchali
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
+    - https://twitter.com/nas_bench/status/1534916659676422152
+    - https://twitter.com/nas_bench/status/1534915321856917506
+date: 2022/06/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\adplus.exe'
+        - OriginalFileName: 'Adplus.exe'
+    selection_cli:
+        CommandLine|contains:
+            # Dump process memory
+            - ' -hang '
+            - ' -pn '
+            - ' -pmn '
+            - ' -p '
+            - ' -po '
+            # Using a config file
+            - ' -c '
+            # Execute commands inline
+            - ' -sc '
+    condition: all of selection*
+falsepositives:
+  - Legitimate usage of Adplus
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1003.001

rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml

@@ -0,0 +1,28 @@
+title: Use of Mftrace.exe
+id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
+status: experimental
+description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries
+author: Nasreddine Bencherchali
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
+date: 2022/06/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\mftrace.exe'
+        - OriginalFileName: 'mftrace.exe'
+    selection_cli:
+        # This assumes that when someone use mftrace to launch an ".exe" he will add a space and the binary launched will end with ".exe"
+        CommandLine|contains: '.exe '
+        CommandLine|endswith: '.exe'
+    parent:
+        ParentImage|endswith: '\mftrace.exe'
+    condition: all of selection* or parent
+falsepositives:
+  - Legitimate use for tracing purposes
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1127

rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml

@@ -0,0 +1,31 @@
+title: Use of Squirrel.exe
+id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
+status: experimental
+description: The "Squirrel.exe" binary that is part of multiple softwares (Slack, Teams, Discord...etc) can be used as a LOLBIN
+author: Nasreddine Bencherchali
+related:
+    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
+      type: derived
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
+date: 2022/06/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\squirrel.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' --download '
+            - ' --update '
+            - ' --updateRollback='
+    selection_http:
+        CommandLine|contains: 'http'
+    condition: all of selection*
+falsepositives:
+  - See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.execution

rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml

@@ -0,0 +1,26 @@
+title: Use of VSIISExeLauncher.exe
+id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
+status: experimental
+description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
+author: Nasreddine Bencherchali
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
+date: 2022/06/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\VSIISExeLauncher.exe'
+        - OriginalFileName: 'VSIISExeLauncher.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' -p '
+            - ' -a '
+    condition: all of selection*
+falsepositives:
+  - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1127

rules/windows/process_creation/proc_creation_win_susp_cdb.yml

@@ -2,26 +2,31 @@ title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
 id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
 status: test
 description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
-author: Beyu Denis, oscd.community
+author: Beyu Denis, oscd.community, Nasreddine Bencherchali
 references:
-  - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
-  - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
+    - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+    - https://twitter.com/nas_bench/status/1534957360032120833
 date: 2019/10/26
-modified: 2021/11/27
+modified: 2022/06/09
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection:
-    Image|endswith: '\cdb.exe'
-    CommandLine|contains: '-cf'
-  condition: selection
+    selection_img:
+        - Image|endswith: '\cdb.exe'
+        - OriginalFileName: 'CDB.Exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' -c ' # Using a debugger script
+            - ' -cf '
+    condition: all of selection*
 falsepositives:
-  - Legitimate use of debugging tools
+    - Legitimate use of debugging tools
 level: medium
 tags:
-  - attack.execution
-  - attack.t1106
-  - attack.defense_evasion
-  - attack.t1218
-  - attack.t1127
+    - attack.execution
+    - attack.t1106
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.t1127

rules/windows/process_creation/proc_creation_win_susp_dxcap.yml

@@ -2,25 +2,25 @@ title: Application Whitelisting Bypass via Dxcap.exe
 id: 60f16a96-db70-42eb-8f76-16763e333590
 status: test
 description: Detects execution of of Dxcap.exe
-author: Beyu Denis, oscd.community
+author: Beyu Denis, oscd.community, Nasreddine Bencherchali (update)
 references:
-  - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
-  - https://twitter.com/harr0ey/status/992008180904419328
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
+    - https://twitter.com/harr0ey/status/992008180904419328
 date: 2019/10/26
-modified: 2021/11/27
+modified: 2022/06/09
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\dxcap.exe'
-    CommandLine|contains|all:
-      - '-c'
-      - '.exe'
-  condition: selection
+    selection_img:
+        - Image|endswith: '\DXCap.exe'
+        - OriginalFilename: 'DXCap.exe'
+    selection_cli:
+        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
+    condition: all of selection*
 falsepositives:
-  - Legitimate execution of dxcap.exe by legitimate user
+    - Legitimate execution of dxcap.exe by legitimate user
 level: medium
 tags:
-  - attack.defense_evasion
-  - attack.t1218
+    - attack.defense_evasion
+    - attack.t1218