diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml b/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml new file mode 100644 index 000000000..cf4747938 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml @@ -0,0 +1,37 @@ +title: Use of Adplus.exe +id: 2f869d59-7f6a-4931-992c-cce556ff2d53 +status: experimental +description: The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands +author: Nasreddine Bencherchali +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ + - https://twitter.com/nas_bench/status/1534916659676422152 + - https://twitter.com/nas_bench/status/1534915321856917506 +date: 2022/06/09 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\adplus.exe' + - OriginalFileName: 'Adplus.exe' + selection_cli: + CommandLine|contains: + # Dump process memory + - ' -hang ' + - ' -pn ' + - ' -pmn ' + - ' -p ' + - ' -po ' + # Using a config file + - ' -c ' + # Execute commands inline + - ' -sc ' + condition: all of selection* +falsepositives: + - Legitimate usage of Adplus +level: medium +tags: + - attack.defense_evasion + - attack.execution + - attack.t1003.001 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml new file mode 100644 index 000000000..51aee143d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml @@ -0,0 +1,28 @@ +title: Use of Mftrace.exe +id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e +status: experimental +description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries +author: Nasreddine Bencherchali +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ +date: 2022/06/09 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\mftrace.exe' + - OriginalFileName: 'mftrace.exe' + selection_cli: + # This assumes that when someone use mftrace to launch an ".exe" he will add a space and the binary launched will end with ".exe" + CommandLine|contains: '.exe ' + CommandLine|endswith: '.exe' + parent: + ParentImage|endswith: '\mftrace.exe' + condition: all of selection* or parent +falsepositives: + - Legitimate use for tracing purposes +level: medium +tags: + - attack.defense_evasion + - attack.t1127 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml new file mode 100644 index 000000000..3e9581cad --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml @@ -0,0 +1,31 @@ +title: Use of Squirrel.exe +id: 45239e6a-b035-4aaf-b339-8ad379fcb67e +status: experimental +description: The "Squirrel.exe" binary that is part of multiple softwares (Slack, Teams, Discord...etc) can be used as a LOLBIN +author: Nasreddine Bencherchali +related: + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: derived +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ +date: 2022/06/09 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\squirrel.exe' + selection_cli: + CommandLine|contains: + - ' --download ' + - ' --update ' + - ' --updateRollback=' + selection_http: + CommandLine|contains: 'http' + condition: all of selection* +falsepositives: + - See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs +level: medium +tags: + - attack.defense_evasion + - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml new file mode 100644 index 000000000..d91b19014 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml @@ -0,0 +1,26 @@ +title: Use of VSIISExeLauncher.exe +id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8 +status: experimental +description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries +author: Nasreddine Bencherchali +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/ +date: 2022/06/09 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\VSIISExeLauncher.exe' + - OriginalFileName: 'VSIISExeLauncher.exe' + selection_cli: + CommandLine|contains: + - ' -p ' + - ' -a ' + condition: all of selection* +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1127 diff --git a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml b/rules/windows/process_creation/proc_creation_win_susp_cdb.yml index 270070bc0..f277e2d40 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cdb.yml @@ -2,26 +2,31 @@ title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 status: test description: Launch 64-bit shellcode from a debugger script file using cdb.exe. -author: Beyu Denis, oscd.community +author: Beyu Denis, oscd.community, Nasreddine Bencherchali references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml - - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml + - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + - https://twitter.com/nas_bench/status/1534957360032120833 date: 2019/10/26 -modified: 2021/11/27 +modified: 2022/06/09 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cdb.exe' - CommandLine|contains: '-cf' - condition: selection + selection_img: + - Image|endswith: '\cdb.exe' + - OriginalFileName: 'CDB.Exe' + selection_cli: + CommandLine|contains: + - ' -c ' # Using a debugger script + - ' -cf ' + condition: all of selection* falsepositives: - - Legitimate use of debugging tools + - Legitimate use of debugging tools level: medium tags: - - attack.execution - - attack.t1106 - - attack.defense_evasion - - attack.t1218 - - attack.t1127 + - attack.execution + - attack.t1106 + - attack.defense_evasion + - attack.t1218 + - attack.t1127 diff --git a/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml index 31a2e2bef..0cbf9fb2f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml @@ -2,25 +2,25 @@ title: Application Whitelisting Bypass via Dxcap.exe id: 60f16a96-db70-42eb-8f76-16763e333590 status: test description: Detects execution of of Dxcap.exe -author: Beyu Denis, oscd.community +author: Beyu Denis, oscd.community, Nasreddine Bencherchali (update) references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml - - https://twitter.com/harr0ey/status/992008180904419328 + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/ + - https://twitter.com/harr0ey/status/992008180904419328 date: 2019/10/26 -modified: 2021/11/27 +modified: 2022/06/09 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\dxcap.exe' - CommandLine|contains|all: - - '-c' - - '.exe' - condition: selection + selection_img: + - Image|endswith: '\DXCap.exe' + - OriginalFilename: 'DXCap.exe' + selection_cli: + CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary + condition: all of selection* falsepositives: - - Legitimate execution of dxcap.exe by legitimate user + - Legitimate execution of dxcap.exe by legitimate user level: medium tags: - - attack.defense_evasion - - attack.t1218 + - attack.defense_evasion + - attack.t1218