From 30aebbb65c4a5ec2d6c0dc5fee5f3d7623d16689 Mon Sep 17 00:00:00 2001 
From: Matt Anderson <75185144+MATTANDERS0N@users.noreply.github.com> Date: Sat, 24 Jan 2026 05:36:29 -0600 Subject: [PATCH] Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules new: PUA - Kernel Driver Utility (KDU) Execution new: Devcon Execution Disabling VMware VMCI Device --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- .../85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx | Bin 0 -> 69632 bytes .../85f520e7-6f5e-43ca-874c-222e5bf9c0de.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../e76ca062-4de0-4d79-8d90-160a0d335eca.evtx | Bin 0 -> 69632 bytes .../e76ca062-4de0-4d79-8d90-160a0d335eca.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ ...reation_win_devcon_disable_vmci_driver.yml | 39 +++++++++++ .../proc_creation_win_pua_kdu_driver_tool.yml | 36 ++++++++++ 8 files changed, 233 insertions(+) create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml create mode 100644 rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml create mode 100644 rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx new file mode 100644 index 0000000000000000000000000000000000000000..85321d3f0121db7cd37c5632144b6b8f14fa4148 GIT binary patch literal 69632 zcmeI0U2I%O8HT@ecK3L__U_tk-SU%!OXGh6#N? zLxAf%{`xQKo5gkqW|_3v-%@6ON^b5k8$|m!{ta=x&uiBh^CZ^fvm0yj`9~!GgQ%Tt z&!TN{i$0&k_dlb5l6+vx8cWe!9Q%A!pM`80bH1`=9?HDi=Z|eo$&bYUplLS!SGC?= z*feh&_J8iKzqjxD`tQ8F=UJ!s)}go+bw-~GL(uoFs6blaCv zU=eyvU9d%HFP%6k@AM^G{jczjNNJb@zb!AXjy>F zJnH>;SJAR!%lKNhMM(DJdl~Kf?J@M#@gB4R{2WAWz>4_2u(5oj<;(Zh*WZAxV!JKh z7udaa9y71H72)6$>+7F^Ua>_lT}az;xB6MERe{tBdPh*ou`}NDt)zVl$}XYPESEDc zcqsCReLYFL%hudTbmc9dm`KUwfN95Q$YmiXrCbIxLw)%QQr=#8~GbS1v~p zp1G8<3Cy?(#px}p*l9R#uFdiRlLE~?{IhQ3(&0?p(+-2ObeHw@C9DxAk(Ynijt!i1 zim$naLh~M>9I#TaTp;M;D$XYAk8XI5`Y=?F0Dgvb-I^yC<{P%@Uu6b}`P2U+pw|6_eimSvLq7 zER;!c=~?L9nymWlLA2FjOZcwa!^JZX_Wtzur611(?^M5e`8U@)e!q)5 zqF{W4Udc=mChspET`k5(2J0Os4?XPN{p8R8eg6wLy#<3&3O4*Dsyuc1Og&Bqi<9@1 zn|2=U%!^}q^Ax6^eQi03T*XD%`+k&w`7q_B;oED_U|}OC`dOHShW>Cg{+6b68%((h zVsY5|S!hJrzDU-YKAgE@i&Mvm)zA8t=a_xbm=8ARzcLUi=4TU@ru^PWp4N}FPr;>l z@SKAFeim-Dqb_C8<}OM z6#MYAx$r28J^f=%4Z7i@j5A(GLSoEQOs-+nh2!&~XAMO=;F{46a_}tfdja~znXP&D z`dQ{vXn9*SvZpyRKtkeGh?k-UbnFf#x7G1DBxAy%=fp=qlgAAqkKt$~cbtY1mPdr` zG(Ozljp6=wh|cEN%~5pIyVQ3lpXv$6(-!oK-Ayu?7JcJG!Oz}|5lLg3@sY~=qqNSH z{}k#oD7#RY=6g|~A99vwUqHDXg+~C73(CXStQT35ZTud=_u)vc&s{qQ(bk7+=K=g4 zv>_{?K7_06Fs`HgJ%aU%=pC^=w|(2|y0lUqzZr^QuF8JHae1fBMR|>W!CPcuBNiK| z-+|M*+9<$tU3n|UB*vsqop6M{m^Q}^|MZ?bND`pH*acZ5q~^~ z`cdbtg7aKCY6SZzVhptjb(lmfGyhc}&AoB|EF4=z8GydbcDx4B0}JkAz$-uXTiE8D zdaE zbOM?j1K&C1`&sD8-z7x!5wzZm_9+~i4?ymJY0sVRShP6r47xeS@h+m2@xxdd#ONXPl<}T)JyVdKauTdfyHO>qGK$);8*>o8HHMX0 zCZQ2~sNn?04`J*m+7F_A5^ZI)(sw!g5WdEs&r$5{xYLQ6jYDDp^HRTQCq=zRP@ixs zaQ;!WOyc(dWCrji5o$MxQg%dt^!7@%7)A9nU2#;mdh=Y1-*WGBh>Rr{L1FC0-gEuq 
z3h>tL@7J4c4-@n6d_5u{0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F h0{_PZ=B;L(UhtESnPce|3=i4Mo>|`NhS!eIe*l9xg9QKp literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json new file mode 100644 index 000000000..17eecfa22 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-01-23T03:54:56.824925Z"
+ }
+ },
+ "EventRecordID": 23370,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-01-23 03:54:56.816",
+ "ProcessGuid": "0197231E-F110-6972-3D16-000000000800",
+ "ProcessId": 12132,
+ "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\devcon.exe",
+ "FileVersion": "10.0.26100.6584 (WinBuild.160101.0800)",
+ "Description": "Device Console",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "DevCon.exe",
+ "CommandLine": "devcon.exe disable \"ROOT\\VMWVMCIHOSTDEV\"",
+ "CurrentDirectory": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=36A56121DBE964347C859F95E996B26F,SHA256=282FF232C35FCB82DAD2FDAE56C775523409494B175A5A83D7441B5FA65CB3F9,IMPHASH=A0225EB3236EA941773B705076ADA2AF",
+ "ParentProcessGuid": "0197231E-F0B6-6972-3816-000000000800",
+ "ParentProcessId": 4244,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
new file mode 100644
index 000000000..de4094479
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
@@ -0,0 +1,13 @@
+id: 00d836cd-522f-41c8-b6a5-e1bf5d1d388d
+description: N/A
+date: 2026-01-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+ title: Devcon Execution Disabling VMware VMCI Device
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx
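Review bot: The regression metadata under `regression_tests_info` carries only a `Positive Detection Test` with `match_count: 1`, so nothing pins what the rule must not fire on; a second `evtx` entry with `match_count: 0` built from benign devcon use (for example `devcon.exe hwids *`, or a `disable` of a device that is not the VMCI host device) would guard the disable-plus-VMCI condition against a later loosening of the rule. `description: N/A` also leaves a reader guessing how the sample was produced, although the accompanying event shows devcon.exe launched from the Windows Kits folder under cmd.exe, so a line such as `description: Sysmon EID 1 from running the Windows Kits devcon.exe to disable the VMware VMCI host device by hardware ID` would document it. The rule file referenced by `rule_metadata` is not in this chunk, so whether it keys on the literal `ROOT\VMWVMCIHOSTDEV` hardware ID or a broader VMCI substring cannot be checked here.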
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5529e233cb6be16e030609d242a309872fa0d0c8 GIT binary patch literal 69632 zcmeI0TWnlc6^7S2Gjlv1duHsmZVM!-la@;ic6`Y=_tNoYnh?8$k`OMIA}hX4V~;Ig za+Od7RL}|)`cNU!2M{mxCf<-xRS5}!ct9!=RN^93fp`H4A+=BeiYoK}`|RVfjh!as z^*^ICXJ6J{Ywd5Zz4nxXD4m*75awjc!riTYY8@s+;P49pBoR~u@Wf|0TB=Z z5fA|p5CIVo0TB=Z5fA|pcuxYuvr~gJwF{Q~y5H`3otpTkK&#o+vk#B4dM6j{G{5_| zU$57(GcwC%&Hj-w`%8L#k6AC;kKu2K+r3_Yk1TtYpR-Rv#W;{vG5xA@f#?cpi^4+6 zqIA$?d(ex7I#q3u9rhmX_Y zYiT>}*5ZN_3288}c2u|pc>Q2kWS_(Wa#@Io<^pQU*h8o!JLidCX6+=puVCHg!EplI zDVnjiG_apSad^0k7*j{D%5;x=c@E@?jxoIr{P>1|SZ|@hiV>3nm%a3}R-@@y6X&$epghB6b#)Flk|gq@A2wnFm!0D)&QQF($LR-F z)96d?H;q1K&qHttAMZuhvJq1&m-fj+SrDG_Y!d*5M$4vx78g!T#=O3a5FLc%I0C8W z{N|#ySdb1@SC2w~S&a*Kq?UD{<`4>WF5W9)CTNBWmoT0in|G{h0xe`c02N6R{%%(m z%gJR~foCy7vj-p%CHZ)2B(gJ5NbP=J&31PxU1+u4X}b%e2t9WrQgL9#v&dSTWqEYr zN~6R(YdI%};jX7F;SV3fid{t88&y1a(I!~jc@_mERNj&|n7LwNEO zW}H1epGK~tQTDzMcf@>{39^Xo6?ibYmJ`D~mV^uaK|lV!x^x4Uav8*uZ5!s{5oJ5Q ztXuk6bJM1vP7-UF53R^Cd;ORX)b;=GMwqZLpRz3FcYArRzV|+ZkmA8J4gbSD!f0Dx zDxl3-ZcMacK68^XLy+h3#>ie+Tdy!5-Gonk_)LH)6HAzHxQQ&Y6gMAt>J`XlW7z|K zp5)`_*@C#C7t^?Fke{_=KFLWI<{NJ^lh_hTF|tRT781jTBC#zk4!S+f9Lo2CA&g;} zvtkOSzfJLIt~uk3yVd)fUfc3vzB!iKauP%QA^9b{W_$W#u z{iAgcS`nk%XM7!ri7`(xxyHLL9$$gdW*x|qY-7D2^`l;{)4g`~qOB9Jojv&OwLWWiFQSKC z%VE^JVZX-?;Ir$&Zw23ed$BrwFC2re7xo#B%fmLd7TZfGUqod(L3X!jXV1S?yDG=*xGZ)-tK{&c5qsNrHd%_xEgIOpfrjcu-@A)%$Kj`x6f$1 zw~h65xfEQwdN0IO>Cz62AANOuH5Ma{_Za<$R)N z$6O!naW0$@?H<5)1>^eAK8)7b9_K)hVgeOsf564}=MmrMe0={D875x4jc-6>8(!E+ zbPT7!9Efj@wA&xoj(FMnO>_O)y9IY&_}!~Z1VlgtL_h>YKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKm