security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

refactor: comsvcs.dll adjustments - run by ordinal variants

Browse Source
This commit is contained in:
Florian Roth
2021-12-08 10:02:21 +01:00
parent bfd6b48ee4
commit 33bdfd124d
2 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
other/godmode_sigma_rule.yml
+5 -1
View File
@@ -19,7 +19,7 @@ description: 'PoC rule to detect malicious activity - following the principle: i
status: experimental
author: Florian Roth
date: 2019/12/22
modified: 2020/05/18
modified: 2021/12/08
level: high
action: global
---
@@ -54,6 +54,10 @@ detection:
- 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
- ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
- ' comsvcs.dll,#24' # Process dumping method apart from procdump
- ' comsvcs.dll MiniDump' # Process dumping method apart from procdump
- ' comsvcs.dll #24' # Process dumping method apart from procdump
- 'MiniDump full' # Process dumping method apart from procdump
- '#24 full' # Process dumping method apart from procdump
selection_parent_child:
ParentImage|contains:
# Office Dropper Detection
rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+7 -2
View File
@@ -5,9 +5,10 @@ status: experimental
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
author: Florian Roth
date: 2020/02/18
modified: 2021/12/07
modified: 2021/12/08
tags:
- attack.defense_evasion
- attack.t1036
@@ -23,13 +24,17 @@ detection:
CommandLine|contains:
- 'comsvcs.dll'
- 'rundll32'
- '.dmp'
selection_function:
Commandline|contains:
- '#24'
- '#+24'
- 'MiniDump'
selection_full:
CommandLine|contains: ' full'
condition: all of selection*
unique_selection:
CommandLine|contains: '#-4294967272' # https://twitter.com/Hexacorn/status/1224848930795552769
condition: all of selection* or unique_selection
falsepositives:
- Unlikely, because no one should dump the process memory in that way
level: high