From 66ad325fde95de44b0497c67dec7e0dc765d4a85 Mon Sep 17 00:00:00 2001
From: Bhabesh Rai
Date: Tue, 14 Jul 2020 14:01:43 +0545
Subject: [PATCH 1/3] Added support for Defender's PSExec and WMI ASR rules.
---
 .../other/win_defender_psexec_wmi_asr.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/other/win_defender_psexec_wmi_asr.yml
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml
new file mode 100644
index 000000000..7942fec45
--- /dev/null
+++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml
@@ -0,0 +1,29 @@
+title: Process Creations from PSExec and WMI Detected via Attack Surface Reduction
+id: ffa2790e-21f4-90da-dd33-ed8b77a9bf78
+description: Detects blocking of process creations originating from PSExec and WMI commands
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
+ - https://twitter.com/duff22b/status/1280166329660497920
+author: Bhabesh Raj
+date: 2020/07/14
+tags:
+ - attack.lateral_movement
+ - attack.execution
+ - attack.t1570
+ - attack.t1047
+ - attack.t1569
+ - attack.t1569.002
+logsource:
+ product: windows_defender
+ definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
+detection:
+ selection:
+ EventID: 1121
+ ProcessName|endswith:
+ - '\wmiprvse.exe'
+ - '\psexesvc.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 6fb045aa4bbd16c9b1435bb8703821df73c522d9 Mon Sep 17 00:00:00 2001
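Review bot: The `selection` in the new rule keys only on `EventID: 1121` plus a `ProcessName|endswith` list, yet event 1121 carries the ID of the ASR rule that fired, and the GUID the `definition` already names (`d1e49aac-8f56-4280-b9ba-993a6d77406c`) is the more robust selector: PsExec's `-r` switch renames the remote service binary, so a `\psexesvc.exe` suffix match can be sidestepped while the ASR rule still blocks and logs the event. I would add the rule ID to the selection — `EventID: 1121` / `ID: 'd1e49aac-8f56-4280-b9ba-993a6d77406c'` — using whatever field name the Sigma Defender logsource maps the ASR rule ID to (I have not verified the canonical name here), and keep the process-name list as a secondary signal rather than the only one. Per Microsoft's documentation 1121 is the block-mode event only; the same ASR rule running in audit mode writes 1122 and would be silent under this rule, which the `definition` string should state or a second selection should cover. `falsepositives: Unknown` could at least name legitimate administrative use of PsExec and WMI-driven software deployment, since those are exactly what this ASR rule interrupts.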
From: Bhabesh Rai
Date: Tue, 14 Jul 2020 14:20:07 +0545
Subject: [PATCH 2/3] Conforming to Rule Creation Guide.
---
 rules/windows/other/win_defender_psexec_wmi_asr.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml
index 7942fec45..adae1deba 100644
--- a/rules/windows/other/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml
@@ -1,5 +1,5 @@
-title: Process Creations from PSExec and WMI Detected via Attack Surface Reduction
-id: ffa2790e-21f4-90da-dd33-ed8b77a9bf78
+title: PSExec and WMI Process Creations Block
+id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
 description: Detects blocking of process creations originating from PSExec and WMI commands
 status: experimental
 references:
@@ -8,9 +8,7 @@ references:
 author: Bhabesh Raj
 date: 2020/07/14
 tags:
- - attack.lateral_movement
 - attack.execution
- - attack.t1570
 - attack.t1047
 - attack.t1569
 - attack.t1569.002
From e0c1d84951c5e0240e4b2482725cad30162a36e0 Mon Sep 17 00:00:00 2001
From: Bhabesh Rai
Date: Tue, 14 Jul 2020 22:32:29 +0545
Subject: [PATCH 3/3] Added new Lateral Movement Attack ID
---
 rules/windows/other/win_defender_psexec_wmi_asr.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml
index adae1deba..850023895 100644
--- a/rules/windows/other/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml
@@ -9,6 +9,8 @@ author: Bhabesh Raj
 date: 2020/07/14
 tags:
 - attack.execution
+ - attack.lateral_movement
+ - attack.t1570
 - attack.t1047
 - attack.t1569
 - attack.t1569.002