security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Detect RipZip attack

Browse Source
This commit is contained in:
eiger
2022-07-21 16:05:52 +08:00
parent fda9c753e2
commit 4d981fded8
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file_access/file_access_ripzip_attack.yml
+25
View File
@@ -0,0 +1,25 @@
title: RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: experimental
description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains “{0AFACED1-E828-11D1-9187-B532F1E9575D}” meaning the folder shortcut operation.
references:
- https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022/07/21
modified: 2022/07/21
tags:
- attack.t1547
- attack.persistence
logsource:
category: file_access
product: windows
detection:
selection1: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
- TargetFileName|contains: '\Microsoft\Windows\Start Menu\Programs\Startup'
- TargetFileName|contains: '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
- TargetFileName|endswith: '.lnk'
selection2:
- Image|endswith: '\explorer.exe'
- OriginalFileName: 'explorer.exe'
condition: all of selection*
level: high