From 4e3985866b0a79afaa3aa5c4be709609fd910cbc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 3 Apr 2020 16:50:48 +0200
Subject: [PATCH] Update and rename sysmon_win_chm.yml to win_html_help_spawn.yml

---
 ...on_win_chm.yml => win_html_help_spawn.yml} | 23 +++++++++----------
 1 file changed, 11 insertions(+), 12 deletions(-)
 rename rules/windows/process_creation/{sysmon_win_chm.yml => win_html_help_spawn.yml} (66%)

diff --git a/rules/windows/process_creation/sysmon_win_chm.yml b/rules/windows/process_creation/win_html_help_spawn.yml
similarity index 66%
rename from rules/windows/process_creation/sysmon_win_chm.yml
rename to rules/windows/process_creation/win_html_help_spawn.yml
index be4cae850..ed18c5c0f 100644
--- a/rules/windows/process_creation/sysmon_win_chm.yml
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -1,4 +1,4 @@
-title: Suspicious Compiled HTML File
+title: HTML Help Shell Spawn
 id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
 status: experimental
 description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
@@ -6,26 +6,25 @@ references:
     - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
 author: Maxim Pavlunin
 date: 2020/04/01
-modified: 2020/04/01
+modified: 2020/04/03
 tags:
     - attack.execution
     - attack.defense_evasion
     - attack.t1223
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: 'C:\Windows\hh.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\powershell.exe'
-            - '*\wscript.exe'
-            - '*\cscript.exe'
-            - '*\regsvr32.exe'
-            - '*\wmic.exe'
-            - '*\rundll32.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\regsvr32.exe'
+            - '\wmic.exe'
+            - '\rundll32.exe'
     condition: selection
 fields:
     - CommandLine
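Review bot: `ParentImage: 'C:\Windows\hh.exe'` in the second hunk is still an exact full-path match while the same hunk moves `Image` to an `|endswith` modifier, so an hh.exe launched from anywhere else (a Windows installation on a non-default system drive, or a WoW64 copy if one is present) would not satisfy the selection. Using `ParentImage|endswith: '\hh.exe'` would make the two selection fields consistent with each other and with the drop of the Sysmon-specific `EventID`/`service` fields, which is the point of the generic `category: process_creation` logsource. Any trailing rule fields after `- CommandLine` (falsepositives, level), if the file has them, lie outside the hunk.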