security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: harmonize wuauclt rules - kept the oldest, most generic, highest level one

Browse Source
This commit is contained in:
phantinuss
2022-05-11 12:12:51 +02:00
parent 32169dbc33
commit 54c2977ddb
2 changed files with 9 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
-32
View File
@@ -1,32 +0,0 @@
title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
status: experimental
description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
references:
- https://dtm.uk/wuauclt/
author: Sreeman
date: 2020/10/29
modified: 2022/03/07
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'wuauclt.exe'
- '/UpdateDeploymentProvider'
- '/Runhandlercomserver'
filter:
CommandLine|contains:
- 'wuaueng.dll'
- 'UpdateDeploymentProvider.dll /ClassId'
condition: selection and not filter
falsepositives:
- Wuaueng.dll which is a module belonging to Microsoft Windows Update.
fields:
- CommandLine
level: medium
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
+9 -3
View File
@@ -1,13 +1,19 @@
title: Proxy Execution via Wuauclt
id: af77cf95-c469-471c-b6a0-946c685c4798
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
related:
- id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
type: obsoletes
- id: d7825193-b70a-48a4-b992-8b5b3015cc11
type: obsoletes
status: experimental
date: 2020/10/12
modified: 2021/05/10
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution
references:
- https://dtm.uk/wuauclt/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
@@ -19,12 +25,12 @@ detection:
- Image|contains: wuauclt
- OriginalFileName: wuauclt.exe
selection_two:
CommandLine|contains|all:
CommandLine|contains|all:
- 'UpdateDeploymentProvider'
- '.dll'
- 'RunHandlerComServer'
filter:
CommandLine|contains:
CommandLine|contains:
- ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
- ' wuaueng.dll '
condition: selection_one and selection_two and not filter