From af45f06d58888c89c44d9e165c9f18dff981795e Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Wed, 25 May 2022 17:26:26 -0400
Subject: [PATCH 1/4] Filter for Dell Display Manager Child Process

Adding filter for Rundll32.exe command line spawned by ddm.exe (Dell Display Manager).
---
 .../proc_creation_win_susp_rundll32_spawn_explorer.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index aabc317a5..c430ad914 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -1,9 +1,10 @@
 title: RunDLL32 Spawning Explorer
 id: caa06de8-fdef-4c91-826a-7f9e163eef4b
 description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
-author: elhoim
+author: elhoim, CD_ROM_
 status: experimental
 date: 2022/04/27
+modified: 2022/05/25
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 tags:
@@ -16,7 +17,9 @@ detection:
 selection:
 ParentImage|endswith: '\rundll32.exe'
 Image|endswith: '\explorer.exe'
- condition: selection
+ filter:
+ ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high

From 2030a6fddc895d592f5cadf31c754c1350549a5b Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Wed, 25 May 2022 17:30:58 -0400
Subject: [PATCH 2/4] Update proc_creation_win_susp_rundll32_spawn_explorer.yml

---
 .../proc_creation_win_susp_rundll32_spawn_explorer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
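Review bot: The filter added in the second hunk (`@@ -16,7 +17,9 @@`) excludes every rundll32 parent whose command line contains `\shell32.dll,Control_RunDLL`, which is the generic Control Panel applet launch path rather than anything specific to the Dell Display Manager (ddm.exe) case named in the commit message, so the exclusion is wider than its stated rationale and any rundll32-to-explorer chain using that string is no longer seen by this rule. If the ddm.exe-spawned command line carries a more specific token (the applet it opens, for instance), adding it under `ParentCommandLine|contains|all` would keep the exclusion scoped to that product; I cannot confirm such a token from the patch alone. Either way the rule's `falsepositives` still reads `- Unknown` although the commit identifies the source, so change it to `- Dell Display Manager (ddm.exe) launching Control Panel applets via rundll32 shell32.dll,Control_RunDLL`. Minor: the first hunk writes the author as `CD_ROM_` while patches 3/4 of this series use `CD_R0M_`; pick one spelling.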
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
index c430ad914..e9e1826e1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
@@ -19,7 +19,7 @@ detection:
 Image|endswith: '\explorer.exe'
 filter:
 ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
- condition: selection and not filter
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high

From 2a2c15a407d920d54416cb9587fa27f41af03a4e Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Sat, 11 Jun 2022 10:29:46 -0400
Subject: [PATCH 3/4] Create registry_set_custom_file_open_handler_powershell_execution.yml

---
 ...file_open_handler_powershell_execution.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml

diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
new file mode 100644
index 000000000..60a40bc7f
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -0,0 +1,25 @@
+title: Custom File Open Handler Executes PowerShell
+id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
+description: Detects the abuse of custom file open handler, executing powershell
+author: CD_R0M_
+date: 2022/06/11
+status: experimental
+references:
+ - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'shell\open\command\'
+ Details|contains|all:
+ - 'powershell'
+ - '-command'
+ EventType: SetValue
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202

From 335e97247e7fc348e5036a10ce71a456c6ba4fa9 Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Sat, 11 Jun 2022 10:40:04 -0400
Subject: [PATCH 4/4] Update registry_set_custom_file_open_handler_powershell_execution.yml

---
 ...stry_set_custom_file_open_handler_powershell_execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index 60a40bc7f..c13f6736d 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -13,8 +13,8 @@ detection:
 selection:
 TargetObject|contains: 'shell\open\command\'
 Details|contains|all:
- - 'powershell'
- - '-command'
+ - 'powershell'
+ - '-command'
 EventType: SetValue
 condition: selection
 falsepositives:
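Review bot: `Details|contains|all` in the new rule requires both `powershell` and `-command`, so a handler value that launches PowerShell through any other switch, or through `pwsh`, is not covered, even though a `shell\open\command` value that starts PowerShell at all is already the anomaly the description names; consider dropping the `- '-command'` item and listing `- 'powershell'` and `- 'pwsh'` under a plain `Details|contains`, keeping `TargetObject|contains: 'shell\open\command\'` and `EventType: SetValue` as the anchors. The cited reference describes this registry change as a persistence mechanism (its URL slug reads establish-persistence), yet the rule is tagged only `attack.defense_evasion` / `attack.t1202`; add `- attack.persistence` and `- attack.t1546.001` (Change Default File Association) so the rule is found under the technique it actually detects. `falsepositives: - Unknown` combined with `level: high` is hard to justify for an experimental rule — either name the legitimate installers expected to register PowerShell-based open handlers or state that none are known. The reference URL carries a `?cmp=30728` tracking parameter that should be dropped.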