From 59ccb74bc61bbf6342c3359f97f02fd7d8b7feab Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 18 Nov 2022 11:26:04 +0100
Subject: [PATCH] Add proc_creation_win_susp_powercfg

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_powercfg.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_powercfg.yml

diff --git a/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
new file mode 100644
index 000000000..d9229ef1c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
@@ -0,0 +1,34 @@
+title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
+status: experimental
+description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+references:
+    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+    - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+author: frack113
+date: 2022/11/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_power:
+        - Image|endswith: '\powercfg.exe'
+        - OriginalFileName: 'PowerCfg.exe'
+    selection_standby:
+        # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
+        - CommandLine|contains|all:
+            - '/setacvalueindex '
+            - 'SCHEME_CURRENT'
+            - 'SUB_VIDEO'
+            - 'VIDEOCONLOCK'
+        # powercfg -change -standby-timeout-dc 3000
+        # powercfg -change -standby-timeout-ac 3000
+        - CommandLine|contains|all:
+            - '-change '
+            - '-standby-timeout-'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
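Review bot: The second `selection_standby` branch requires the literal `-change `, so it misses the same command spelled with a slash (`/change`) and the `/x` alias that the referenced Microsoft page documents for this option, which an attacker or a tool like BatLoader can use interchangeably as far as I can tell; since the option name is the distinctive token, `- CommandLine|contains: '-standby-timeout-'` on its own (or a `contains` list also holding `'hibernate-timeout-'`) would cover every spelling without widening much. The first branch pins `/setacvalueindex`, which leaves the battery-side `/setdcvalueindex` variant of the same VIDEOCONLOCK change uncovered; if that is deliberate a comment saying so would help, otherwise `'valueindex'` covers both. The title and description say "lock screen timeout" but only the VIDEOCONLOCK branch is that setting — the other branch is the sleep timeout — so the description should read `Detects suspicious execution of 'Powercfg.exe' to change the lock screen or standby timeout`. `falsepositives: - Unknown` is optimistic for a medium-level rule: provisioning, imaging and kiosk scripts routinely run `powercfg -change -standby-timeout-ac 0`, and listing that as a known source of noise would set expectations for people enabling it.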