diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
new file mode 100644
index 000000000..a50faf8b5
--- /dev/null
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Archive
+id: 654fcc6d-840d-4844-9b07-2c3300e54a26
+description: Detects programs on a Windows system that should not write an archive to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ # - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \notepad.exe
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith:
+ - '.zip'
+ - '.rar'
+ - '.7z'
+ - '.diagcab'
+ - '.appx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
new file mode 100644
index 000000000..f9abb5613
--- /dev/null
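Review bot: The `TargetFilename|endswith` list under `selection` covers `.diagcab` and `.appx` but not the plain `.cab` container, so an archive written as `payload.cab` by any of the listed images is not caught even though the description targets "an archive"; adding `- '.cab'` closes that gap, and `- '.iso'` / `- '.img'` are worth considering if the environment tolerates them, since mountable images are a common phishing container. The section comment `# Microsoft Office Programs Dropping Executables` was carried over from the executable rule and should read `# Microsoft Office Programs Dropping Archives` here. `falsepositives: Unknown` at `level: high` gives the analyst no triage hint; if any benign writer of these extensions was observed while authoring the rule, naming it there would help.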
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
@@ -0,0 +1,50 @@
+title: Legitimate Application Dropped Executable
+id: f0540f7e-2db3-4432-b9e0-3965486744bc
+description: Detects programs on a Windows system that should not write executables to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ # - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \notepad.exe
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith:
+ - '.exe'
+ - '.dll'
+ - '.ocx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
new file mode 100644
index 000000000..654cbae90
--- /dev/null
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
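Review bot: The `TargetFilename|endswith` list stops at `.exe`, `.dll` and `.ocx`, so a PE dropped under another directly executable extension — `.scr`, `.cpl`, `.com` or `.sys` — by the same images is missed although it is exactly the behaviour the description ("should not write executables to disk") names; adding `- '.scr'`, `- '.cpl'`, `- '.sys'` covers those without widening the image list. Because the match is on the file name only, a PE first written as `.tmp` and renamed afterwards will not fire this rule; a one-line comment above the list such as `# Name-based: a PE written under a non-PE extension and renamed later is not covered here` would set that expectation for analysts. `\CertReq.exe` is the only mixed-case entry in the `Image|endswith` list; Sigma matching is case-insensitive so this is cosmetic, but lowercase would match the rest of the list.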
@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Script
+id: 7d604714-e071-49ff-8726-edeb95a70679
+description: Detects programs on a Windows system that should not write scripts to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ # - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith:
+ - '.ps1'
+ - '.bat'
+ - '.vbs'
+ - '.scf'
+ - '.wsf'
+ - '.wsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
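Review bot: The `TargetFilename|endswith` list omits `.cmd`, which cmd.exe runs exactly like the listed `.bat`, so `payload.cmd` written by any listed image slips through; `.js`, `.jse`, `.vbe` and `.hta` are the other common Windows script formats, and `.hta` in particular pairs with the `\mshta.exe` entry already in the image list. Adding `- '.cmd'`, `- '.js'`, `- '.hta'` (plus `.jse`/`.vbe` if wanted) keeps the rule aligned with its description. `\notepad.exe` was left out of this rule's image list, presumably because users legitimately save `.ps1`/`.bat` files from Notepad, yet `\wordpad.exe` remains even though its "Save As" can write plain text under any name in the same way; either drop it here as well or record it under `falsepositives` instead of `Unknown`. The section comment `# Microsoft Office Programs Dropping Executables` should read `# Microsoft Office Programs Dropping Scripts` in this file.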