add more suspicious child processes / relevant parent processes

2022-06-02 16:14:39 +02:00
parent 2c1fd87a27
commit 79cc5f73ea
4 changed files with 18 additions and 6 deletions
@@ -7,6 +7,7 @@ references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 date: 2022/06/01
+modified: 2022/06/02
 tags:
  - attack.defense_evasion
  - attack.t1036
@@ -23,6 +24,8 @@ detection:
      - '\cscript.exe'
      - '\wscript.exe'
      - '\wsl.exe'
+      - '\rundll32.exe'
+      - '\regsvr32.exe'
      # office apps are covered by other rules
  selection_msdt:
    - Image|endswith: '\msdt.exe'
@@ -33,7 +33,10 @@ detection:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
+      - '\msaccess.exe'
+      - '\mspub.exe'
+      - '\eqnedt32.exe'
  condition: selection1 and selection2
 falsepositives:
  - Unknown
-level: high
+level: high
@@ -12,7 +12,7 @@ tags:
    - car.2013-05-002
 author: Jason Lynch
 date: 2019/04/02
-modified: 2021/04/01
+modified: 2022/06/02
 logsource:
    category: process_creation
    product: windows
@@ -24,6 +24,8 @@ detection:
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
+            - '\MSACCESS.exe'
+            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
@@ -13,7 +13,7 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2022/03/30
+modified: 2022/06/02
 logsource:
  product: windows
  category: process_creation
@@ -24,9 +24,13 @@ detection:
    - CommandLine|contains: 'wmic '
  selection2:
    ParentImage:
-      - winword.exe
-      - excel.exe
-      - powerpnt.exe
+      - '\winword.exe'
+      - '\excel.exe'
+      - '\powerpnt.exe'
+      - '\msaccess.exe'
+      - '\mspub.exe'
+      - '\eqnedt32.exe'
+      - '\visio.exe'
  condition: selection1 and selection2
 falsepositives:
 - Unknown