From 9da42e4b526dcf543132e9deb15b245cb6f41665 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 16 May 2023 09:38:53 +0200 Subject: [PATCH 1/2] fix: FP with CheckPoint SmartConsole --- .../image_load_side_load_from_non_system_location.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 9ba7d5d57..051c668ce 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -1,7 +1,7 @@ title: Potential System DLL Sideloading From Non System Locations id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 status: experimental -description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...) +description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.) references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research) - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll @@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 -modified: 2023/05/05 +modified: 2023/05/16 tags: - attack.defense_evasion - attack.persistence 
@@ -462,6 +462,13 @@ detection: filter_optional_dell_wldp: Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' Image|endswith: '\wldp.dll' + filter_optional_checkpoint: + Image|startswith: + - 'C:\Program Files\CheckPoint\' + - 'C:\Program Files (x86)\CheckPoint\' + ImageLoaded|startswith: + - 'C:\Program Files\CheckPoint\' + - 'C:\Program Files (x86)\CheckPoint\' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule From 06ec405ce7e5c07829d0c3c38523f3cecf3280d4 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 16 May 2023 15:37:13 +0200 Subject: [PATCH 2/2] fix: specify image and loaded image --- .../image_load_side_load_from_non_system_location.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 051c668ce..22c45a0a9 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -466,9 +466,11 @@ detection: Image|startswith: - 'C:\Program Files\CheckPoint\' - 'C:\Program Files (x86)\CheckPoint\' + Image|endswith: '\SmartConsole.exe' ImageLoaded|startswith: - 'C:\Program Files\CheckPoint\' - 'C:\Program Files (x86)\CheckPoint\' + ImageLoaded|endswith: '\PolicyManager.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule
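Review bot: the `filter_optional_checkpoint` block added in the `@@ -462,6 +462,13 @@` hunk of PATCH 1/2 is broader than the commit message ("fix: FP with CheckPoint SmartConsole") describes: it suppresses every image-load event whose `Image` and `ImageLoaded` both sit anywhere under `C:\Program Files\CheckPoint\` or `C:\Program Files (x86)\CheckPoint\`, so any process in that tree loading any DLL name from this rule's selection out of that tree is excluded, not just SmartConsole. A directory-wide exclusion like this is exactly the blind spot that a later unexpected loader in the vendor folder would fall into, so it should be narrowed to the process and DLL that were actually observed, e.g. `Image|endswith: '\SmartConsole.exe'` and `ImageLoaded|endswith: '\PolicyManager.dll'`, and the reason for the filter should be recorded in a trailing comment or in the `falsepositives` list so the context does not get lost.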
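Review bot: the `Image|endswith: '\SmartConsole.exe'` and `ImageLoaded|endswith: '\PolicyManager.dll'` lines added in the `@@ -466,9 +466,11 @@` hunk of PATCH 2/2 correctly narrow the PATCH 1/2 filter to one process/DLL pair, since Sigma ANDs the fields inside a single named filter while each `startswith` list is ORed within its field. What is still missing is documentation: nothing in the hunk records that this pair (SmartConsole.exe loading PolicyManager.dll from the Check Point install directory) is the observed false positive, so a comment on `filter_optional_checkpoint` or an entry in `falsepositives` would help maintainers; and if SmartConsole is later seen loading other DLLs from the rule's list, those should be added as further explicit `ImageLoaded|endswith` values rather than by removing the `endswith` constraints again.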