chore: increase level of some sideloading rules

This commit is contained in:
Nasreddine Bencherchali
2023-03-15 01:10:52 +01:00
parent 64295b1ed7
commit 83bcab5fd6
9 changed files with 19 additions and 15 deletions
@@ -1,12 +1,12 @@
title: Suspicious Load of Advapi31.dll
id: d813d662-785b-42ca-8b4a-f7457d78d5a9
status: test
status: deprecated
description: Detects the load of advapi31.dll by a process running in an uncommon folder
references:
- https://github.com/hlldz/Phant0m
author: frack113
date: 2022/02/03
modified: 2022/02/11
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.t1070
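Review bot: The rule is flipped to `status: deprecated` but nothing in the hunk records what supersedes it or why, so a reader who later finds this file has only the unchanged description to go on. Add a pointer in the rule itself, e.g. prefix the description with `Deprecated, superseded by <rule id/title>.` or add a `# Deprecated 2023/03/15 in favour of <rule>` comment, naming the rule that now covers the advapi31.dll load — presumably one of the generic sideloading rules this commit raises to high, but that is not visible here. If the repository keeps deprecated rules in a separate `deprecated/` directory, the file should be moved there in the same change; the path is not shown on this page. The rule's logsource and detection sections lie outside the hunk.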
@@ -6,6 +6,7 @@ references:
- https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/22
modified: 2023/03/15
tags:
- attack.privilege_escalation
- attack.persistence
@@ -41,4 +42,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: medium
level: high
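Review bot: The level goes from medium to high while `falsepositives` still reads `- Unknown`, and nothing else in the rule changes; at high severity analysts are expected to act on each hit, so the known-benign cases should be written down rather than left as unknown. The condition `selection and not filter` shows that at least one benign pattern is already known (whatever `filter` excludes, which is outside the hunk), so that case belongs in the list, e.g. `- Legitimate software installing into the excluded locations` phrased for what the filter actually matches. If the raise is based on field experience, a one-line `# level raised to high 2023/03/15: <reason>` comment would let the next maintainer judge whether it still holds. The detection block starts outside this hunk.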
@@ -17,7 +17,7 @@ detection:
selection:
Image|endswith: '\coregen.exe'
filter:
ImageLoaded|startswith:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\Microsoft Silverlight\'
@@ -6,7 +6,7 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/10/25
modified: 2022/10/28
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -28,9 +28,9 @@ detection:
- 'C:\Windows\SystemTemp\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
filter_steam:
ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
#filter_steam:
# ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
level: high
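Review bot: The Steam exclusion is commented out rather than removed, leaving `#filter_steam:` and its `ImageLoaded|endswith` line as dead text that `1 of filter_*` no longer sees, while the same hunk raises the rule to high; the result is a high-severity hit for any Steam install loading its bundled `dbgcore.dll` from `\Steam\bin\cef\cef.win7x64\` with no recorded rationale. An install under the default `C:\Program Files (x86)\` path is presumably still covered by the path prefix filter just above, but a Steam library on another drive would not be. Either delete the two commented lines outright, or keep the exclusion and say in `falsepositives` why Steam is (or is no longer) considered benign, e.g. `- Steam loading its bundled dbgcore.dll from a non-default install path`; a commented-out filter is neither. The `selection` and the other `filter_*` entries are outside the hunk.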
@@ -6,7 +6,7 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/10/25
modified: 2022/10/28
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -36,4 +36,4 @@ detection:
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
level: high
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
modified: 2023/02/28
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -468,4 +468,4 @@ detection:
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: medium
level: high
@@ -6,6 +6,7 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/08/17
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -27,4 +28,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unlikely
level: medium
level: high
@@ -6,6 +6,7 @@ references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior
date: 2023/03/13
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -24,4 +25,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: medium
level: high
@@ -6,6 +6,7 @@ references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior
date: 2023/03/13
modified: 2023/03/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -28,4 +29,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: medium
level: high