Merge pull request #4264 from nasbench/qakbot-regsvr32-updates

feat: new rules and updates related to qakbot and regsvr32
Nasreddine Bencherchali
2023-05-30 12:16:23 +02:00
committed by GitHub
23 changed files with 566 additions and 162 deletions
@@ -1,13 +1,13 @@
title: Regsvr32 Anomaly
id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
status: experimental
status: deprecated
description: Detects various anomalies in relation to regsvr32.exe
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
date: 2019/01/16
modified: 2023/02/26
modified: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
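Review bot: flipping `status` to `deprecated` leaves the description, references and tags untouched, so a reader of this file cannot tell which rules replace it. Consider adding one sentence to the description naming the successor rules (the new rules in this PR that declare `type: obsoletes` against id 8e2b24c9-4add-46a0-b4bb-0057b4e6187d), and check whether the file should move alongside the other deprecated rules.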
@@ -83,4 +83,4 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
level: high
level: high
@@ -0,0 +1,17 @@
# Qakbot
## Summary
QBot is a modular information stealer also known as Qakbot, Quakbot, Oakboat or Pinkslipbot.
You can find more information on the threat in the following articles:
- [Qakbot - malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot)
- [Qakbot- pr0xylife](https://github.com/pr0xylife/Qakbot/)
## Rules
- [Qakbot Regsvr32 Calc Pattern](./proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml)
- [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml)
- [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml)
- [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml)
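Review bot: the second reference link text reads `Qakbot- pr0xylife` while the first reads `Qakbot - malpedia`; add the missing space so both follow the same `Name - source` form.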
@@ -0,0 +1,25 @@
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: experimental
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains:
- ' /s'
- ' -s'
CommandLine|endswith: ' calc'
condition: selection
falsepositives:
- Unlikely
level: high
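Review bot: `selection` keys only on `Image|endswith: '\regsvr32.exe'`, whereas the other regsvr32 rules in this PR pair that with `OriginalFileName: 'REGSVR32.EXE'` in a `selection_img` list so that a renamed binary is still covered; consider the same `selection_img` pattern here. The `tags` block also lacks `attack.t1218.010`, which every other regsvr32 rule in this set carries.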
@@ -0,0 +1,38 @@
title: Potential Qakbot Rundll32 Execution
id: cf879ffb-793a-4753-9a14-bc8f37cc90df
status: experimental
description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023/05/24
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_paths:
ParentImage|endswith:
# Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
# Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- ':\ProgramData\'
- ':\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
selection_extension:
CommandLine|contains: '.dll'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
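Review bot: `selection_extension` only requires `CommandLine|contains: '.dll'`, so this rule is a strict superset of the `Qakbot Rundll32 Exports Execution` rule whenever the export command line also contains `.dll`: the same event fires both this `high` rule and that `critical` one. Either state that layering in the description or narrow this rule, and reconsider `falsepositives: Unlikely` for a `rundll32 ... \AppData\Local\Temp\...dll` launched from `cmd.exe` or `powershell.exe`, which installers and admin scripts can legitimately produce.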
@@ -0,0 +1,64 @@
title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: experimental
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023/05/24
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_paths:
ParentImage|endswith:
# Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
# Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- ':\ProgramData\'
- ':\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
selection_exports:
CommandLine|endswith:
# Note: Only add additional exports seen used by Qakbot
- 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
- 'bind'
- 'DrawThemeIcon'
- 'GG10'
- 'GL70'
- 'jhbvygftr'
- 'kjhbhkjvydrt'
- 'LS88'
- 'Motd'
- 'N115'
- 'Nikn'
- 'print'
- 'qqqb'
- 'qqqq'
- 'RS32'
- 'Test'
- 'Time'
- 'Updt'
- 'vips'
- 'Wind'
- 'WW50'
- 'X555'
- 'XL55'
- 'xlAutoOpen'
- 'XS88'
condition: all of selection_*
falsepositives:
- Unlikely
level: critical
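Review bot: `selection_exports` uses `CommandLine|endswith` with short generic tokens such as `'Test'`, `'Time'`, `'print'`, `'bind'` and `'Wind'`, so a matching rundll32 command line that merely ends in those letters (an export named `SelfTest`, for example) also matches; anchoring each entry on the separator that precedes the export name (`,Test` or ` Test`) would tighten it. Only the `'aslr'` entry carries a source link; given the comment `Only add additional exports seen used by Qakbot`, a reference per export (inline or under `references`) would make future pruning of the list possible.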
@@ -0,0 +1,38 @@
title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: experimental
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/24
tags:
- attack.defense_evasion
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
# Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
# Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- ':\ProgramData\'
- ':\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
filter_main_extension:
CommandLine|contains: '.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: critical
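Review bot: the `ParentImage` list, the `CommandLine` path list and their `# Note:` comments are copied verbatim across this rule and the two preceding Qakbot rundll32 rules; a comment in each pointing at the siblings would help keep them in sync when a parent or path is added later. Also, `filter_main_extension: CommandLine|contains: '.dll'` is the exact inverse of `selection_extension` in `Potential Qakbot Rundll32 Execution`, so the two rules partition the same parent/path selection; saying so in the description would help triage.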
@@ -0,0 +1,30 @@
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: experimental
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021/11/05
modified: 2022/07/07
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: '.vbs -register ' # register_app.vbs
condition: all of selection*
falsepositives:
- Other VB scripts that leverage the same starting command line flags
level: medium
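Review bot: the detection logic changed substantially compared with the deleted `Suspicious Registration via cscript.exe` rule that carried this same id (the Windows Kits path requirement is gone, and `wscript.exe` plus `OriginalFileName` were added), yet `modified: 2022/07/07` was not bumped; it should carry this PR's date. The trailing space in `'.vbs -register '` means an invocation where `-register` is the final token will not match; if that is deliberate, a comment saying so would prevent it from being "fixed" later.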
@@ -8,6 +8,7 @@ references:
- https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/22
modified: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.008
@@ -22,6 +23,7 @@ detection:
# Note: Add more suspicious locations
CommandLine|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
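Review bot: `':\ProgramData\'` is far more common than the other entries in this list (`:\PerfLogs\`, `:\Windows\Registration\CRMLog`), since many legitimate installers and agents keep binaries there; confirm that the rule's `level` and `falsepositives` (outside this hunk) still hold after the addition, or pair the new path with a filter for known vendor directories.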
@@ -1,12 +1,12 @@
title: Regsvr32 Flags Anomaly
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019/07/13
modified: 2021/11/27
modified: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
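Review bot: the new title spells `Commandline` as one word while other titles in this PR use `Command Line` (`Regsvr32 Command Line Without DLL`); pick one form. In the new description, `"/n" which should be uncommon` reads awkwardly; `"/n" flag, which should be uncommon` is clearer.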
@@ -16,13 +16,14 @@ logsource:
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains: ' /i:'
filter:
CommandLine|contains: ' /n '
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
CommandLine|contains:
- ' /i:'
- ' -i:'
filter_main_flag:
CommandLine|contains:
- ' /n '
- ' -n '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
- Administrator typo might cause some false positives
level: medium
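Review bot: `filter_main_flag` matches `' /n '` and `' -n '` with a trailing space, so a command line in which `/n` is the final token is not filtered and will alert even though the flag is present; add `CommandLine|endswith` entries for `' /n'` and `' -n'` to the filter (or drop the trailing space). Lowering the level to `medium` and adding the `Administrator typo` false-positive entry is consistent with the broadened `' -i:'` match.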
@@ -0,0 +1,63 @@
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: experimental
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022/01/11
modified: 2023/05/24
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_ip:
CommandLine|contains:
- ' /i:http://1'
- ' /i:http://2'
- ' /i:http://3'
- ' /i:http://4'
- ' /i:http://5'
- ' /i:http://6'
- ' /i:http://7'
- ' /i:http://8'
- ' /i:http://9'
- ' /i:https://1'
- ' /i:https://2'
- ' /i:https://3'
- ' /i:https://4'
- ' /i:https://5'
- ' /i:https://6'
- ' /i:https://7'
- ' /i:https://8'
- ' /i:https://9'
- ' -i:http://1'
- ' -i:http://2'
- ' -i:http://3'
- ' -i:http://4'
- ' -i:http://5'
- ' -i:http://6'
- ' -i:http://7'
- ' -i:http://8'
- ' -i:http://9'
- ' -i:https://1'
- ' -i:https://2'
- ' -i:https://3'
- ' -i:https://4'
- ' -i:https://5'
- ' -i:https://6'
- ' -i:https://7'
- ' -i:https://8'
- ' -i:https://9'
condition: all of selection_*
falsepositives:
- FQDNs that start with a number such as "7-Zip"
level: high
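Review bot: `selection_ip` enumerates 36 literal prefixes that only test the first character after `http://` or `https://`, so any hostname beginning with a digit matches (as the `7-Zip` false-positive entry admits). A single `CommandLine|re: ' [/-]i:https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'` expresses the stated intent (an IPv4 literal) in one line and excludes such FQDNs, at the cost of requiring regex support in the backend. Compared with the deleted version of this rule, the `' /s'` / `' /u'` flag requirement is gone; mention that in the description, since the rule now fires on a plain `/i:` download as well.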
@@ -1,45 +0,0 @@
title: Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: experimental
description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN
references:
- https://twitter.com/mrd0x/status/1461041276514623491c19-ps
- https://twitter.com/tccontre18/status/1480950986650832903
author: Florian Roth (Nextron Systems)
date: 2022/01/11
modified: 2023/01/11
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|all:
- ' /s'
- ' /u'
selection_ip:
CommandLine|contains:
- ' /i:http://1'
- ' /i:http://2'
- ' /i:http://3'
- ' /i:http://4'
- ' /i:http://5'
- ' /i:http://6'
- ' /i:http://7'
- ' /i:http://8'
- ' /i:http://9'
- ' /i:https://1'
- ' /i:https://2'
- ' /i:https://3'
- ' /i:https://4'
- ' /i:https://5'
- ' /i:https://6'
- ' /i:https://7'
- ' /i:https://8'
- ' /i:https://9'
condition: all of selection_*
falsepositives:
- FQDNs that start with a number
level: high
@@ -0,0 +1,36 @@
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsoletes
status: experimental
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023/05/24
modified: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_flag:
CommandLine|contains:
- ' /i'
- ' -i'
selection_protocol:
CommandLine|contains:
- 'ftp'
- 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
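Review bot: `selection_protocol` matches `'ftp'` / `'http'` anywhere in the command line and `selection_flag` matches `' /i'` / `' -i'` anywhere, so the two are not tied together: a local DLL under a directory whose name contains `httpd`, or a file such as `ftpclient.dll`, combined with any argument starting with `i`, will fire. Joining them into one selection (`' /i:http'`, `' /i:ftp'`, `' -i:http'`, `' -i:ftp'`, plus the quoted `' /i:"http'` form if wanted) keeps the intent and removes that class of false positives; `falsepositives: Unknown` could then be made concrete.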
@@ -1,38 +0,0 @@
title: Regsvr32 Command Line Without DLL
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
references:
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
date: 2019/07/17
modified: 2022/12/25
tags:
- attack.defense_evasion
- attack.t1574
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
filter:
CommandLine|contains:
- '.dll'
- '.ocx'
- '.cpl'
- '.ax'
- '.bav'
- '.ppl'
filter_null1_for_4688:
CommandLine: null
filter_null2_for_4688:
CommandLine: ''
condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688
falsepositives:
- Unknown
fields:
- CommandLine
- ParentCommandLine
level: high
@@ -1,32 +0,0 @@
title: Suspicious Registration via cscript.exe
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: experimental
description: Detects when the registration of a VSS/VDS Provider as a COM+ application.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://ss64.com/vb/cscript.html
author: Austin Songer @austinsonger
date: 2021/11/05
modified: 2022/07/07
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\cscript.exe'
CommandLine|contains: '-register'
selection2:
CommandLine|contains:
- '\Windows Kits\10\bin\10.0.22000.0\x64'
- '\Windows Kits\10\bin\10.0.19041.0\x64'
- '\Windows Kits\10\bin\10.0.17763.0\x64'
condition: all of selection*
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: medium
@@ -1,24 +0,0 @@
title: Regsvr32 Spawning Explorer
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
status: experimental
description: Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon.
references:
- https://redcanary.com/blog/intelligence-insights-april-2022/
- https://www.echotrail.io/insights/search/regsvr32.exe
author: elhoim
date: 2022/05/05
modified: 2022/07/28
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\regsvr32.exe'
Image|endswith: '\explorer.exe'
condition: selection
falsepositives:
- Unknown
level: high
@@ -0,0 +1,45 @@
title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsoletes
status: experimental
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
- https://redcanary.com/blog/intelligence-insights-april-2022/
- https://www.echotrail.io/insights/search/regsvr32.exe
- https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/05
modified: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\regsvr32.exe'
Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\explorer.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\nltest.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\werfault.exe'
- '\wscript.exe'
filter_main_werfault:
Image|endswith: '\werfault.exe'
CommandLine|contains: ' -u -p '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high
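Review bot: `filter_main_werfault` removes the standard crash-reporter launch (`werfault.exe -u -p <pid> ...`), so `'\werfault.exe'` in the `Image` list effectively only alerts on a non-standard WerFault invocation; add a comment above the filter explaining that, because without it the entry looks like a contradiction. Reusing id `6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca` from the deleted `Regsvr32 Spawning Explorer` rule is fine since `'\explorer.exe'` is still covered here, so no extra `related` entry is needed for it.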
@@ -0,0 +1,34 @@
title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsoletes
status: experimental
description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_cli:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium
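Review bot: `':\Temp\'` in `selection_cli` also appears in `selection_path_1` of the new `Regsvr32 Execution From Highly Suspicious Location` rule, so a `regsvr32 C:\Temp\x.dll` event fires both this `medium` rule and that `high` one; drop the path from one of the two or state the overlap in the description.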
@@ -0,0 +1,63 @@
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: experimental
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_path_1:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- '\Windows\Registration\CRMLog'
- '\Windows\System32\com\dmp\'
- '\Windows\System32\FxsTmp\'
- '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- '\Windows\System32\spool\drivers\color\'
- '\Windows\System32\spool\PRINTERS\'
- '\Windows\System32\spool\SERVERS\'
- '\Windows\System32\Tasks_Migrated\'
- '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- '\Windows\SysWOW64\com\dmp\'
- '\Windows\SysWOW64\FxsTmp\'
- '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- '\Windows\Tasks\'
- '\Windows\Tracing\'
selection_path_2:
CommandLine|contains:
# This is to avoid collisions with CLI starting with "C:\"
- ' "C:\'
- ' C:\'
- " 'C:\\"
- 'D:\'
selection_exclude_known_dirs:
CommandLine|contains:
# Note: add additional locations that are related to third party applications
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\ProgramData\'
- 'C:\Users\'
# Note: The space added here are to avoid collisions with the "regsvr32" binary full path
- ' C:\Windows\'
- ' "C:\Windows\'
- " 'C:\\Windows\\"
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
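Review bot: `selection_path_2` includes `'D:\'` but `selection_exclude_known_dirs` only lists `C:\` prefixes, so every DLL registered from a `D:` drive (common on servers with a separate application or data volume) matches at `level: high`; add the `D:\` equivalents of the exclusions or drop `'D:\'`. The same branch also fires for any `C:\<vendor>\...` directory outside Program Files, ProgramData, Users and Windows, so `falsepositives: Unlikely` is optimistic. `filter_main_empty` and `filter_main_null` appear redundant, since both `selection_path_*` branches already require a `CommandLine` substring. Description typo: `a highly suspicious locations`.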
@@ -1,17 +1,17 @@
title: Suspicious Regsvr32 Execution With Image Extension
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
- id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
type: similar
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsoletes
status: experimental
description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
- https://guides.lib.umich.edu/c.php?g=282942&p=1885348
author: frack113
author: Florian Roth (Nextron Systems), frack113
date: 2021/11/29
modified: 2022/10/31
modified: 2023/05/24
tags:
- attack.defense_evasion
- attack.t1218.010
@@ -21,12 +21,15 @@ logsource:
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: '\REGSVR32.EXE'
- OriginalFileName: 'REGSVR32.EXE'
selection_cli:
CommandLine|endswith:
# Add more image extensions
# https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
- '.bin'
- '.bmp'
- '.cr2'
- '.dat'
- '.eps'
- '.gif'
- '.ico'
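Review bot: the `OriginalFileName` change from `'\REGSVR32.EXE'` to `'REGSVR32.EXE'` is a real bug fix (a leading backslash can never match a PE original file name) and deserves a mention in the PR description. The `# Add more image extensions` comment is now stale: `.bin` and `.dat` here, and the `.tmp` / `.txt` entries further down, are not image formats, and the description was changed to `other files`; reword the comment to match.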
@@ -37,9 +40,13 @@ detection:
- '.png'
- '.raw'
- '.sr2'
- '.temp'
- '.tif'
- '.tiff'
- '.tmp'
- '.rtf'
- '.txt'
condition: all of selection_*
falsepositives:
- Unknown
- Unlikely
level: high
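Review bot: `'.rtf'` and `'.txt'` are appended after `'.tmp'`, breaking the alphabetical order the rest of the list keeps; move them up. `'.tmp'` is worth validating against installer telemetry before keeping `falsepositives: Unlikely`, since setup programs that extract helper DLLs to `%TEMP%` are a plausible source of `.tmp`-named registrations.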
@@ -0,0 +1,37 @@
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsoletes
status: experimental
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
tags:
- attack.defense_evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\regsvr32.exe'
filter_main_rpcproxy:
ParentImage: C:\Windows\System32\cmd.exe
CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
- Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP
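Review bot: `filter_main_rpcproxy` requires `ParentImage: C:\Windows\System32\cmd.exe` exactly, so the same `RpcProxy.dll` registration launched from `C:\Windows\SysWOW64\cmd.exe`, or on a system installed on another drive letter, is not filtered; `ParentImage|endswith: '\cmd.exe'` combined with the existing `CommandLine|endswith` keeps the filter specific enough. The first `falsepositives` entry reads `scripts leverage legitimately often`, which is missing its object; `Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often spawn "regsvr32". Apply additional filters and exclusions as necessary` would be clearer.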
@@ -0,0 +1,39 @@
title: Regsvr32 DLL Execution With Uncommon Extension
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
references:
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
date: 2019/07/17
modified: 2023/05/24
tags:
- attack.defense_evasion
- attack.t1574
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
filter_main_legit_ext:
CommandLine|contains:
# Note: For better accuracy you might not want to use contains
- '.ax'
- '.cpl'
- '.dll' # Covers ".dll.mui"
- '.ocx'
filter_optional_pascal:
CommandLine|contains: '.ppl'
filter_optional_avg:
CommandLine|contains: '.bav'
filter_main_null_4688:
CommandLine: null
filter_main_empty_4688:
CommandLine: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legitimate extensions currently not in the list either from third party or specific Windows components.
level: medium
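Review bot: `filter_main_legit_ext` uses `contains`, as its comment concedes, so a command line whose directory name contains `.ax` or `.ocx`, or a file that carries `.dll` somewhere before its real extension, is filtered out even though the registered file has an uncommon extension; a `CommandLine|re` such as `\.(dll|ocx|cpl|ax)\b` would implement the accuracy the comment asks for without depending on argument order. Also, the `filter_optional_*` entries are applied unconditionally by the condition, so the `optional` prefix only signals that users may remove them; a short comment saying so would help.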
@@ -5,6 +5,8 @@ description: Detects potential SquiblyTwo attack technique with possible renamed
references:
- https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/mattifestation/status/986280382042595328 # Deleted
- https://atomicredteam.io/defense-evasion/T1220/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Markus Neis, Florian Roth
date: 2019/01/16
modified: 2023/02/15
@@ -6,6 +6,7 @@ references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/23
modified: 2023/05/26
tags:
- attack.persistence
- attack.t1003
@@ -21,6 +22,7 @@ detection:
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
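Review bot: same concern as the process-creation counterpart earlier in this PR: `':\ProgramData\'` in a `Details|contains` list of suspicious paths is much noisier than `:\PerfLogs\` or `:\Windows\Registration\CRMLog`; confirm the rule's level and false-positive notes still fit after the addition.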