security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rules: advancedrun executions

Browse Source
This commit is contained in:
Florian Roth
2022-01-20 11:08:08 +01:00
parent 9b7b48c0e6
commit 8cf78fb4e6
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_advancedrun.yml
+28
View File
@@ -0,0 +1,28 @@
title: Suspicious AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
status: experimental
description: Detects the execution of AdvancedRun utitlity
references:
- https://twitter.com/splinter_code/status/1483815103279603714
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth
date: 2022/01/20
logsource:
product: windows
category: process_creation
detection:
selection:
- Image|endswith: '\AdvancedRun.exe'
- CommandLine|contains|all:
- ' /EXEFilename '
- ' /Run'
- CommandLine|contains|all:
- ' /WindowState 0'
- ' /RunAs '
- ' /CommandLine '
condition: selection
falsepositives:
- Unknown
level: medium
rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
+30
View File
@@ -0,0 +1,30 @@
title: Suspicious AdvancedRun Runas Priv User
id: fa00b701-44c6-4679-994d-5a18afa8a707
status: experimental
description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller or SYSTEM account
references:
- https://twitter.com/splinter_code/status/1483815103279603714
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth
date: 2022/01/20
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '/EXEFilename'
- '/CommandLine'
selection_runas:
- CommandLine|contains:
- ' /RunAs 8 '
- ' /RunAs 4 '
- CommandLine|endswith:
- '/RunAs 8'
- '/RunAs 4'
condition: all of selection*
falsepositives:
- Unknown
level: high