From a38c0218765a89f5d18eadd49639c72a5d25d944 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 13:24:59 +0300
Subject: [PATCH 1/3] Created rule win_susp_presentationhost_execution.yml
---
 .../win_susp_presentationhost_execution.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_presentationhost_execution.yml
diff --git a/rules/windows/process_creation/win_susp_presentationhost_execution.yml b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
new file mode 100644
index 000000000..f8cd768b0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
@@ -0,0 +1,25 @@
+title: Application Whitelisting Bypass via PresentationHost.exe
+id: d149a338-ae47-408e-a8ff-9064220c0b34
+description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
+ - https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
+ - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\presentationhost.exe'
+ CommandLine|contains: '.xbap'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
From 1581be1ec2f5f35a14372f3213dd2c726e12375c Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:00:43 +0300
Subject: [PATCH 2/3] Created rule win_susp_sqldumper_activity.yml
---
 .../win_susp_sqldumper_activity.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml
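Review bot: The selection keys on `Image|endswith: '\presentationhost.exe'` alone, so a copy of the binary dropped under another name launches the same .xbap without matching; for a LOLBin rule the usual Sigma pattern is to also accept the PE's original file name and AND that with the command-line test, as sketched below. Any `.xbap` on the command line also covers every legitimate in-house WPF browser application, so `falsepositives: - Unknown` understates it; I would list `Legitimate XBAP (WPF browser application) deployments` there and soften the description, which promises a "malicious" .xbap the rule cannot distinguish from a benign one. `attack.execution` is a tactic tag with no technique next to it; if that is intended it is fine, otherwise drop it or add the technique it stands for.
```yaml
# … unchanged: title, id, description, references, author, date, tags, logsource …
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains: '.xbap'
    condition: selection_img and selection_cli
# … unchanged: level, falsepositives …
```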
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 000000000..50d90f94b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,30 @@
+title: Dumping process via sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+analysis:
+ recommendation: Check if the user is compromised and watch for further suspicious activity
+level: medium
From a09488a90f3bd18131c03c92290cb53ddbd3d40a Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:20:32 +0300
Subject: [PATCH 3/3] revert changes for making new pull request
---
 .../win_susp_sqldumper_activity.yml | 30 -------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
deleted file mode 100644
index 50d90f94b..000000000
--- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml
+++ /dev/null
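Review bot: The second `CommandLine|contains` value is dead: `'0x01100:40'` contains `'0x0110'`, so the first pattern already matches every command line the second could, and the list collapses to `CommandLine|contains: '0x0110'`. As in the sibling PresentationHost rule, matching only on `Image|endswith: '\sqldumper.exe'` lets a renamed copy of the binary through; accepting `OriginalFileName: 'SQLDUMPER.EXE'` as an alternative to the image path (Sigma string matching is case-insensitive) closes that gap. `Legitimate MSSQL Server actions` is acknowledged as a false positive but nothing filters it; if in your telemetry legitimate dumps are spawned by the SQL Server service, a `ParentImage|endswith: '\sqlservr.exe'` filter would keep the medium level honest, though I would confirm that parent relationship before excluding it. `analysis:` is not a field I can find in the Sigma specification, so the repository's rule checks or converters may warn on it; that sentence would be safer folded into `description`.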
@@ -1,30 +0,0 @@
-title: Dumping process via sqldumper.exe
-id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
-description: Detects process dump via legitimate sqldumper.exe binary
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- - https://twitter.com/countuponsec/status/910977826853068800
- - https://twitter.com/countuponsec/status/910969424215232518
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
-author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1003.001
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\sqldumper.exe'
- CommandLine|contains:
- - '0x0110'
- - '0x01100:40'
- condition: selection
-falsepositives:
- - Legitimate MSSQL Server actions
-analysis:
- recommendation: Check if the user is compromised and watch for further suspicious activity
-level: medium