From 2b2c5c42caa84077858c1c9cbeebd9d176e9fd65 Mon Sep 17 00:00:00 2001
From: "Mohamed Ashraf (X__Junior)"
Date: Fri, 9 Jun 2023 20:43:13 +0300
Subject: [PATCH 1/3] Create proc_creation_win_sndvol_susp_child_processes.yml

---
 ...eation_win_sndvol_susp_child_processes.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml

diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
new file mode 100644
index 000000000..1084c6a25
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -0,0 +1,21 @@
+title: Uncommon Child Processes Of SndVol.exe
+id: ba42babc-0666-4393-a4f7-ceaf5a69191e
+status: experimental
+description: Detects potential uncommon child processes of SndVol.exe
+references:
+ - https://twitter.com/Max_Mal_/status/1661322732456353792
+author: X__Junior (Nextron Systems)
+date: 2023/06/09
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: '\SndVol.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file

From d634acec1a734e14a3c3b53695867807fca9034a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 12 Jun 2023 00:23:04 +0200
Subject: [PATCH 2/3] feat: update legit child

---
 .../proc_creation_win_sndvol_susp_child_processes.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index 1084c6a25..853f3376a 100644
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -8,14 +8,16 @@ author: X__Junior (Nextron Systems)
 date: 2023/06/09
 tags:
 - attack.execution
- - attack.t1059
 logsource:
 product: windows
 category: process_creation
 detection:
 selection:
 ParentImage|endswith: '\SndVol.exe'
- condition: selection
+ filter_main_rundll32:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: ' shell32.dll,Control_RunDLL '
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium

From 2b520f9415f5356387865ac2225f50c0ac295265 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 12 Jun 2023 10:15:23 +0200
Subject: [PATCH 3/3] chore: update description

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../proc_creation_win_sndvol_susp_child_processes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index 853f3376a..993df932e 100644
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -1,7 +1,7 @@
 title: Uncommon Child Processes Of SndVol.exe
 id: ba42babc-0666-4393-a4f7-ceaf5a69191e
 status: experimental
-description: Detects potential uncommon child processes of SndVol.exe
+description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
 references:
 - https://twitter.com/Max_Mal_/status/1661322732456353792
 author: X__Junior (Nextron Systems)
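Review bot: The new `filter_main_rundll32` exclusion only requires the child to be rundll32.exe with ` shell32.dll,Control_RunDLL ` somewhere on the command line, but `Control_RunDLL` loads whatever .cpl path follows it, so a rundll32 child started with an attacker-supplied .cpl would be excluded by the very rule meant to catch uncommon children of SndVol.exe. If the legitimate child is the sound control-panel applet (presumably `mmsys.cpl` — confirm against a capture of what the mixer actually spawns), anchor the filter on it too: replace the single `CommandLine|contains:` line with `CommandLine|contains|all:` holding `- ' shell32.dll,Control_RunDLL '` and `- 'mmsys.cpl'`. A short comment above the filter naming the mixer UI action that produces this child (e.g. `# Opening "System Sounds"/device properties from the volume mixer`) would also help the next maintainer judge whether the exclusion is still appropriate.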
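Review bot: The reworded description still does not say why a child process of the volume mixer is worth alerting on, and the only reference is a tweet that may disappear, leaving the rule hard to tune or justify later. Add a sentence stating the expected abuse as far as the reference supports it, and a durable reference if one exists; for example `description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer). Under normal use the mixer is not expected to spawn anything beyond the sound control-panel applet, so other children may indicate abuse of the process for execution.` — the "only spawns the sound applet" part is inferred from the rundll32 filter added earlier in this series and should be checked before it is written down as fact.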