From fd1be59f557cadfbf8805da9b39c8275bb30fd0d Mon Sep 17 00:00:00 2001
From: Alexander McDonald
Date: Fri, 24 Jun 2022 16:44:40 -0400
Subject: [PATCH 1/3] New experimental rule designed to find process injection
---
...oc_creation_win_msra_process_injection.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
new file mode 100644
index 000000000..874610c2f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -0,0 +1,31 @@
+title: Msra.exe Process Injection
+status: experimental
+description: Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics
+author: Alexander McDonald
+date: 2022/06/24
+references:
+ - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
+ - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\msra.exe'
+ ParentCommandLine: 'msra.exe'
+ Image|endswith:
+ - 'arp.exe'
+ - 'cmd.exe'
+ - 'net.exe'
+ - 'netstat.exe'
+ - 'nslookup.exe'
+ - 'route.exe'
+ - 'schtasks.exe'
+ - 'whoami.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of Msra.exe
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1055
\ No newline at end of file
From e740cbcaa3e7f196407ae00ef586636333c05dc7 Mon Sep 17 00:00:00 2001
From: Alexander McDonald
Date: Fri, 24 Jun 2022 16:55:10 -0400
Subject: [PATCH 2/3] Including id number per the error reported in testing
---
.../proc_creation_win_msra_process_injection.yml | 1 +
1 file changed, 1 insertion(+)
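Review bot: The selection in this new rule fires on child processes spawned under msra.exe, not on the injection itself, so the title `Msra.exe Process Injection` and the lone `attack.t1055` tag under-describe what the analyst will see; the eight listed images are discovery and scheduling utilities, which the description already says. I would retitle along the lines of `Suspicious Child Process Of Msra.exe` and add `attack.discovery` next to the existing tags so the rule also surfaces when hunting by that tactic. The `description` value also misspells `Asssistance`, which should read `Assistance` before the rule is published.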
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index 874610c2f..ed83d9c5a 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -1,4 +1,5 @@
 title: Msra.exe Process Injection
+id: 744a188b-0415-4792-896f-11ddb0588dbc
 status: experimental
 description: Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics
 author: Alexander McDonald
From 1b08ee7916f37f8ec883e679cc75ab7a22116f6d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 25 Jun 2022 08:47:36 +0200
Subject: [PATCH 3/3] Update proc_creation_win_msra_process_injection.yml
---
...oc_creation_win_msra_process_injection.yml | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index ed83d9c5a..9cf409ee3 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -12,21 +12,21 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|endswith: '\msra.exe'
- ParentCommandLine: 'msra.exe'
+ ParentImage|endswith: '\msra.exe'
+ ParentCommandLine|endswith: 'msra.exe'
 Image|endswith:
- - 'arp.exe'
- - 'cmd.exe'
- - 'net.exe'
- - 'netstat.exe'
- - 'nslookup.exe'
- - 'route.exe'
- - 'schtasks.exe'
- - 'whoami.exe'
+ - '\arp.exe'
+ - '\cmd.exe'
+ - '\net.exe'
+ - '\netstat.exe'
+ - '\nslookup.exe'
+ - '\route.exe'
+ - '\schtasks.exe'
+ - '\whoami.exe'
 condition: selection
 falsepositives:
 - Legitimate use of Msra.exe
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1055
\ No newline at end of file
+ - attack.t1055
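Review bot: `ParentCommandLine|endswith: 'msra.exe'` adds nothing beyond `ParentImage|endswith: '\msra.exe'` and introduces a miss: the two fields are ANDed inside `selection`, so an msra.exe parent launched with a quoted path or any trailing argument has a command line that no longer ends in `msra.exe` and the child-process match is silently dropped. I would remove the `ParentCommandLine` line altogether, or, if a command-line anchor is wanted for some log sources, relax it to `ParentCommandLine|contains: 'msra.exe'`. The rest of the hunk (the leading `\` on each image name and the restored trailing newline) is sound and narrows partial-name matches as intended.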