From 3cfb370266fc0516e1cb1268b52c1b194b7a169a Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 12 Jun 2022 21:36:52 +0100
Subject: [PATCH 1/9] Renamed LOLBIN Rules
---
 ..._compiler.yml => proc_creation_win_lolbin_aspnet_compiler.yml} | 0
 ...ation_win_lobas_bash.yml => proc_creation_win_lolbin_bash.yml} | 0
 ...rifiers.yml => proc_creation_win_lolbin_cl_mutexverifiers.yml} | 0
 ...licy.yml => proc_creation_win_lolbin_configsecuritypolicy.yml} | 0
 ...reation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml} | 0
 ...bas_diantz_ads.yml => proc_creation_win_lolbin_diantz_ads.yml} | 0
 ...ote_cab.yml => proc_creation_win_lolbin_diantz_remote_cab.yml} | 0
 ...olbas_extexport.yml => proc_creation_win_lolbin_extexport.yml} | 0
 ..._lolbas_extrac32.yml => proc_creation_win_lolbin_extrac32.yml} | 0
 ...extrac32_ads.yml => proc_creation_win_lolbin_extrac32_ads.yml} | 0
 ..._download.yml => proc_creation_win_lolbin_ieexec_download.yml} | 0
 ...shell.yml => proc_creation_win_lolbin_offlinescannershell.yml} | 0
 ..._win_lolbas_pubprn.yml => proc_creation_win_lolbin_pubprn.yml} | 0
 ...in_lolbas_replace.yml => proc_creation_win_lolbin_replace.yml} | 0
 ...proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml} | 0
 ...susp_grpconv.yml => proc_creation_win_lolbin_susp_grpconv.yml} | 0
 ...unctions.yml => proc_creation_win_lolbin_utilityfunctions.yml} | 0
 17 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_lobas_aspnet_compiler.yml => proc_creation_win_lolbin_aspnet_compiler.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lobas_bash.yml => proc_creation_win_lolbin_bash.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_cl_mutexverifiers.yml => proc_creation_win_lolbin_cl_mutexverifiers.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_configsecuritypolicy.yml => proc_creation_win_lolbin_configsecuritypolicy.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml => proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_diantz_ads.yml => proc_creation_win_lolbin_diantz_ads.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_diantz_remote_cab.yml => proc_creation_win_lolbin_diantz_remote_cab.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_extexport.yml => proc_creation_win_lolbin_extexport.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_extrac32.yml => proc_creation_win_lolbin_extrac32.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_extrac32_ads.yml => proc_creation_win_lolbin_extrac32_ads.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_ieexec_download.yml => proc_creation_win_lolbin_ieexec_download.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_offlinescannershell.yml => proc_creation_win_lolbin_offlinescannershell.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_pubprn.yml => proc_creation_win_lolbin_pubprn.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_replace.yml => proc_creation_win_lolbin_replace.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbins_susp_driver_installed_by_pnputil.yml => proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbins_susp_grpconv.yml => proc_creation_win_lolbin_susp_grpconv.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_utilityfunctions.yml => proc_creation_win_lolbin_utilityfunctions.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lobas_bash.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_ieexec_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbins_susp_driver_installed_by_pnputil.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbins_susp_grpconv.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
From 13b02a2aecd843b4a8551d78cc3b132f39c46a98 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 12 Jun 2022 21:37:42 +0100
Subject: [PATCH 2/9] Renamed LOLBIN Rules 2
---
 ...dassembly.yml => proc_creation_win_lolbin_cl_loadassembly.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_lolbas_cl_loadassembly.yml => proc_creation_win_lolbin_cl_loadassembly.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml
From ffd135c6b6984d3ac3f503488d0e699b61cd57bc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 12 Jun 2022 23:59:25 +0100
Subject: [PATCH 3/9] Renamed LOLBIN rules + Other
---
 ...c_creation_win_lolbin_certoc_download.yml} | 0
 ...reation_win_lolbin_class_exec_xwizard.yml} | 0
 ...ml => proc_creation_win_lolbin_cmdl32.yml} | 7 ++--
 ...ation_win_lolbin_dll_sideload_xwizard.yml} | 2 +-
 ...ml => proc_creation_win_lolbin_dump64.yml} | 0
 ...ml => proc_creation_win_lolbin_pcwrun.yml} | 0
 ...tion_win_lolbin_rasautou_dll_execution.yml | 30 +++++++++++++
 ...in_lolbin_rundll32_installscreensaver.yml} | 20 ++++-----
 ...ation_win_lolbin_susp_acccheckconsole.yml} | 4 +-
 ...roc_creation_win_lolbin_susp_atbroker.yml} | 0
 ...tion_win_lolbin_susp_certreq_download.yml} | 8 ++--
 ...> proc_creation_win_lolbin_susp_dxcap.yml} | 0
 ...tion_win_lolbin_susp_mpcmdrun_download.yml | 32 ++++++++++++++
 ...on_win_lolbin_susp_sqldumper_activity.yml} | 0
 ... => proc_creation_win_lolbin_susp_wsl.yml} | 0
 ...pvpublishingserver_execute_powershell.yml} | 0
 ...blishingserver_vbs_execute_powershell.yml} | 0
 ...creation_win_lolbin_tttracer_mod_load.yml} | 0
 ...tion_win_lolbin_visual_basic_compiler.yml} | 0
 ...l => proc_creation_win_lolbin_winword.yml} | 0
 ...oc_creation_win_rasautou_dll_execution.yml | 31 --------------
 ...oc_creation_win_susp_mpcmdrun_download.yml | 32 --------------
 .../proc_creation_win_tool_runx_as_system.yml | 2 +-
 ...=> proc_creation_win_uac_bypass_cmstp.yml} | 0
 ...roc_creation_win_uac_bypass_fodhelper.yml} | 0
 .../proc_creation_win_uac_bypass_wsreset.yml | 42 +++++++++---------
 ...win_uac_bypass_wsreset_integrity_level.yml | 27 ++++++++++++
 .../proc_creation_win_uac_wsreset.yml | 25 -----------
 ..._set_lolbin_onedrivestandaloneupdater.yml} | 2 +-
 29 files changed, 133 insertions(+), 131 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_certoc_download.yml => proc_creation_win_lolbin_certoc_download.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_class_exec_xwizard.yml => proc_creation_win_lolbin_class_exec_xwizard.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_cmdl32_lolbas.yml => proc_creation_win_lolbin_cmdl32.yml} (88%)
 rename rules/windows/process_creation/{proc_creation_win_dll_sideload_xwizard.yml => proc_creation_win_lolbin_dll_sideload_xwizard.yml} (96%)
 rename rules/windows/process_creation/{proc_creation_win_win_lolbas_dump64.yml => proc_creation_win_lolbin_dump64.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_indirect_cmd_compatibility_assistant.yml => proc_creation_win_lolbin_pcwrun.yml} (100%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
 rename rules/windows/process_creation/{proc_creation_win_rundll32_installscreensaver.yml => proc_creation_win_lolbin_rundll32_installscreensaver.yml} (52%)
 rename rules/windows/process_creation/{proc_creation_win_susp_acccheckconsole.yml => proc_creation_win_lolbin_susp_acccheckconsole.yml} (87%)
 rename rules/windows/process_creation/{proc_creation_win_susp_atbroker.yml => proc_creation_win_lolbin_susp_atbroker.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_certreq_download.yml => proc_creation_win_lolbin_susp_certreq_download.yml} (82%)
 rename rules/windows/process_creation/{proc_creation_win_susp_dxcap.yml => proc_creation_win_lolbin_susp_dxcap.yml} (100%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
 rename rules/windows/process_creation/{proc_creation_win_susp_sqldumper_activity.yml => proc_creation_win_lolbin_susp_sqldumper_activity.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_wsl_lolbin.yml => proc_creation_win_lolbin_susp_wsl.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_syncappvpublishingserver_execute_powershell.yml => proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml => proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_tttracer_mod_load.yml => proc_creation_win_lolbin_tttracer_mod_load.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_visual_basic_compiler.yml => proc_creation_win_lolbin_visual_basic_compiler.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_winword_lolbin.yml => proc_creation_win_lolbin_winword.yml} (100%)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml
 rename rules/windows/process_creation/{proc_creation_win_uac_cmstp.yml => proc_creation_win_uac_bypass_cmstp.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_uac_fodhelper.yml => proc_creation_win_uac_bypass_fodhelper.yml} (100%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_uac_wsreset.yml
 rename rules/windows/registry/registry_set/{registry_set_lolbas_onedrivestandaloneupdater.yml => registry_set_lolbin_onedrivestandaloneupdater.yml} (97%)
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_certoc_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_class_exec_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_class_exec_xwizard.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
similarity index 88%
rename from rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
index 829567483..813f33779 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
@@ -12,18 +12,19 @@ tags:
 - attack.t1202
 author: frack113
 date: 2021/11/03
+modified: 2022/06/12
 logsource:
 category: process_creation
 product: windows
 detection:
- cmdl32:
+ selection_img:
 - Image|endswith: '\cmdl32.exe'
 - OriginalFileName: CMDL32.EXE
- options:
+ selection_cli:
 CommandLine|contains|all:
 - '/vpn '
 - '/lan '
- condition: cmdl32 and options
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
similarity index 96%
rename from rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
index a9102fa15..ba9184b1c 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
@@ -5,7 +5,7 @@ description: Detects the execution of Xwizard tool from the non-default director
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-author: Christian Burkard
+author: Christian Burkard
 date: 2021/09/20
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_win_lolbas_dump64.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_win_lolbas_dump64.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
diff --git a/rules/windows/process_creation/proc_creation_win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_indirect_cmd_compatibility_assistant.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
new file mode 100644
index 000000000..ad81c2104
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -0,0 +1,30 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+status: test
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+author: Julia Fomina, oscd.community
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+date: 2020/10/09
+modified: 2022/06/12
+logsource:
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+ selection_img:
+ - Image|endswith: '\rasautou.exe'
+ - OriginalFileName: 'rasdlui.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' -d '
+ - ' -p '
+ condition: all of selection*
+falsepositives:
+ - Unlikely
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
similarity index 52%
rename from rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
index e3b36653f..c49116aa4 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
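Review bot: The `selection_cli` tokens are tightened from the bare `'-d'`/`'-p'` of the deleted proc_creation_win_rasautou_dll_execution.yml to space-padded `' -d '`/`' -p '`, so this file changes what the rule matches rather than only moving it, and neither the subject line ("Renamed LOLBIN rules + Other") nor the rule records that. The padding stops the rule firing on any command line that merely contains `-d` or `-p` inside a path or another switch, which is the sensible direction, but it now also requires a space on both sides of each option; the description says both take an argument, so that should hold, and a one-line note in the commit message would save the next reader the comparison. Git also recorded this as a create plus a delete instead of a rename, which breaks blame history for the rule even though the `id` is unchanged; regenerating the series with a lower rename threshold would keep the two linked.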
@@ -4,19 +4,19 @@ status: experimental
 description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
 references:
- - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+ - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 date: 2022/04/28
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\rundll32.exe'
- CommandLine|contains: 'InstallScreenSaver'
- condition: selection
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: 'InstallScreenSaver'
+ condition: selection
 falsepositives:
- - Legitimate installation of a new screensaver
+ - Legitimate installation of a new screensaver
 level: medium
 tags:
- - attack.t1218.011
- - attack.defense_evasion
+ - attack.t1218.011
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
similarity index 87%
rename from rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
index 4d363511c..693a98743 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
@@ -15,8 +15,8 @@ logsource:
 product: windows
 detection:
 selection_img:
- Image|endswith: '\AccCheckConsole.exe'
- OriginalFileName: 'AccCheckConsole.exe'
+ - Image|endswith: '\AccCheckConsole.exe'
+ - OriginalFileName: 'AccCheckConsole.exe'
 selection_cli:
 CommandLine|contains|all:
 - ' -window '
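Review bot: Turning the `selection_img` map into a list in the acccheckconsole hunk changes the Sigma semantics from Image AND OriginalFileName to Image OR OriginalFileName, so the rename also widens the detection, yet as far as the diffstat for this file (`4 +-`) shows the rule's `modified:` date is not updated. The certreq hunk below has the same gap: it adds an `OriginalFileName` alternative and a separate `selection_cli`, and its diffstat (`8 ++--`) likewise accounts only for the lines visible in the hunk. Sigma convention is to set `modified:` whenever the detection logic changes; I would add `modified: 2022/06/12` to both rules, matching the date the cmdl32 hunk uses. The header fields sit above these hunks and outside SOURCE, so I cannot see whether an older `modified:` line already exists to be replaced.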
diff --git a/rules/windows/process_creation/proc_creation_win_susp_atbroker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_atbroker.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
similarity index 82%
rename from rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
index 202947360..c4ec6ff5c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
@@ -10,14 +10,16 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\certreq.exe'
+ selection_img:
+ - Image|endswith: '\certreq.exe'
+ - OriginalFileName: 'CertReq.exe'
+ selection_cli:
 CommandLine|contains|all:
 - ' -Post '
 - ' -config '
 - ' http'
 - ' C:\windows\win.ini '
- condition: selection
+ condition: all of selection*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_dxcap.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
new file mode 100644
index 000000000..552f7684b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
@@ -0,0 +1,32 @@
+title: Windows Defender Download Activity
+id: 46123129-1024-423e-9fae-43af4a0fa9a5
+status: test
+description: Detect the use of Windows Defender to download payloads
+author: Matthew Matchen
+references:
+ - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
+ - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
+date: 2020/09/04
+modified: 2022/06/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - CommandLine|contains: 'MpCmdRun.exe'
+ - Description: 'Microsoft Malware Protection Command Line Utility'
+ selection2:
+ CommandLine|contains|all:
+ - 'DownloadFile'
+ - 'url'
+ condition: selection1 and selection2
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sqldumper_activity.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_sqldumper_activity.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
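Review bot: `selection1` identifies the tool by `CommandLine|contains: 'MpCmdRun.exe'` or the `Description` field, while every other rule touched in this series keys the binary on `Image|endswith` and `OriginalFileName`; a `CommandLine` substring fires on any process whose arguments merely mention the file name, and `Description` is only populated by some process-creation sources (Sysmon-style events), so on a plain 4688 feed a copy started under another name is not covered. Since the file is re-created here anyway and its `modified:` date is already bumped, I would add `- Image|endswith: '\MpCmdRun.exe'` as a further `selection1` alternative and keep the existing two entries. The `'url'` token in `selection2` is likewise a bare substring; if the switch is consistently written as `-url`, `' -url '` would be the tighter form, though the page does not show the exact spelling, so that part should be checked against the referenced LOLBAS entry first.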
diff --git a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml
diff --git a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml
diff --git a/rules/windows/process_creation/proc_creation_win_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_tttracer_mod_load.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_visual_basic_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_visual_basic_compiler.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
diff --git a/rules/windows/process_creation/proc_creation_win_winword_lolbin.yml b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_winword_lolbin.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
diff --git a/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml
deleted file mode 100644
index 3dc9e1ad2..000000000
--- a/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: DLL Execution via Rasautou.exe
-id: cd3d1298-eb3b-476c-ac67-12847de55813
-status: test
-description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-author: Julia Fomina, oscd.community
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
- - https://github.com/fireeye/DueDLLigence
- - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
-date: 2020/10/09
-modified: 2021/11/27
-logsource:
- product: windows
- category: process_creation
- definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
-detection:
- use_rasautou:
- Image|endswith: '\rasautou.exe'
- remaned_rasautou:
- OriginalFileName: 'rasdlui.exe'
- special_keys:
- CommandLine|contains|all:
- - '-d'
- - '-p'
- condition: (use_rasautou or remaned_rasautou) and special_keys
-falsepositives:
- - Unlikely
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml
deleted file mode 100644
index f5a0eb93f..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Windows Defender Download Activity
-id: 46123129-1024-423e-9fae-43af4a0fa9a5
-status: test
-description: Detect the use of Windows Defender to download payloads
-author: Matthew Matchen
-references:
- - https://twitter.com/djmtshepana/status/1301608169496612866
- - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
-date: 2020/09/04
-modified: 2021/11/27
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- - CommandLine|contains: 'MpCmdRun.exe'
- - Description: 'Microsoft Malware Protection Command Line Utility'
- selection2:
- CommandLine|contains|all:
- - 'DownloadFile'
- - 'url'
- condition: selection1 and selection2
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
index 75eae1053..ea0ad60e7 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' /account=system '
 - '/exec='
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_uac_cmstp.yml
rename to rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
diff --git a/rules/windows/process_creation/proc_creation_win_uac_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_uac_fodhelper.yml
rename to rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
index 8e4707a93..9cec27839 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
@@ -1,27 +1,25 @@
-title: UAC Bypass WSReset
-id: 89a9a0e0-f61a-42e5-8957-b1479565a658
-description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
+title: Bypass UAC via WSReset.exe
+id: d797268e-28a9-49a7-b9a8-2f5039011c5c
+status: test
+description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 references:
- - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- - https://github.com/hfiref0x/UACME
- - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
+ - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2022/05/13
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\wsreset.exe'
- IntegrityLevel:
- - 'High'
- - 'System'
- condition: selection
+ selection:
+ ParentImage|endswith: '\wsreset.exe'
+ filter:
+ - Image|endswith: '\conhost.exe'
+ - OriginalFileName: 'CONHOST.EXE'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
new file mode 100644
index 000000000..8e4707a93
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
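Review bot: The new side of this hunk replaces the entire body of proc_creation_win_uac_bypass_wsreset.yml with the content of proc_creation_win_uac_wsreset.yml (same id d797268e-28a9-49a7-b9a8-2f5039011c5c, deleted in the following hunk), while the previous body reappears verbatim as the new file proc_creation_win_uac_bypass_wsreset_integrity_level.yml (blob 8e4707a93 on both sides), so git records a modify/add/delete instead of two renames and the history of both rules is cut. Doing the swap as two `git mv` steps (the old file to the `_integrity_level` name first, then uac_wsreset.yml to uac_bypass_wsreset.yml) keeps 100% similarity and makes these show up as renames like the other files in this series. Neither rule's `modified` date was touched, which is consistent with treating the change as a pure move, but only holds if the detection bodies really are byte-identical to the old files, which the blob ids suggest for the new file and this hunk's `+` lines suggest for the moved one.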
@@ -0,0 +1,27 @@
+title: UAC Bypass WSReset
+id: 89a9a0e0-f61a-42e5-8957-b1479565a658
+description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
+ - https://github.com/hfiref0x/UACME
+ - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wsreset.exe'
+ IntegrityLevel:
+ - 'High'
+ - 'System'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml
deleted file mode 100644
index 9cec27839..000000000
--- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Bypass UAC via WSReset.exe
-id: d797268e-28a9-49a7-b9a8-2f5039011c5c
-status: test
-description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
-date: 2019/10/24
-modified: 2022/05/13
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- ParentImage|endswith: '\wsreset.exe'
- filter:
- - Image|endswith: '\conhost.exe'
- - OriginalFileName: 'CONHOST.EXE'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.privilege_escalation
- - attack.t1548.002
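Review bot: `falsepositives: - Unknown` in the new proc_creation_win_uac_bypass_wsreset_integrity_level.yml understates what the rule matches: the selection fires on every `\wsreset.exe` start whose `IntegrityLevel` is High or System, and if WSReset.exe auto-elevates (which is what the UACME reference describes as the bypass primitive) a benign Store reset launched by an administrator shows up the same way. Consider recording that, e.g. `falsepositives: - Legitimate WSReset.exe use by administrators, which may also run at high integrity`, and noting in `description` that this is the coarse integrity-level variant that pairs with the parent-image rule in proc_creation_win_uac_bypass_wsreset.yml so that readers understand why two wsreset rules now exist side by side. The body is the old uac_bypass_wsreset.yml content unchanged, so no detection change is proposed here.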
diff --git a/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
similarity index 97%
rename from rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
rename to rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index b55d8d8af..24ad1a6f4 100644
--- a/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.command_and_control
- - attack.t1105
+ - attack.t1105
From 7b3e6c7f59736c566bea4e315c85423a692a47a9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 00:21:32 +0100
Subject: [PATCH 4/9] Update proc_creation_win_lolbin_rasautou_dll_execution.yml
---
 .../proc_creation_win_lolbin_rasautou_dll_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
index ad81c2104..0bba60fa3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -21,7 +21,7 @@ detection:
 CommandLine|contains|all:
 - ' -d '
 - ' -p '
- condition: all of selection*
+ condition: all of selection*
 falsepositives:
 - Unlikely
 level: medium
From 21f20c9e7aaead0db3b90f0125cf6b8a7d17a23c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 00:52:53 +0100
Subject: [PATCH 5/9] Renamed to shorter names
---
 ...reation_win_lolbin_syncappvpublishingserver_execute_psh.yml} | 2 +-
 ...ion_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename rules/windows/process_creation/{proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml => proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml} (97%)
 rename rules/windows/process_creation/{proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml => proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index 53a1dd165..f87c89905 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -21,7 +21,7 @@ detection:
 selection:
 Image|endswith: '\SyncAppvPublishingServer.exe'
 CommandLine|contains: '"n; '
- condition: selection
+ condition: selection
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
From e96532344f37b63f36355b1efdad4250637c171c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 Jun 2022 11:31:47 +0100
Subject: [PATCH 6/9] Removed "modified" date
---
 .../proc_creation_win_lolbin_rasautou_dll_execution.yml | 1 -
 .../proc_creation_win_lolbin_susp_mpcmdrun_download.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
index 0bba60fa3..927e8485d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -8,7 +8,6 @@ references:
 - https://github.com/fireeye/DueDLLigence
 - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
 date: 2020/10/09
-modified: 2022/06/12
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
index 552f7684b..0b180c0dc 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
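Review bot: Removing `modified` from proc_creation_win_lolbin_rasautou_dll_execution.yml leaves the rule looking untouched since `date: 2020/10/09`, but it is not: the original proc_creation_win_rasautou_dll_execution.yml deleted earlier in this series carried `modified: 2021/11/27` and a different detection block (`use_rasautou`/`remaned_rasautou`/`special_keys` matching `'-d'`/`'-p'`), whereas the renamed rule now matches `' -d '`/`' -p '` under `condition: all of selection*`. The same applies to the mpcmdrun hunk that follows in proc_creation_win_lolbin_susp_mpcmdrun_download.yml, whose original also carried `modified: 2021/11/27` and a different reference URL. Keeping a `modified` value (2022/06/12 for the logic change, or at minimum the earlier 2021/11/27) keeps the metadata truthful for consumers that track rule revisions by it; if the intent is that a renamed rule must not carry `modified`, that convention should be stated in the commit message.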
@@ -7,7 +7,6 @@ references:
 - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 date: 2020/09/04
-modified: 2022/06/12
 logsource:
 category: process_creation
 product: windows
From 92c2976793b92e2ee4f562e2ead9158ecba17420 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 13 Jun 2022 13:26:17 +0200
Subject: [PATCH 7/9] docs: add Follina reference in description
---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 2 +-
 .../process_creation/proc_creation_win_msdt_susp_parent.yml | 2 +-
 .../proc_creation_win_sdiagnhost_susp_child.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 9eb580e3e..2989d7932 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -1,7 +1,7 @@
 title: Execute Arbitrary Commands Using MSDT.EXE
 id: 258fc8ce-8352-443a-9120-8a11e4857fa5
 status: experimental
-description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
+description: Detects word documents leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 / Follina exploitation
 author: Nasreddine Bencherchali (rule)
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index f014392af..2f9db68c3 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -1,7 +1,7 @@
 title: MSDT Executed with Suspicious Parent
 id: 7a74da6b-ea76-47db-92cc-874ad90df734
 status: experimental
-description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190
+description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index 4aead43f5..5cc19de91 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -1,7 +1,7 @@
 title: Sdiagnhost Calling Suspicious Child Process
 id: f3d39c45-de1a-4486-a687-ab126124f744
 status: experimental
-description: Detects sdiagnhost.exe calling a suspicious child process
+description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
From d382f91313dfa1896b7c0fa05e261ecf9ccfbd5b Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 13 Jun 2022 13:26:41 +0200
Subject: [PATCH 8/9] fix: FP with AVG anti virus
---
 .../registry_set_asep_reg_keys_modification_office.yml | 7 +++++--
 .../registry_set/registry_set_office_vsto_persistence.yml | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 0ccfbc260..dc54aaaae 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -53,10 +53,13 @@ detection:
 - '\Outlook\Addins\UCAddin.UCAddin.1'
 - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
 filter_officeclicktorun:
- Image|startswith:
+ Image|startswith:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: office and office_details and not 1 of filter_*
 fields:
 - SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
index 9f2d1fe8a..d3c9a0508 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
@@ -7,7 +7,7 @@ references:
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -30,6 +30,9 @@ detection:
 - '\winword.exe'
 - '\integrator.exe'
 - '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate Addin Installation
From 037bf0f6bb7281f2f7cbb798059c9b9757ba29a1 Mon Sep 17 00:00:00 2001
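Review bot: The new `filter_avg` block in the `@@ -53,10 +53,13 @@` hunk of registry_set_asep_reg_keys_modification_office.yml is added verbatim again in the `@@ -30,6 +30,9 @@` hunk of registry_set_office_vsto_persistence.yml, in both cases without saying what it exempts or why, even though this file already annotates lines inline (`# a list with registry keys`). A one-line note on the filter, e.g. `filter_avg:  # AVG Antivirus registering its Outlook add-in (Antivirus.AsOutExt) via its own RegSvr.exe`, would let a later maintainer judge whether the allow-list is still warranted when either rule is revisited. Scoping the exemption by both `Image` and `TargetObject|contains` (ANDed inside the map) is the right shape for a vendor allow-list; it only matches the exact `C:\Program Files\AVG\Antivirus\` path, so if AVG also installs under `Program Files (x86)` on some systems that variant would still alert, which is worth confirming against the event that motivated the fix.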
From: Florian Roth
Date: Mon, 13 Jun 2022 18:27:56 +0200
Subject: [PATCH 9/9] Update proc_creation_win_lolbin_susp_certreq_download.yml
---
 .../proc_creation_win_lolbin_susp_certreq_download.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
index c4ec6ff5c..1cd31bf1e 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
 author: Christian Burkard
 date: 2021/11/24
+modified: 2022/06/13
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
 logsource: