From b7ea91278e3263b341b2c1b1e04bd260c746ec13 Mon Sep 17 00:00:00 2001
From: Josh
Date: Mon, 26 Feb 2024 05:37:37 -0500
Subject: [PATCH] Merge PR #4719 from @joshnck - Update Rules Related To RunHTMLApplication Abuse update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for new reported bypass remove: Rundll32 JS RunHTMLApplication Pattern remove: Suspicious Rundll32 Script in CommandLine --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ation_win_rundll32_js_runhtmlapplication.yml | 8 +++++---
 .../proc_creation_win_rundll32_script_run.yml | 4 ++--
 ...n_win_rundll32_mshtml_runhtmlapplication.yml | 17 +++++++++++++----
 3 files changed, 20 insertions(+), 9 deletions(-)
 rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_rundll32_js_runhtmlapplication.yml (75%)
 rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_rundll32_script_run.yml (96%)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml b/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
similarity index 75%
rename from rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml
rename to deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
index 04b77fd79..5507c6b29 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml
+++ b/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
@@ -1,11 +1,12 @@
 title: Rundll32 JS RunHTMLApplication Pattern
 id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
-status: test
+status: deprecated
 description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
 references:
     - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 author: Florian Roth (Nextron Systems)
-date: 2022/01/14
+date: 2024/02/23
 tags:
     - attack.defense_evasion
 logsource:
@@ -16,7 +17,8 @@ detection:
         CommandLine|contains|all:
             - 'rundll32'
             - 'javascript'
-            - '..\..\mshtml,RunHTMLApplication'
+            - '..\..\mshtml,'
+            - 'RunHTMLApplication'
     selection2:
         CommandLine|contains: ';document.write();GetObject("script'
     condition: 1 of selection*
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml b/deprecated/windows/proc_creation_win_rundll32_script_run.yml
similarity index 96%
rename from rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
rename to deprecated/windows/proc_creation_win_rundll32_script_run.yml
index 827b016b8..f8a8b1da7 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
+++ b/deprecated/windows/proc_creation_win_rundll32_script_run.yml
@@ -1,13 +1,13 @@
 title: Suspicious Rundll32 Script in CommandLine
 id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
-status: test
+status: deprecated
 description: Detects suspicious process related to rundll32 based on arguments
 references:
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
     - https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md
 author: frack113, Zaw Min Htun (ZETA)
 date: 2021/12/04
-modified: 2023/02/03
+modified: 2024/02/23
 tags:
     - attack.defense_evasion
     - attack.t1218.011
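Review bot: The `-date: 2022/01/14` / `+date: 2024/02/23` pair in the first hunk overwrites the rule's creation date instead of recording the deprecation as a modification, so the original authoring date of 9f06447a is lost from history. The other rule deprecated by this same commit (proc_creation_win_rundll32_script_run.yml, later on this line) does it the other way round and keeps `date:` while bumping `modified:`; the two deprecations should agree. Suggested lines: keep `date: 2022/01/14` unchanged and add `modified: 2024/02/23` directly after it.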
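Review bot: The second hunk (`@@ -16,7 +17,8 @@`) rewrites the detection logic of a rule that this very commit sets to `status: deprecated` and moves under deprecated/, splitting `'..\..\mshtml,RunHTMLApplication'` into two separate `|contains|all` terms. A deprecated rule is kept as a frozen record of what was shipped, so loosening its matching here is dead logic and makes the archived copy diverge from every version that was ever active. The broadened matching is already carried by the replacement rule 4782eb5a (it requires `mshtml` plus either `RunHTMLApplication` or `#135`), so the cleanest fix is to leave this hunk's detection block unchanged and only keep the `status`/reference/date edits. The enclosing `detection:` and `selection1:` keys start above the hunk.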
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
index ee8bb05c6..8463d8459 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
@@ -1,16 +1,23 @@
-title: Mshtml DLL RunHTMLApplication Abuse
+title: Mshtml.DLL RunHTMLApplication Suspicious Usage
 id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
 related:
     - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
-      type: derived
+      type: obsoletes
+    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
+      type: obsoletes
 status: test
-description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
+description: |
+    Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
 references:
     - https://twitter.com/n1nj4sec/status/1421190238081277959
-author: Nasreddine Bencherchali (Nextron Systems)
+    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
+    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
 date: 2022/08/14
+modified: 2024/02/23
 tags:
     - attack.defense_evasion
+    - attack.execution
 logsource:
     category: process_creation
     product: windows
@@ -19,6 +26,8 @@ detection:
         CommandLine|contains|all:
             - '\..\'
             - 'mshtml'
+        CommandLine|contains:
+            - '#135'
             - 'RunHTMLApplication'
     condition: selection
 falsepositives:
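Review bot: The first hunk marks this rule as obsoleting 73fcad2e, but the `tags:` block only gains `attack.execution` and does not carry over the `attack.t1218.011` technique tag that 73fcad2e had (visible in its hunk earlier in this patch), so the merge loses the only sub-technique mapping for rundll32 proxy execution and the rule is left with tactic-level tags alone. Add `    - attack.t1218.011` under `tags:` so consumers that pivot on technique keep finding this coverage after the old rule disappears. Minor: `description: |` keeps a trailing newline in the rendered description; `|-` would match the previous single-line value more closely if that matters to downstream tooling.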
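Review bot: In the second hunk (`@@ -19,6 +26,8 @@`) the new `CommandLine|contains` alternative `'#135'` is undocumented, and the rewritten description in the first hunk still speaks only of the "RunHTMLApplication export" by name, so a reader cannot tell from the rule why a bare number matches or which reference explains it. Extend the description with something like "invoked either by export name or by its export ordinal (#135), see the hyp3rlinx mitigation-bypass advisory", and add a YAML comment above the item, `# RunHTMLApplication export ordinal; see PART2 advisory in references`. Note also that, because the previous context line `- 'RunHTMLApplication'` is unchanged, the diff silently re-parents it from the `|all` list to the new OR-list; a comment is the cheapest way to make that structure obvious to the next editor. The enclosing `detection:` and `selection:` keys start above the hunk and `falsepositives:` continues below it.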