diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 7d1ae95bc..e5644e4c0 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -73,3 +73,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
+416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
diff --git a/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx
new file mode 100755
index 000000000..971258749
Binary files /dev/null and b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx differ
diff --git a/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json
new file mode 100644
index 000000000..25b1dce79
--- /dev/null
+++ b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json
@@ -0,0 +1,59 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 7, + "Version": 3, + "Level": 4, + "Task": 7, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:57:32.309580Z" + } + }, + "EventRecordID": 676402, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:57:32.308", + "ProcessGuid": "0197231E-046C-6928-160C-000000000D00", + "ProcessId": 296, + "Image": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe", + "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll", + "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", + "Description": "Windows Core Debugging Helpers", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "DBGCORE.DLL", + "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C", + "Signed": "true", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "User": "swachchhanda\\xodih" + } + } +} diff --git a/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml new file mode 100644 index 000000000..fa6b5d07d --- /dev/null +++ b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml 
@@ -0,0 +1,12 @@
+id: bc1c627e-6529-459d-9bd6-74ffb88b3320
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+ title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx
diff --git a/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
new file mode 100755
index 000000000..94998d757
Binary files /dev/null and b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx differ
diff --git a/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json
new file mode 100644
index 000000000..2c7b47496
--- /dev/null
+++ b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json
@@ -0,0 +1,59 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 7, + "Version": 3, + "Level": 4, + "Task": 7, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:40:10.165324Z" + } + }, + "EventRecordID": 571146, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4272 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:40:10.132", + "ProcessGuid": "0197231E-005A-6928-A50B-000000000D00", + "ProcessId": 4460, + "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", + "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll", + "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", + "Description": "Windows Core Debugging Helpers", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "DBGCORE.DLL", + "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C", + "Signed": "true", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "User": "swachchhanda\\xodih" + } + } +} diff --git a/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml new file mode 100644 index 000000000..8dc34fd39 --- /dev/null +++ b/regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml 
@@ -0,0 +1,12 @@
+id: 63b16abe-2d5c-4a2f-b0ae-f1bc4580e40c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+ title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
diff --git a/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx
new file mode 100755
index 000000000..978b3f8bc
Binary files /dev/null and b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx differ
diff --git a/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json
new file mode 100644
index 000000000..f6c56e496
--- /dev/null
+++ b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json
@@ -0,0 +1,56 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 10, + "Version": 3, + "Level": 4, + "Task": 10, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:57:32.317336Z" + } + }, + "EventRecordID": 676404, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:57:32.315", + "SourceProcessGUID": "0197231E-046C-6928-160C-000000000D00", + "SourceProcessId": 296, + "SourceThreadId": 5260, + "SourceImage": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe", + "TargetProcessGUID": "0197231E-2DD5-691E-0C00-000000000D00", + "TargetProcessId": 860, + "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe", + "GrantedAccess": "0x1fffff", + "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+16bcc4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+17aee0|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+7f7dc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+c8d28|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+44c34|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+48f2c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+3d414|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+29c7c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+2a1f0|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+4f894|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+3a64|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+2576|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+20c9|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+1a0b|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+48cc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+f17ac", + "SourceUser": "swachchhanda\\xodih", + "TargetUser": "NT AUTHORITY\\SYSTEM" + } + } 
+}
diff --git a/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
new file mode 100644
index 000000000..08d7f5f63
--- /dev/null
+++ b/regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
@@ -0,0 +1,12 @@
+id: f0a580dc-386c-4049-8ca4-cef9f956dc4c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+ title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx
diff --git a/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx
new file mode 100755
index 000000000..3e5880c61
Binary files /dev/null and b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx differ
diff --git a/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json
new file mode 100644
index 000000000..192744b94
--- /dev/null
+++ b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json
@@ -0,0 +1,56 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 10, + "Version": 3, + "Level": 4, + "Task": 10, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:22:22.033828Z" + } + }, + "EventRecordID": 445923, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:22:22.031", + "SourceProcessGUID": "0197231E-FC2D-6927-810B-000000000D00", + "SourceProcessId": 7224, + "SourceThreadId": 4144, + "SourceImage": "C:\\Windows\\System32\\WerFaultSecure.exe", + "TargetProcessGUID": "0197231E-2DD8-691E-4D00-000000000D00", + "TargetProcessId": 3472, + "TargetImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25100.9008-0\\MsMpEng.exe", + "GrantedAccess": "0x1fffff", + "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+1284|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+185c4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+4fe50|C:\\Windows\\System32\\dbgcore.DLL+164cc|C:\\Windows\\System32\\dbgcore.DLL+23e6c|C:\\Windows\\System32\\dbgcore.DLL+1b230|C:\\Windows\\System32\\dbgcore.DLL+112b4|C:\\Windows\\System32\\dbgcore.DLL+117a8|C:\\Windows\\System32\\WerFaultSecure.exe+115a4|C:\\Windows\\System32\\WerFaultSecure.exe+6a9c|C:\\Windows\\System32\\WerFaultSecure.exe+7378|C:\\Windows\\System32\\WerFaultSecure.exe+834c|C:\\Windows\\System32\\WerFaultSecure.exe+2748|C:\\Windows\\System32\\WerFaultSecure.exe+27e4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+8740|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+d4464", + "SourceUser": "swachchhanda\\xodih", + 
"TargetUser": "NT AUTHORITY\\SYSTEM" + } + } +} diff --git a/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml new file mode 100644 index 000000000..aa47a3bdc --- /dev/null +++ b/regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml @@ -0,0 +1,12 @@ +id: bd66a891-01c3-40b6-aafd-5c1676b44cf3 +description: N/A +date: 2025-11-27 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c + title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx new file mode 100755 index 000000000..71f069305 Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx differ diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json new file mode 100644 index 000000000..7f6a01012 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T08:12:45.123135Z" + } + }, + "EventRecordID": 733841, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 08:12:45.093", + "ProcessGuid": "0197231E-07FD-6928-290C-000000000D00", + "ProcessId": 9388, + "Image": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe", + "FileVersion": "-", + "Description": "-", + "Product": "-", + "Company": "-", + "OriginalFileName": "-", + "CommandLine": "EDRFreeze-gnu.exe 3472 10000", + "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", + "LogonId": "0x3b5cb2", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "SHA1=67582B0B646E9E23846A8A9D9E412DCFABC0CCA0,MD5=A3BE334229BEBE056335780502747595,SHA256=0502C36D1F146A6B6BE31F7D7D65FEEF96A3FB3F3743DFFC38BB47AE426849F3,IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7", + "ParentProcessGuid": "0197231E-CC5A-6927-B80A-000000000D00", + "ParentProcessId": 4952, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
new file mode 100644
index 000000000..811e83e1e
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
@@ -0,0 +1,12 @@
+id: f668b689-59c5-41a7-bc0b-22168d3df14e
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: c598cc0c-9e70-4852-b9eb-8921af79f598
+ title: Hacktool - EDR-Freeze Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx
new file mode 100755
index 000000000..67b413ce1
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json
new file mode 100644
index 000000000..c52634b02
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:57:32.087108Z" + } + }, + "EventRecordID": 676334, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:57:32.080", + "ProcessGuid": "0197231E-046C-6928-150C-000000000D00", + "ProcessId": 7088, + "Image": "C:\\Users\\Public\\wsass\\WSASS.exe", + "FileVersion": "-", + "Description": "-", + "Product": "-", + "Company": "-", + "OriginalFileName": "-", + "CommandLine": "WSASS.exe WerFaultSecure.exe 860", + "CurrentDirectory": "C:\\Users\\Public\\wsass\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", + "LogonId": "0x3b5cb2", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "SHA1=63AF15DCCB5CA8704918B7A8BFD0308726B2D7FD,MD5=D7A969E5A3636BF8FC9CA8A72021BFDC,SHA256=0977C9337EC1215C48A666464AFDA5C9A30CD24999A5F8E821E672991864A74C,IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42", + "ParentProcessGuid": "0197231E-0250-6928-D30B-000000000D00", + "ParentProcessId": 11640, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
new file mode 100644
index 000000000..88b29f71e
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
@@ -0,0 +1,12 @@
+id: e3ffac4e-8507-43f9-9542-4c9f10f49d3a
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 589ac73f-8e12-409c-964e-31a2f5775ae2
+ title: HackTool - WSASS Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx
new file mode 100755
index 000000000..82441e216
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json
new file mode 100644
index 000000000..075bccf08
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T08:12:45.186674Z" + } + }, + "EventRecordID": 733879, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 08:12:45.183", + "ProcessGuid": "0197231E-07FD-6928-2A0C-000000000D00", + "ProcessId": 3532, + "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", + "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", + "Description": "Windows Fault Reporting", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "WerFaultSecure.exe", + "CommandLine": "C:\\Windows\\System32\\WerFaultSecure.exe /h /pid 3472 /tid 3476 /encfile 304 /cancel 364 /type 268310", + "CurrentDirectory": "C:\\WINDOWS", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", + "LogonId": "0x3b5cb2", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "SHA1=9521BDCD891789724786BDCB9C9468A06818EDDC,MD5=C5A2014C3BC84EDCEEF5185AEA3BB5E0,SHA256=1C60BA5771201F7AEE44DCA30CBCBF78F6E3C39F30AD0A5C6C7BC8137A475EAA,IMPHASH=79E7A5E4F18B29329345D2098E1B95EB", + "ParentProcessGuid": "0197231E-07FD-6928-290C-000000000D00", + "ParentProcessId": 9388, + "ParentImage": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe", + "ParentCommandLine": "EDRFreeze-gnu.exe 3472 10000", + "ParentUser": "swachchhanda\\xodih" + 
}
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
new file mode 100644
index 000000000..0819e330d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
@@ -0,0 +1,12 @@
+id: 68010a5c-f8bf-4a2c-8cd0-038d4009805e
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+ title: PPL Tampering Via WerFaultSecure
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx
diff --git a/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml
new file mode 100644
index 000000000..395d0475f
--- /dev/null
+++ b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml
@@ -0,0 +1,52 @@
+title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+related:
+ - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+ type: similar
+status: experimental
+description: |
+ Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
+ These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
+references:
+ - https://blog.axelarator.net/hunting-for-edr-freeze/
+ - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
+ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.credential-access
+ - attack.t1003
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_img:
+ Image|contains:
+ - ':\Perflogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - '\$Recycle.Bin\'
+ - '\Contacts\'
+ - '\Desktop\'
+ - '\Documents\'
+ - '\Downloads\'
+ - '\Favorites\'
+ - '\Favourites\'
+ - '\inetpub\wwwroot\'
+ - '\Music\'
+ - '\Pictures\'
+ - '\Start Menu\Programs\Startup\'
+ - '\Users\Default\'
+ - '\Videos\'
+ # - '\AppData\Local\Temp\' some installers may load from here
+ selection_dll:
+ ImageLoaded|endswith:
+ - '\dbgcore.dll'
+ - '\dbghelp.dll'
+ condition: all of selection_*
+falsepositives:
+ - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml b/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
new file mode 100644
index 000000000..d1ec67873
--- /dev/null
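Review bot: The Process Explorer false positive that this same commit records in `.github/workflows/known-FPs.csv` (`procexp64\.exe` for rule 416bc4a2) is handled only in the CI allowlist; the rule itself has no exclusion, so a `level: high` alert fires for every user who runs Process Explorer from `\Desktop\` or `\Downloads\`, which is where portable Sysinternals tools usually live. I would add a loader-side filter and reference it from `condition`, with a comment stating the limitation that in Sysmon image_load events `Signed`/`Signature`/`SignatureStatus` describe `ImageLoaded` (here dbgcore.dll, as the regression event shows), not the loading `Image`, so the exclusion can only key on the loader path and a renamed binary evades it — an acceptable trade-off for a filter, but one the next maintainer should see. The `falsepositives` entry should also mention debugging and diagnostic tools (Process Explorer, portable debuggers, application crash handlers that write minidumps) rather than only installers.
```yaml
  # … unchanged: selection_img / selection_dll …
  # Loader-side exclusion. Signed/Signature on image_load events describe ImageLoaded,
  # not Image, so this can only match the loader path; a renamed copy bypasses it.
  filter_main_procexp:
    Image|endswith:
      - '\procexp.exe'
      - '\procexp64.exe'
  condition: all of selection_* and not 1 of filter_main_*
```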
+++ b/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
@@ -0,0 +1,35 @@
+title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+related:
+ - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+ type: similar
+ - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+ type: similar
+status: experimental
+description: |
+ Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
+ The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
+ The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
+ By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
+references:
+ - https://github.com/TwoSevenOneT/EDR-Freeze
+ - https://blog.axelarator.net/hunting-for-edr-freeze/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\WerFaultSecure.exe'
+ ImageLoaded|endswith:
+ - '\dbgcore.dll'
+ - '\dbghelp.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
new file mode 100644
index 000000000..e01e1644e
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
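Review bot: `falsepositives: - Unknown` understates what `selection` matches: WerFaultSecure.exe loading dbgcore.dll is also the normal path when Windows Error Reporting writes a dump of a crashed protected process, and nothing in this selection separates that from EDR-Freeze — the regression event itself is the legitimate `C:\Windows\System32\WerFaultSecure.exe` image loading the signed System32 dbgcore.dll, which is what a genuine crash dump would also produce. The discriminating signal lives on the process_creation side (parent process and the `/pid … /encfile … /cancel` command line seen in the sibling test data for 1f0b4cac), so the rule should say so: `falsepositives: - Legitimate crash-dump collection by Windows Error Reporting for protected processes; pivot on the parent process and command line of WerFaultSecure.exe (related rule 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2) before escalating`. A one-line comment on `Image|endswith` noting that it intentionally also catches relocated copies such as `C:\Users\Public\wsass\WerFaultSecure.exe` (the stronger signal, present in the 416bc4a2 test event) would help the next reader understand why the path is not pinned to System32.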
@@ -0,0 +1,64 @@
+title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+related:
+ - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+ type: similar
+status: experimental
+description: |
+ Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
+ These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
+ dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
+references:
+ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+ - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.credential-access
+ - attack.t1003.001
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection_lsass_calltrace:
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains:
+ - 'dbgcore.dll'
+ - 'dbghelp.dll'
+ # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
+ # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
+ # Uncomment if you observe false positives with the default rule.
+ # selection_granted_access:
+ # GrantedAccess|contains:
+ # - '0x1fffff'
+ # - '0x10'
+ # - '0x1010'
+ # - '0x1410'
+ # - '0x1438'
+ selection_susp_location:
+ SourceImage|contains:
+ - ':\Perflogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - '\$Recycle.Bin\'
+ - '\AppData\Roaming\'
+ - '\Contacts\'
+ - '\Desktop\'
+ - '\Documents\'
+ - '\Downloads\'
+ - '\Favorites\'
+ - '\Favourites\'
+ - '\inetpub\wwwroot\'
+ - '\Music\'
+ - '\Pictures\'
+ - '\Start Menu\Programs\Startup\'
+ - '\Users\Default\'
+ - '\Videos\'
+ - '\Windows\Temp\'
+ condition: all of selection_*
+falsepositives:
+ - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
new file mode 100644
index 000000000..be9bf1483
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
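Review bot: The commented-out `selection_granted_access` block is a trap for anyone who follows the "Uncomment if you observe false positives" advice: with `GrantedAccess|contains`, the value `'0x10'` also matches `0x1000`, `0x100000` and every other mask beginning with those characters, and `'0x1010'` matches `0x101000`, so enabling it would not narrow the rule the way the comment promises. Make it a plain list (exact, case-insensitive match), i.e. `# GrantedAccess:` followed by the same five values, or use `|endswith` if suffix matching is really intended. Separately, `CallTrace|contains` uses bare `'dbgcore.dll'`/`'dbghelp.dll'` here while the sibling process_access rule 387df17d uses `'\dbgcore.dll'`/`'\dbghelp.dll'`; the backslash-prefixed form is consistent and marginally safer against module names that merely end in those strings. The `attack.t1562.001` tag also looks out of place on a rule that only observes LSASS access; the defense-evasion mapping belongs to the WerFaultSecure rules.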
@@ -0,0 +1,42 @@ +title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze +id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c +related: + - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b + type: similar + - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2 + type: similar +status: experimental +description: | + Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. + This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period. +references: + - https://blog.axelarator.net/hunting-for-edr-freeze/ +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2025-11-27 +tags: + - attack.defense-evasion + - attack.t1562.001 +logsource: + category: process_access + product: windows + definition: | + Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled. + Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs: + + + \MsMpEng.exe + \WerFaultSecure.exe + + +detection: + selection: + SourceImage|endswith: '\WerFaultSecure.exe' + TargetImage|endswith: '\MsMpEng.exe' + CallTrace|contains: + - '\dbgcore.dll' + - '\dbghelp.dll' + condition: selection +falsepositives: + - Legitimate Windows Error Reporting operations +level: high +regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml index 8d597c0b5..929b20662 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml 
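Review bot: The `falsepositives` entry `Legitimate Windows Error Reporting operations` should say when that happens so an analyst can triage it: WerFaultSecure would only touch MsMpEng.exe with dbgcore/dbghelp in the call trace when the Defender engine itself crashed and WER is writing its dump, which would normally be preceded by an application crash event for MsMpEng.exe and should be rare on a healthy host; suggest `- Legitimate WER crash dump of MsMpEng.exe (rare; expect a matching application crash event for MsMpEng.exe immediately before)`. The title and `TargetImage` also pin the rule to Defender while the technique, as the related rules describe it, targets EDR/AV processes generally, so either a list of other security-product images under `TargetImage|endswith` or an explicit sentence in the description that this rule is Defender-specific would help. The `definition` text promises a Sysmon config snippet; it is worth confirming the committed YAML carries the XML intact, since only the two image names are legible in this rendering.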
@@ -5,11 +5,12 @@ description: |
 Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
 EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
 This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
-date: 2025-09-24
 references:
 - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
 - https://github.com/TwoSevenOneT/EDR-Freeze
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-24
+modified: 2025-11-27
 tags:
 - attack.defense-evasion
 - attack.t1562.001
@@ -18,7 +19,9 @@ logsource:
 product: windows
 detection:
 selection_img:
- Image|contains: '\EDR-Freeze'
+ Image|contains:
+ - '\EDR-Freeze'
+ - '\EDRFreeze'
 Image|endswith: '.exe'
 selection_imphash:
 Hashes|contains:
@@ -28,7 +31,10 @@ detection:
 - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
 - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
 - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
+ - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
+ - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml b/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml
index a6b8a4f5f..7be5e7335 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml
@@ -29,3 +29,4 @@ detection:
 falsepositives:
 - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
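Review bot: The two new IMPHASH values are appended to `Hashes|contains`, which only matches when the Sysmon (or equivalent) configuration includes IMPHASH in `HashAlgorithms`; on backends that surface the import hash as its own field the value never appears inside `Hashes` and the addition is silently dead. The usual SigmaHQ form for this selection lists the hashes under both a bare `Imphash:` field and `Hashes|contains:` so either telemetry shape matches, and that is the cleaner place for the additions; whether this project's other hacktool rules already use the dual form is worth checking before changing the shape here.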
diff --git a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
index aca2a53ad..db5dd1dbe 100644
--- a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
@@ -1,5 +1,10 @@
 title: PPL Tampering Via WerFaultSecure
 id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+related:
+ - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+ type: similar
+ - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+ type: similar
 status: experimental
 description: |
 Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
@@ -41,3 +46,4 @@ detection:
 falsepositives:
 - Legitimate usage of WerFaultSecure for debugging purposes
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml