From c5b881019a6f141401c0cf1444ec83799afa98fb Mon Sep 17 00:00:00 2001 
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Wed, 10 Dec 2025 20:14:38 +0545 Subject: [PATCH] Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze update: Hacktool - EDR-Freeze Execution - add more coverage --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .github/workflows/known-FPs.csv | 1 + .../416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx | Bin 0 -> 69632 bytes .../416bc4a2-7217-4519-8dc7-c3271817f1d5.json | 59 ++++++++++++++++ .../info.yml | 12 ++++ .../8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx | Bin 0 -> 69632 bytes .../8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json | 59 ++++++++++++++++ .../info.yml | 12 ++++ .../9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx | Bin 0 -> 69632 bytes .../9f5c1d59-33be-4e60-bcab-85d2f566effd.json | 56 +++++++++++++++ .../info.yml | 12 ++++ .../387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx | Bin 0 -> 69632 bytes .../387df17d-3b04-448f-8669-9e7fd5e5fd8c.json | 56 +++++++++++++++ .../info.yml | 12 ++++ .../c598cc0c-9e70-4852-b9eb-8921af79f598.evtx | Bin 0 -> 69632 bytes .../c598cc0c-9e70-4852-b9eb-8921af79f598.json | 66 ++++++++++++++++++ .../info.yml | 12 ++++ .../589ac73f-8e12-409c-964e-31a2f5775ae2.evtx | Bin 0 -> 69632 bytes .../589ac73f-8e12-409c-964e-31a2f5775ae2.json | 66 ++++++++++++++++++ .../proc_creation_win_hktl_wsass/info.yml | 12 ++++ .../1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx | Bin 0 -> 69632 bytes .../1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json | 66 ++++++++++++++++++ .../info.yml | 12 ++++ ...age_load_win_susp_dbgcore_dbghelp_load.yml | 52 ++++++++++++++ ...in_werfaultsecure_dbgcore_dbghelp_load.yml | 35 ++++++++++ ...c_access_win_susp_dbgcore_dbghelp_load.yml | 64 
+++++++++++++++++ ...cess_win_werfaultsecure_msmpeng_access.yml | 42 +++++++++++ .../proc_creation_win_hktl_edr_freeze.yml | 10 ++- .../proc_creation_win_hktl_wsass.yml | 1 + ...proc_creation_win_werfaultsecure_abuse.yml | 6 ++ 29 files changed, 721 insertions(+), 2 deletions(-) create mode 100755 regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx create mode 100644 regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json create mode 100644 regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml create mode 100755 regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx create mode 100644 regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json create mode 100644 regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml create mode 100755 regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx create mode 100644 regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json create mode 100644 regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml create mode 100755 regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx create mode 100644 regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json create mode 100644 regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml create mode 100755 
regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml create mode 100644 rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml create mode 100644 rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml create mode 100644 rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml create mode 100644 rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 7d1ae95bc..e5644e4c0 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
@@ -73,3 +73,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
+416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
diff --git a/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx b/regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx new file mode 100755 index 0000000000000000000000000000000000000000..9712587498c4de3c4c11b5dff87cc8fbef83abdf GIT binary patch literal 69632 zcmeI0O>A6O701teGxIziduHsSlmcx?(n6DnIODI_Za&a>JSJ5gFmc;}WKlVtaWd_A zY-Q}WAuJ*wAXq?Ipf0+Jx@jw+?m$&lsVWlNu%L*xR8CSui-gD1A_jk@c_u19v;&h`~x9wNx8!qD+TFR_1*e>#^>*fDkKk=!RNP!55 zfCz|y2#A0Ph=2%)fCz|y2#CNf2~?YlmGiB~E&1#IM$gOCgntU0ESmjsCH(U(72iUD z^K|yT_PNbscSUBotl2*^W`9d>?lBue`*Hjm;^SV|ZZYO3n3LCCn3LDPy!@|xJKLT` z+u}BRzKZ(4{Xa=Qzio~suZv?}^zWx2I}M$$Y|}%TPjY=Z`3KD>8SKaWwae__LHIOp z>;AW+_kOSa$U8wX2&^}F_vrgCBs1}S|KFcIz3(q?zH#}*{^y^@N+?zCw;$q_3*_}m zZ^o+jgw?HOtEm4NC3?(vzFN%KQ?_JHbhgov2}bQa#8z#^?z6+V+x940>X2E$`v9H| zv|O-d)Rt`#k^`tOqy4ZwiM|$|Lsr5)g13^5fQZEWhDQAi6@@ zqOg#%C>`|JJ~Skeen)qgJ?zCAAk{)&Sm?2I8hdUxDoKdfu4QZng7j6>2^ob#yAzc= zeVkS=rR_oIi^rWv$O!}6g9^6*ua|a5_6<0YZXqI07f@5i?m;ElIgkB5YY(9NBK)=t zjx}(nXvTJ>fqfR0UwDm2f7XLZ8;)rOqIDQR7u6u+@NgF~rjA|8ZSi0-2zVmvPX#$d z%SJAlPUSbzJ`II5nU=)l!$Qt-wB-s0B?;lVfAmfynaZNWElxMhfI!l-%Ng^-*x*H34${D`qCW_sA zl6JtGMq6@!>h>}FCvED8-$br_p%3TL>746IVKeZ`aOzXA zd26ydWM|OUf|r-UplyeIxGtgIvPZ^O&K&&hdzIH_q7NHCzy8+89e>#EJEGwJh@+C3 zB2M1dPF;PSDV`VK@3{Wz+<*UYhhZUJ_9UC-cwHP0@|4u zC-CGc%sBh$avHgcld_kGc*J~|39^XoHCRwz&xs)q7drY&e*9-Qq`TnCRS-+IZJ38e zls)8So$F)GJ==mhNvvT$v?9kG@MFHPq5q>Bp=Mz|Wm(Ga_44$-w?2cA;=ywc_J?_d z(G6|ckeh)g7vNv+8 z$tcWcZz9Xg#tqBeeG#(VvFw;gir9O!pVlYxb9jqu zveK59LpF-HLENm5*&ckxjNx-=)cp>lZNP@zr_JuWp9z}j{f*muF}dY! 
ze_%+t_u2fqb#1)Qg2h?*hq-9pWgU`d&lwQ90KYA`J-WIn*VZvd-JLA4zO7kn-e;}& zGl>?>!#8KaGCn{#x`r8>SVIZ#EJOHAVvX-(_#LzftZcu}hm){?yP<~OK}fQng=5E2 zN_Jpd=G@~?;X1T%SDb~0b3Pi+q3tBvnuuhsu)RYjehD&LSH%{7w`}Ck7WD1eveu7g z z2xBVf8+0>rmI^e*Rx%EcK;NK~9LH#C8HY^#flZHAQD`^chW)%1w2VOCIBwc<1U2fa zpk7A%sMo?(RM11~C!8cX3`0M)a$O~~S7FcnSlg^4N6U_56k~1#+IUwWH;C~i6l&)@ z+&xv-%IKjzTm@%hZ55tcgP(Wu=GK^a7<+>|haaaqf3wVEm+(8cfn4S<{{5s&1Vlgt zL_h>YKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmx!S%1Yg`DoYc-3H-6h$*xv0vUFlEUecl zwt+M+QQNd?ANuitctAo?q>3U{h!>zjNEJxDh6j+K2vtRWX#sOT zfu~CUdo_FS%$zxM=6BAVxpuWRQ){*ww*Crz!znyNOPTcq>qWkDz5L0A{a;y$6o`Nb zh=2%)fCz|y2#A0Ph=2%)fCyZXK(#efIo5vElE3aR^*lvQ_@}^ki)I&|{qWH%D!zgM z=Xv(3=gzMdyDl=zWzGJRG5be)b&uHq+V|n#5MT5*fFG+u8OE z+Gf_-^BvUB`+t&rbKM-XUKhtc@81tXwg#QAuG2%AFLT|T{DbDp4EAIG-eI<52Yi~h zW&fW)`&r>f4}K67gTT6jzwY_hACj5)zU`mS9KQa;_ue`6eD8C=#Y!ku?zNxcl?&wc zYInw}_P8~yZ40RX0wsFHcfMB4*poJEEp*PKBNGhUF^DbLal6fS;hwjL(b9m-G~WC0 zY@+2cn?r5RW+2&z`W)JK*%Rn%<2hg@+(URP*(iP+%hS)VsfEGP(mU`~;?}IX3Iz+IANY9K zzA0_rvqd)&T}3OV$|*Ytu^)ShkEc6U!Mfch(02<;#E_$!?eFL8Zm5_BvL=?_bS4m8 zA#G7uNLiE)y6k#1B$0kiXNTSE#hM`1MqgOyvUD1IZZj%Lh}X|$Y!ZU>Rm%w(g+jX) zm1}*RR!^qw9_I^g`LGaj!oaqm!Y#n-h0T%O1qaeCL`1QGnlg4HD#^}yOG|qpz^q2c?P+Hns9A&pjf?k6mtoGb>w-E-tYJR1BFAj^W4^Vb|Kg2Mw=kcwEakU)d3xVlpFv3R;5iEW z!#u+1lD4eKO~RAY@Gp0An9p2hObs3)nYGC|%tx0QGXZ%XiQEmxmwg=OJK`}LGK~+c zI{d(76y~#+k!5D%hUM-)0ol%2cEqzGQ_rRcu|_M7qO>93vSdBU=@;g)p-AioKYG*3 z=m^`22Re`TdCb#w8ObR(3v&&LcE^$%dN+||ATndnYx!7y*xTTai#URc*n6~})+h2) zc#CVa3WqoCXVfv$nJ@h6)5}RG%oib*MykNJK&t5TX@ezR9ESzm33c@LLz4Y0efS+kDcSaQ>)GN@;0CmCM?3@#M|~t7 zMcVr$&pfZko1np&T7{=vuD9mI^e*Rx$>6Ltnp> z9K~pA8HG&zaZQg_QD`^c2K~GhvRM11~$DAZN3_?G( za$O~~S7FcXSlb~-j+X7iD8}y)wDGP$t{>w|DAdk*xO1wmmC-|cxC+k1+5$Ya2tRM+ z&9yOcFZKq%viV`U@%PFR>=J(CHj&4$`}ud%#ortJQz!Y}V3N=!0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H 
zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F n0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L|){{%hIxCZu+^u&`}Ow|ogE zjY^Eh`0-$T;Kk^JkQm=g3^6e=F}}eIMl{A~d{G}v5QriV>;K%DVYk(7Erkb@|7>Pw z?!D)nd+zU?duDdqGs7L}OiHF7w%0L%e$^_ak z;|v}220x7l<+zMU27_4)1g%YS0AdqzSej)6K3N$;PYN=FxUa!Ajh=BCLu*WiAz6d= z82UHJF^rAkS}(QuG~ljQn(&>vHGOtU%eHd4ONf;px3T_^^vMZWo-i{a!CP{VqKi2avSR@WIaZmhLWiH} zi%Lu6X-_N-Qll8NV`btv*mKL!@KZc_At+rC)L3PVkf@L?OVC*2^*3_ zX!gO~C;TQ4%r+kM1JPsck1CQzGaq0Z&LO16BmtlCLElfoK8kUKmuD z)f1Pz9g9dreK`#!zaYH#dzrKvG4&&3Jn^w6AlK31?eNHzh_t}s1RU3FnZQb2yRj09 zhqNeY*f)JqDLS=lN!L_FDXQs`%Z*?TzlePDaVZvX+&F&3Oyq`lhx&nNiuw}yy41_r zAqZyi@w^C2IHaXjLwkBl7=#aaY<&Q+QV9pF3X@J+jP-aCDcTCjK_t?s@mqsdA(mt1 za@!!FRZRo8bu?^1jUW}&Id`wvL8}}t9D}}YY&~6DN%Sb|Ct<=b!td6E5l#)u5qRbz z6j=_5kYA67yF#)D2GzQ^u5!6I;KV9rr6c!16sc!UWGWt5?kd8vP{M*o7Y+w^dWI!p zV2GBQ( zD35_bR;s;p9YK3k_B9p*YtBOt0ow{#S z6X~Ry)t;tFSa;U4DVm+AXoIpJ{@c;u3@g=wJ8tAAimo&?!%BP(NbBUY}R^ui}QM=C>NTo8N^@pRmYBEQ>wg1UbAg! 
zUS3OmJ_GzBU`NYl&?sC@UZWfujvz5nAS^s0+>P%ShMt0UGwvN(AQeFi4>L>F;H)+; z9QCpZcXjw^yAe;sT6{O7SHCx+uLj?BXfIp+j+Jq$()X2PLd;r)it*Y4!RnhOajTeR zao>adeil5miX=?E(3c<`833Dc=>R3&T@xVTSIHFSNttJY&hu6Evb327^CYk%-8lxZ zJ9c4z?1r5_Sj!f?^r)u^*v!JV&gEOn<(3!G?vuT+(vL#XZPuAEkx#-#2HNg*JyyOM zYZ=0)K~BxnQX_mz;Zr*YOFQ9TFIL@-cN{kwZMf@_^@z_f&Llkh?|v1xHiTEsBp5c$ z!CDez_G5m1`Ox_Jo;85g5WJlWvEsIxu+I89t+JS{jaXp=B6=tMs+TSBsqv2ZRgb)= z!z$;J7sb}t06R_aEx$&;Ud(@Iu18D`ZA{!v;l%HI`DUiOTj_<{lmFSy&dfLG z_WjQJ&P=y`aG)bSn3A!Z?G2p7(UyQnl{Hr6p08VP-g^3;jnDuIkN^pg011!)36KB@ zkN^pg011%5qy*Xr2io>!4v7EX{dmWdY6(9IT&Wg0x_bS8e=wNTQ>lRZIbQkE3&o?e zLn4u|$R9zGU!3AQB8?bdho2$tbh|i-&g<~0+idvM?S?1+p*OB$XD~J}CZ1<-{g?M6 z$;>f6hCExUd)_-wK(+%mFO0FHGIz5r^naka8)Z-DYMIEACCF)9M)N=PN%uRM-QQbr z%aTg#$2Gs5^F8VLlfRzXKL6({mrtIr{@^rbqEfBZ@+wYsg1TL(3`)BkmXu^9hwIm{ zhxU6nKaU6Hs0_&Tc^!^vj0{T_S6LZ=WF4-v z7+)qwa4&;nqtxTmgtK~S!FOuZ{Yc4`ZRPWqkt;uM+3t|+kYli%Gagakt@->e#N}u7 z+KI4iGu{uwS3jhNad!pw4!;;Tzw5{r1UrPABC(iQq36ANSUla4jdI9n;#OSZf!2T| zAa>l7xSlL4g4HP-aBmUzkd~a9S^Ql@o`s1dkfkyGv6cMFKS~ib&mAYAGm>7>5AG@&l<5wzZ^Omg zp2an9R={c6Fl~cq3IS+}`XOWR=ql2hT6-c=l0jbyctTPgup+3ILNDnEM2l!|hd~Wl zBXP;wv4})8mQzsj8^Zg)S4f)?(>MlABtF(&$aQphD?D;7BCW8PL*QC1In30x8!MA| zNSlJDz4@zZQP-{|ozplpp^#R1nB^iRPzoBHyH@O=Rf!OeKwlTO?yjwVj412%FyS}hvvpylQ`2$?k+}#( z=0GCk_v3-CknDs(weHQUQXURCv1*y;$U_iC>6smsiU*cEi?B?Wu;9^!&B2-OVTl+y zsGIS6TvbV2HsN@qd>&*_4dxEMPWpZEN>t=rmB`hvUCRM12Hk?{I)Ru=n^mp!U@U_y zXTe}ZYQ1tD!gWS=w;b$Q^5su$Uv!18r{B8u?Vai`GwV)K==yN0Qagp)yf>~Zo1raU zH$A_UPV9K9(`pOszxlWRqOVfO;h$JX`qb5J!^>J=e)Ha7%qB6eeQ_0z`V`hWdn4_z-`G&sRbwc!pMx!kxj4NWl9@%7!AmQ4_Ev2Jm^VK?3e zZ;lHJbfS33X$9)@-tT9AX6$IWOj9YdgW*rTCIb~zv`=w9mS$ldCk05+w6k8 zw)#Q^_)Wl$R!pE#Jez_>B{UpCVWL4;ctp4h-){_EMb~F>?#MJj8^goQl7-l7%?n4P zG~=uRAH80QCt^LmSL3|V`>w;ta@?<3@Saus&!Y586>tczEqK1xqlL6Vu6Im-=*1ih zFC@!hOC@xLcYu(ttQ;i#4w*viDf2u~A6IH?(g}3|AEz-n*S@<__8P)Nql>opHoaHNtO`yf|emn_+P~ zJhkJ!NA1?ZXBR$ds|C^b-6v~JhFUY`UWl#uDR8?i_sbrzabHL@uZ74~AgVrm?%h@+ zW}U+8>;16RfOys3{h6cYa!(2UyXVz_b(lmxr_O6CD@<#o0X34mqbR3lc?GPlx}&U2 
z&F)I%XXOJR(E__#llPmj_R*#X5U<)zmE>)*elvcjXfZJsSN&wRZr8i|5ls_TV$-64tK?syv`pLY3MgR6x9dkSY~a0jetV|NERX zV;ehesCfI&(V4R^Yp=cbx7J?!*psly{}Od{weV59Pn4jKO z@iqdSr}5sNC)bMYNSdWnX8%Z-{UyG($1IQbqxd((jb5*BGv;y3$!iDZu`&c8l&YWJVse)HOMz0dpzE1^`W*S?D) z7s%_y?u1qB5u3H9Eu;QDJjn;c&X;ltyJQR2K<5%V5?;aPA+~H6?64icy=3RmG7Fg* zln3#yqvc^+L~YULAUTNoBH9nwMf5fC&f5^~LnsZ|D1K*K(=V;7`QGa4oA6cSx5d** zyU#8|^Rk-}0bW{N{RZrcJo^6Cl$~_5KZ3bxka`%sMLg9g81H#9ZeNA53+ObAxAa)ewVhdLB$M^)v^4# zGlA%`aZCEym?h(0m+eMF6zQMo?69wgVs(&eqR-EESv-zCw-c2p#A~l7Yzl((Rl^Ax zg?zgem0QC&tz3=UY3GZFoQTf}J?lq>TY%TkcP8y#IFN23B2MQ~Q^NM5678G^-$>a# z=)MfUErMeW+$ox{zBsU-MCFN4ezF!W~+XvQ(0(m9BksECs^zA=?N*w$oBEug8TGlQFOF zAVeo2IfFoII=kt#9`oYf>go{)FsspVJzYeeX<&`GiYnV%Zp&JWCLNiE}-7Dv!fTz?0@BtlP^ytKdArk!*_0U`~kP` zh=Thgh)QOPAbEf5`0{9UWU$Wge22?_QqRV-p_OgQk!~v3cAj_oz;#Gq*23aIBLOkyDJIuo*9GHqL1YbwE8v{r3bKeSu6q{tMVYOA z_WBv-Q&_nt9NE_%nM6Y3rw~7imSAIVAi1fHCm|UT4k9Ny0@^%o3V0O4ncQ(2?64em z*jD3%_1zq-Z;Rd89=moI-SRQ*-72Q~g7NePqhd#!OnRNY(V^gHK7|o+W18`i$_K-= z&Xj)|Wwvd64x=rPXD=Qe0X!~(Bf_)CkR{p1dJ+9cLb(C=*_pQja{58stdCf~`vg6V zdLAFNhtNBSmN6T)oqK-lebjMheP1^Wvy45z*Kk}Ow&_-EFQI%1(OW}I&7)jK`68mG zf%gnr*)u|rANCHz$`M%G51aWJ&HKjf+UkT~ zyCM=O{%TMC7t`ZJVA0z{`54xG9;?0&r4lST3f3c_Hww!pV9^BXhwxOuvVyi@^srvS zyM(r~Yd_?;mtlVutrK{2Et4n@*TmP7oz6-hK1oi^S(K4=ZA{;XeOBe^_a}d9I^wD0< zJp!qsYbjuk0$Rv+0`2tFH-B?S{e?9Bl(7eJMg}pl{%dAB{F-52TY!!{BJ>m{KMxJ^SqvJ{zkoos8b zqu6N^f=~n$RFL?1Ks=NO#0xE=RfUA8DkLN%#9NV|Qa@Bxt$2Z#N(EIERmlARGxvIJ z*Nz)1@$|o|>zzAu&Y3g6bLPxlPcF>Y8VhyXe1&nxb$o}GGV2O9i@fLO^1t7{>pdHh z0TB=Z5fA|p5CIVo0TB=Z5fA|p5P=;DOfJk->9wy67f+&&4}8f-qZ$qr@S?e*8TmgL8hf6%nL{-@T# zgNSLt*5d!f@yu73&%PWKgTOk2SH@p|ESZVz{eOS--o3BA@Z9ysyMO)ztb|hKZu=&h zTp+J!Ix{wD4_e)twu0wx3#%I~ip{EX+ zS+x7{-9XPJTf)gscdRT8(Q z`yxAKS7CX@&4>gqudaRxekBoo<673H-Ruuyt~p3u!srO@T9S-+|0r#rgR_emG%FM= zh`t!-!-1Z(ea0?3O$-&Sm@232B*eZFOT0PTwhq<_t77a<+!0fbW)8fRvwL7-7RVY{ ze#5yybcM7qi#5HZBlxMoEt}bGZq=-EI>vk;Q 
zigWz3o5+XvIQ>90jlSfbZ;x~K90Zr~iM_~LHezXIXdfQSg7AfyZ33XsZrN1O<@*D0dc3YqyET&7Tj94+2i%Q-oyyZ!+@by?Al3F_lM6)RtjIdzjk6}G&wTZ?l?DoHu&r#fBetsU)=Tz0!Ass@Xu)S)a6zEIuk4@ z-c@II7X7S?WBBGN%sl(fQW~|2lXCQfxFgoXOprxxUxo+uwVD_LSinGkG}eEAOS%oA zTmi9U+lF~~MA^Pr)`i|%?%0&nNns81p%tlfAlCVC%letv^qDmjuYhyLD<~kdxb8aqODbFI z><#m*r|@!Ltl87jj8KsHD#VwfW%$_bCAai(8j=ZNpE=19(Bg56=P?}57T%d&n4@{D`*L? zvcvB05c>MvOX+~^-uL5RA-%uR(+S5cZ%?64RUkRDmfOo{Ph*#S8T*mv$c#HN7<-PK z!O2m^eF_%q?j4{HbNbIa$9mz(8OUA2&YpD@c?Fuu$y#5t(Tf-65qNkro@{rT&%i6b z0XC4UTvq;%=_1iaw5xx%o-E z3JtD`ACA$NN!+wE2|aqkF|L}H=-UzK9YP&Bi7X*GdUgyx3_^R@dFJPsfcKM?@oHXklFeTaeYqFKX>u>sxA=_0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p c5CIVo0TB=Z5fA|p5CIVo0TB>^|1W|60{)3ZXaE2J literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json new file mode 100644 index 000000000..c52634b02 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T07:57:32.087108Z" + } + }, + "EventRecordID": 676334, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 07:57:32.080", + "ProcessGuid": "0197231E-046C-6928-150C-000000000D00", + "ProcessId": 7088, + "Image": "C:\\Users\\Public\\wsass\\WSASS.exe", + "FileVersion": "-", + "Description": "-", + "Product": "-", + "Company": "-", + "OriginalFileName": "-", + "CommandLine": "WSASS.exe WerFaultSecure.exe 860", + "CurrentDirectory": "C:\\Users\\Public\\wsass\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", + "LogonId": "0x3b5cb2", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "SHA1=63AF15DCCB5CA8704918B7A8BFD0308726B2D7FD,MD5=D7A969E5A3636BF8FC9CA8A72021BFDC,SHA256=0977C9337EC1215C48A666464AFDA5C9A30CD24999A5F8E821E672991864A74C,IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42", + "ParentProcessGuid": "0197231E-0250-6928-D30B-000000000D00", + "ParentProcessId": 11640, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml new file mode 100644 index 000000000..88b29f71e --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml @@ -0,0 +1,12 @@ +id: e3ffac4e-8507-43f9-9542-4c9f10f49d3a +description: N/A +date: 2025-11-27 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: 589ac73f-8e12-409c-964e-31a2f5775ae2 + title: HackTool - WSASS Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx new file mode 100755 index 0000000000000000000000000000000000000000..82441e216d19f036331a21351becd4e2b1fbe930 GIT binary patch literal 69632 zcmeI0Uu;}Q6~@oK-d(TP-d($``P+oeA0Rfd6FXjK9XBBFdY6Pc5ZaW0WGS-jb+WC! zj_P&WG!lw{g31Gh2gE~p0A6TO)dwV0R3TMD0$xy%P$f!*A`ma|f>clisH)8O&7JGD zoj6V@Pw2a=yZ6q_nKNg8=ggVetu8Ir8cTKCeuci`8lItbnDqwRMc#FJ>fdjD{9P-N z0uc}a5fA|p5CIVo0TB=Z5fA|p5P@9@RF@Vjmzs}Q{Of+F=QV1=p8{v^GP|+=de^Rs zcM;$?-+%p;q0M4@Qf8U7**}tIe@Sd^F&jnwN&F4*POs~`^m!U%^4fzjdHvJNzu@ax z_blobx7qUvl>g=bB>BL$F_yh9_I=*JpMh)*I$z$Vhcb71{kgL(`H}b!ns(KH^)@&N zpZ3~@|68T%ch@fbA;<@T^#nI2|Mpxw65kK~_1OpZ|LL_?uRY)Q!*60Hl$z?Zui%vv zYoLd6`AH8A~# zGlA%G2}^~!4ofA1ZrhKFIMUzO)oGveVhxaLqAkpITOxrqw-<#t#22n7Z3cq$)sho3 z3Watr3itXrtzJ#oIp>QsDVW6*|UT7hUC2GB(dka2jpiWpP(UCnIqVB86K zQr6cIWDqUwTvF@EZle7F6w+i`5|Iyc8OzX?r_d=*2tW9Hw^f`N?O1Y_#8_t`SF8CI zo_QlO+WIYReP~69F(qc+22>_x$9A;8Rck>g|Vqbk7Yqj8gF7Z}G}qm)G={7+`Vo zo_1>IP|v(LfhTui#@W|b63A5?l&$Z_onk&r25H3h8Z4-9*<-{*sE{WmX!1q-tsmZtnZFHi4#>yrp6 zZaf!Zf0#uW?PyC4v^mSIi8jn8Z_{TQ^4#7S*_Su`6=qYn;S+5>3t-B`5@tJZBg-ts z#mAL;1+wW#_PC!X`S^MEB5r8KMchruFIhaFcqa?9UALJ@G!jWMvS*wY62pQbv0IK< zaci16l;?tJ^x->a#S~0?yQALpIpd70)!UocSn^@ECz86Qw`ZX1qFY(*=s+5!O}C7` zw)|<#Bh2QattgK4kF_o6LyU5r@i-C@W1eDijaFUMKOaTbF+T&2>1U8bWO3eg*cWHE z_TC$2nNMNm0pGK~-7|%R#G?=oMXRu}FOs~ajb|Yl6OJM$-U8Y@?uvL6{YY**jaFD5 zD{QC!(fsa?=C{M@Z1>%~itf2Xdv}Vd{-{5F!Km2NCX?A>Z@ejl+4rDF!kA`4r1D{( z)|v8W@XnicO!I@d590nMZrJJGxdm{$h_;BpzKSf#I+o8t=7g6Ua>ve5Dh5sW_bT=*Y?&>t{ZoC%yRSYyv|*M^8A594fF6K+js(G{kX5^aglrq z&^qoShCYmEaT@#SGzgvtv7Js+vxozpz#FiY(Ki0lfyR$#CmC)QKLfmW~fqli&Qtc)=#xJ#%R!Tk8-EIHQ_tcu#psIA~0b9PR_O4`dPuc9wC97aq`L+44n z7cmBZpp8Jjg87#5UBWwMEBLM=x{9thC9Ak8Q$}4Cy$*XTxz5I+Zv=f9vt`H?VbyWe zMA~b3Xa6d6k2&4cM1mZ#j8Qm;8hTezPfI3HqQn%W`CW9nE0Bw996>8}a`v=l3ZKKs 
z<7bd}NRIqYqHO|gl%vcTbdp3FR!yLP^vygl?d+Uzlt`M)t9ZtFVZi5w7Y@dGAvvl$4#vDI6v$zQE>4X$90rJm=EqG z-dvFJe*|43AOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOiot1pWi{ CRfy>T literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json new file mode 100644 index 000000000..075bccf08 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-11-27T08:12:45.186674Z" + } + }, + "EventRecordID": 733879, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3544, + "ThreadID": 4264 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-11-27 08:12:45.183", + "ProcessGuid": "0197231E-07FD-6928-2A0C-000000000D00", + "ProcessId": 3532, + "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", + "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)", + "Description": "Windows Fault Reporting", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "WerFaultSecure.exe", + "CommandLine": "C:\\Windows\\System32\\WerFaultSecure.exe /h /pid 3472 /tid 3476 /encfile 304 /cancel 364 /type 268310", + "CurrentDirectory": "C:\\WINDOWS", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000", + "LogonId": "0x3b5cb2", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "SHA1=9521BDCD891789724786BDCB9C9468A06818EDDC,MD5=C5A2014C3BC84EDCEEF5185AEA3BB5E0,SHA256=1C60BA5771201F7AEE44DCA30CBCBF78F6E3C39F30AD0A5C6C7BC8137A475EAA,IMPHASH=79E7A5E4F18B29329345D2098E1B95EB", + "ParentProcessGuid": "0197231E-07FD-6928-290C-000000000D00", + "ParentProcessId": 9388, + "ParentImage": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe", + "ParentCommandLine": "EDRFreeze-gnu.exe 3472 10000", + "ParentUser": "swachchhanda\\xodih" + 
} + } +} diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml new file mode 100644 index 000000000..0819e330d --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml @@ -0,0 +1,12 @@ +id: 68010a5c-f8bf-4a2c-8cd0-038d4009805e +description: N/A +date: 2025-11-27 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2 + title: PPL Tampering Via WerFaultSecure +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx diff --git a/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml new file mode 100644 index 000000000..395d0475f --- /dev/null +++ b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml 
@@ -0,0 +1,52 @@
+title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+related:
+ - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+ type: similar
+status: experimental
+description: |
+ Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
+ These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
+references:
+ - https://blog.axelarator.net/hunting-for-edr-freeze/
+ - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
+ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.credential-access
+ - attack.t1003
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_img:
+ Image|contains:
+ - ':\Perflogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - '\$Recycle.Bin\'
+ - '\Contacts\'
+ - '\Desktop\'
+ - '\Documents\'
+ - '\Downloads\'
+ - '\Favorites\'
+ - '\Favourites\'
+ - '\inetpub\wwwroot\'
+ - '\Music\'
+ - '\Pictures\'
+ - '\Start Menu\Programs\Startup\'
+ - '\Users\Default\'
+ - '\Videos\'
+ # - '\AppData\Local\Temp\' some installers may load from here
+ selection_dll:
+ ImageLoaded|endswith:
+ - '\dbgcore.dll'
+ - '\dbghelp.dll'
+ condition: all of selection_*
+falsepositives:
+ - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml b/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
new file mode 100644
index 000000000..d1ec67873
--- /dev/null
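Review bot: The uncommon-location list under `selection_img` omits `'\AppData\Roaming\'` and `'\Windows\Temp\'`, which the sibling rule 9f5c1d59 (declared `related … type: similar` here) does include in its `SourceImage|contains` list in the same commit, so the two rules disagree on what counts as an uncommon path; unless the omission is deliberate, add the two entries here, or document the exclusion the way the `\AppData\Local\Temp\` comment already does. The `falsepositives` entry also understates the noise this rule will see: the known-FPs.csv line added in this commit already records procexp64.exe as a match for rule 416bc4a2, and Sysinternals or debugging tools run from Downloads or Desktop are a plausible recurring source, so list them, e.g. `- Sysinternals and debugging tools (e.g. Process Explorer) executed from user directories`.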
+++ b/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
@@ -0,0 +1,35 @@
+title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+related:
+ - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+ type: similar
+ - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+ type: similar
+status: experimental
+description: |
+ Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
+ The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
+ The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
+ By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
+references:
+ - https://github.com/TwoSevenOneT/EDR-Freeze
+ - https://blog.axelarator.net/hunting-for-edr-freeze/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\WerFaultSecure.exe'
+ ImageLoaded|endswith:
+ - '\dbgcore.dll'
+ - '\dbghelp.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
new file mode 100644
index 000000000..e01e1644e
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
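Review bot: `falsepositives: - Unknown` is weaker than the rule's own premise: the description says MiniDumpWriteDump is how a minidump is produced, and WerFaultSecure is the Windows crash-reporting handler (the fixture added in this commit describes it as "Windows Fault Reporting"), so this DLL load during a legitimate crash dump is presumably the expected benign case and the reason for `level: medium`. The sibling rule 387df17d in the same commit records `- Legitimate Windows Error Reporting operations`; use the same entry here so the two "EDR-Freeze" rules agree on their known benign trigger. A short sentence in the description explaining that the rule is a hunting-grade signal to be correlated with the related process_access and process_creation rules would make the medium level self-explanatory. Minor: the description writes `edr-freeze` in lowercase while the title and the rest of the text use `EDR-Freeze`.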
@@ -0,0 +1,64 @@
+title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+related:
+ - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+ type: similar
+status: experimental
+description: |
+ Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
+ These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
+ dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
+references:
+ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+ - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+ - attack.credential-access
+ - attack.t1003.001
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection_lsass_calltrace:
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains:
+ - 'dbgcore.dll'
+ - 'dbghelp.dll'
+ # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
+ # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
+ # Uncomment if you observe false positives with the default rule.
+ # selection_granted_access:
+ # GrantedAccess|contains:
+ # - '0x1fffff'
+ # - '0x10'
+ # - '0x1010'
+ # - '0x1410'
+ # - '0x1438'
+ selection_susp_location:
+ SourceImage|contains:
+ - ':\Perflogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - '\$Recycle.Bin\'
+ - '\AppData\Roaming\'
+ - '\Contacts\'
+ - '\Desktop\'
+ - '\Documents\'
+ - '\Downloads\'
+ - '\Favorites\'
+ - '\Favourites\'
+ - '\inetpub\wwwroot\'
+ - '\Music\'
+ - '\Pictures\'
+ - '\Start Menu\Programs\Startup\'
+ - '\Users\Default\'
+ - '\Videos\'
+ - '\Windows\Temp\'
+ condition: all of selection_*
+falsepositives:
+ - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
diff --git a/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
new file mode 100644
index 000000000..be9bf1483
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
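Review bot: The commented-out `selection_granted_access` block uses `GrantedAccess|contains` with very short values such as `'0x10'`, and as a substring that also matches `0x1000`, `0x100000` and most other access masks, so an analyst who uncomments it as the comment advises gets almost none of the narrowing it promises; if the block stays as guidance, write it as an exact-match list (`# GrantedAccess:` followed by the same values) or use `|endswith` per value. The comment's first sentence also reads as self-contradictory ("not enabled by default because any access … is assumed to be suspicious, but it may reduce false positives"); something like `# Disabled by default so that any such access counts as suspicious; enable it to narrow the rule to the access masks typically used for dumping LSASS.` states the intent more plainly. Minor consistency point: `CallTrace|contains` here uses `'dbgcore.dll'` / `'dbghelp.dll'` without the leading backslash that the sibling rule 387df17d in this commit uses (`'\dbgcore.dll'`); either form works, but the two rules should agree.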
@@ -0,0 +1,42 @@ +title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze +id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c +related: + - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b + type: similar + - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2 + type: similar +status: experimental +description: | + Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. + This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period. +references: + - https://blog.axelarator.net/hunting-for-edr-freeze/ +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2025-11-27 +tags: + - attack.defense-evasion + - attack.t1562.001 +logsource: + category: process_access + product: windows + definition: | + Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled. + Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs: + + + \MsMpEng.exe + \WerFaultSecure.exe + + +detection: + selection: + SourceImage|endswith: '\WerFaultSecure.exe' + TargetImage|endswith: '\MsMpEng.exe' + CallTrace|contains: + - '\dbgcore.dll' + - '\dbghelp.dll' + condition: selection +falsepositives: + - Legitimate Windows Error Reporting operations +level: high +regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml index 8d597c0b5..929b20662 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml 
@@ -5,11 +5,12 @@ description: | Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions. -date: 2025-09-24 references: - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html - https://github.com/TwoSevenOneT/EDR-Freeze author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2025-09-24 +modified: 2025-11-27 tags: - attack.defense-evasion - attack.t1562.001 @@ -18,7 +19,9 @@ logsource: product: windows detection: selection_img: - Image|contains: '\EDR-Freeze' + Image|contains: + - '\EDR-Freeze' + - '\EDRFreeze' Image|endswith: '.exe' selection_imphash: Hashes|contains: @@ -28,7 +31,10 @@ detection: - 'IMPHASH=8828F0B906F7844358FB92A899E9520F' - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447' - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5' + - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0' + - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7' condition: 1 of selection_* falsepositives: - Unlikely level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml b/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml index a6b8a4f5f..7be5e7335 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_wsass.yml @@ -29,3 +29,4 @@ detection: falsepositives: - Unlikely level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml 
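Review bot: The two IMPHASH values added to `selection_imphash` are only ever matched inside the Sysmon `Hashes` string, and nothing in the visible `logsource` lines says that Sysmon must be configured with IMPHASH in `HashAlgorithms` for that selection to fire at all; without it the rule silently degrades to the image-name match in `selection_img`, which a renamed binary defeats. I would document the requirement in `logsource.definition` (`definition: Requires Sysmon process creation events with IMPHASH enabled in HashAlgorithms for the imphash selection`) and, as several Sigma hacktool rules do, list the hashes under an `Imphash:` field as well as `Hashes|contains:` so log sources that expose the import hash as its own field are covered. The head of `selection_imphash` is outside the hunk, so an `Imphash:` list may already exist above line 28 - verify before adding. Since the tool is open source, the imphash changes with every toolchain that rebuilds it, so a one-line caveat in the description that these values cover known builds only would set expectations for analysts.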
diff --git a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
index aca2a53ad..db5dd1dbe 100644
--- a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
@@ -1,5 +1,10 @@
 title: PPL Tampering Via WerFaultSecure
 id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+related:
+ - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+ type: similar
+ - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+ type: similar
 status: experimental
 description: |
 Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
@@ -41,3 +46,4 @@ detection:
 falsepositives:
 - Legitimate usage of WerFaultSecure for debugging purposes
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
