From cb7a7766231dbd7a353ade3e2a27acdb062159ca Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 6 Mar 2022 12:10:51 +0100
Subject: [PATCH] Add lolbas rules

---
 ...reation_win_lolbas_offlinescannershell.yml | 23 +++++++++++++++++++
 .../proc_creation_win_lolbas_replace.yml | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbas_replace.yml

diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
new file mode 100644
index 000000000..ddbf2b18e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
@@ -0,0 +1,23 @@
+title: Suspicious OfflineScannerShell.exe Execution From Another Folder
+id: 02b18447-ea83-4b1b-8805-714a8a34546a
+status: experimental
+description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ Image|endswith: '\OfflineScannerShell.exe'
+ filter:
+ CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
+ condition: lolbas and not filter
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
new file mode 100644
index 000000000..b22fbc7e9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
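Review bot: The `filter` selection `CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'` is an exact match that only works when the log source populates that field with exactly that value, trailing backslash included; where CurrentDirectory is absent or recorded without the separator, the filter never matches and every OfflineScannerShell.exe launch, including the legitimate one from the Defender Offline folder, raises a medium alert. A tolerant match such as `CurrentDirectory|startswith: 'C:\Program Files\Windows Defender\Offline'` keeps the exclusion working regardless of how the trailing separator is logged. The description reads like the LOLBAS abuse summary rather than what the rule detects; `description: Detects OfflineScannerShell.exe started from a directory other than the Windows Defender Offline folder, which lets a planted mpclient.dll in the current working directory be loaded` tells an analyst what fired and why it matters. `falsepositives: unknown` could also name the expected benign case, a Defender Offline scan launched from its own folder when the working directory is logged differently.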
@@ -0,0 +1,23 @@
+title: Suspicious Replace.exe Execution
+id: 9292293b-8496-4715-9db6-37028dcda4b3
+status: experimental
+description: Replace.exe is used to replace file with another file
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Replace/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ CommandLine|contains|all:
+ - 'replace '
+ - '/A'
+ condition: lolbas
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
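Review bot: The `lolbas` selection keys only on `CommandLine|contains|all` with `'replace '` and `'/A'` and carries no Image or OriginalFileName constraint, so with Sigma's default case-insensitive substring matching any process whose command line holds both fragments fires — a PowerShell `-replace` expression next to a URL path containing `/a` is enough (constructed example). Adding `Image|endswith: '\replace.exe'` to the selection, and anchoring the switch as `' /A'` so it has to be a separate argument, ties the rule to the binary the LOLBAS reference actually describes instead of to two common substrings. The description `Replace.exe is used to replace file with another file` restates the tool's purpose rather than the detection; wording along the lines of "Detects Replace.exe invoked with the /A switch, which LOLBAS documents for copying or downloading files into a target directory" would help triage. With the current matching, `level: medium` together with `falsepositives: unknown` understates the noise an analyst should expect.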