Add process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
This commit is contained in:
frack113
+30
@@ -0,0 +1,30 @@
|
||||
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
|
||||
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
|
||||
status: experimental
|
||||
author: frack113
|
||||
date: 2021/07/16
|
||||
description: Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files.
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1216
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
select_vbs:
|
||||
CommandLine|contains: '\SyncAppvPublishingServer.vbs'
|
||||
select_opt:
|
||||
CommandLine|contains|all:
|
||||
- '"n;'
|
||||
- 'Start-Process '
|
||||
condition: select_vbs and select_opt
|
||||
fields:
|
||||
- ComputerName
|
||||
- User
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
falsepositives:
|
||||
- Unknow
|
||||
level: medium
|
||||
Reference in New Issue
Block a user