From 3983baf2b02289ec5753700e66d8ae71f38dc2bf Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Tue, 26 Oct 2021 16:35:06 +0200
Subject: [PATCH 1/3] windows commandline obfuscation

---
 .../win_commandline_path_obfuscation.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/win_commandline_path_obfuscation.yml

diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
new file mode 100644
index 000000000..70fa5a9d1
--- /dev/null
+++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
@@ -0,0 +1,29 @@
+title: Command Line Path Obfuscation
+status: experimental
+id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
+author: Christian Burkard
+date: 2021/10/26
+description: Detects the attempt to hide or obfuscate the executed command on the CommandLine using bogus path traversal
+references:
+ - https://twitter.com/hexacorn/status/1448037865435320323
+ - https://twitter.com/Gal_B1t/status/1062971006078345217
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|contains:
+ - '\Windows\'
+ CommandLine|contains:
+ - '\..\Windows\'
+ - '\..\System32\'
+ - '\..\..\'
+ selection2:
+ CommandLine|contains: '.exe\..\'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high

From eb4ef6bcfc81c14101f4a78436ae907bfe8d834b Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Wed, 27 Oct 2021 11:16:12 +0200
Subject: [PATCH 2/3] fix: single list item to value

---
 .../process_creation/win_commandline_path_obfuscation.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
index 70fa5a9d1..8fcf0948d 100644
--- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml
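Review bot: The `'\..\..\'` entry in the `CommandLine|contains` list of `selection1` can match ordinary relative paths on a command line (anything of the form `dir\..\..\target`), and the `Image|contains: '\Windows\'` guard narrows it very little, since the common script hosts and installers shipped under \Windows are exactly the images that run such command lines; with `condition: 1 of them` and `level: high` this is likely to page on benign build and setup activity. Consider dropping that entry or moving it into its own selection at a lower level, keeping `'\..\Windows\'`, `'\..\System32\'` and `selection2` as the high-confidence part. `falsepositives: - Unknown` should name the cases the author already expects, e.g. `- Relative path invocations from scripts and installers running out of the Windows directory`, so that whoever tunes the rule knows what benign hits look like. The Twitter links in `references` are the only explanation of the technique; a short clause in `description` on what a true positive looks like in the CommandLine field would make the rule self-contained for triage.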
+++ b/rules/windows/process_creation/win_commandline_path_obfuscation.yml
@@ -15,8 +15,7 @@ logsource:
 product: windows
 detection:
 selection1:
- Image|contains:
- - '\Windows\'
+ Image|contains: '\Windows\'
 CommandLine|contains:
 - '\..\Windows\'
 - '\..\System32\'

From 8b1279448682019f84b4ad0373c289c16af893c7 Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Wed, 27 Oct 2021 14:07:27 +0200
Subject: [PATCH 3/3] fix: change title and filename

---
 ...scation.yml => win_commandline_path_traversal_evasion.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename rules/windows/process_creation/{win_commandline_path_obfuscation.yml => win_commandline_path_traversal_evasion.yml} (79%)

diff --git a/rules/windows/process_creation/win_commandline_path_obfuscation.yml b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
similarity index 79%
rename from rules/windows/process_creation/win_commandline_path_obfuscation.yml
rename to rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
index 8fcf0948d..0ddf5aa89 100644
--- a/rules/windows/process_creation/win_commandline_path_obfuscation.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
@@ -1,9 +1,9 @@
-title: Command Line Path Obfuscation
+title: Command Line Path Traversial Evasion
 status: experimental
 id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
 author: Christian Burkard
 date: 2021/10/26
-description: Detects the attempt to hide or obfuscate the executed command on the CommandLine using bogus path traversal
+description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal
 references:
 - https://twitter.com/hexacorn/status/1448037865435320323
 - https://twitter.com/Gal_B1t/status/1062971006078345217
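Review bot: The new title line in the third patch, `+title: Command Line Path Traversial Evasion`, misspells "Traversal", while the new filename `win_commandline_path_traversal_evasion.yml` spells it correctly, so the rule name shown in alert consoles will not match the file it comes from; change it to `title: Command Line Path Traversal Evasion`. The reworded description, `Detects the attempt to evade or obfuscate the executed command`, reads as if the command were doing the evading; something like `description: Detects attempts to hide the executed binary on the CommandLine with bogus path traversal, evading command-line based detections` states what the rule is for. The second patch, which only collapses a one-item list to a scalar, needs no further change.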