From dcf236fedee2d5809fba86bddd7d54b4edaa2b3c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 May 2022 12:50:59 +0100
Subject: [PATCH] Quick Updates and Fixes

- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs
---
 ...e_event_win_powershell_exploit_scripts.yml | 2 ++
 .../proc_creation_win_susp_taskkill.yml | 13 +++++----
 .../proc_creation_win_winword_lolbin.yml | 28 +++++++++++++++++++
 3 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_winword_lolbin.yml

diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
index 1b6c1a956..db13219da 100755
--- a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -7,6 +7,7 @@ references:
 - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
 - https://github.com/PowerShellMafia/PowerSploit
 - https://github.com/NetSPI/PowerUpSQL
+ - https://github.com/CsEnox/EventViewer-UACBypass
 date: 2018/04/07
 modified: 2022/05/13
 logsource:
@@ -115,6 +116,7 @@ detection:
 - '\Find-AVSignature.ps1'
 - '\Get-GPPAutologon.ps1'
 - '\Get-MicrophoneAudio.ps1'
+ - '\Invoke-EventViewer.ps1'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
index 55d529e6f..b9b9483a3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
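Review bot: The second hunk changes the detection list (adds `'\Invoke-EventViewer.ps1'`) but the rule's `modified` field, visible as context in the first hunk, is left at `2022/05/13`; the other two rules in this patch are dated `2022/05/17`, and a detection change normally bumps `modified` so downstream consumers can see the rule logic moved. Suggest `modified: 2022/05/17`. The new filename entry itself follows the quoting and `endswith` form of its neighbours, so nothing else to change there.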
+++ b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
@@ -6,16 +6,19 @@ author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
 date: 2021/12/26
+modified: 2022/05/17
 logsource:
 category: process_creation
 product: windows
 detection:
- taskkill:
- Image|endswith: \taskkill.exe
- CommandLine|contains|all:
- - /f
+ selection_img: - Image|endswith: \taskkill.exe - OriginalFileName: 'taskkill.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - /f
 - /im
- condition: taskkill
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_winword_lolbin.yml b/rules/windows/process_creation/proc_creation_win_winword_lolbin.yml
new file mode 100644
index 000000000..086078751
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_winword_lolbin.yml
@@ -0,0 +1,28 @@
+title: Winword LOLBIN Usage
+id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
+status: experimental
+description: Winword can be abused as a LOLBIN to download arbitary file or load arbitary DLLs
+author: Nasreddine Bencherchali
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
+ - https://github.com/D4Vinci/One-Lin3r/blob/master/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
+date: 2022/05/17
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\WINWORD.exe'
+ - OriginalFileName: 'WinWord.exe'
+ selection_cli_http:
+ CommandLine|contains:
+ - 'http://'
+ - 'https://'
+ selection_cli_dll:
+ CommandLine|contains:
+ - '/l '
+ - '.dll'
+ condition: selection_img and 1 of selection_cli*
+falsepositives:
+ - Unknown
+level: high
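Review bot: In the new `selection_img`, `Image|endswith: \taskkill.exe` is left as an unquoted plain scalar while its sibling `OriginalFileName: 'taskkill.exe'` and the winword rule added in this same patch (`'\WINWORD.exe'`) quote their values; quoting it as `Image|endswith: '\taskkill.exe'` keeps the backslash-bearing string unambiguous across YAML loaders and consistent with the repo style. The re-added `- /f` under `CommandLine|contains|all` is a substring test, so it may also match the `/fi` filter switch when combined with `/im`; if that is acceptable at `level: low`, it is worth stating under `falsepositives` instead of `Unknown`. Quoting `'/f'` and `'/im'` would likewise match the style of the new rule.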
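Review bot: `selection_cli_dll` uses `CommandLine|contains` with a list, which is an OR, so `'.dll'` appearing anywhere in a Winword command line triggers a `level: high` alert independently of the `/l ` add-in switch the LOLBAS reference describes; `CommandLine|contains|all` over `'/l '` and `'.dll'` would express the intended pairing, or the two strings could be split into separate named selections with their own weight. The `selection_cli_http` branch will also fire whenever Word is launched with a document URL on its command line, which is likely routine where SharePoint/OneDrive links are opened, so `falsepositives: - Unknown` understates the expected noise and `level: high` may need revisiting or that case documented. Minor: `description` contains "arbitary" twice; it should read `arbitrary`.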