@@ -4,7 +4,7 @@ status: test
description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
date: 2020/05/26
modified: 2022/10/28
modified: 2022/11/07
tags:
- attack.defense_evasion
- attack.t1036.005
@@ -14,78 +14,78 @@ logsource:
detection:
selection:
TargetFilename|endswith:
- '\svchost.exe'
- '\rundll32.exe'
- '\services.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\spoolsv.exe'
- '\lsass.exe'
- '\smss.exe'
- '\csrss.exe'
- '\conhost.exe'
- '\wininit.exe'
- '\lsm.exe'
- '\winlogon.exe'
- '\explorer.exe'
- '\taskhost.exe'
- '\Taskmgr.exe'
- '\sihost.exe'
- '\RuntimeBroker.exe'
- '\smartscreen.exe'
- '\dllhost.exe'
- '\audiodg.exe'
- '\wlanext.exe'
- '\AtBroker.exe'
- '\audiodg.exe'
- '\backgroundTaskHost.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\csrss.exe'
- '\dasHost.exe'
- '\dfrgui.exe'
- '\dllhost.exe'
- '\dwm.exe'
- '\eventcreate.exe'
- '\eventvwr.exe'
- '\explorer.exe'
- '\extrac32.exe'
- '\fontdrvhost.exe'
- '\ipconfig.exe'
- '\LsaIso.exe'
- '\LogonUI.exe'
- '\iscsicli.exe'
- '\iscsicpl.exe'
- '\logman.exe'
- '\LogonUI.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\msinfo32.exe'
- '\mstsc.exe'
- '\msiexec.exe'
- '\nbtstat.exe'
- '\regini.exe'
- '\TiWorker.exe'
- '\WmiPrvSE.exe'
- '\WUDFHost.exe'
- '\taskhostw.exe'
- '\dasHost.exe'
- '\wslhost.exe'
- '\fontdrvhost.exe'
- '\dwm.exe'
- '\backgroundTaskHost.exe'
- '\SystemSettingsBroker.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regini.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\SearchProtocolHost.exe'
- '\SearchIndexer.exe'
- '\SearchFilterHost.exe'
- '\SecurityHealthSystray.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SecurityHealthService.exe'
- '\SecurityHealthSystray.exe'
- '\services.exe'
- '\ShellAppRuntime.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\SystemSettingsBroker.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\TiWorker.exe'
- '\vssadmin.exe'
- '\w32tm.exe'
- '\WerFault.exe'
- '\WerFaultSecure.exe'
- '\wermgr.exe'
- '\wevtutil.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winrshost.exe'
- '\wlrmdr.exe'
- '\WinRTNetMUAHostServer.exe'
- '\wlanext.exe'
- '\wlrmdr.exe'
- '\WmiPrvSE.exe'
- '\wslhost.exe'
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
- '\iscsicpl.exe'
- '\iscsicli.exe'
- '\extrac32.exe'
- '\eventvwr.exe'
- '\eventcreate.exe'
- '\dfrgui.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
filter1:
TargetFilename|startswith:
- 'C:\Windows\System32\'
@@ -95,6 +95,7 @@ detection:
Image|endswith:
- '\Windows\System32\dism.exe'
- '\TiWorker.exe'
- '\bcdedit.exe'
filter2:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
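Review bot: One `Image|endswith` entry is new in this hunk (the hunk counts admit exactly one addition, most likely `- '\bcdedit.exe'`), and it, like the neighbouring `\TiWorker.exe` entry, matches on the bare file name, whereas the `dism.exe` entry is anchored under `\Windows\System32\`. An unanchored Image exclusion removes from this rule every process that merely carries that name, from any directory, which is the same renaming pattern the selection list exists to catch. Anchoring it the same way, `- '\Windows\System32\bcdedit.exe'` (plus the SysWOW64 variant if that is observed in telemetry), keeps the exclusion limited to the genuine tool; the `filter2` entries below are already fully anchored. The block that `Image|endswith:` belongs to starts before this hunk.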
@@ -3,8 +3,10 @@ id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
- id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
type: derived
- id: 3215aa19-f060-4332-86d5-5602511f3ca8
type: similar
status: experimental
description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
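Review bot: The new `related` entry records rule `3215aa19-f060-4332-86d5-5602511f3ca8` as `type: similar`, while that rule, added in the same commit, points back to this one with `type: derived`; the two files describe the same relationship and should agree. Since the LNK rule was split out of this one, a single `derived` pointer on the new rule (with no back-reference here), or `similar` on both sides, are the consistent options. The rewritten description still reads awkwardly; `Detects dropped files with double extensions, a technique malware uses to abuse the fact that Windows hides known file extensions by default.` says the same thing more precisely.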
@@ -13,7 +15,7 @@ references:
- https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali, frack113
date: 2022/06/19
modified: 2022/07/28
modified: 2022/11/07
tags:
- attack.defense_evasion
- attack.t1036.007
@@ -25,7 +27,7 @@ detection:
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.lnk'
#- '.lnk' # legitimate links can happen just anywhere
- '.iso'
- '.exe'
TargetFilename|contains:
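Review bot: `#- '.lnk' # legitimate links can happen just anywhere` leaves a disabled value in the rule body as a comment, and the next hunk does the same with the whole `#filter:` block; version control already preserves the removed lines, and commented-out configuration tends either to be re-enabled by accident or to rot silently as the surrounding rule changes. Drop both and, if a pointer is wanted, replace this line with a note that says where the logic went: `# '.lnk' is covered by rule 3215aa19-f060-4332-86d5-5602511f3ca8 (Suspicious LNK Double Extension Files)`. The `TargetFilename|contains:` list this hunk ends on continues in the next hunk.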
@@ -36,15 +38,16 @@ detection:
- '.ppt.'
- '.pptx.'
- '.jpg.'
- '.pdf.'
selection_exe:
TargetFilename|endswith:
- '.zip.exe'
- '.rar.exe'
filter:
TargetFilename|contains:
- '\AppData\Roaming\Microsoft\Office\Recent\'
- '\AppData\Roaming\Microsoft\Windows\Recent\'
condition: 1 of selection_* and not filter
#filter:
# TargetFilename|contains:
# - '\AppData\Roaming\Microsoft\Office\Recent\'
# - '\AppData\Roaming\Microsoft\Windows\Recent\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
@@ -0,0 +1,41 @@
title: Suspicious LNK Double Extension Files
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
- id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
type: derived
status: experimental
description: Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali, frack113
date: 2022/11/07
tags:
- attack.defense_evasion
- attack.t1036.007
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.lnk'
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.xls.'
- '.xlsx.'
- '.ppt.'
- '.pptx.'
- '.jpg.'
- '.pdf.'
filter:
TargetFilename|contains:
- '\AppData\Roaming\Microsoft\Office\Recent\'
- '\AppData\Roaming\Microsoft\Windows\Recent\'
condition: selection and not filter
falsepositives:
- Users creating a shortcut on e.g. desktop
level: medium
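Review bot: `TargetFilename|contains` is matched against the whole path (the `filter` below relies on exactly that with its `\AppData\Roaming\...` substrings), so `'.doc.'` and the other patterns also fire when the double-dotted substring is part of a directory name rather than the shortcut's own name, e.g. a `notes.lnk` stored under a folder called `reports.pdf.2022`. If the file name is the intended target, expressing the extension pairs directly as `TargetFilename|endswith` values merges the `.lnk` requirement and the pattern list into one condition and removes the directory case, at the cost of no longer matching `name.pdf.<anything>.lnk` variants; the parent rule's `contains` list has the same property. The description reads awkwardly; `Detects dropped files with an LNK double extension (for example "invoice.pdf.lnk"), a technique malware uses to abuse the fact that Windows hides known file extensions by default.` is clearer.
```yaml
selection:
  TargetFilename|endswith:
    - '.doc.lnk'
    - '.docx.lnk'
    - '.xls.lnk'
    - '.xlsx.lnk'
    - '.ppt.lnk'
    - '.pptx.lnk'
    - '.jpg.lnk'
    - '.pdf.lnk'
# … unchanged: filter and condition …
```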