title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental related: - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add type: obsoletes description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard date: 2020/10/23 modified: 2021/09/01 references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec - https://twitter.com/CyberRaiju/status/1251492025678983169 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback tags: - attack.defense_evasion - attack.t1085 # an old one - attack.t1218.011 logsource: category: process_creation product: windows detection: selection1: Image|endswith: '\WerFault.exe' CommandLine|endswith: '\WerFault.exe' selection2: Image|endswith: '\rundll32.exe' CommandLine|endswith: '\rundll32.exe' selection3: Image|endswith: '\regsvcs.exe' CommandLine|endswith: '\regsvcs.exe' selection4: Image|endswith: '\regasm.exe' CommandLine|endswith: '\regasm.exe' selection5: Image|endswith: '\regsvr32.exe' CommandLine|endswith: '\regsvr32.exe' condition: 1 of selection* fields: - ParentImage - ParentCommandLine falsepositives: - Unlikely level: high