security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
T
phantinuss 5cb6eed52e fix: remove single value lists
2021-09-02 14:09:03 +02:00

49 lines
2.1 KiB
YAML
Raw Blame History

title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
status: experimental
related:
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
type: obsoletes
description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
date: 2020/10/23
modified: 2021/09/01
references:
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
- https://www.cobaltstrike.com/help-opsec
- https://twitter.com/CyberRaiju/status/1251492025678983169
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
tags:
- attack.defense_evasion
- attack.t1085 # an old one
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\WerFault.exe'
CommandLine|endswith: '\WerFault.exe'
selection2:
Image|endswith: '\rundll32.exe'
CommandLine|endswith: '\rundll32.exe'
selection3:
Image|endswith: '\regsvcs.exe'
CommandLine|endswith: '\regsvcs.exe'
selection4:
Image|endswith: '\regasm.exe'
CommandLine|endswith: '\regasm.exe'
selection5:
Image|endswith: '\regsvr32.exe'
CommandLine|endswith: '\regsvr32.exe'
condition: 1 of selection*
fields:
- ParentImage
- ParentCommandLine
falsepositives:
- Unlikely
level: high
Reference in New Issue View Git Blame Copy Permalink