security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
T
Gott 120bff21f8 Update proc_creation_win_lolbin_setres.yml
2022-12-12 17:09:26 -05:00

27 lines
1.0 KiB
YAML
Raw Blame History

title: Use of Setres.exe
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: experimental
description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022/12/11
tags:
- attack.defense_evasion
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|endswith: '\choice'
condition: all of selection*
falsepositives:
- Legitimate usage of Setres
level: medium
Reference in New Issue View Git Blame Copy Permalink