security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
309c2dee7f3fb56da08db0d91bdc9afed4f55d6c
blue-team-tools/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
T
Nasreddine Bencherchali 309c2dee7f Merge PR #4560 from @nasbench - Fix FP Found In Testing & Other Rule Updates 
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
update: ISO Image Mounted - Update title and add new filter
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-10 17:32:28 +01:00

78 lines
3.0 KiB
YAML
Raw Blame History

title: Potential NT API Stub Patching
id: b916cba1-b38a-42da-9223-17114d846fd6
status: experimental
description: Detects potential NT API stub patching as seen used by the project PatchingAPI
references:
- https://github.com/D1rkMtr/UnhookingPatch
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1562.002
logsource:
category: process_access
product: windows
detection:
selection:
GrantedAccess: '0x1FFFFF'
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
filter_main_generic:
# To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights
- SourceImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- TargetImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_thor:
SourceImage|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_githubdesktop:
SourceImage|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\app-'
SourceImage|endswith:
- '\GitHubDesktop.exe'
- '\resources\app\git\usr\bin\sh.exe'
TargetImage|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\app-'
filter_main_dotnet:
SourceImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
SourceImage|endswith: '\NGenTask.exe'
TargetImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
filter_main_taskhost:
SourceImage|contains:
- ':\WINDOWS\system32\taskhostw.exe'
- ':\Windows\system32\taskhost.exe'
TargetImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
TargetImage|endswith: '\NGenTask.exe'
filter_optional_teams_to_update:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
filter_optional_teams_update_regsvr32:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
filter_optional_teams_update_to_teams:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink