security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
55ea53884199c8cb3b37175afa490ca910df8da3
blue-team-tools/rules/windows/process_creation/win_susp_presentationhost_execution.yml
T
Kirill Kiryanov a38c021876 Created rule win_susp_presentationhost_execution.yml
2020-10-08 13:24:59 +03:00

26 lines
873 B
YAML
Raw Blame History

title: Application Whitelisting Bypass via PresentationHost.exe
id: d149a338-ae47-408e-a8ff-9064220c0b34
description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
status: experimental
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
- https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
- https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Kirill Kiryanov, oscd.community
date: 2020/10/08
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\presentationhost.exe'
CommandLine|contains: '.xbap'
condition: selection
level: medium
falsepositives:
- Unknown
Reference in New Issue View Git Blame Copy Permalink