security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
T
Swachchhanda Shrawan Poudel fc716d14f6 Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules 
new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: Msxsl.EXE Execution
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote XSL Execution Via Msxsl.EXE
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and incrasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing unecessary the "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increase coverage of other partitions
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enahnce false positives filters
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved to a seperate rules "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-11-14 09:46:39 +01:00

30 lines
885 B
YAML
Raw Blame History

title: Arbitrary File Download Via PresentationHost.EXE
id: b124ddf4-778d-418e-907f-6dd3fc0d31cd
status: test
description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\presentationhost.exe'
- OriginalFileName: 'PresentationHost.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
- 'ftp://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink