security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
T
frack113 8bb3379b68 Normalization of rule names
2022-02-22 11:16:31 +01:00

175 lines
5.1 KiB
YAML
Raw Blame History

title: False Sysinternals Suite Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: experimental
description: Rename as a legitim Sysinternals Suite tools to evade detection
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113
date: 2021/12/20
logsource:
category: process_creation
product: windows
detection:
selection_exe:
Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- '\AccessEnum.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADInsight.exe'
- '\ADInsight64.exe'
- '\adrestore.exe'
- '\adrestore64.exe'
- '\Autologon.exe'
- '\Autologon64.exe'
- '\Autoruns.exe'
- '\Autoruns64.exe'
- '\autorunsc.exe'
- '\autorunsc64.exe'
- '\Bginfo.exe'
- '\Bginfo64.exe'
- '\Cacheset.exe'
- '\Cacheset64.exe'
- '\Clockres.exe'
- '\Clockres64.exe'
- '\Contig.exe'
- '\Contig64.exe'
- '\Coreinfo.exe'
- '\Coreinfo64.exe'
- '\CPUSTRES.EXE'
- '\CPUSTRES64.EXE'
- '\ctrl2cap.exe'
- '\Dbgview.exe'
- '\dbgview64.exe'
- '\Desktops.exe'
- '\Desktops64.exe'
- '\disk2vhd.exe'
- '\disk2vhd64.exe'
- '\diskext.exe'
- '\diskext64.exe'
- '\Diskmon.exe'
- '\Diskmon64.exe'
- '\DiskView.exe'
- '\DiskView64.exe'
- '\du.exe'
- '\du64.exe'
- '\efsdump.exe'
- '\FindLinks.exe'
- '\FindLinks64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\hex2dec.exe'
- '\hex2dec64.exe'
- '\junction.exe'
- '\junction64.exe'
- '\ldmdump.exe'
- '\listdlls.exe'
- '\listdlls64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\loadOrd.exe'
- '\loadOrd64.exe'
- '\loadOrdC.exe'
- '\loadOrdC64.exe'
- '\logonsessions.exe'
- '\logonsessions64.exe'
- '\movefile.exe'
- '\movefile64.exe'
- '\notmyfault.exe'
- '\notmyfault64.exe'
- '\notmyfaultc.exe'
- '\notmyfaultc64.exe'
- '\ntfsinfo.exe'
- '\ntfsinfo64.exe'
- '\pendmoves.exe'
- '\pendmoves64.exe'
- '\pipelist.exe'
- '\pipelist64.exe'
- '\portmon.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\Procmon.exe'
- '\Procmon64.exe'
- '\psExec.exe'
- '\psExec64.exe'
- '\psfile.exe'
- '\psfile64.exe'
- '\psGetsid.exe'
- '\psGetsid64.exe'
- '\psInfo.exe'
- '\psInfo64.exe'
- '\pskill.exe'
- '\pskill64.exe'
- '\pslist.exe'
- '\pslist64.exe'
- '\psLoggedon.exe'
- '\psLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\psping.exe'
- '\psping64.exe'
- '\psService.exe'
- '\psService64.exe'
- '\psshutdown.exe'
- '\psshutdown64.exe'
- '\pssuspend.exe'
- '\pssuspend64.exe'
- '\RAMMap.exe'
- '\RDCMan.exe'
- '\RegDelNull.exe'
- '\RegDelNull64.exe'
- '\regjump.exe'
- '\ru.exe'
- '\ru64.exe'
- '\sdelete.exe'
- '\sdelete64.exe'
- '\ShareEnum.exe'
- '\ShareEnum64.exe'
- '\shellRunas.exe'
- '\sigcheck.exe'
- '\sigcheck64.exe'
- '\streams.exe'
- '\streams64.exe'
- '\strings.exe'
- '\strings64.exe'
- '\sync.exe'
- '\sync64.exe'
- '\Sysmon.exe'
- '\Sysmon64.exe'
- '\tcpvcon.exe'
- '\tcpvcon64.exe'
- '\tcpview.exe'
- '\tcpview64.exe'
- '\Testlimit.exe'
- '\Testlimit64.exe'
- '\vmmap.exe'
- '\vmmap64.exe'
- '\Volumeid.exe'
- '\Volumeid64.exe'
- '\whois.exe'
- '\whois64.exe'
- '\Winobj.exe'
- '\Winobj64.exe'
- '\ZoomIt.exe'
- '\ZoomIt64.exe'
filter_valid:
Company:
- 'Sysinternals - www.sysinternals.com'
- 'Sysinternals'
filter_empty:
Company: null
condition: selection_exe and not 1 of filter*
falsepositives:
- Unknown
level: medium
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
- attack.t1202
Reference in New Issue View Git Blame Copy Permalink