security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195)

Browse Source 
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to eql

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 386a8202c0)
This commit is contained in:
Isai
2022-07-29 16:11:16 -04:00
committed by github-actions[bot]
parent 044b5a2c61
commit 5b183e66fa
1 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+14 -10
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/29"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"]
risk_score = 73
rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313"]
timestamp_override = "event.ingested"
type = "eql"
@@ -31,14 +31,18 @@ process where event.type == "start" and
process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
process.parent.args : "UsoSvc" and
not process.executable :
(
"C:\\Windows\\System32\\UsoClient.exe",
"C:\\Windows\\System32\\MusNotification.exe",
"C:\\Windows\\System32\\MusNotificationUx.exe",
"C:\\Windows\\System32\\MusNotifyIcon.exe",
"C:\\Windows\\System32\\WerFault.exe",
"C:\\Windows\\System32\\WerMgr.exe"
)
("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe",
"?:\\Windows\\System32\\UsoClient.exe",
"?:\\Windows\\System32\\MusNotification.exe",
"?:\\Windows\\System32\\MusNotificationUx.exe",
"?:\\Windows\\System32\\MusNotifyIcon.exe",
"?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\System32\\WerMgr.exe",
"?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
"?:\\Windows\\System32\\MoUsoCoreWorker.exe",
"?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe",
"?:\\Windows\\System32\\UsoCoreWorker.exe",
"?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")
'''