security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RTA] Adds RTAs for endpoint rules (#2621)

Browse Source 
* [RTA] Adds RTAs for endpoint rules

* Update exec_cscript_archive_args.py

* Review RTAs 1/2

* Update suspicious_msiexec_child.py

* Update rta/exec_cscript_archive_args.py

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2023-03-23 18:14:06 -03:00
committed by GitHub
parent 32ca0001ff
commit 5c792b86d7
18 changed files with 698 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rta/exec_java_via_scripting.py
+49
View File
@@ -0,0 +1,49 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from . import common
from . import RtaMetadata
import os
metadata = RtaMetadata(
uuid="a3b26c9e-6910-43f7-93b2-84cc777e54f4",
platforms=["windows"],
endpoint=[
{
'rule_id': '15b1d979-5be0-4e7f-9202-0c4cfd76b146',
'rule_name': 'Suspicious Java Execution via a Windows Script'
},
{'rule_id': '16c84e67-e5e7-44ff-aefa-4d771bcafc0c', 'rule_name': 'Execution from Unusual Directory'},
{'rule_id': '35dedf0c-8db6-4d70-b2dc-a133b808211f', 'rule_name': 'Binary Masquerading via Untrusted Path'},
{'rule_id': '23e29d07-7584-465e-8a6d-912d9ea254a6', 'rule_name': 'Suspicious Image Load via Windows Scripts'}
],
siem=[],
techniques=['T1059', 'T1059.005', 'T1059.007'],
)
EXE_FILE = common.get_path("bin", "renamed_posh.exe")
@common.requires_os(common.WINDOWS)
def main():
path = "C:\\Program Files\\Java\\jrertaendgametest\\bin\\"
argpath = "C:\\\"Program Files\"\\Java\\jrertaendgametest\\bin\\Javafake.exe"
cscript = "C:\\Users\\Public\\cscript.exe"
executable = path + "Javafake.exe"
if not os.path.exists(path):
os.makedirs(path)
else:
pass
common.copy_file(EXE_FILE, cscript)
common.copy_file(EXE_FILE, executable)
# Execute command
common.execute([cscript, "/c", argpath, ("iwr google.com -UseBasicParsing -UserAgent "
"'C:\\Users\\Public\\' -SessionVariable '-jar'")], timeout=10)
common.remove_files(cscript, executable)
if __name__ == "__main__":
exit(main())