security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144)

Browse Source 
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Samirbous
2024-10-15 10:49:01 +01:00
committed by GitHub
parent 8404d41cca
commit a98161ad2a
1 changed files with 24 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/privilege_escalation_persistence_phantom_dll.toml
+24 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2020/01/07"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/07/11"
updated_date = "2024/10/09"
[rule]
author = ["Elastic"]
@@ -99,7 +99,7 @@ any where host.os.type == "windows" and
?dll.name : (
"wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
"wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
"tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
)
and (
@@ -110,11 +110,18 @@ any where host.os.type == "windows" and
not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
)
) or
/* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */
(
(?dll.path : "?:\\Windows\\*\\oci.dll" and process.executable : "?:\\Windows\\*.exe" and
(?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or
(file.path : "?:\\Windows\\*\\oci.dll" and not file.code_signature.status == "Valid" and process.executable : "?:\\Windows\\*.exe")
) or
/* compatible with Sysmon EventID 7 - Image Load */
(file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
"wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
"tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and
not file.hash.sha256 :
("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f",
@@ -128,13 +135,25 @@ any where host.os.type == "windows" and
"?:\\Windows\\System32\\wbemcomn.dll",
"?:\\Windows\\SysWOW64\\wbemcomn.dll",
"?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"?:\\Windows\\System32\\wlanhlp.dll"
"?:\\Windows\\System32\\wlanhlp.dll",
"\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wbemcomn.dll",
"\\Device\\HarddiskVolume?\\Windows\\System32\\wbemcomn.dll",
"\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wlanhlp.dll",
"\\Device\\HarddiskVolume?\\Windows\\System32\\wlanhlp.dll",
"\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\windowsperformancerecordercontrol.dll",
"\\Device\\HarddiskVolume?\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"
) or
file.path : (
"?:\\Windows\\System32\\wbemcomn.dll",
"?:\\Windows\\SysWOW64\\wbemcomn.dll",
"?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"?:\\Windows\\System32\\wlanhlp.dll"
"?:\\Windows\\System32\\wlanhlp.dll",
"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\wbemcomn.dll",
"\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"
)
)
)