execution_embedded_script_execution_via_shortcut_file.yml
name: Embedded script execution via shortcut file
id: 2d94a68b-03fe-4ece-9a99-f4de8ff7261d
version: 1.0.1
description: |
  Detects execution of embedded scripts delivered via Windows shortcut (.lnk) files.
  Adversaries chain three steps: the shortcut file is read by a scripting or command
  interpreter (the shortcut's own command line can carve a script appended to the
  .lnk out of the file), a payload is written to a user-writable location, and a
  script host or other interpreter is then spawned to run it.
labels:
  tactic.id: TA0002
  tactic.name: Execution
  tactic.ref: https://attack.mitre.org/tactics/TA0002/
  technique.id: T1204
  technique.name: User Execution
  technique.ref: https://attack.mitre.org/techniques/T1204/
  subtechnique.id: T1204.002
  subtechnique.name: Malicious File
  subtechnique.ref: https://attack.mitre.org/techniques/T1204/002/
references:
  - https://unit42.paloaltonetworks.com/lnk-malware/
  - https://github.com/knight0x07/Lnk2Vbs/blob/main/lnk2vbs.py
condition: >
  sequence
  maxspan 1m
  by ps.sessionid
    |open_file and
      ps.name iin ('cmd.exe', 'findstr.exe', 'find.exe', 'powershell.exe', 'pwsh.exe') and
      file.path imatches '?:\\*.lnk'
    |
    |create_file and
      ps.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe') and
      file.path imatches
        (
          '?:\\Users\\*\\AppData\\Local\\*',
          '?:\\Users\\*\\AppData\\LocalLow\\*',
          '?:\\Users\\*\\AppData\\Roaming\\*',
          '?:\\Users\\Public\\*'
        ) and
      file.extension iin ('.exe', '.bat', '.com', '.scr', '.pif', '.dll', '.js', '.vbs', '.vbe', '.jse', '.wsf', '.wsh', '.hta', '.ps1', '.psm1', '.msi', '.msc', '.jar')
    |
    |spawn_process and
      ps.name iin
        (
          'wscript.exe',
          'mshta.exe',
          'powershell.exe',
          'pwsh.exe',
          'cmd.exe',
          'conhost.exe',
          'rundll32.exe',
          'regsvr32.exe',
          'forfiles.exe',
          'wmic.exe',
          'msbuild.exe',
          'java.exe',
          'javaw.exe',
          'mmc.exe',
          'cscript.exe',
          'installutil.exe',
          'scriptrunner.exe'
        )
    |
action:
  - name: kill
severity: high
min-engine-version: 3.0.0
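To see what the three-stage `sequence` above actually requires before it fires, here is the same logic replayed in Python over a handful of constructed events. This is an added example, not Fibratus code: the `Event` record, the stage predicates, the `fnmatch`-based approximation of `imatches`, and the sample event stream are all assumptions made for illustration. It shows the intended .lnk chain matching, a benign shortcut open in another session not matching, and an otherwise identical chain being dropped because its final stage lands outside `maxspan 1m`.

```python
"""Replay of the rule's three-stage sequence over constructed events.

Added example, not Fibratus code: Event, the stage predicates, the sample
events and the fnmatch-based imatches() approximation are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

MAXSPAN_SECONDS = 60  # "maxspan 1m" in the rule

# Process, path and extension sets copied from the rule's three stages.
STAGE1_PROCS = {"cmd.exe", "findstr.exe", "find.exe", "powershell.exe", "pwsh.exe"}
STAGE2_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
STAGE2_PATHS = (
    r"?:\users\*\appdata\local\*",
    r"?:\users\*\appdata\locallow\*",
    r"?:\users\*\appdata\roaming\*",
    r"?:\users\public\*",
)
STAGE2_EXTS = {".exe", ".bat", ".com", ".scr", ".pif", ".dll", ".js", ".vbs", ".vbe",
               ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".psm1", ".msi", ".msc", ".jar"}
STAGE3_PROCS = {"wscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "conhost.exe", "rundll32.exe", "regsvr32.exe", "forfiles.exe", "wmic.exe",
                "msbuild.exe", "java.exe", "javaw.exe", "mmc.exe", "cscript.exe",
                "installutil.exe", "scriptrunner.exe"}


@dataclass(frozen=True)
class Event:
    """Stand-in for a kernel event (assumed shape): seconds, kind, session, image, path."""
    ts: float
    kind: str          # open_file | create_file | spawn_process
    sessionid: int
    ps_name: str
    file_path: str = ""


def imatches(path: str, patterns) -> bool:
    """Case-insensitive wildcard match: '?' is one char, '*' any run, backslashes literal."""
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)


def extension(path: str) -> str:
    """Lower-cased extension of the last path component, '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def stage1(e: Event) -> bool:  # interpreter reads a .lnk anywhere on a drive
    return (e.kind == "open_file" and e.ps_name.lower() in STAGE1_PROCS
            and imatches(e.file_path, (r"?:\*.lnk",)))


def stage2(e: Event) -> bool:  # interpreter drops an executable/script under a user-writable dir
    return (e.kind == "create_file" and e.ps_name.lower() in STAGE2_PROCS
            and imatches(e.file_path, STAGE2_PATHS)
            and extension(e.file_path) in STAGE2_EXTS)


def stage3(e: Event) -> bool:  # a script host or other LOLBin is spawned
    return e.kind == "spawn_process" and e.ps_name.lower() in STAGE3_PROCS


def _first_chain(evs, maxspan):
    """First ordered (e1, e2, e3) in one session with e3.ts - e1.ts <= maxspan, else None."""
    for i, e1 in enumerate(evs):
        if not stage1(e1):
            continue
        for j in range(i + 1, len(evs)):
            e2 = evs[j]
            if e2.ts - e1.ts > maxspan:
                break  # events are time-sorted; nothing later can fit the window
            if not stage2(e2):
                continue
            for e3 in evs[j + 1:]:
                if e3.ts - e1.ts > maxspan:
                    break
                if stage3(e3):
                    return (e1, e2, e3)
    return None


def match_sequence(events, maxspan=MAXSPAN_SECONDS):
    """Group 'by ps.sessionid' and return [(sessionid, (e1, e2, e3)), ...] for matching sessions."""
    by_session = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_session.setdefault(e.sessionid, []).append(e)
    hits = []
    for sid, evs in sorted(by_session.items()):
        chain = _first_chain(evs, maxspan)
        if chain:
            hits.append((sid, chain))
    return hits


def detect(events):
    """Session ids the rule would alert on (and whose process the rule's action would kill)."""
    return [sid for sid, _ in match_sequence(events)]


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    # Session 7: the chain the rule targets. cmd.exe reads the shortcut, writes a .vbs
    # under AppData\Local and wscript.exe starts, all within two seconds.
    Event(0.0, "open_file", 7, "cmd.exe", r"C:\Users\alice\Downloads\Invoice.lnk"),
    Event(1.5, "create_file", 7, "cmd.exe", r"C:\Users\alice\AppData\Local\Temp\upd.vbs"),
    Event(2.0, "spawn_process", 7, "wscript.exe"),
    # Session 8: benign. PowerShell opens a shortcut, writes a .txt, launches notepad.
    Event(10.0, "open_file", 8, "powershell.exe", r"C:\Users\bob\Desktop\Tools.lnk"),
    Event(11.0, "create_file", 8, "powershell.exe", r"C:\Users\bob\AppData\Roaming\notes.txt"),
    Event(12.0, "spawn_process", 8, "notepad.exe"),
    # Session 9: same shape as 7, but the spawn comes 90 s after the .lnk read (> maxspan).
    Event(100.0, "open_file", 9, "cmd.exe", r"C:\Users\carol\Downloads\Report.lnk"),
    Event(101.0, "create_file", 9, "cmd.exe", r"C:\Users\Public\run.bat"),
    Event(190.0, "spawn_process", 9, "cmd.exe"),
]

if __name__ == "__main__":
    for sid, (e1, e2, e3) in match_sequence(SAMPLE_EVENTS):
        print(f"session {sid}: {e1.ps_name} read {e1.file_path} -> "
              f"wrote {e2.file_path} -> spawned {e3.ps_name}")
```

Running it reports only session 7. Two points the replay makes concrete: the window is anchored on the .lnk open, so a payload that waits longer than a minute before launching (session 9) needs a second rule or a wider `maxspan`, and the middle stage matches on destination and extension only, so a dropped file with a non-listed extension (session 8) never completes the chain even if something later executes it.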