# execution_process_execution_from_compressed_file_via_explorer.yml
name: Process execution from compressed file via Explorer
id: e4f373a0-1fe3-42a5-bca6-b465e930713f
version: 1.0.0
description: |
  Detects child processes commonly used for code execution that are spawned
  from compressed files when initiated from Windows Explorer. Adversaries can
  leverage archives to deliver malicious executables and scripts for execution.
labels:
  tactic.id: TA0002
  tactic.name: Execution
  tactic.ref: https://attack.mitre.org/tactics/TA0002/
  technique.id: T1204
  technique.name: User Execution
  technique.ref: https://attack.mitre.org/techniques/T1204/
  subtechnique.id: T1204.002
  subtechnique.name: Malicious File
  subtechnique.ref: https://attack.mitre.org/techniques/T1204/002/
condition: >
  spawn_process and (ps.parent.name ~= 'explorer.exe' or ps.ancestor iin ('explorer.exe')) and
  thread.callstack.summary imatches
    (
      '*zipfldr.dll*',
      'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|7z*.exe|*',
      'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|WinRar.exe|*'
    ) and
  (ps.name iin
    (
      'rundll32.exe',
      'regsvr32.exe',
      'wscript.exe',
      'cscript.exe',
      'certutil.exe',
      'cmstp.exe',
      'mshta.exe',
      'msxsl.exe',
      'RegAsm.exe',
      'installutil.exe',
      'powershell.exe',
      'cmd.exe',
      'msbuild.exe',
      'AppLaunch.exe',
      'AddInUtil.exe',
      'AddInProcess.exe'
    ) or
  ps.pe.file.name iin
    (
      'rundll32.exe',
      'regsvr32.exe',
      'wscript.exe',
      'cscript.exe',
      'certutil.exe',
      'cmstp.exe',
      'mshta.exe',
      'msxsl.exe',
      'RegAsm.exe',
      'installutil.exe',
      'powershell.exe',
      'cmd.exe',
      'msbuild.exe',
      'AppLaunch.exe',
      'AddInUtil.exe',
      'AddInProcess.exe'
    )
  )
action:
  - name: kill
output: >
  Suspicious process %ps.exe executed from compressed file via Windows Explorer
severity: high
min-engine-version: 3.0.0
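# The condition above, replayed over a few constructed spawn events, as an added
# example written for this page (Python; it is not Fibratus code and does not use
# its filter engine). It assumes a simplified event shape: the callstack summary
# is a pipe-joined list of module names as in the rule's patterns, `ps.ancestor`
# is a list of ancestor image names, and `ps.pe.file.name` is the original file
# name from the PE version resource. The events are constructed, not captured.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Image names the rule treats as execution proxies (same list as ps.name / ps.pe.file.name).
EXEC_PROXIES = {
    'rundll32.exe', 'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'certutil.exe',
    'cmstp.exe', 'mshta.exe', 'msxsl.exe', 'RegAsm.exe', 'installutil.exe',
    'powershell.exe', 'cmd.exe', 'msbuild.exe', 'AppLaunch.exe', 'AddInUtil.exe',
    'AddInProcess.exe',
}

# Callstack patterns from the rule: Explorer's built-in zip folder handler, or a
# 7-Zip / WinRAR frame sitting directly above the Windows storage layer.
CALLSTACK_PATTERNS = [
    '*zipfldr.dll*',
    'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|7z*.exe|*',
    'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|WinRar.exe|*',
]


@dataclass
class SpawnEvent:
    """Assumed minimal shape of a process-creation event (not the Fibratus event model)."""
    ps_name: str                      # image name on disk
    ps_pe_file_name: str              # original file name from the PE version info (assumption)
    parent_name: str
    callstack_summary: str            # pipe-joined module names (assumption)
    ancestors: list[str] = field(default_factory=list)


def imatches_any(value: str, patterns: list[str]) -> bool:
    """Case-insensitive glob match against a tuple of patterns (the rule's `imatches`)."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def iin(value: str, names: set[str]) -> bool:
    """Case-insensitive set membership (the rule's `iin`)."""
    return value.lower() in {n.lower() for n in names}


def rule_matches(ev: SpawnEvent) -> bool:
    """Evaluate the three conjuncts of the rule's condition for one spawn event."""
    from_explorer = (ev.parent_name.lower() == 'explorer.exe'
                     or any(a.lower() == 'explorer.exe' for a in ev.ancestors))
    via_archive = imatches_any(ev.callstack_summary, CALLSTACK_PATTERNS)
    # Checking the PE original name as well catches a proxy binary that was renamed.
    exec_proxy = iin(ev.ps_name, EXEC_PROXIES) or iin(ev.ps_pe_file_name, EXEC_PROXIES)
    return from_explorer and via_archive and exec_proxy


# Constructed sample events: two archive-backed launches that should fire, a renamed
# proxy, a benign launch from a plain folder, and a non-proxy opened from a zip.
SAMPLE_EVENTS = [
    SpawnEvent('wscript.exe', 'wscript.exe', 'explorer.exe',
               'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|zipfldr.dll|shell32.dll|explorer.exe'),
    SpawnEvent('update.exe', 'mshta.exe', 'explorer.exe',
               'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|7zFM.exe|7zFM.exe'),
    SpawnEvent('cmd.exe', 'cmd.exe', 'explorer.exe',
               'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|explorer.exe'),
    SpawnEvent('notepad.exe', 'notepad.exe', 'explorer.exe',
               'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|zipfldr.dll|shell32.dll|explorer.exe'),
    SpawnEvent('powershell.exe', 'powershell.exe', 'WinRar.exe',
               'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|WinRar.exe|WinRar.exe',
               ancestors=['WinRar.exe', 'explorer.exe']),
]


def evaluate(events: list[SpawnEvent]) -> list[tuple[str, bool]]:
    """Return (image name, matched) for each event so the verdicts can be inspected."""
    return [(ev.ps_name, rule_matches(ev)) for ev in events]


if __name__ == '__main__':
    for name, hit in evaluate(SAMPLE_EVENTS):
        print(f'{name:16} -> {"ALERT" if hit else "ok"}')
```

The second event shows why the rule checks `ps.pe.file.name` in addition to `ps.name`: a copy of mshta.exe saved under a neutral name still carries its original file name in the PE resource, so the rename alone does not evade the match. The last event exercises the `ps.ancestor` clause: the direct parent is the archiver, and Explorer only appears further up the chain.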