Skip to content

Commit ba64664

Browse files
committed
migrate from deprecated filter fields, expand rundll32.exe proxy execution command line matches
1 parent 51bfb3c commit ba64664

4 files changed

Lines changed: 25 additions & 19 deletions

rules/credential_access_credentials_from_password_stores.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -127,9 +127,9 @@
127127
condition: >
128128
spawn_process
129129
and
130-
ps.sibling.name ~= 'VaultCmd.exe'
130+
ps.child.name ~= 'VaultCmd.exe'
131131
and
132-
ps.sibling.args
132+
ps.child.args
133133
in
134134
(
135135
'"/listcreds:Windows Credentials"',
@@ -148,9 +148,9 @@
148148
condition: >
149149
spawn_process
150150
and
151-
ps.sibling.name ~= 'rundll32.exe'
151+
ps.child.name ~= 'rundll32.exe'
152152
and
153-
(ps.sibling.args iin ('keymgr.dll') and ps.sibling.args iin ('KRShowKeyMgr'))
153+
(ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
154154
action: >
155155
{{
156156
emit

rules/credential_access_os_credential_dumping.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,8 @@
5454
not
5555
ps.exe imatches
5656
(
57-
'?:\\Windows\\System32\\lsass.exe'
57+
'?:\\Windows\\System32\\lsass.exe',
58+
'?:\\Windows\\System32\\Taskmgr.exe'
5859
)
5960
action: >
6061
{{
@@ -92,7 +93,7 @@
9293
and
9394
ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS')
9495
and
95-
ps.sibling.name ~= 'lsass.exe'
96+
kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
9697
and
9798
not
9899
ps.exe imatches
@@ -144,19 +145,18 @@
144145
condition: >
145146
sequence
146147
maxspan 2m
147-
by ps.pid
148148
|spawn_process
149149
and
150-
ps.name in
150+
ps.child.name in
151151
(
152152
'WerFault.exe',
153153
'WerFaultSecure.exe'
154154
)
155-
|
155+
| by ps.child.uuid
156156
|write_minidump_file
157157
and
158158
file.name icontains 'lsass'
159-
|
159+
| by ps.uuid
160160
action: >
161161
{{
162162
emit

rules/defense_evasion_system_binary_proxy_execution.yml

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -17,20 +17,26 @@
1717
subtechnique.ref: https://attack.mitre.org/techniques/T1218/011/
1818
rules:
1919
- name: System Binary Proxy Execution via Rundll32
20+
description: |
21+
Detects the execution of rundll32.exe process with suspicious command line
22+
followed by the creation of a child process which would probably unleash
23+
nefarious actions in the system.
2024
condition: >
2125
sequence
2226
maxspan 1m
2327
|spawn_process
2428
and
25-
ps.sibling.name ~= 'rundll32.exe'
29+
ps.child.name ~= 'rundll32.exe'
2630
and
27-
ps.sibling.comm imatches
31+
ps.child.cmdline imatches
2832
(
2933
'*javascript:*',
34+
'*vbscript:*',
3035
'*shell32.dll*ShellExec_RunDLL*',
31-
'*-sta*'
36+
'*-sta*',
37+
'*RunHTMLApplication*',
3238
)
33-
| by ps.sibling.pid
39+
| by ps.child.pid
3440
|spawn_process| by ps.pid
3541
action: >
3642
{{
@@ -55,21 +61,21 @@
5561
rules:
5662
- name: Regsvr32 scriptlet execution
5763
description: |
58-
Identifies the exection of a scriptlet file by regsvr32.exe process. Regsvr32
64+
Identifies the execution of a scriptlet file by regsvr32.exe process. Regsvr32
5965
is usually abused by adversaries to execute malicious payloads without triggering
6066
AV product alerts.
6167
condition: >
6268
spawn_process
6369
and
64-
ps.sibling.name ~= 'regsvr32.exe'
70+
ps.child.name ~= 'regsvr32.exe'
6571
and
6672
(
67-
ps.sibling.comm imatches
73+
ps.child.cmdline imatches
6874
(
6975
'*scrobj*'
7076
)
7177
and
72-
ps.sibling.comm imatches
78+
ps.child.cmdline imatches
7379
(
7480
'*/i:*',
7581
'*-i:*',

rules/initial_access_phishing.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@
2828
|spawn_process
2929
and
3030
ps.name iin msoffice_binaries
31-
| by ps.sibling.exe
31+
| by ps.child.exe
3232
action: >
3333
{{
3434
emit . "File execution via Microsoft Office process" ""

0 commit comments

Comments
 (0)