diff --git a/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
new file mode 100644
index 000000000..efa14d313
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
@@ -0,0 +1,53 @@
+title: Uncommon Child Process Of Appvlp.EXE
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+status: test
+description: 'Detects uncommon child processes of Appvlp.EXE
+
+ Appvlp or the Application Virtualization Utility is included with Microsoft Office.
+ Attackers are able to abuse "AppVLP" to execute shell commands.
+
+ Normally, this binary is used for Application Virtualization, but it can also
+ be abused to circumvent the ASR file path rule folder
+
+ or to mark a file as a system file.
+
+ '
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
+author: Sreeman
+date: 2020/03/13
+modified: 2023/11/09
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \appvlp.exe
+ filter_main_generic:
+ NewProcessName|endswith:
+ - :\Windows\SysWOW64\rundll32.exe
+ - :\Windows\System32\rundll32.exe
+ filter_optional_office_msoasb:
+ NewProcessName|contains: :\Program Files\Microsoft Office
+ NewProcessName|endswith: \msoasb.exe
+ filter_optional_office_skype:
+ NewProcessName|contains|all:
+ - :\Program Files\Microsoft Office
+ - \SkypeSrv\
+ NewProcessName|endswith: \SKYPESERVER.EXE
+ filter_optional_office_msouc:
+ NewProcessName|contains: :\Program Files\Microsoft Office
+ NewProcessName|endswith: \MSOUC.EXE
+ condition: process_creation and (selection and not 1 of filter_main_* and not
+ 1 of filter_optional_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
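Review bot: The Office allow-list filters `filter_optional_office_msoasb`, `filter_optional_office_skype` and `filter_optional_office_msouc` only match `:\Program Files\Microsoft Office`, so the same Office helpers spawned from a 32-bit install under `Program Files (x86)` are not filtered and will alert; where such installs exist this is a false-positive source rather than a detection gap. For the two single-value filters the fix is a list, `NewProcessName|contains:` / `- :\Program Files\Microsoft Office` / `- :\Program Files (x86)\Microsoft Office`; the skype filter uses `contains|all`, so its Program Files value would have to move into a separate `contains` list beside the `\SkypeSrv\` requirement. Whether the appvlp-launched helpers actually live under the (x86) tree is inferred from the path layout, not shown here.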
diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml
index c92b54750..130a6a474 100644
--- a/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml
@@ -1,4 +1,4 @@
-title: File Download From Browser Process Via Inline Link
+title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to
@@ -10,7 +10,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/11
-modified: 2023/04/06
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
@@ -29,14 +29,16 @@ detection:
- \opera.exe
- \vivaldi.exe
selection_http:
- CommandLine|contains: ' http'
- selection_ext:
- CommandLine|contains:
+ CommandLine|contains: http
+ selection_extensions:
+ CommandLine|endswith:
+ - .7z
- .dat
- .dll
- .exe
- .hta
- .ps1
+ - .psm1
- .txt
- .vbe
- .vbs
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_calc.yml b/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml
similarity index 62%
rename from sigma/builtin/process_creation/proc_creation_win_susp_calc.yml
rename to sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml
index e2109cfa2..fce7ddb5d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_calc.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml
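Review bot: `selection_extensions` switched to `CommandLine|endswith`, so a URL argument the browser receives wrapped in double quotes ends in `"` rather than in the extension and no longer matches, whereas the old `contains` form still caught it; if quoted arguments are expected, add the quoted variants (for example `- .exe"` and `- .ps1"`) or keep a `contains` selection with the extension followed by a closing quote. Dropping the leading space from `CommandLine|contains: http` also widens `selection_http` to the substring anywhere in the command line, including inside a local path; if that is meant to catch `--app=http…` style arguments, a short comment on the selection would make the choice clear. The rest of the `detection` block, including the browser image selection, is outside the hunk.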
@@ -1,13 +1,16 @@
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
-description: Detects suspicious use of 'calc.exe' with command line parameters or
- in a suspicious directory, which is likely caused by some PoC or detection evasion
+description: 'Detects suspicious use of ''calc.exe'' with command line parameters
+ or in a suspicious directory, which is likely caused by some PoC or detection
+ evasion.
+
+ '
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019/02/09
-modified: 2022/11/07
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1036
@@ -22,12 +25,12 @@ detection:
CommandLine|contains: '\calc.exe '
selection_2:
NewProcessName|endswith: \calc.exe
- filter_2:
- NewProcessName|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- - C:\Windows\WinSxS\
- condition: process_creation and (selection_1 or ( selection_2 and not filter_2
+ filter_main_known_locations:
+ NewProcessName|contains:
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ - :\Windows\WinSxS\
+ condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations
))
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ieexec_download.yml b/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
similarity index 78%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_ieexec_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
index 8289cfc15..5e21959f6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ieexec_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
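Review bot: `filter_main_known_locations` now uses `contains`, so any `NewProcessName` with `:\Windows\System32\` or `:\Windows\SysWOW64\` anywhere in it is excluded, including a `calc.exe` sitting in a subdirectory of those folders, which the old `startswith` on the directory prefix equally allowed; only WinSxS needs substring matching because of its versioned subfolders. Consider `NewProcessName|endswith:` with `- :\Windows\System32\calc.exe` and `- :\Windows\SysWOW64\calc.exe` for the first two entries and a separate `filter_main_winsxs` keeping `contains: :\Windows\WinSxS\`, with the condition changed to `not 1 of filter_main_*`. `selection_1` and the start of the `detection` block are above the hunk.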
@@ -1,11 +1,12 @@
-title: Abusing IEExec To Download Payloads
+title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
-description: Detects execution of the IEExec utility to download payloads
+description: Detects execution of the IEExec utility to download and execute files
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/16
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
@@ -16,14 +17,14 @@ detection:
process_creation:
EventID: 4688
Channel: Security
- lolbas:
+ selection_img:
- NewProcessName|endswith: \IEExec.exe
- OriginalFileName: IEExec.exe
- remote:
+ selection_cli:
CommandLine|contains:
- - https://
- http://
- condition: process_creation and (lolbas and remote)
+ - https://
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml b/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml
new file mode 100644
index 000000000..9664b4e08
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml
@@ -0,0 +1,35 @@
+title: Arbitrary File Download Via IMEWDBLD.EXE
+id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+related:
+ - id: 8d7e392e-9b28-49e1-831d-5949c6281228
+ type: derived
+status: experimental
+description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
+ - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \IMEWDBLD.exe
+ - OriginalFileName: imewdbld.exe
+ selection_cli:
+ CommandLine|contains:
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_installutil_download.yml b/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml
similarity index 75%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_installutil_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_installutil_download.yml
index a5aea39f4..72751bf79 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_installutil_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml
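Review bot: `selection_img` pairs `NewProcessName|endswith` with `OriginalFileName: imewdbld.exe`, but the Security 4688 event this rule is pinned to (`EventID: 4688`, `Channel: Security`) does not, as far as I know, carry an OriginalFileName field — that value comes from the PE version resource and is logged by Sysmon, not by the built-in audit. The entry is harmless because the two maps are OR-ed, yet it documents coverage the rule cannot deliver; the same pattern is added in the msedge_proxy, MpCmdRun, Excel DCOM and Electron proxy hunks of this commit. If these builtin rules are generated from Sysmon originals, either drop the `OriginalFileName` alternatives in the builtin variants or add a comment such as `# OriginalFileName is not populated by Security 4688; kept for parity with the Sysmon rule` so readers do not count on it.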
@@ -1,12 +1,15 @@
-title: Suspicious Execution of InstallUtil To Download
+title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
-description: Detects the use the .NET InstallUtil.exe application in order to download
- arbitrary files. The files will be written to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\
+description: 'Detects use of .NET InstallUtil.exe in order to download arbitrary files.
+ The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+
+ '
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -22,9 +25,9 @@ detection:
- OriginalFileName: InstallUtil.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_appvlp.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_appvlp.yml
deleted file mode 100644
index 6f418b0f4..000000000
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_appvlp.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Using AppVLP To Circumvent ASR File Path Rule
-id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
-status: test
-description: 'Application Virtualization Utility is included with Microsoft Office.
- We are able to abuse "AppVLP" to execute shell commands.
-
- Normally, this binary is used for Application Virtualization, but we can use it
- as an abuse binary to circumvent the ASR file path rule folder
-
- or to mark a file as a system file.
-
- '
-references:
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
-author: Sreeman
-date: 2020/03/13
-modified: 2022/12/29
-tags:
- - attack.t1218
- - attack.defense_evasion
- - attack.execution
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \appvlp.exe
- filter:
- NewProcessName|endswith:
- - \msoasb.exe
- - \rundll32.exe
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
similarity index 69%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
index 9b2a4b4ca..6cb992537 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
@@ -1,12 +1,13 @@
-title: Windows Defender Download Activity
+title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
-description: Detect the use of Windows Defender to download payloads
+description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020/09/04
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -19,16 +20,16 @@ detection:
process_creation:
EventID: 4688
Channel: Security
- selection1:
+ selection_img:
+ - OriginalFileName: MpCmdRun.exe
+ - NewProcessName|endswith: \MpCmdRun.exe
- CommandLine|contains: MpCmdRun.exe
- Description: Microsoft Malware Protection Command Line Utility
- selection2:
+ selection_cli:
CommandLine|contains|all:
- DownloadFile
- url
- condition: process_creation and (all of selection*)
-fields:
- - CommandLine
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml b/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml
new file mode 100644
index 000000000..99cd600d2
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml
@@ -0,0 +1,31 @@
+title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+id: e84d89c4-f544-41ca-a6af-4b92fd38b023
+status: experimental
+description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \msedge_proxy.exe
+ - OriginalFileName: msedge_proxy.exe
+ selection_cli:
+ CommandLine|contains:
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_msohtmed_download.yml b/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml
similarity index 85%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml
index e04b01967..906199966 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml
@@ -1,4 +1,4 @@
-title: Download Arbitrary Files Via MSOHTMED.EXE
+title: Arbitrary File Download Via MSOHTMED.EXE
id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
status: test
description: Detects usage of "MSOHTMED" to download arbitrary files
@@ -6,6 +6,7 @@ references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -22,10 +23,10 @@ detection:
- OriginalFileName: MsoHtmEd.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_mspub_download.yml b/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml
similarity index 93%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_mspub_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_mspub_download.yml
index 1855e5ac1..d89510b41 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_mspub_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml
@@ -24,10 +24,10 @@ detection:
- OriginalFileName: MSPUB.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml b/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml
new file mode 100644
index 000000000..84e98dff0
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml
@@ -0,0 +1,34 @@
+title: Msxsl.EXE Execution
+id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
+status: test
+description: 'Detects the execution of the MSXSL utility. This can be used to execute
+ Extensible Stylesheet Language (XSL) files. These files are commonly used to describe
+ the processing and rendering of data within XML files.
+
+ Adversaries can abuse this functionality to execute arbitrary files while potentially
+ bypassing application whitelisting defenses.
+
+ '
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith: \msxsl.exe
+ condition: process_creation and selection
+falsepositives:
+ - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml b/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml
new file mode 100644
index 000000000..03f13fc96
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml
@@ -0,0 +1,28 @@
+title: Remote XSL Execution Via Msxsl.EXE
+id: 75d0a94e-6252-448d-a7be-d953dff527bb
+status: experimental
+description: Detects the execution of the "msxsl" binary with an "http" keyword in
+ the command line. This might indicate a potential remote execution of XSL files.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: http
+ NewProcessName|endswith: \msxsl.exe
+ condition: process_creation and selection
+falsepositives:
+ - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
new file mode 100644
index 000000000..dbeffa9d3
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
@@ -0,0 +1,39 @@
+title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
+id: 551d9c1f-816c-445b-a7a6-7a3864720d60
+status: experimental
+description: 'Detects suspicious child processes of Excel which could be an indicator
+ of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
+
+ '
+references:
+ - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+ - https://github.com/grayhatkiller/SharpExShell
+ - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
+author: Aaron Stratton
+date: 2023/11/13
+tags:
+ - attack.t1021.003
+ - attack.lateral_movement
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentProcessName|endswith: \excel.exe
+ selection_child:
+ - OriginalFileName:
+ - foxprow.exe
+ - schdplus.exe
+ - winproj.exe
+ - NewProcessName|endswith:
+ - \foxprow.exe
+ - \schdplus.exe
+ - \winproj.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost_download.yml b/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml
similarity index 86%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml
index 6f2d02d84..7adf04885 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml
@@ -1,4 +1,4 @@
-title: Download Arbitrary Files Via PresentationHost.exe
+title: Arbitrary File Download Via PresentationHost.EXE
id: b124ddf4-778d-418e-907f-6dd3fc0d31cd
status: test
description: Detects usage of "PresentationHost" which is a utility that runs ".xbap"
@@ -7,6 +7,7 @@ references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -26,7 +27,7 @@ detection:
- http://
- https://
- ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost.yml b/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
similarity index 61%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost.yml
rename to sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
index f4ed131ab..a84d0b148 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_presentationhost.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
@@ -1,13 +1,16 @@
-title: Application Whitelisting Bypass via PresentationHost.exe
+title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
-description: Detects usage of "PresentationHost" which is a utility that runs ".xbap"
- (Browser Applications) files. It can be abused to run malicious ".xbap" files
- any bypass AWL
+description: 'Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE
+ from an uncommon location. These files can be abused to run malicious ".xbap"
+ files any bypass AWL
+
+ '
references:
- https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/01
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -24,11 +27,11 @@ detection:
- OriginalFileName: PresentationHost.exe
selection_cli:
CommandLine|contains: .xbap
- filter:
+ filter_main_generic:
CommandLine|contains:
- - C:\Windows\
- - C:\Program Files
- condition: process_creation and (all of selection* and not filter)
+ - ' C:\Windows\'
+ - ' C:\Program Files'
+ condition: process_creation and (all of selection* and not 1 of filter_main_*)
falsepositives:
- Legitimate ".xbap" being executed via "PresentationHost"
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml
similarity index 70%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml
index 4193934bf..63e5913d2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml
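Review bot: `filter_main_generic` only matches an unquoted argument: the leading space in `' C:\Windows\'` and `' C:\Program Files'` is presumably there so the filter does not hit the PresentationHost image path at the start of the command line, but a quoted argument begins with `"` rather than a space, so legitimate `.xbap` launches with quoted paths from those folders still alert. Adding `- ' "C:\Windows\'` and `- ' "C:\Program Files'` covers that case without matching the image path, and the reason for the leading space deserves a comment such as `# leading space: match the argument, not the PresentationHost image path`. The hard-coded `C:` also differs from the drive-agnostic `:\Windows\` form adopted in the calc and Squirrel hunks of this commit, which the space prefix makes unavoidable here and is worth stating in the same comment. Separately, the new description keeps the wording `files any bypass AWL`, which reads as a typo for `and bypass AWL`.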
@@ -1,14 +1,16 @@
title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
-description: Detects usage of "ProtocolHandler" to download files. Downloaded files
+description: 'Detects usage of "ProtocolHandler" to download files. Downloaded files
will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+
+ '
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021/07/13
-modified: 2022/12/31
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -22,13 +24,12 @@ detection:
selection_img:
- NewProcessName|endswith: \protocolhandler.exe
- OriginalFileName: ProtocolHandler.exe
- selection_cli_1:
- CommandLine|contains|all:
- - '"ms-word'
- - .docx"
- selection_cli_2:
- CommandLine|contains: ' http'
- condition: process_creation and (selection_img and 1 of selection_cli_*)
+ selection_cli:
+ CommandLine|contains:
+ - ftp://
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml b/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml
new file mode 100644
index 000000000..1dd87ac4f
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml
@@ -0,0 +1,49 @@
+title: Arbitrary File Download Via Squirrel.EXE
+id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
+related:
+ - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
+ type: similar
+ - id: fa4b21c9-0057-4493-b289-2556416ae4d7
+ type: obsoletes
+status: experimental
+description: 'Detects the usage of the "Squirrel.exe" to download arbitrary files.
+ This binary is part of multiple Electron based software installations (Slack,
+ Teams, Discord, etc.)
+
+ '
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
+ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan
+ Ribeiro, oscd.community
+date: 2022/06/09
+modified: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ NewProcessName|endswith:
+ - \squirrel.exe
+ - \update.exe
+ selection_download_cli:
+ CommandLine|contains:
+ - ' --download '
+ - ' --update '
+ - ' --updateRollback='
+ selection_download_http_keyword:
+ CommandLine|contains: http
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Expected FP with some Electron based applications such as (1Clipboard, Beaker
+ Browser, Caret, Discord, GitHub Desktop, etc.)
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_squirrel.yml b/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml
similarity index 68%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_squirrel.yml
rename to sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml
index 3f69d9733..66a8bc473 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_squirrel.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml
@@ -1,11 +1,16 @@
-title: Use of Squirrel.exe
+title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
+ - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
+ type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsoletes
status: experimental
-description: Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary
- is part of multiple software installations (Slack, Teams, Discord, etc.)
+description: 'Detects the usage of the "Squirrel.exe" binary to execute arbitrary
+ processes. This binary is part of multiple Electron based software installations
+ (Slack, Teams, Discord, etc.)
+
+ '
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
@@ -13,7 +18,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan
Ribeiro, oscd.community
date: 2022/06/09
-modified: 2023/03/22
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -29,52 +34,44 @@ detection:
NewProcessName|endswith:
- \squirrel.exe
- \update.exe
- selection_download_cli:
- CommandLine|contains:
- - ' --download '
- - ' --update '
- - ' --updateRollback='
- selection_download_http_keyword:
- CommandLine|contains: http
selection_exec:
CommandLine|contains:
- --processStart
- --processStartAndWait
- --createShortcut
- filter_discord:
+ filter_optional_discord:
CommandLine|contains|all:
- - C:\Users\
+ - :\Users\
- \AppData\Local\Discord\Update.exe
- ' --processStart'
- Discord.exe
- filter_github_desktop:
+ filter_optional_github_desktop:
CommandLine|contains|all:
- - C:\Users\
+ - :\Users\
- \AppData\Local\GitHubDesktop\Update.exe
- GitHubDesktop.exe
CommandLine|contains:
- --createShortcut
- --processStartAndWait
- filter_teams:
+ filter_optional_teams:
CommandLine|contains|all:
- - C:\Users\
+ - :\Users\
- \AppData\Local\Microsoft\Teams\Update.exe
- Teams.exe
CommandLine|contains:
- --processStart
- --createShortcut
- filter_yammer:
+ filter_optional_yammer:
CommandLine|contains|all:
- - C:\Users\
+ - :\Users\
- \AppData\Local\yammerdesktop\Update.exe
- Yammer.exe
CommandLine|contains:
- --processStart
- --createShortcut
- condition: process_creation and (selection_img and (all of selection_download_*
- or selection_exec) and not 1 of filter_*)
+ condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
falsepositives:
- - Expected FP with some electron based applications such as (1Clipboard, Beaker
- Browser, Caret, Discord, GitHub Desktop,...Etc)
+ - Expected FP with some Electron based applications such as (1Clipboard, Beaker
+ Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
index aacce7898..d1921ba44 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
@@ -16,6 +16,7 @@ references:
- https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/05
+modified: 2023/11/09
tags:
- attack.execution
logsource:
@@ -25,24 +26,38 @@ detection:
process_creation:
EventID: 4688
Channel: Security
- selection:
+ selection_img:
+ - NewProcessName|endswith:
+ - \chrome.exe
+ - \code.exe
+ - \discord.exe
+ - \GitHubDesktop.exe
+ - \keybase.exe
+ - \msedge_proxy.exe
+ - \msedge.exe
+ - \msedgewebview2.exe
+ - \msteams.exe
+ - \slack.exe
+ - \Teams.exe
+ - OriginalFileName:
+ - chrome.exe
+ - code.exe
+ - discord.exe
+ - GitHubDesktop.exe
+ - keybase.exe
+ - msedge_proxy.exe
+ - msedge.exe
+ - msedgewebview2.exe
+ - msteams.exe
+ - slack.exe
+ - Teams.exe
+ selection_cli:
CommandLine|contains:
- --browser-subprocess-path
- --gpu-launcher
- --renderer-cmd-prefix
- --utility-cmd-prefix
- NewProcessName|endswith:
- - \chrome.exe
- - \code.exe
- - \discord.exe
- - \GitHubDesktop.exe
- - \keybase.exe
- - \msedge.exe
- - \msedgewebview2.exe
- - \msteams.exe
- - \slack.exe
- - \Teams.exe
- condition: process_creation and selection
+ condition: process_creation and (all of selection_*)
falsepositives:
- Legitimate usage for debugging purposes
level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
new file mode 100644
index 000000000..ec151f422
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
@@ -0,0 +1,36 @@
+title: Potential File Download Via MS-AppInstaller Protocol Handler
+id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
+related:
+ - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
+ type: derived
+status: experimental
+description: 'Detects usage of the "ms-appinstaller" protocol handler via command
+ line to potentially download arbitrary files via AppInstaller.EXE
+
+ The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
+
+ '
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - ms-appinstaller://?source=
+ - http
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index 81dfe5b1b..eab4f5e90 100644
--- a/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
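Review bot: The `related` entry marks this rule as `derived` from 7cff77e1-9663-46a3-8260-17f2e1aa9d0a, while the hunk at L23 marks that rule as `derived` from this one; the same mutual pair appears between the IMEWDBLD rules at L24 and L29. In the Sigma `related` taxonomy `derived` is directional (the referring rule was built from the referenced one), so one side of each pair should read `type: similar` rather than both claiming derivation. Separately, the description has a typo: `temporarly` should be `temporarily`.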
@@ -1,15 +1,21 @@
-title: XSL Script Processing
+title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: test
-description: Extensible Stylesheet Language (XSL) files are commonly used to describe
- the processing and rendering of data within XML files. Rule detects when adversaries
- abuse this functionality to execute arbitrary files while potentially bypassing
- application whitelisting defenses.
+description: 'Detects the execution of WMIC with the "format" flag to potentially
+ load XSL files.
+
+ Adversaries abuse this functionality to execute arbitrary files while potentially
+ bypassing application whitelisting defenses.
+
+ Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
+ and rendering of data within XML files.
+
+ '
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019/10/21
-modified: 2023/04/21
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1220
@@ -20,14 +26,12 @@ detection:
process_creation:
EventID: 4688
Channel: Security
- selection_wmic:
+ selection:
CommandLine|contains:
- /format
- -format
NewProcessName|endswith: \wmic.exe
- selection_msxsl:
- NewProcessName|endswith: \msxsl.exe
- false_positives:
+ filter_main_known_format:
CommandLine|contains:
- Format:List
- Format:htable
@@ -38,11 +42,10 @@ detection:
- Format:rawxml
- Format:xml
- Format:csv
- condition: process_creation and ((selection_wmic and not false_positives) or selection_msxsl)
+ condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored
environment.
- - Msxsl.exe is not installed by default, so unlikely.
- Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
ruletype: Sigma
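Review bot: The `filter_main_known_format` values introduced in the second hunk (`Format:List`, `Format:htable`, ... through `Format:csv` in the third) are unanchored `CommandLine|contains` substrings, so any `/format:` argument whose value merely begins with one of the built-in format names is excluded together with the benign usage, which weakens the only exclusion the rule has. Anchor the match on the end of the token instead, for example `CommandLine|re: '(?i)[/-]format:(list|htable|...|rawxml|xml|csv)(\s|$)'` with the full name list, or keep `contains` but give each name both a trailing-space and an `endswith` variant. The value list is split across the second and third hunks, so the complete set is not visible in one place; also, the third hunk's falsepositives text is wrapped mid-sentence (`monitored` / `environment.`), which is fine for YAML but reads oddly in diffs.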
diff --git a/sigma/sysmon/dns_query/dns_query_win_lolbin_appinstaller.yml b/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml
similarity index 65%
rename from sigma/sysmon/dns_query/dns_query_win_lolbin_appinstaller.yml
rename to sigma/sysmon/dns_query/dns_query_win_appinstaller.yml
index 135f9c60b..cd1997c9a 100644
--- a/sigma/sysmon/dns_query/dns_query_win_lolbin_appinstaller.yml
+++ b/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml
@@ -1,14 +1,20 @@
-title: AppX Package Installation Attempts Via AppInstaller
+title: AppX Package Installation Attempts Via AppInstaller.EXE
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
+related:
+ - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
+ type: derived
status: test
-description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller"
- URI. It attempts to load/install a package from the referenced URL
+description: 'Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is
+ the default handler for the "ms-appinstaller" URI. It attempts to load/install
+ a package from the referenced URL
+
+ '
references:
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021/11/24
-modified: 2023/01/12
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
diff --git a/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml b/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
index 63ce2e7a0..943c118bf 100644
--- a/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
@@ -1,12 +1,17 @@
-title: Download a File with IMEWDBLD.exe
+title: Network Connection Initiated By IMEWDBLD.EXE
id: 8d7e392e-9b28-49e1-831d-5949c6281228
+related:
+ - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+ type: derived
status: test
-description: Use IMEWDBLD.exe (built-in to windows) to download a file
+description: Detects network connections initiated by IMEWDBLD. This might indicate
+ potential abuse to download arbitrary files via this utility
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: frack113
date: 2022/01/22
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
@@ -23,6 +28,6 @@ detection:
Image|endswith: \IMEWDBLD.exe
condition: network_connection and selection
falsepositives:
- - Legitimate script
+ - Unknown
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
new file mode 100644
index 000000000..789086c84
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
@@ -0,0 +1,54 @@
+title: Uncommon Child Process Of Appvlp.EXE
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+status: test
+description: 'Detects uncommon child processes of Appvlp.EXE
+
+ Appvlp or the Application Virtualization Utility is included with Microsoft Office.
+ Attackers are able to abuse "AppVLP" to execute shell commands.
+
+ Normally, this binary is used for Application Virtualization, but it can also
+ be abused to circumvent the ASR file path rule folder
+
+ or to mark a file as a system file.
+
+ '
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
+author: Sreeman
+date: 2020/03/13
+modified: 2023/11/09
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+ - attack.execution
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ ParentImage|endswith: \appvlp.exe
+ filter_main_generic:
+ Image|endswith:
+ - :\Windows\SysWOW64\rundll32.exe
+ - :\Windows\System32\rundll32.exe
+ filter_optional_office_msoasb:
+ Image|contains: :\Program Files\Microsoft Office
+ Image|endswith: \msoasb.exe
+ filter_optional_office_skype:
+ Image|contains|all:
+ - :\Program Files\Microsoft Office
+ - \SkypeSrv\
+ Image|endswith: \SKYPESERVER.EXE
+ filter_optional_office_msouc:
+ Image|contains: :\Program Files\Microsoft Office
+ Image|endswith: \MSOUC.EXE
+ condition: process_creation and (selection and not 1 of filter_main_* and not
+ 1 of filter_optional_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
index 5f89b7ba5..d5aacfa5c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
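Review bot: The three `filter_optional_office_*` exclusions use `Image|contains: :\Program Files\Microsoft Office`, which does not match 32-bit Office on 64-bit Windows, where the same binaries are installed under `:\Program Files (x86)\Microsoft Office\`; on those hosts the rule keeps alerting on exactly the child processes the filters are meant to suppress. For the two single-string filters make the value a list, `Image|contains: [':\Program Files\Microsoft Office', ':\Program Files (x86)\Microsoft Office']`; the `contains|all` Skype filter needs either a second filter block for the x86 root or a `|re` that covers both. The description still says "Attackers are able to abuse" without naming what the filters consider normal, so a short `falsepositives` entry for the Office helpers would also help tuning.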
@@ -1,4 +1,4 @@
-title: File Download From Browser Process Via Inline Link
+title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to
@@ -10,7 +10,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/11
-modified: 2023/04/06
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
@@ -30,14 +30,16 @@ detection:
- \opera.exe
- \vivaldi.exe
selection_http:
- CommandLine|contains: ' http'
- selection_ext:
- CommandLine|contains:
+ CommandLine|contains: http
+ selection_extensions:
+ CommandLine|endswith:
+ - .7z
- .dat
- .dll
- .exe
- .hta
- .ps1
+ - .psm1
- .txt
- .vbe
- .vbs
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_calc.yml b/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
similarity index 63%
rename from sigma/sysmon/process_creation/proc_creation_win_susp_calc.yml
rename to sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
index 3192f7f03..bb8f456d0 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_calc.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
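Review bot: Switching `selection_extensions` to `CommandLine|endswith` assumes the URL is the last token and unquoted; a command line such as `"...\msedge.exe" "https://host/x.exe"` ends with `"`, and one with a trailing query string or fragment ends with neither, so the new form misses cases the previous `contains` caught. If `endswith` is kept for precision, add the quoted variants (`.exe"`, `.dll"`, ...) or use `CommandLine|re` with a pattern like `\.(7z|dat|dll|exe|hta|ps1|psm1|txt|vbe|vbs)["']?\s*$`. The `- \opera.exe` / `- \vivaldi.exe` lines this hunk opens with belong to a `selection_img` block that starts outside the hunk, and the extension list continues past its last visible line.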
@@ -1,13 +1,16 @@
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
-description: Detects suspicious use of 'calc.exe' with command line parameters or
- in a suspicious directory, which is likely caused by some PoC or detection evasion
+description: 'Detects suspicious use of ''calc.exe'' with command line parameters
+ or in a suspicious directory, which is likely caused by some PoC or detection
+ evasion.
+
+ '
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019/02/09
-modified: 2022/11/07
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1036
@@ -23,12 +26,12 @@ detection:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: \calc.exe
- filter_2:
- Image|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- - C:\Windows\WinSxS\
- condition: process_creation and (selection_1 or ( selection_2 and not filter_2
+ filter_main_known_locations:
+ Image|contains:
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ - :\Windows\WinSxS\
+ condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations
))
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ieexec_download.yml b/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml
similarity index 79%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_ieexec_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml
index 3c1606e65..a4d9abf0d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ieexec_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml
@@ -1,11 +1,12 @@
-title: Abusing IEExec To Download Payloads
+title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
-description: Detects execution of the IEExec utility to download payloads
+description: Detects execution of the IEExec utility to download and execute files
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/16
+modified: 2023/11/09
tags:
- attack.command_and_control
- attack.t1105
@@ -17,14 +18,14 @@ detection:
process_creation:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
- lolbas:
+ selection_img:
- Image|endswith: \IEExec.exe
- OriginalFileName: IEExec.exe
- remote:
+ selection_cli:
CommandLine|contains:
- - https://
- http://
- condition: process_creation and (lolbas and remote)
+ - https://
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml b/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml
new file mode 100644
index 000000000..d0a68a548
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml
@@ -0,0 +1,36 @@
+title: Arbitrary File Download Via IMEWDBLD.EXE
+id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+related:
+ - id: 8d7e392e-9b28-49e1-831d-5949c6281228
+ type: derived
+status: experimental
+description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
+ - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \IMEWDBLD.exe
+ - OriginalFileName: imewdbld.exe
+ selection_cli:
+ CommandLine|contains:
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_installutil_download.yml b/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml
similarity index 76%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_installutil_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml
index 3d6458ef3..479507381 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_installutil_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml
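Review bot: This rule tags the IMEWDBLD download as `attack.defense_evasion` / `attack.execution` / `attack.t1218`, while the network-connection rule for the same binary at L24, which it lists under `related`, keeps `attack.command_and_control` / `attack.t1105`; both describe a file download, so the two should agree. Add `- attack.t1105` and `- attack.command_and_control` here (or align L24 to this set) so analysts pivoting by technique find both rules. The file is named `proc_creation_win_imewbdld_download.yml` while the binary and title spell it `IMEWDBLD`; the transposed letters in the filename are worth fixing before the rename is entrenched.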
@@ -1,12 +1,15 @@
-title: Suspicious Execution of InstallUtil To Download
+title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
-description: Detects the use the .NET InstallUtil.exe application in order to download
- arbitrary files. The files will be written to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\
+description: 'Detects use of .NET InstallUtil.exe in order to download arbitrary files.
+ The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+
+ '
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -23,9 +26,9 @@ detection:
- OriginalFileName: InstallUtil.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_appvlp.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_appvlp.yml
deleted file mode 100644
index 5f9fd1a23..000000000
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_appvlp.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Using AppVLP To Circumvent ASR File Path Rule
-id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
-status: test
-description: 'Application Virtualization Utility is included with Microsoft Office.
- We are able to abuse "AppVLP" to execute shell commands.
-
- Normally, this binary is used for Application Virtualization, but we can use it
- as an abuse binary to circumvent the ASR file path rule folder
-
- or to mark a file as a system file.
-
- '
-references:
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
-author: Sreeman
-date: 2020/03/13
-modified: 2022/12/29
-tags:
- - attack.t1218
- - attack.defense_evasion
- - attack.execution
- - sysmon
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 1
- Channel: Microsoft-Windows-Sysmon/Operational
- selection:
- ParentImage|endswith: \appvlp.exe
- filter:
- Image|endswith:
- - \msoasb.exe
- - \rundll32.exe
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
similarity index 71%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
index 2802bcdc4..4ab54d9f9 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
@@ -1,12 +1,13 @@
-title: Windows Defender Download Activity
+title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
-description: Detect the use of Windows Defender to download payloads
+description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020/09/04
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -20,16 +21,16 @@ detection:
process_creation:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
- selection1:
+ selection_img:
+ - OriginalFileName: MpCmdRun.exe
+ - Image|endswith: \MpCmdRun.exe
- CommandLine|contains: MpCmdRun.exe
- Description: Microsoft Malware Protection Command Line Utility
- selection2:
+ selection_cli:
CommandLine|contains|all:
- DownloadFile
- url
- condition: process_creation and (all of selection*)
-fields:
- - CommandLine
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml b/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml
new file mode 100644
index 000000000..8927a3a5a
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml
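Review bot: The new title reads `File Download Via Windows Defender MpCmpRun.EXE`; the binary is `MpCmdRun.exe`, as the `selection_img` values and the new description spell it, so the line should be `title: File Download Via Windows Defender MpCmdRun.EXE`. In the second hunk, `selection_img` keeps `CommandLine|contains: MpCmdRun.exe` as an image alternative, which matches any process whose arguments merely mention the binary (a `cmd /c` wrapper, for instance); if that is intended to catch indirect launches it is fine but deserves a `falsepositives` entry, otherwise restrict the alternatives to `OriginalFileName` and `Image|endswith` as the other `selection_img` blocks in this change do.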
@@ -0,0 +1,32 @@
+title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+id: e84d89c4-f544-41ca-a6af-4b92fd38b023
+status: experimental
+description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \msedge_proxy.exe
+ - OriginalFileName: msedge_proxy.exe
+ selection_cli:
+ CommandLine|contains:
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msohtmed_download.yml b/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml
similarity index 86%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml
index abb1b0beb..6cd340171 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml
@@ -1,4 +1,4 @@
-title: Download Arbitrary Files Via MSOHTMED.EXE
+title: Arbitrary File Download Via MSOHTMED.EXE
id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
status: test
description: Detects usage of "MSOHTMED" to download arbitrary files
@@ -6,6 +6,7 @@ references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -23,10 +24,10 @@ detection:
- OriginalFileName: MsoHtmEd.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mspub_download.yml b/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml
similarity index 94%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_mspub_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml
index c02ade75f..bc9ca7b31 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mspub_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml
@@ -25,10 +25,10 @@ detection:
- OriginalFileName: MSPUB.exe
selection_cli:
CommandLine|contains:
+ - ftp://
- http://
- https://
- - ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml
new file mode 100644
index 000000000..a8b00178e
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml
@@ -0,0 +1,35 @@
+title: Msxsl.EXE Execution
+id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
+status: test
+description: 'Detects the execution of the MSXSL utility. This can be used to execute
+ Extensible Stylesheet Language (XSL) files. These files are commonly used to describe
+ the processing and rendering of data within XML files.
+
+ Adversaries can abuse this functionality to execute arbitrary files while potentially
+ bypassing application whitelisting defenses.
+
+ '
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Image|endswith: \msxsl.exe
+ condition: process_creation and selection
+falsepositives:
+ - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml
new file mode 100644
index 000000000..63512a272
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml
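Review bot: `selection` pins only `Image|endswith: \msxsl.exe`, whereas the other new rules in this change (L29, L33, L37) pair `Image|endswith` with an `OriginalFileName` alternative so a renamed copy still matches; if the msxsl binary's version resource carries an `OriginalFileName`, turn `selection` into a list and add `- OriginalFileName: msxsl.exe`, and do the same in the remote-execution rule at L36. The `date: 2019/10/21` plus `modified: 2023/11/09` on a newly created file records that this rule was split out of the WMIC rule at L22; a `related` entry pointing at `05c36dd6-79d6-4a9a-97da-3db20298ab2d` with `type: derived` would make that lineage explicit for readers of this file alone.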
@@ -0,0 +1,29 @@
+title: Remote XSL Execution Via Msxsl.EXE
+id: 75d0a94e-6252-448d-a7be-d953dff527bb
+status: experimental
+description: Detects the execution of the "msxsl" binary with an "http" keyword in
+ the command line. This might indicate a potential remote execution of XSL files.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Image|endswith: \msxsl.exe
+ CommandLine|contains: http
+ condition: process_creation and selection
+falsepositives:
+ - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
new file mode 100644
index 000000000..e9ead677b
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
@@ -0,0 +1,40 @@
+title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
+id: 551d9c1f-816c-445b-a7a6-7a3864720d60
+status: experimental
+description: 'Detects suspicious child processes of Excel which could be an indicator
+ of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
+
+ '
+references:
+ - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
+ - https://github.com/grayhatkiller/SharpExShell
+ - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
+author: Aaron Stratton
+date: 2023/11/13
+tags:
+ - attack.t1021.003
+ - attack.lateral_movement
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_parent:
+ ParentImage|endswith: \excel.exe
+ selection_child:
+ - OriginalFileName:
+ - foxprow.exe
+ - schdplus.exe
+ - winproj.exe
+ - Image|endswith:
+ - \foxprow.exe
+ - \schdplus.exe
+ - \winproj.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost_download.yml b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml
similarity index 86%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml
index 24c5849ea..158053d70 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml
@@ -1,4 +1,4 @@
-title: Download Arbitrary Files Via PresentationHost.exe
+title: Arbitrary File Download Via PresentationHost.EXE
id: b124ddf4-778d-418e-907f-6dd3fc0d31cd
status: test
description: Detects usage of "PresentationHost" which is a utility that runs ".xbap"
@@ -7,6 +7,7 @@ references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -27,7 +28,7 @@ detection:
- http://
- https://
- ftp://
- condition: process_creation and (all of selection*)
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost.yml b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
similarity index 61%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost.yml
rename to sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
index 2801d22e1..f0d199049 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_presentationhost.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
@@ -1,13 +1,16 @@
-title: Application Whitelisting Bypass via PresentationHost.exe
+title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
-description: Detects usage of "PresentationHost" which is a utility that runs ".xbap"
- (Browser Applications) files. It can be abused to run malicious ".xbap" files
- any bypass AWL
+description: 'Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE
+ from an uncommon location. These files can be abused to run malicious ".xbap"
+ files any bypass AWL
+
+ '
references:
- https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/01
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.execution
@@ -25,11 +28,11 @@ detection:
- OriginalFileName: PresentationHost.exe
selection_cli:
CommandLine|contains: .xbap
- filter:
+ filter_main_generic:
CommandLine|contains:
- - C:\Windows\
- - C:\Program Files
- condition: process_creation and (all of selection* and not filter)
+ - ' C:\Windows\'
+ - ' C:\Program Files'
+ condition: process_creation and (all of selection* and not 1 of filter_main_*)
falsepositives:
- Legitimate ".xbap" being executed via "PresentationHost"
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml
similarity index 71%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml
index aee5dda50..213a5d03c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml
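Review bot: The rewritten `filter_main_generic` anchors on a leading space (`' C:\Windows\'`, `' C:\Program Files'`), presumably so the PresentationHost image path at the start of the command line no longer satisfies the exclusion, but a quoted argument — the normal form for any path containing a space, such as `"C:\Program Files\..."` — begins with ` "C:` and is not matched either, so legitimate `.xbap` launches from Program Files will still alert. Add the quoted forms `- ' "C:\Windows\'` and `- ' "C:\Program Files'` alongside the two existing values. Two smaller points in the same hunk: the condition keeps `all of selection*` while the rest of this change moved to `all of selection_*`, and the description carries over the old typo `files any bypass AWL` (should be `and bypass`).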
@@ -1,14 +1,16 @@
title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
-description: Detects usage of "ProtocolHandler" to download files. Downloaded files
+description: 'Detects usage of "ProtocolHandler" to download files. Downloaded files
will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+
+ '
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021/07/13
-modified: 2022/12/31
+modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1218
@@ -23,13 +25,12 @@ detection:
selection_img:
- Image|endswith: \protocolhandler.exe
- OriginalFileName: ProtocolHandler.exe
- selection_cli_1:
- CommandLine|contains|all:
- - '"ms-word'
- - .docx"
- selection_cli_2:
- CommandLine|contains: ' http'
- condition: process_creation and (selection_img and 1 of selection_cli_*)
+ selection_cli:
+ CommandLine|contains:
+ - ftp://
+ - http://
+ - https://
+ condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml b/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml
new file mode 100644
index 000000000..46d409e36
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml
@@ -0,0 +1,50 @@ +title: Arbitrary File Download Via Squirrel.EXE +id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c +related: + - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes +status: experimental +description: 'Detects the usage of the "Squirrel.exe" to download arbitrary files. + This binary is part of multiple Electron based software installations (Slack, + Teams, Discord, etc.) + + ' +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ + - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ + - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan + Ribeiro, oscd.community +date: 2022/06/09 +modified: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_img: + Image|endswith: + - \squirrel.exe + - \update.exe + selection_download_cli: + CommandLine|contains: + - ' --download ' + - ' --update ' + - ' --updateRollback=' + selection_download_http_keyword: + CommandLine|contains: http + condition: process_creation and (all of selection_*) +falsepositives: + - Expected FP with some Electron based applications such as (1Clipboard, Beaker + Browser, Caret, Discord, GitHub Desktop, etc.) +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_squirrel.yml b/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml similarity index 68% rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_squirrel.yml rename to sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml index a3f9aa9ba..34b99752f 100644 
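Review bot: `selection_img` keys the new rule on `Image|endswith` alone, while the Electron proxy-execution rule updated in the same commit (proc_creation_win_susp_electron_exeuction_proxy.yml) pairs `Image|endswith` with an `OriginalFileName` alternative so the match does not depend on the on-disk file name. Adding the same alternative here would keep the two rules consistent; the `OriginalFileName` value must be taken from the binary's version resource rather than assumed from the file name. The `related` entry `type: obsoletes` for fa4b21c9-0057-4493-b289-2556416ae4d7 is also declared by proc_creation_win_squirrel_proxy_execution.yml in this commit; that is fine for a split, but a few words in the description ("split from the former Squirrel rule") would make the lineage readable.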
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_squirrel.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml @@ -1,11 +1,16 @@ -title: Use of Squirrel.exe +title: Process Proxy Execution Via Squirrel.EXE id: 45239e6a-b035-4aaf-b339-8ad379fcb67e related: + - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c + type: similar - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsoletes status: experimental -description: Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary - is part of multiple software installations (Slack, Teams, Discord, etc.) +description: 'Detects the usage of the "Squirrel.exe" binary to execute arbitrary + processes. This binary is part of multiple Electron based software installations + (Slack, Teams, Discord, etc.) + + ' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ @@ -13,7 +18,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 -modified: 2023/03/22 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.execution 
@@ -30,52 +35,44 @@ detection: Image|endswith: - \squirrel.exe - \update.exe - selection_download_cli: - CommandLine|contains: - - ' --download ' - - ' --update ' - - ' --updateRollback=' - selection_download_http_keyword: - CommandLine|contains: http selection_exec: CommandLine|contains: - --processStart - --processStartAndWait - --createShortcut - filter_discord: + filter_optional_discord: CommandLine|contains|all: - - C:\Users\ + - :\Users\ - \AppData\Local\Discord\Update.exe - ' --processStart' - Discord.exe - filter_github_desktop: + filter_optional_github_desktop: CommandLine|contains|all: - - C:\Users\ + - :\Users\ - \AppData\Local\GitHubDesktop\Update.exe - GitHubDesktop.exe CommandLine|contains: - --createShortcut - --processStartAndWait - filter_teams: + filter_optional_teams: CommandLine|contains|all: - - C:\Users\ + - :\Users\ - \AppData\Local\Microsoft\Teams\Update.exe - Teams.exe CommandLine|contains: - --processStart - --createShortcut - filter_yammer: + filter_optional_yammer: CommandLine|contains|all: - - C:\Users\ + - :\Users\ - \AppData\Local\yammerdesktop\Update.exe - Yammer.exe CommandLine|contains: - --processStart - --createShortcut - condition: process_creation and (selection_img and (all of selection_download_* - or selection_exec) and not 1 of filter_*) + condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - - Expected FP with some electron based applications such as (1Clipboard, Beaker - Browser, Caret, Discord, GitHub Desktop,...Etc) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker + Browser, Caret, Discord, GitHub Desktop, etc.) level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml index e5f8d3099..09be74368 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml 
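Review bot: All four `filter_optional_*` exclusions are keyed on `CommandLine` substrings only (`:\Users\`, the `\AppData\Local\<app>\Update.exe` path, a flag and the target executable name); the `Image` field that `selection_img` already matches is not constrained in any of them. Adding `Image|contains: \AppData\Local\Discord\` (and the equivalent for GitHubDesktop, Teams and Yammer) would anchor each exclusion on the executing binary's location rather than on its arguments alone. Also the Discord filter folds `' --processStart'` into the `|contains|all` list, whereas the other three carry the flags in a separate `CommandLine|contains` list; using one shape for all four would make the block easier to maintain.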
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml @@ -16,6 +16,7 @@ references: - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/09/05 +modified: 2023/11/09 tags: - attack.execution - sysmon @@ -26,24 +27,38 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection: - Image|endswith: - - \chrome.exe - - \code.exe - - \discord.exe - - \GitHubDesktop.exe - - \keybase.exe - - \msedge.exe - - \msedgewebview2.exe - - \msteams.exe - - \slack.exe - - \Teams.exe + selection_img: + - Image|endswith: + - \chrome.exe + - \code.exe + - \discord.exe + - \GitHubDesktop.exe + - \keybase.exe + - \msedge_proxy.exe + - \msedge.exe + - \msedgewebview2.exe + - \msteams.exe + - \slack.exe + - \Teams.exe + - OriginalFileName: + - chrome.exe + - code.exe + - discord.exe + - GitHubDesktop.exe + - keybase.exe + - msedge_proxy.exe + - msedge.exe + - msedgewebview2.exe + - msteams.exe + - slack.exe + - Teams.exe + selection_cli: CommandLine|contains: - --browser-subprocess-path - --gpu-launcher - --renderer-cmd-prefix - --utility-cmd-prefix - condition: process_creation and selection + condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage for debugging purposes level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml new file mode 100644 index 000000000..a216401c8 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml 
@@ -0,0 +1,37 @@ +title: Potential File Download Via MS-AppInstaller Protocol Handler +id: 180c7c5c-d64b-4a63-86e9-68910451bc8b +related: + - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a + type: derived +status: experimental +description: 'Detects usage of the "ms-appinstaller" protocol handler via command + line to potentially download arbitrary files via AppInstaller.EXE + + The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" + + ' +references: + - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/11/09 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + CommandLine|contains|all: + - ms-appinstaller://?source= + - http + condition: process_creation and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml index 53fc02979..e9af4a795 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml 
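Review bot: The new description has a typo: `temporarly` should be `temporarily`. The selection requires `ms-appinstaller://?source=` together with `http` and deliberately has no `Image` constraint, presumably because the protocol handler can be launched by any process that resolves URL schemes; with `falsepositives` set to `Unknown`, a line in the description stating that design choice would help anyone tuning the rule. The cache path in the description begins with `:\Users\%username%\` without a drive letter; writing it as `%LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\` matches the style used in the ProtocolHandler rule of this commit and reads as a single literal path.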
@@ -1,15 +1,21 @@ -title: XSL Script Processing +title: XSL Script Execution Via WMIC.EXE id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d status: test -description: Extensible Stylesheet Language (XSL) files are commonly used to describe - the processing and rendering of data within XML files. Rule detects when adversaries - abuse this functionality to execute arbitrary files while potentially bypassing - application whitelisting defenses. +description: 'Detects the execution of WMIC with the "format" flag to potentially + load XSL files. + + Adversaries abuse this functionality to execute arbitrary files while potentially + bypassing application whitelisting defenses. + + Extensible Stylesheet Language (XSL) files are commonly used to describe the processing + and rendering of data within XML files. + + ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel date: 2019/10/21 -modified: 2023/04/21 +modified: 2023/11/09 tags: - attack.defense_evasion - attack.t1220 @@ -21,14 +27,12 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection_wmic: + selection: Image|endswith: \wmic.exe CommandLine|contains: - /format - -format - selection_msxsl: - Image|endswith: \msxsl.exe - false_positives: + filter_main_known_format: CommandLine|contains: - Format:List - Format:htable @@ -39,11 +43,10 @@ detection: - Format:rawxml - Format:xml - Format:csv - condition: process_creation and ((selection_wmic and not false_positives) or selection_msxsl) + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - - Msxsl.exe is not installed by default, so unlikely. - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium ruletype: Sigma
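Review bot: `selection_msxsl` (`Image|endswith: \msxsl.exe`) is removed in the second hunk together with its `falsepositives` line in the third, so this rule no longer covers XSL processing through msxsl.exe; the new title "Via WMIC.EXE" reflects that, but nothing in the file says where msxsl coverage lives now. If a dedicated rule exists, add a `related` entry for it (`type: similar` or `derived`); if not, the removal is a coverage regression for T1220 that should be called out in the commit description. The `filter_main_known_format` entries match `Format:List` and friends case-insensitively as substrings, so a value such as `/format:"csv"` with quotes would not be excluded; if that form occurs in the monitored environment, an additional quoted variant is needed in the list.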