/
proc_creation_win_csc_susp_folder.yml
36 lines (36 loc) · 1.66 KB
/
proc_creation_win_csc_susp_folder.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
title: Suspicious Csc.exe Source File Folder
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth (Nextron Systems)
date: 2019/08/24
modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains:
- '\AppData\'
- '\Windows\Temp\'
filter:
- ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897
- ParentImage|endswith:
- '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
- '\choco.exe' # Chocolatey https://chocolatey.org/
- ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
condition: selection and not filter
falsepositives:
- Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
- Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
level: medium