-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
55 lines (55 loc) · 2.43 KB
/
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
type: obsoletes
status: experimental
description: |
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
- https://www.cobaltstrike.com/help-opsec
- https://twitter.com/CyberRaiju/status/1251492025678983169
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020/10/23
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\WerFault.exe'
CommandLine|endswith: 'WerFault.exe'
selection2:
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
selection3:
Image|endswith: '\regsvcs.exe'
CommandLine|endswith: 'regsvcs.exe'
selection4:
Image|endswith: '\regasm.exe'
CommandLine|endswith: 'regasm.exe'
selection5:
Image|endswith: '\regsvr32.exe'
CommandLine|endswith: 'regsvr32.exe'
filter_edge_update:
ParentImage|startswith: 'C:\Users\'
ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
ParentImage|endswith: '\setup.exe'
ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'
condition: 1 of selection* and not 1 of filter*
fields:
- ParentImage
- ParentCommandLine
falsepositives:
- Unlikely
level: high