Suspicious Browser Launch #4840

Merged
merged 18 commits into from
May 27, 2024
@@ -0,0 +1,34 @@
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: experimental
description: |
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
- https://asec.ahnlab.com/en/58878/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024/05/27
tags:
- attack.defense_evasion
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- \mysqld.exe
- \mysqld-nt.exe
TargetFilename|endswith:
- '.bat'
- '.dat'
- '.dll'
- '.exe'
- '.ps1'
- '.psm1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
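Review bot: `.dat` in the `TargetFilename|endswith` list does not fit the description's "scripting or executable extensions" and is a generic data-file extension a database server can legitimately write, which sits badly with `level: high` and `falsepositives: - Unknown`; either drop `.dat` or document the expected benign case under `falsepositives`. Two smaller points in the same hunk: the `Image|endswith` values are the only unquoted strings in the rule (`- '\mysqld.exe'` and `- '\mysqld-nt.exe'` would match the style of the `TargetFilename` list), and the single tag `attack.defense_evasion` does not follow from a description about UDF abuse used to download malware, so the tag should be revisited to match the behaviour the rule actually describes. The description's second sentence is also a fragment ("Which could be an indicator...") and reads better joined to the first, with "MySQL" spelled consistently.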
@@ -0,0 +1,37 @@
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: experimental
description: |
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024/05/27
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Acrobat Reader'
- 'Microsoft Office'
- 'PDF Reader'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
- '\maxthon.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
- ''
CommandLine|contains: 'http'
condition: selection
falsepositives:
- Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
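Review bot: the empty string entry `- ''` at the end of the `Image|endswith` list matches every value, so the `Image` condition is effectively a no-op and the rule fires on any child process of the listed parents whose command line contains `http`, not only browsers; remove that entry so the browser list actually constrains the match. Two smaller points: `CommandLine|contains: 'http'` matches the substring anywhere in the command line, which is fine for http and https URLs but is broad enough to be worth stating in the description, and the description itself is a fragment ("such as Adobe, Microsoft Office, etc. And connects to a web application...") that should be joined into one sentence.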