-
Notifications
You must be signed in to change notification settings - Fork 73
/
sigma_file.yml
43 lines (43 loc) · 2.2 KB
/
sigma_file.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
title: Possible preparation for {{ include.page.Name }} DLL Hijacking
id: {% include generate_uuid.yml page=include.page type=2 -%}
status: experimental
description: Detects possible DLL hijacking of {{ include.page.Name }} by looking for suspicious file writes of this DLL, to unexpected locations.
references:
- {{ include.page.url | absolute_url }}
author: "{{ include.page.Author }}"
date: {{ include.page.Created }}
tags:
- attack.defense_evasion
{% assign types = include.page.VulnerableExecutables | group_by:"Type"| sort:"name" -%}
{% for type in types %} - attack.{{ site.mapping[type.name]['attack'] }}
{% endfor -%}
logsource:
product: windows
category: file_event
detection:
selection:
TargetFileName: '*\{{ include.page.Name }}'
{% if include.page.ExpectedLocations %} filter:
TargetFileName:
{% for loc in include.page.ExpectedLocations %}{% if loc contains '%PROGRAMFILES%' %} - '{{ loc | replace: "%PROGRAMFILES%", "c:\program files"
| replace: "%VERSION%", "*"
}}\*'
- '{{ loc | replace: "%PROGRAMFILES%", "c:\program files (x86)"
| replace: "%VERSION%", "*"
}}\*'{% else %} - '{{ loc | replace: "%SYSTEM32%", "c:\windows\system32"
| replace: "%SYSWOW64%", "c:\windows\syswow64"
| replace: "%WINDIR%", "c:\windows"
| replace: "%PROGRAMDATA%", "c:\programdata"
| replace: "%APPDATA%", "c:\users\*\appdata\roaming"
| replace: "%LOCALAPPDATA%", "c:\users\*\appdata\local"
| replace: "%VERSION%", "*"
}}\*'{% endif %}
{% endfor %}{% endif %}
{%- assign concat = include.page.ExpectedLocations | join "-" -%}
{% if concat contains "SYSWOW" or concat contains "SYSTEM32" %} - 'c:\windows\winsxs\*'
- 'c:\$windows.~bt\*'
- 'c:\windows\softwaredistribution\*'
{% endif %}
condition: selection {% if include.page.ExpectedLocations %}and not filter{% endif %}
falsepositives:
- False positives are likely. This rule is more suitable for hunting than for generating detections.