separate rules to submodule (#304)
* rm: rules * Add: hayabusa-rules to submodule
This commit is contained in:
itiB
GitHub
@@ -1,35 +0,0 @@
|
||||
|
||||
title: XSL Script Processing
|
||||
author: Timur Zinniatullin, oscd.community
|
||||
date: 2019/10/21
|
||||
description: Extensible Stylesheet Language (XSL) files are commonly used to describe
|
||||
the processing and rendering of data within XML files. Rule detects when adversaries
|
||||
abuse this functionality to execute arbitrary files while potentially bypassing
|
||||
application whitelisting defenses.
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 1
|
||||
SELECTION_2:
|
||||
Image: '*\wmic.exe'
|
||||
SELECTION_3:
|
||||
CommandLine: '*/format*'
|
||||
SELECTION_4:
|
||||
Image: '*\msxsl.exe'
|
||||
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
|
||||
falsepositives:
|
||||
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
|
||||
- msxsl.exe is not installed by default, so unlikely.
|
||||
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
|
||||
level: medium
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
modified: 2019/11/04
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1220
|
||||
- attack.execution
|
||||
ruletype: SIGMA
|
||||
Reference in New Issue
Block a user