CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Feature/rm submodule (#312)

Browse Source 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/sigma/process_creation/win_susp_mshta_execution.yml
+47
View File
@@ -0,0 +1,47 @@
title: MSHTA Suspicious Execution 01
ruletype: Sigma
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
date: 2019/02/22
description: Detection for mshta.exe suspicious execution patterns sometimes involving
file polyglotism
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\mshta.exe'
SELECTION_3:
CommandLine:
- '*vbscript*'
- '*.jpg*'
- '*.png*'
- '*.lnk*'
- '*.xls*'
- '*.doc*'
- '*.zip*'
- '*.dll*'
- '*.exe*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
level: high
logsource:
category: process_creation
product: windows
modified: 2021/12/01
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
status: test
tags:
- attack.defense_evasion
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020.1599