61 lines
1.7 KiB
YAML
61 lines
1.7 KiB
YAML
|
|
title: UNC2452 Process Creation Patterns
|
|
author: Florian Roth
|
|
date: 2021/01/22
|
|
description: Detects a specific process creation patterns as seen used by UNC2452
|
|
and provided by Microsoft as Microsoft Defender ATP queries
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_10:
|
|
CommandLine: '*cmd.exe /C *'
|
|
SELECTION_11:
|
|
CommandLine: '*rundll32 c:\windows\\*'
|
|
SELECTION_12:
|
|
CommandLine: '*.dll *'
|
|
SELECTION_13:
|
|
EventID: 1
|
|
SELECTION_14:
|
|
ParentImage: '*\rundll32.exe'
|
|
SELECTION_15:
|
|
Image: '*\dllhost.exe'
|
|
SELECTION_16:
|
|
CommandLine:
|
|
- ' '
|
|
- ''
|
|
SELECTION_2:
|
|
CommandLine:
|
|
- '*7z.exe a -v500m -mx9 -r0 -p*'
|
|
SELECTION_3:
|
|
ParentCommandLine: '*wscript.exe*'
|
|
SELECTION_4:
|
|
ParentCommandLine: '*.vbs*'
|
|
SELECTION_5:
|
|
CommandLine: '*rundll32.exe*'
|
|
SELECTION_6:
|
|
CommandLine: '*C:\Windows*'
|
|
SELECTION_7:
|
|
CommandLine: '*.dll,Tk_*'
|
|
SELECTION_8:
|
|
ParentImage: '*\rundll32.exe'
|
|
SELECTION_9:
|
|
ParentCommandLine: '*C:\Windows*'
|
|
condition: (SELECTION_1 and ((((SELECTION_2 or (SELECTION_3 and SELECTION_4 and
|
|
SELECTION_5 and SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9
|
|
and SELECTION_10)) or (SELECTION_11 and SELECTION_12)) or (SELECTION_13 and (SELECTION_14
|
|
and SELECTION_15) and not (SELECTION_16))))
|
|
falsepositives:
|
|
- Unknown
|
|
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
|
|
level: critical
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/06/27
|
|
references:
|
|
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|