38 lines
1.4 KiB
YAML
38 lines
1.4 KiB
YAML
|
|
title: DLL Execution via Rasautou.exe
|
|
author: Julia Fomina, oscd.community
|
|
date: 2020/10/09
|
|
description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d
|
|
option and executes the export specified in -p.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image: '*\rasautou.exe'
|
|
SELECTION_3:
|
|
OriginalFileName: rasdlui.exe
|
|
SELECTION_4:
|
|
CommandLine: '*-d*'
|
|
SELECTION_5:
|
|
CommandLine: '*-p*'
|
|
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5))
|
|
falsepositives:
|
|
- Unlikely
|
|
id: cd3d1298-eb3b-476c-ac67-12847de55813
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
definition: Since options '-d' and '-p' were removed in Windows 10 this rule is
|
|
relevant only for Windows before 10. And as Windows 7 doesn't log command line
|
|
in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375
|
|
installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
|
|
product: windows
|
|
references:
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
|
|
- https://github.com/fireeye/DueDLLigence
|
|
- https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1218
|