67 lines
2.5 KiB
YAML
67 lines
2.5 KiB
YAML
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
|
|
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian
|
|
Burkard
|
|
date: 2020/10/23
|
|
description: Detects attackers using tooling with bad opsec defaults e.g. spawning
|
|
a sacrificial process to inject a capability into the process without taking into
|
|
account how the process is normally run, one trivial example of this is using
|
|
rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted
|
|
by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and
|
|
other examples.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_10:
|
|
Image: '*\regsvr32.exe'
|
|
SELECTION_11:
|
|
CommandLine: '*\regsvr32.exe'
|
|
SELECTION_2:
|
|
Image: '*\WerFault.exe'
|
|
SELECTION_3:
|
|
CommandLine: '*\WerFault.exe'
|
|
SELECTION_4:
|
|
Image: '*\rundll32.exe'
|
|
SELECTION_5:
|
|
CommandLine: '*\rundll32.exe'
|
|
SELECTION_6:
|
|
Image: '*\regsvcs.exe'
|
|
SELECTION_7:
|
|
CommandLine: '*\regsvcs.exe'
|
|
SELECTION_8:
|
|
Image: '*\regasm.exe'
|
|
SELECTION_9:
|
|
CommandLine: '*\regasm.exe'
|
|
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
|
|
SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)
|
|
or (SELECTION_10 and SELECTION_11)))
|
|
falsepositives:
|
|
- Unlikely
|
|
fields:
|
|
- ParentImage
|
|
- ParentCommandLine
|
|
id: a7c3d773-caef-227e-a7e7-c2f13c622329
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/09/01
|
|
references:
|
|
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
|
|
- https://www.cobaltstrike.com/help-opsec
|
|
- https://twitter.com/CyberRaiju/status/1251492025678983169
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
|
|
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
|
|
- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
|
|
related:
|
|
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
|
|
type: obsoletes
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1085
|
|
- attack.t1218.011
|
|
yml_filename: win_bad_opsec_sacrificial_processes.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
|
|
|