chore(rules): Improve System Binary Proxy Execution via Rundll32 rule (#249)
rabbitstack authored Mar 25, 2024
1 parent 1752716 commit 1b566d4
Showing 2 changed files with 49 additions and 10 deletions.
11 changes: 11 additions & 0 deletions rules/credential_access_os_credential_dumping.yml
@@ -63,13 +63,24 @@
ps.exe imatches
(
'?:\\Windows\\System32\\lsass.exe',
'?:\\Windows\\System32\\RuntimeBroker.exe',
'?:\\Windows\\explorer.exe',
'?:\\Windows\\System32\\Taskmgr.exe',
'?:\\Windows\\System32\\sihost.exe',
'?:\\Windows\\System32\\SearchIndexer.exe',
'?:\\Windows\\System32\\SearchProtocolHost.exe',
'?:\\Windows\\System32\\svchost.exe',
'?:\\Windows\\System32\\services.exe',
'?:\\Windows\\System32\\taskhostw.exe',
'?:\\Windows\\System32\\backgroundTaskHost.exe',
'?:\\Windows\\System32\\WerFault.exe',
'?:\\Windows\\System32\\ctfmon.exe',
'?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
'?:\\Windows\\System32\\CompatTelRunner.exe',
'?:\\Windows\\System32\\cleanmgr.exe',
'?:\\Windows\\System32\\MoUsoCoreWorker.exe',
'?:\\Windows\\System32\\lpremove.exe',
'?:\\Windows\\System32\\LogonUI.exe',
'?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
)
| by ps.uuid
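Review bot: the exclusion list under `ps.exe imatches (...)` grows from 9 to 20 entries in this hunk and now allowlists, on executable path alone, processes such as `'?:\\Windows\\System32\\svchost.exe'`, `'?:\\Windows\\explorer.exe'` and `'?:\\Windows\\System32\\WerFault.exe'`; a path-only match also excludes anything that has been injected into or is masquerading as one of these images, so every new entry widens the blind spot of an OS credential dumping rule. Consider documenting next to each entry why that process legitimately opens LSASS, and, where the engine exposes them, pairing the path with a signer or parent-process condition rather than relying on the path by itself. The wildcard entry `'?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'` deserves the same scrutiny since it matches any version subdirectory.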
48 changes: 38 additions & 10 deletions rules/defense_evasion_system_binary_proxy_execution.yml
@@ -3,7 +3,8 @@
Adversaries may abuse rundll32.exe to proxy execution of malicious code.
Using rundll32.exe, vice executing directly (i.e. Shared Modules),
may avoid triggering security tools that may not monitor execution of the
rundll32.exe process because of allowlists or false positives from normal operations.
rundll32.exe process because of allowlists or false positives from normal
operations.
Rundll32.exe is commonly associated with executing DLL payloads.
labels:
tactic.id: TA0005
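Review bot: this reflow of the description is cosmetic only; while the line is being touched, "Using rundll32.exe, vice executing directly (i.e. Shared Modules)" would read more naturally as "instead of executing directly", and the description could say in one sentence what this rule actually keys on (suspicious rundll32 command lines followed by a spawned child) rather than only the general background.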
@@ -19,7 +20,7 @@
- name: System Binary Proxy Execution via Rundll32
description: |
Detects the execution of rundll32.exe process with suspicious command line
followed by the creation of a child process which would probably unleash
followed by the creation of a child process that would probably unleash
nefarious actions in the system.
condition: >
sequence
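Review bot: beyond the "which" to "that" fix, the description is now out of date with the condition: the second stage of the sequence no longer matches every child process but skips children whose image is under `'?:\\Program Files\\*.exe'` or `'?:\\Program Files (x86)\\*.exe'`, and that exclusion, together with the `kill` action it gates, should be stated here so an analyst reading the alert knows what was deliberately left out.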
@@ -28,16 +29,43 @@
and
ps.child.name ~= 'rundll32.exe'
and
ps.child.cmdline imatches
(
ps.child.cmdline imatches
(
'*javascript:*',
'*vbscript:*',
'*shell32.dll*ShellExec_RunDLL*',
'*shell32*WaitForExplorerRestart*',
'*-sta*',
'*ActiveXObject*',
'*WScript.Shell*',
'*RunHTMLApplication*',
'*advpack*#12*',
'*advpack*RegisterOCX*',
'*advpack*LaunchINFSection*',
'*url.dll*FileProtocolHandler*file://*',
'*url.dll*FileProtocolHandler*.exe*',
'*zipfldr*RouteTheCall*',
'*pcwutl*LaunchApplication*',
'*pcwutl*#1*',
'*desk*InstallScreenSaver*',
'*PointFunctionCall*'
)
or
regex(ps.child.cmdline, '(?i)[A-Z]:\\\\.+:.+$')
)
| by ps.child.uuid
|spawn_process
and
not
ps.child.exe imatches
(
'*javascript:*',
'*vbscript:*',
'*shell32.dll*ShellExec_RunDLL*',
'*-sta*',
'*RunHTMLApplication*'
'?:\\Program Files\\*.exe',
'?:\\Program Files (x86)\\*.exe'
)
| by ps.child.uuid
|spawn_process| by ps.uuid
| by ps.uuid
action:
- name: kill
min-engine-version: 2.0.0

- group: System Binary Proxy Execution via Regsvr32
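Review bot: the new `regex(ps.child.cmdline, '(?i)[A-Z]:\\\\.+:.+$')` branch is broader than it looks. The middle `.+` is greedy and unrestricted, so the pattern fires on any rundll32 command line that contains a drive path followed by any later colon, for example a second drive-letter argument or a URL handed to an export, not only a path with an embedded colon; restricting the segments to something like `[A-Z]:\\[^:]+:[^\\]+$` would keep the intent while cutting noise. Please also verify how many backslashes reach the compiled regex after YAML's `>` folded scalar and the filter's own string unescaping, since the surrounding `imatches` patterns write one literal backslash as `\\` while this literal uses `\\\\`. Two smaller points on the same hunk: `'*-sta*'` also matches unrelated arguments such as `-start`, so a space-delimited form would be tighter, and the second-stage `not ps.child.exe imatches ('?:\\Program Files\\*.exe', '?:\\Program Files (x86)\\*.exe')` suppresses every child launched from under Program Files on path alone, which is a wide allowlist for a rule whose action is `kill`; a signer or parent-image condition would be safer if the engine exposes one.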
