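name: Process spawned from unusual directory
id: eb51aad3-f2ce-4f5a-b8f1-4cfb8d0d141e
version: 1.0.0
description: |
  Detects executions of common utilities or build tools when those binaries
  are launched from suspicious default Windows directories. Attackers often
  place well-known system binaries beside malicious payloads or abuse proxy
  binaries from unexpected paths to evade defenses.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1218
  technique.name: System Binary Proxy Execution
  technique.ref: https://attack.mitre.org/techniques/T1218/
# Matching logic, in order:
#   1. a process-spawn event,
#   2. whose image name is one of the listed proxy/build binaries (name-only,
#      case-insensitive match — a renamed copy of the binary is not covered),
#   3. whose executable path lies under one of the listed directories
#      ("?:" presumably acts as a one-character wildcard for the drive letter;
#      confirm against the engine's pattern syntax),
#   4. minus the known-benign exclusions at the end.
# Each directory pattern is listed once; keep it that way when extending the
# list so the set stays reviewable.
# The last exclusion (msbuild.exe under Program Files) cannot currently match,
# because no directory pattern in step 3 covers Program Files; it only takes
# effect if that list is widened.
# Comments cannot be placed inside the folded scalar below — they would become
# part of the expression text.
condition: >
  spawn_process and
  ps.name iin
  (
    'rundll32.exe',
    'regsvr32.exe',
    'certutil.exe',
    'mshta.exe',
    'wmic.exe',
    'cmstp.exe',
    'cscript.exe',
    'wscript.exe',
    'msxsl.exe',
    'RegAsm.exe',
    'msbuild.exe',
    'installutil.exe',
    'csc.exe',
    'hh.exe',
    'jsc.exe',
    'vbc.exe'
  ) and
  ps.exe imatches
  (
    '?:\\Windows\\Tasks\\*',
    '?:\\Windows\\System32\\Tasks\\*',
    '?:\\PerfLogs\\*',
    '?:\\$Recycle.Bin\\*',
    '?:\\ProgramData\\*',
    '?:\\Users\\Public\\*',
    '?:\\Users\\*\\AppData\\Roaming\\*',
    '?:\\Users\\*\\Documents\\*',
    '?:\\Users\\*\\Pictures\\*',
    '?:\\Users\\*\\Music\\*',
    '?:\\Users\\*\\Videos\\*',
    '?:\\Windows\\AppReadiness\\*',
    '?:\\Windows\\Prefetch\\*',
    '?:\\Windows\\Fonts\\*',
    '?:\\Windows\\INF\\*',
    '?:\\Windows\\tracing\\*',
    '?:\\Windows\\Help\\*',
    '?:\\Windows\\csc\\*',
    '?:\\Windows\\Web\\*',
    '?:\\Windows\\Servicing\\*',
    '?:\\Windows\\Boot\\*',
    '?:\\Windows\\Resources\\*',
    '?:\\Windows\\Provisioning\\*',
    '?:\\Windows\\PrintDialog\\*',
    '?:\\Windows\\SchCache\\*',
    '?:\\Windows\\Cursors\\*',
    '?:\\Windows\\debug\\*',
    '?:\\Windows\\Containers\\*',
    '?:\\Windows\\ShellComponents\\*',
    '?:\\Windows\\ShellExperiences\\*',
    '?:\\Windows\\Setup\\*',
    '?:\\Windows\\Migration\\*',
    '?:\\Windows\\PLA\\*',
    '?:\\Windows\\Vss\\*',
    '?:\\Windows\\WaaS\\*',
    '?:\\Windows\\ImmersiveControlPanel\\*',
    '?:\\Windows\\PolicyDefinitions\\*',
    '?:\\Windows\\Globalization\\*',
    '?:\\Windows\\appcompat\\*',
    '?:\\Windows\\apppatch\\*',
    '?:\\Windows\\addins\\*',
    '?:\\Windows\\SystemTemp\\*',
    '?:\\Windows\\WinSxS\\*',
    '?:\\Windows\\TextInput\\*',
    '?:\\Windows\\TAPI\\*',
    '?:\\Intel\\*',
    '?:\\AMD\\Temp\\*',
    '?:\\Windows\\hp\\*',
    '?:\\Windows\\RemotePackages\\*',
    '?:\\Windows\\ServiceProfiles\\*',
    '?:\\Windows\\dot3svc\\*',
    '?:\\Windows\\CbsTemp\\*',
    '?:\\Windows\\LiveKernelReports\\*',
    '?:\\Windows\\SoftwareDistribution\\*',
    '?:\\Windows\\ServiceState\\*',
    '?:\\Windows\\SKB\\*',
    '?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*'
  ) and
  not
  (
    (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall')) or
    (ps.name = 'regsvr32.exe' and ps.args imatches ('?:\\Windows\\servicing\\LCU\\Package_for_RollupFix~*')) or
    (ps.parent.exe imatches '?:\\Windows\\system32\\CompatTelRunner.exe' and ps.parent.args imatches ('*-m:appraiser.dll')) or
    (ps.exe imatches ('?:\\Program Files\\*\\msbuild.exe', '?:\\Program Files (x86)\\*\\msbuild.exe'))
  )
# The matching process is terminated, so every false positive is disruptive.
# The exclusions inside the condition (rundll32 under the
# LocalServiceNoNetworkFirewall svchost, regsvr32 during LCU servicing, and
# children of CompatTelRunner running appraiser.dll) are what keep routine
# Windows servicing activity from being killed; validate any new directory
# pattern against a baseline before adding it here.
action:
  - name: kill
output: >
  Process %ps.name spawned from suspicious directory %ps.exe
severity: medium
min-engine-version: 3.0.0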