SigmaHQ/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml

title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
status: experimental
description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
date: 2020/10/23
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
tags:
    - attack.defense_evasion
    - attack.t1085      # legacy
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\WerFault.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy 2020-10-23 21:27:52 +00:00			`title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments`
			`id: a7c3d773-caef-227e-a7e7-c2f13c622329`
			`status: experimental`
[OSCD] Bad Opsec Defaults Sacrificial Processes Incorporate feedback from @yugoslavskiy; 2020-10-26 15:52:16 +00:00			`description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'`
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy 2020-10-23 21:27:52 +00:00			`author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'`
			`date: 2020/10/23`
			`references:`
			`- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/`
			`- https://www.cobaltstrike.com/help-opsec`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1085 # legacy`
			`- attack.t1218.011`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
Enhanced to improve specificity Enhanced to improve specificity per feedback received; 2020-10-26 16:05:16 +00:00			`CommandLine\|endswith:`
			`- '\WerFault.exe'`
			`- '\rundll32.exe'`
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy 2020-10-23 21:27:52 +00:00			`condition: selection`
			`falsepositives:`
			`- Unlikely`
			`level: high`