2019-01-16 22:36:31 +00:00
|
|
|
title: Suspicious Process Creation
|
2019-11-12 22:12:27 +00:00
|
|
|
id: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3
|
2019-01-16 22:36:31 +00:00
|
|
|
description: Detects suspicious process starts on Windows systems based on keywords
|
|
|
|
|
status: experimental
|
|
|
|
|
references:
|
2019-03-01 23:14:20 +00:00
|
|
|
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
|
|
|
|
|
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
|
|
|
|
|
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
|
|
|
|
|
- https://twitter.com/subTee/status/872244674609676288
|
|
|
|
|
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
|
|
|
|
|
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
|
|
|
|
|
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
|
|
|
|
|
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
|
|
|
|
|
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
|
|
|
|
|
- https://twitter.com/vector_sec/status/896049052642533376
|
|
|
|
|
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
|
2019-11-04 01:26:34 +00:00
|
|
|
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
|
2020-01-30 15:07:37 +00:00
|
|
|
date: 2018/01/01
|
2019-11-04 01:26:34 +00:00
|
|
|
modified: 2019/11/01
|
2019-06-14 04:15:38 +00:00
|
|
|
tags:
|
|
|
|
|
- car.2013-07-001
|
2019-01-16 22:36:31 +00:00
|
|
|
logsource:
|
2019-03-01 23:14:20 +00:00
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
2019-01-16 22:36:31 +00:00
|
|
|
detection:
|
2019-03-01 23:14:20 +00:00
|
|
|
selection:
|
|
|
|
|
CommandLine:
|
|
|
|
|
- '* sekurlsa:*'
|
2019-09-04 15:31:00 +00:00
|
|
|
- net localgroup administrators * /add
|
2019-03-01 23:14:20 +00:00
|
|
|
- net group "Domain Admins" * /ADD /DOMAIN
|
|
|
|
|
- certutil.exe *-urlcache* http*
|
|
|
|
|
- certutil.exe *-urlcache* ftp*
|
|
|
|
|
- netsh advfirewall firewall *\AppData\\*
|
|
|
|
|
- attrib +S +H +R *\AppData\\*
|
|
|
|
|
- schtasks* /create *\AppData\\*
|
|
|
|
|
- schtasks* /sc minute*
|
|
|
|
|
- '*\Regasm.exe *\AppData\\*'
|
|
|
|
|
- '*\Regasm *\AppData\\*'
|
|
|
|
|
- '*\bitsadmin* /transfer*'
|
|
|
|
|
- '*\certutil.exe * -decode *'
|
|
|
|
|
- '*\certutil.exe * -decodehex *'
|
|
|
|
|
- '*\certutil.exe -ping *'
|
|
|
|
|
- icacls * /grant Everyone:F /T /C /Q
|
|
|
|
|
- '* wbadmin.exe delete catalog -quiet*'
|
|
|
|
|
- '*\wscript.exe *.jse'
|
|
|
|
|
- '*\wscript.exe *.js'
|
|
|
|
|
- '*\wscript.exe *.vba'
|
|
|
|
|
- '*\wscript.exe *.vbe'
|
|
|
|
|
- '*\cscript.exe *.jse'
|
|
|
|
|
- '*\cscript.exe *.js'
|
|
|
|
|
- '*\cscript.exe *.vba'
|
|
|
|
|
- '*\cscript.exe *.vbe'
|
|
|
|
|
- '*\fodhelper.exe'
|
|
|
|
|
- '*waitfor*/s*'
|
|
|
|
|
- '*waitfor*/si persist*'
|
|
|
|
|
- '*remote*/s*'
|
|
|
|
|
- '*remote*/c*'
|
|
|
|
|
- '*remote*/q*'
|
|
|
|
|
- '*AddInProcess*'
|
|
|
|
|
- '* /stext *'
|
|
|
|
|
- '* /scomma *'
|
|
|
|
|
- '* /stab *'
|
|
|
|
|
- '* /stabular *'
|
|
|
|
|
- '* /shtml *'
|
|
|
|
|
- '* /sverhtml *'
|
|
|
|
|
- '* /sxml *'
|
|
|
|
|
condition: selection
|
2020-01-10 23:11:27 +00:00
|
|
|
fields:
|
|
|
|
|
- ComputerName
|
|
|
|
|
- User
|
|
|
|
|
- CommandLine
|
2019-01-16 22:36:31 +00:00
|
|
|
falsepositives:
|
2019-03-01 23:14:20 +00:00
|
|
|
- False positives depend on scripts and administrative tools used in the monitored environment
|
2019-01-16 22:36:31 +00:00
|
|
|
level: medium
|
