SigmaHQ/rules/windows/process_creation/win_lolbas_mpcmdrun.yml

title: LOLBAS - Windows Defender
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: experimental
description: Detect use of Windows Defender to download malicious payload
author: Matthew Matchen
date: 2020/09/04
references:
    - https://twitter.com/djmtshepana/status/1301608169496612866
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        - CommandLine|contains: 'MpCmdRun.exe'
    selection2:
        - CommandLine|contains: 'DownloadFile'
        - CommandLine|contains: 'url'
    condition: selection1 and 1 of selection2
fields:
    - CommandLine
falsepositives:
    - Unknown
level: medium
Initial creation 2020-09-04 14:00:23 +00:00			`title: LOLBAS - Windows Defender`
Added ID field using UUID generated value 2020-09-04 14:38:52 +00:00			`id: 46123129-1024-423e-9fae-43af4a0fa9a5`
Initial creation 2020-09-04 14:00:23 +00:00			`status: experimental`
			`description: Detect use of Windows Defender to download malicious payload`
			`author: Matthew Matchen`
			`date: 2020/09/04`
			`references:`
			`- https://twitter.com/djmtshepana/status/1301608169496612866`
			`- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/`
			`tags:`
			`- attack.command_and_control`
			`- attack.t1105`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
			`- CommandLine\|contains: 'MpCmdRun.exe'`
			`selection2:`
			`- CommandLine\|contains: 'DownloadFile'`
			`- CommandLine\|contains: 'url'`
			`condition: selection1 and 1 of selection2`
			`fields:`
			`- CommandLine`
			`falsepositives:`
			`- Unknown`
			`level: medium`