Merge pull request #6 from MHaggis/master

Modifications and new additions
Florian Roth 2017-03-05 00:16:26 +01:00 committed by GitHub
commit 0cc3139176
5 changed files with 82 additions and 3 deletions


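--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,23 @@
+title: MSHTA Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from MSHTA.
+reference: https://www.trustedsec.com/july-2015/malicious-htas/
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+ParentImage:
+- '*\mshta.exe'
+Image:
+- '*\cmd.exe'
+- '*\powershell.exe'
+- '*\wscript.exe'
+- '*\cscript.exe'
+- '*\sh.exe'
+- '*\bash.exe'
+condition: selection
+falsepositives:
+- Minimal FPs.
+level: high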
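Review bot: The `falsepositives` entry `- Minimal FPs.` states an expectation rather than a source of benign matches, so an analyst triaging a hit has nothing to tune against. Name the benign case the author has in mind, e.g. `- Administrative or software-deployment HTAs that legitimately launch cmd.exe or powershell.exe`, or use `- unknown` as the other new rules in this commit do. The detection itself is a straightforward Sysmon EventID 1 parent/child pairing (`*\mshta.exe` parent, shell or script host child) and reads correctly.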


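--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,28 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+ParentImage:
+- '*\WINWORD.EXE'
+- '*\EXCEL.EXE'
+- '*\POWERPNT.exe'
+- '*\MSPUB.exe'
+- '*\VISIO.exe'
+Image:
+- '*\cmd.exe'
+- '*\powershell.exe'
+- '*\wscript.exe'
+- '*\cscript.exe'
+- '*\sh.exe'
+- '*\bash.exe'
+- '*\scrcons.exe'
+condition: selection
+falsepositives:
+- unknown
+level: high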
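Review bot: `- '*\scrcons.exe'` in the `Image` list looks out of place for a rule keyed on an Office `ParentImage`: scrcons.exe is the WMI script event consumer host and, as far as I know, is started by the WMI service rather than by Word or Excel, so this entry is unlikely to ever match here and the WMI-consumer case would be better covered by its own rule. Separately, the parent list mixes casing (`'*\WINWORD.EXE'` and `'*\EXCEL.EXE'` versus `'*\POWERPNT.exe'`, `'*\MSPUB.exe'`, `'*\VISIO.exe'`); matching is case-insensitive in the backends I am aware of, but one casing convention is easier to maintain and diff. `falsepositives: - unknown` is acceptable for an experimental rule, though Office add-ins or document-conversion tooling that launch cmd.exe or powershell.exe would be the obvious candidate to record once observed.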


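--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,22 @@
+title: WSF, JSE, JS, VBA and VBE file execution
+status: experimental
+description: Detects suspicious file execution by wscript and cscript.
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+Image:
+- '*\wscript.exe'
+- '*\cscript.exe'
+CommandLine:
+- '*.jse'
+- '*.vbe'
+- '*.js'
+- '*.vba'
+- '*.vbe'
+condition: selection
+falsepositives:
+- Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
+level: medium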
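Review bot: `- '*.vba'` in the `CommandLine` list is almost certainly meant to be `'*.vbs'`: VBA is the Office macro language and has no standalone file that wscript.exe or cscript.exe will run, whereas `.vbs` is the extension they do execute, so the most common case is currently uncovered. `- '*.vbe'` appears twice (second and fifth entries) and the duplicate should go, and `.wsf`, which the title promises, is missing from the list; the corrected list would be `'*.jse'`, `'*.vbe'`, `'*.js'`, `'*.vbs'`, `'*.wsf'`. Note also that each pattern only has a leading wildcard, so a CommandLine that ends in a closing quote or carries further arguments after the script name will not match; whether a trailing wildcard is needed depends on the backend's matching semantics, which I am inferring rather than reading from the page.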


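--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -9,12 +9,16 @@ detection:
 ParentImage:
 - '*\apache*'
 - '*\tomcat*'
+- '*\w3wp.exe'
+- '*\php-cgi.exe'
+- '*\nginx.exe'
+- '*\httpd.exe'
 CommandLine:
 - 'whoami'
 - 'net user'
 - 'ping -n'
+- 'systeminfo'
 condition: selection
 falsepositives:
 - unknown
 level: high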
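Review bot: The new `- 'systeminfo'` entry carries no wildcard, so under plain-value matching it only fires when the recorded CommandLine is exactly `systeminfo`; Sysmon EventID 1 logs the full command line, normally with the executable path and any arguments, so this line (and the existing `whoami`, `net user`, `ping -n` beside it) will rarely match the activity the rule describes. `- '*systeminfo*'`, with the same treatment for its siblings, would match as a substring; I am inferring the backend semantics from the wildcard usage on the `ParentImage` values in the same hunk rather than from anything else on the page. The four `ParentImage` additions (`w3wp.exe`, `php-cgi.exe`, `nginx.exe`, `httpd.exe`) overlap with the sibling rule in the next file section, which gains `php-cgi.exe` in this same commit; if both rules are meant to cover one web-server set, a shared ordering of that list would make drift between them easy to spot.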


@ -11,10 +11,12 @@ detection:
- '*\w3wp.exe' - '*\w3wp.exe'
- '*\httpd.exe' - '*\httpd.exe'
- '*\nginx.exe' - '*\nginx.exe'
- '*\php-cgi.exe'
Image: Image:
- '*\cmd.exe' - '*\cmd.exe'
- '*\sh.exe' - '*\sh.exe'
- '*\bash.exe' - '*\bash.exe'
- '*\powershell.exe'
condition: selection condition: selection
falsepositives: falsepositives:
- Particular web applications may spawn a shell process legitimately - Particular web applications may spawn a shell process legitimately