Merge pull request #1228 from stvetro/oscd-GfxDownloadWrapper

[OSCD] GfxDownloadWrapper downloads file (LoLBin)

.github/workflows/sigma-test.yml

@@ -23,18 +23,9 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         pip install -r tools/requirements.txt -r tools/requirements-devel.txt
-        wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
-        sudo apt install -y apt-transport-https
-        echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list
-        sudo apt update
-        sudo apt install -y elasticsearch
-        sudo systemctl start elasticsearch
     - name: Test Sigma Tools and Rules
       run: |
         make test
-    - name: Test Generated Elasticsearch Query Strings
-      run: |
-        make test-backend-es-qs
     - name: Test SQL(ite) Backend
       run: |
         make test-backend-sql

rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml

@@ -0,0 +1,27 @@
+title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+id: eee00933-a761-4cd0-be70-c42fe91731e7
+status: experimental
+description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    image_path:
+        Image|endswith: '\GfxDownloadWrapper.exe'
+    cmd_known_url:
+        CommandLine|contains: 'gameplayapi.intel.com'
+    same_parent:
+        ParentImage|endswith: '\GfxDownloadWrapper.exe'
+    condition: image_path and not cmd_known_url and not same_parent
+fields:
+    - CommandLine
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1105