valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1092 from zBlurr/win_susp_sqldumper_activity

Browse Source 
[OSCD] Sqldumper.exe LOLbin
This commit is contained in:
Thomas Patzke 2020-10-13 11:51:41 +02:00 committed by GitHub
commit 33c80b8428
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
rules/windows/process_creation/win_susp_presentationhost_execution.yml
View File

@ -1,25 +0,0 @@
title: Application Whitelisting Bypass via PresentationHost.exe
id: d149a338-ae47-408e-a8ff-9064220c0b34
description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
status: experimental
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
- https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
- https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Kirill Kiryanov, oscd.community
date: 2020/10/08
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\presentationhost.exe'
CommandLine|contains: '.xbap'
condition: selection
level: medium
falsepositives:
- Unknown

28
rules/windows/process_creation/win_susp_sqldumper_activity.yml Normal file
View File

@ -0,0 +1,28 @@
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
description: Detects process dump via legitimate sqldumper.exe binary
status: experimental
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020/10/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium