mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
8a9db12d30
Enhanced to improve specificity per feedback received;
26 lines
1.1 KiB
YAML
26 lines
1.1 KiB
YAML
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
|
|
id: a7c3d773-caef-227e-a7e7-c2f13c622329
|
|
status: experimental
|
|
description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
|
|
author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
|
|
date: 2020/10/23
|
|
references:
|
|
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
|
|
- https://www.cobaltstrike.com/help-opsec
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1085 # legacy
|
|
- attack.t1218.011
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine|endswith:
|
|
- '\WerFault.exe'
|
|
- '\rundll32.exe'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|