valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a7eb4d3e34
SigmaHQ/rules/windows/builtin/win_plugx_susp_exe_locations.yml
SherifEldeeb 348728bdd9 Cleaning up empty list items
2018-01-28 02:36:39 +03:00

145 lines
4.3 KiB
YAML
Raw Blame History

title: Executable used by PlugX in Uncommon Location
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
- 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
- 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
author: Florian Roth
date: 2017/06/12
logsource:
product: windows
service: security
detection:
# CamMute
selection_cammute:
EventID: 4688
ProcessCommandLine: '*\CamMute.exe'
filter_cammute:
EventID: 4688
ProcessCommandLine: '*\Lenovo\Communication Utility\*'
# Chrome Frame Helper
selection_chrome_frame:
EventID: 4688
ProcessCommandLine: '*\chrome_frame_helper.exe'
filter_chrome_frame:
EventID: 4688
ProcessCommandLine: '*\Google\Chrome\application\*'
# Microsoft Device Emulator
selection_devemu:
EventID: 4688
ProcessCommandLine: '*\dvcemumanager.exe'
filter_devemu:
EventID: 4688
ProcessCommandLine: '*\Microsoft Device Emulator\*'
# Windows Media Player Gadget
selection_gadget:
EventID: 4688
ProcessCommandLine: '*\Gadget.exe'
filter_gadget:
EventID: 4688
ProcessCommandLine: '*\Windows Media Player\*'
# HTML Help Workshop
selection_hcc:
EventID: 4688
ProcessCommandLine: '*\hcc.exe'
filter_hcc:
EventID: 4688
ProcessCommandLine: '*\HTML Help Workshop\*'
# Hotkey Command Module for Intel Graphics Contollers
selection_hkcmd:
EventID: 4688
ProcessCommandLine: '*\hkcmd.exe'
filter_hkcmd:
EventID: 4688
ProcessCommandLine:
- '*\System32\*'
- '*\SysNative\*'
- '*\SysWowo64\*'
# McAfee component
selection_mc:
EventID: 4688
ProcessCommandLine: '*\Mc.exe'
filter_mc:
EventID: 4688
ProcessCommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
# MsMpEng - Microsoft Malware Protection Engine
selection_msmpeng:
EventID: 4688
ProcessCommandLine: '*\MsMpEng.exe'
filter_msmpeng:
EventID: 4688
ProcessCommandLine:
- '*\Microsoft Security Client\*'
- '*\Windows Defender\*'
- '*\AntiMalware\*'
# Microsoft Security Center
selection_msseces:
EventID: 4688
ProcessCommandLine: '*\msseces.exe'
filter_msseces:
EventID: 4688
ProcessCommandLine: '*\Microsoft Security Center\*'
# Microsoft Office 2003 OInfo
selection_oinfo:
EventID: 4688
ProcessCommandLine: '*\OInfoP11.exe'
filter_oinfo:
EventID: 4688
ProcessCommandLine: '*\Common Files\Microsoft Shared\*'
# OLE View
selection_oleview:
EventID: 4688
ProcessCommandLine: '*\OleView.exe'
filter_oleview:
EventID: 4688
ProcessCommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
# RC
selection_rc:
EventID: 4688
ProcessCommandLine: '*\OleView.exe'
filter_rc:
EventID: 4688
ProcessCommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Microsoft.NET\*'
condition: ( selection_cammute and not filter_cammute ) or
( selection_chrome_frame and not filter_chrome_frame ) or
( selection_devemu and not filter_devemu ) or
( selection_gadget and not filter_gadget ) or
( selection_hcc and not filter_hcc ) or
( selection_hkcmd and not filter_hkcmd ) or
( selection_mc and not filter_mc ) or
( selection_msmpeng and not filter_msmpeng ) or
( selection_msseces and not filter_msseces ) or
( selection_oinfo and not filter_oinfo ) or
( selection_oleview and not filter_oleview ) or
( selection_rc and not filter_rc )
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink