mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
5.7 KiB
5.7 KiB
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| Description | Detects PowerShell remote thread creation in Rundll32.exe |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Data Needed | |
| Trigger | |
| Severity Level | high |
| False Positives |
|
| Development Status | experimental |
| References | |
| Author | Florian Roth |
Detection Rules
Sigma rule
title: PowerShell Rundll32 Remote Thread Creation
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
status: experimental
description: Detects PowerShell remote thread creation in Rundll32.exe
author: Florian Roth
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
date: 2018/06/25
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
SourceImage: '*\powershell.exe'
TargetImage: '*\rundll32.exe'
condition: selection
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085 # an old one
- attack.t1218.011
- attack.t1086 # an old one
- attack.t1059.001
falsepositives:
- Unkown
level: high
powershell
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\\\powershell.exe" -and $_.message -match "TargetImage.*.*\\\\rundll32.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
es-qs
(winlog.channel:"Microsoft\\-Windows\\-Sysmon\\/Operational" AND winlog.event_id:"8" AND winlog.event_data.SourceImage.keyword:*\\\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\\\rundll32.exe)
xpack-watcher
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/99b97608-3e21-4bfe-8217-2a127c396a0e <<EOF\n{\n "metadata": {\n "title": "PowerShell Rundll32 Remote Thread Creation",\n "description": "Detects PowerShell remote thread creation in Rundll32.exe",\n "tags": [\n "attack.defense_evasion",\n "attack.execution",\n "attack.t1085",\n "attack.t1218.011",\n "attack.t1086",\n "attack.t1059.001"\n ],\n "query": "(winlog.channel:\\"Microsoft\\\\-Windows\\\\-Sysmon\\\\/Operational\\" AND winlog.event_id:\\"8\\" AND winlog.event_data.SourceImage.keyword:*\\\\\\\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\\\\\\\rundll32.exe)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(winlog.channel:\\"Microsoft\\\\-Windows\\\\-Sysmon\\\\/Operational\\" AND winlog.event_id:\\"8\\" AND winlog.event_data.SourceImage.keyword:*\\\\\\\\powershell.exe AND winlog.event_data.TargetImage.keyword:*\\\\\\\\rundll32.exe)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Rundll32 Remote Thread Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
(EventID:"8" AND SourceImage.keyword:*\\\\powershell.exe AND TargetImage.keyword:*\\\\rundll32.exe)
splunk
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
logpoint
(event_id="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
grep
grep -P '^(?:.*(?=.*8)(?=.*.*\\powershell\\.exe)(?=.*.*\\rundll32\\.exe))'