mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
8.5 KiB
8.5 KiB
| Title | Formbook Process Creation |
|---|---|
| Description | Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. |
| ATT&CK Tactic | This Detection Rule wasn't mapped to ATT&CK Tactic yet |
| ATT&CK Technique | This Detection Rule wasn't mapped to ATT&CK Technique yet |
| Data Needed | |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | critical |
| False Positives |
|
| Development Status | experimental |
| References | |
| Author | Florian Roth |
Detection Rules
Sigma rule
title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth
date: 2019/09/30
modified: 2019/10/31
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
logsource:
category: process_creation
product: windows
detection:
selection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine:
- 'C:\Windows\System32\\*.exe'
- 'C:\Windows\SysWOW64\\*.exe'
CommandLine:
- '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- '* /c del "C:\Users\\*\Desktop\\*.exe'
- '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: critical
powershell
Get-WinEvent | where {(($_.message -match "ParentCommandLine.*C:\\\\Windows\\\\System32\\\\.*.exe" -or $_.message -match "ParentCommandLine.*C:\\\\Windows\\\\SysWOW64\\\\.*.exe") -and ($_.message -match "CommandLine.*.* /c del \\"C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\.*.exe" -or $_.message -match "CommandLine.*.* /c del \\"C:\\\\Users\\\\.*\\\\Desktop\\\\.*.exe" -or $_.message -match "CommandLine.*.* /C type nul > \\"C:\\\\Users\\\\.*\\\\Desktop\\\\.*.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
es-qs
(winlog.event_data.ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ >\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
xpack-watcher
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/032f5fb3-d959-41a5-9263-4173c802dc2b <<EOF\n{\n "metadata": {\n "title": "Formbook Process Creation",\n "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",\n "tags": "",\n "query": "(winlog.event_data.ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ >\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(winlog.event_data.ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND winlog.event_data.CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ >\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'Formbook Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul > \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
splunk
((ParentCommandLine="C:\\\\Windows\\\\System32\\\\*.exe" OR ParentCommandLine="C:\\\\Windows\\\\SysWOW64\\\\*.exe") (CommandLine="* /c del \\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe" OR CommandLine="* /c del \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe" OR CommandLine="* /C type nul > \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe")) | table CommandLine,ParentCommandLine
logpoint
(ParentCommandLine IN ["C:\\\\Windows\\\\System32\\\\*.exe", "C:\\\\Windows\\\\SysWOW64\\\\*.exe"] CommandLine IN ["* /c del \\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe", "* /c del \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe", "* /C type nul > \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe"])
grep
grep -P \'^(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*\\.exe|.*C:\\Windows\\SysWOW64\\\\.*\\.exe))(?=.*(?:.*.* /c del "C:\\Users\\\\.*\\AppData\\Local\\Temp\\\\.*\\.exe|.*.* /c del "C:\\Users\\\\.*\\Desktop\\\\.*\\.exe|.*.* /C type nul > "C:\\Users\\\\.*\\Desktop\\\\.*\\.exe)))\'