mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
5.3 KiB
5.3 KiB
| Title | Application Whitelisting Bypass via Dxcap.exe |
|---|---|
| Description | Detects execution of of Dxcap.exe |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Data Needed | |
| Trigger | |
| Severity Level | medium |
| False Positives |
|
| Development Status | experimental |
| References | |
| Author | Beyu Denis, oscd.community |
Detection Rules
Sigma rule
title: Application Whitelisting Bypass via Dxcap.exe
id: 60f16a96-db70-42eb-8f76-16763e333590
status: experimental
description: Detects execution of of Dxcap.exe
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
- https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution # an old one
level: medium
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dxcap.exe'
CommandLine|contains|all:
- '-c'
- '.exe'
condition: selection
falsepositives:
- Legitimate execution of dxcap.exe by legitimate user
powershell
Get-WinEvent | where {($_.message -match "Image.*.*\\\\dxcap.exe" -and $_.message -match "CommandLine.*.*-c.*" -and $_.message -match "CommandLine.*.*.exe.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
es-qs
(winlog.event_data.Image.keyword:*\\\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)
xpack-watcher
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/60f16a96-db70-42eb-8f76-16763e333590 <<EOF\n{\n "metadata": {\n "title": "Application Whitelisting Bypass via Dxcap.exe",\n "description": "Detects execution of of Dxcap.exe",\n "tags": [\n "attack.defense_evasion",\n "attack.t1218",\n "attack.execution"\n ],\n "query": "(winlog.event_data.Image.keyword:*\\\\\\\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\\\\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(winlog.event_data.Image.keyword:*\\\\\\\\dxcap.exe AND winlog.event_data.CommandLine.keyword:*\\\\-c* AND winlog.event_data.CommandLine.keyword:*.exe*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'Application Whitelisting Bypass via Dxcap.exe\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
(Image.keyword:*\\\\dxcap.exe AND CommandLine.keyword:*\\-c* AND CommandLine.keyword:*.exe*)
splunk
(Image="*\\\\dxcap.exe" CommandLine="*-c*" CommandLine="*.exe*")
logpoint
(Image="*\\\\dxcap.exe" CommandLine="*-c*" CommandLine="*.exe*")
grep
grep -P '^(?:.*(?=.*.*\\dxcap\\.exe)(?=.*.*-c.*)(?=.*.*\\.exe.*))'