atomic-threat-coverage/sysmon_susp_powershell_rundll32.md at d99f01b7735a4cbda88165263043b35488ff069f

mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00

Wydra Mateusz d99f01b773 get rid of dot workaround for markdown, missing analitics added

2019-05-01 23:43:17 +02:00

3.3 KiB

Raw Blame History

Title	PowerShell Rundll32 Remote Thread Creation
Description	Detects PowerShell remote thread creation in Rundll32.exe
ATT&CK Tactic	TA0005: Defense Evasion TA0002: Execution
ATT&CK Technique	T1085: Rundll32 T1086: PowerShell
Data Needed	DN_0012_8_windows_sysmon_CreateRemoteThread
Trigger	T1085: Rundll32 T1086: PowerShell
Severity Level	high
False Positives	Unkown
Development Status	experimental
References	https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
Author	Florian Roth

Detection Rules

Sigma rule

title: PowerShell Rundll32 Remote Thread Creation
status: experimental
description: Detects PowerShell remote thread creation in Rundll32.exe 
author: Florian Roth
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
date: 2018/06/25
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        SourceImage: '*\powershell.exe'
        TargetImage: '*\rundll32.exe'
    condition: selection
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1085
    - attack.t1086
falsepositives:
    - Unkown
level: high

es-qs

xpack-watcher

graylog

(EventID:"8" AND SourceImage:"*\\\\powershell.exe" AND TargetImage:"*\\\\rundll32.exe")

splunk

logpoint

grep

grep -P '^(?:.*(?=.*8)(?=.*.*\\powershell\\.exe)(?=.*.*\\rundll32\\.exe))'

3.3 KiB Raw Blame History

Detection Rules

Sigma rule

es-qs

xpack-watcher

graylog

splunk

logpoint

grep

3.3 KiB

Raw Blame History