LoFP / false positives depend on scripts and administrative tools used in the monitored environment

Techniques

Sample rules

MsiExec Web Install

Description

Detects suspicious msiexec process starts with a web address as a parameter

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' msiexec'
  - ://

Sysprep on AppData Folder

Description

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Detection logic

condition: selection
selection:
  CommandLine|contains: \AppData\
  Image|endswith: \sysprep.exe

MSHTA Suspicious Execution 01

Description

Detects suspicious mshta.exe execution patterns, sometimes involving file polyglots

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - vbscript
  - .jpg
  - .png
  - .lnk
  - .xls
  - .doc
  - .zip
  - .dll
  Image|endswith: \mshta.exe

Suspicious RASdial Activity

Description

Detects suspicious process activity related to rasdial.exe

Detection logic

condition: selection
selection:
  Image|endswith: rasdial.exe

Suspicious Call by Ordinal

Description

Detects suspicious rundll32.exe invocations of DLL exports by ordinal

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_edge:
  CommandLine|contains|all:
  - EDGEHTML.dll
  - '#141'
filter_vsbuild_dll:
  CommandLine|contains:
  - \FileTracker32.dll,#1
  - \FileTracker32.dll",#1
  - \FileTracker64.dll,#1
  - \FileTracker64.dll",#1
  ParentImage|contains:
  - \Msbuild\Current\Bin\
  - \VC\Tools\MSVC\
  - \Tracker.exe
selection_cli:
  CommandLine|contains:
  - ',#'
  - ', #'
  - '.dll #'
  - '.ocx #'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
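As an added example (not part of this page or of the Sigma project), the following Python implements the small subset of Sigma matching semantics these rules rely on and evaluates the Suspicious Call by Ordinal rule over constructed process-creation events; the field names follow the rule, while the events, paths and the hypothetical Visual Studio install location are assumptions.

```python
# Minimal evaluator for the Sigma modifiers used above: map = AND, list of maps = OR,
# list of values = OR unless |all, matching case-insensitive as Sigma specifies.
_OPS = {"contains": lambda v, p: p in v, "endswith": str.endswith, "startswith": str.startswith}

def _field_match(event, key, pattern):
    """Evaluate one 'Field|modifier' entry against a single event."""
    name, *mods = key.split("|")
    value = str(event.get(name, "")).lower()
    pats = [str(p).lower() for p in (pattern if isinstance(pattern, list) else [pattern])]
    op = next((_OPS[m] for m in mods if m in _OPS), lambda v, p: v == p)
    hits = [op(value, p) for p in pats]
    return all(hits) if "all" in mods else any(hits)

def selection_match(event, sel):
    """A map is AND over its fields; a list of maps is OR over its items."""
    if isinstance(sel, list):
        return any(selection_match(event, item) for item in sel)
    return all(_field_match(event, k, v) for k, v in sel.items())

# Rule body transcribed from the "Suspicious Call by Ordinal" detection logic
RULE = {
    "selection_img": [{"Image|endswith": "\\rundll32.exe"}, {"OriginalFileName": "RUNDLL32.EXE"}],
    "selection_cli": {"CommandLine|contains": [",#", ", #", ".dll #", ".ocx #"]},
    "filter_edge": {"CommandLine|contains|all": ["EDGEHTML.dll", "#141"]},
    "filter_vsbuild_dll": {
        "CommandLine|contains": ["\\FileTracker32.dll,#1", '\\FileTracker32.dll",#1',
                                 "\\FileTracker64.dll,#1", '\\FileTracker64.dll",#1'],
        "ParentImage|contains": ["\\Msbuild\\Current\\Bin\\", "\\VC\\Tools\\MSVC\\", "\\Tracker.exe"],
    },
}

def ordinal_rule_fires(event):
    """condition: all of selection_* and not 1 of filter_*"""
    sels = [v for k, v in RULE.items() if k.startswith("selection_")]
    filters = [v for k, v in RULE.items() if k.startswith("filter_")]
    return all(selection_match(event, s) for s in sels) and not any(
        selection_match(event, f) for f in filters)

# Constructed sample events (not real telemetry); the VS path is hypothetical
TRACKER_CLI = 'rundll32.exe "C:\\Program Files\\MSBuild\\FileTracker32.dll",#1 /q'
EVENTS = {
    "ordinal": {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "rundll32.exe C:\\Users\\Public\\demo.dll,#2"},
    "vsbuild": {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": TRACKER_CLI,
                "ParentImage": "C:\\VS\\MSBuild\\Current\\Bin\\Tracker.exe"},
    "vsbuild_odd_parent": {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": TRACKER_CLI,
                           "ParentImage": "C:\\Windows\\explorer.exe"},
    "edge": {"OriginalFileName": "RUNDLL32.EXE", "CommandLine": "rundll32.exe EDGEHTML.dll,#141"},
}
```

Note that the build-tool filter only suppresses the alert when both the command line and the parent image match, so the same FileTracker command line spawned by an unexpected parent still fires.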

Suspicious Desktopimgdownldr Command

Description

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Detection logic

condition: ( selection1 and not selection1_filter ) or selection_reg
selection1:
  CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
  CommandLine|contains:
  - .jpg
  - .jpeg
  - .png
selection_reg:
  CommandLine|contains|all:
  - reg delete
  - \PersonalizationCSP

Potentially Suspicious Rundll32 Activity

Description

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_parent_cpl:
  CommandLine|contains|all:
  - Shell32.dll
  - Control_RunDLL
  - .cpl
  ParentCommandLine|contains: .cpl
  ParentImage: C:\Windows\System32\control.exe
filter_main_screensaver:
  CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver
filter_main_startmenu:
  CommandLine|endswith: .cpl",
  CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL
    "C:\Windows\System32\'
  ParentImage: C:\Windows\System32\control.exe
selection:
- CommandLine|contains|all:
  - 'javascript:'
  - .RegisterXLL
- CommandLine|contains|all:
  - url.dll
  - OpenURL
- CommandLine|contains|all:
  - url.dll
  - OpenURLA
- CommandLine|contains|all:
  - url.dll
  - FileProtocolHandler
- CommandLine|contains|all:
  - zipfldr.dll
  - RouteTheCall
- CommandLine|contains|all:
  - shell32.dll
  - Control_RunDLL
- CommandLine|contains|all:
  - shell32.dll
  - ShellExec_RunDLL
- CommandLine|contains|all:
  - mshtml.dll
  - PrintHTML
- CommandLine|contains|all:
  - advpack.dll
  - LaunchINFSection
- CommandLine|contains|all:
  - advpack.dll
  - RegisterOCX
- CommandLine|contains|all:
  - ieadvpack.dll
  - LaunchINFSection
- CommandLine|contains|all:
  - ieadvpack.dll
  - RegisterOCX
- CommandLine|contains|all:
  - ieframe.dll
  - OpenURL
- CommandLine|contains|all:
  - shdocvw.dll
  - OpenURL
- CommandLine|contains|all:
  - syssetup.dll
  - SetupInfObjectInstallAction
- CommandLine|contains|all:
  - setupapi.dll
  - InstallHinfSection
- CommandLine|contains|all:
  - pcwutl.dll
  - LaunchApplication
- CommandLine|contains|all:
  - dfshim.dll
  - ShOpenVerbApplication
- CommandLine|contains|all:
  - dfshim.dll
  - ShOpenVerbShortcut
- CommandLine|contains|all:
  - scrobj.dll
  - GenerateTypeLib
  - http
- CommandLine|contains|all:
  - shimgvw.dll
  - ImageView_Fullscreen
  - http
- CommandLine|contains|all:
  - comsvcs.dll
  - MiniDump

Suspicious Process Start Locations

Description

Detects suspicious processes run from unusual locations

Detection logic

condition: selection
selection:
- Image|contains:
  - :\RECYCLER\
  - :\SystemVolumeInformation\
- Image|startswith:
  - C:\Windows\Tasks\
  - C:\Windows\debug\
  - C:\Windows\fonts\
  - C:\Windows\help\
  - C:\Windows\drivers\
  - C:\Windows\addins\
  - C:\Windows\cursors\
  - C:\Windows\system32\tasks\

Network Reconnaissance Activity

Description

Detects a set of suspicious network related commands often used in recon stages

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - nslookup
  - _ldap._tcp.dc._msdcs.

Suspicious Desktopimgdownldr Target File

Description

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

Detection logic

condition: selection and not filter1 and not filter2
filter1:
  TargetFilename|contains: C:\Windows\
filter2:
  TargetFilename|contains:
  - .jpg
  - .jpeg
  - .png
selection:
  Image|endswith: \svchost.exe
  TargetFilename|contains: \Personalization\LockScreenImage\