LoFP / legitimate script

Techniques

Sample rules

Powershell DNSExfiltration

Description

DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel.

Detection logic

condition: selection_cmdlet
selection_cmdlet:
- ScriptBlockText|contains: Invoke-DNSExfiltrator
- ScriptBlockText|contains|all:
  - ' -i '
  - ' -d '
  - ' -p '
  - ' -doh '
  - ' -t '

Enable Windows Remote Management

Description

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Detection logic

condition: selection_cmdlet
selection_cmdlet:
  ScriptBlockText|contains: 'Enable-PSRemoting '

Execute Invoke-command on Remote Host

Description

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Detection logic

condition: selection_cmdlet
selection_cmdlet:
  ScriptBlockText|contains|all:
  - 'invoke-command '
  - ' -ComputerName '

Dism Remove Online Package

Description

Deployment Image Servicing and Management (DISM) is a Windows tool used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

Detection logic

condition: 1 of selection_*
selection_dism:
  CommandLine|contains|all:
  - /Online
  - /Disable-Feature
  Image|endswith: \Dism.exe
selection_dismhost:
  Image|endswith: \DismHost.exe
  ParentCommandLine|contains|all:
  - /Online
  - /Disable-Feature

Suspicious Msiexec Execute Arbitrary DLL

Description

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

Detection logic

condition: selection and not 1 of filter_*
filter_apple:
  CommandLine|contains:
  - \MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll
  - \MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll
  - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll
  - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll
  - \MsiExec.exe" /Y "C:\Windows\CCM\
  - \MsiExec.exe" /Y C:\Windows\CCM\
  - \MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll
  - \MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll
  - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll
  - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll
  - \MsiExec.exe" -Y "C:\Windows\CCM\
  - \MsiExec.exe" -Y C:\Windows\CCM\
selection:
  CommandLine|contains|windash: ' -y'
  Image|endswith: \msiexec.exe
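Added example (not code from the LoFP page or the Sigma project): a small Python evaluator of the rule above, implementing the Sigma semantics it relies on (case-insensitive contains and endswith, the windash switch expansion, the filter_apple list, and the condition selection and not 1 of filter_*) over constructed process-creation events, so the Apple Bonjour registration is filtered out as the legitimate script while an unrecognised DLL passed with /y or -y still fires. The windash expansion here is a simplified assumption covering only the - and / spellings.

```python
# The twelve filter_apple values from the rule, rebuilt from their two switch
# spellings (/Y and -Y) and six trusted DLL/directory paths.
FILTER_APPLE = [
    f'\\MsiExec.exe" {switch} {path}'
    for switch in ("/Y", "-Y")
    for path in (
        '"C:\\Program Files\\Bonjour\\mdnsNSP.dll',
        '"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll',
        '"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll',
        '"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll',
        '"C:\\Windows\\CCM\\',
        'C:\\Windows\\CCM\\',
    )
]

def windash_variants(value: str) -> list[str]:
    """Sigma 'windash': a switch written with '-' also matches its '/' form
    (assumption: newer backends add Unicode dash variants too; omitted here)."""
    return [value.replace("-", "/"), value]

def contains(haystack: str, needle: str) -> bool:
    """Sigma string modifiers are case-insensitive by default."""
    return needle.lower() in haystack.lower()

def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    cmd, image = event.get("CommandLine", ""), event.get("Image", "")
    selection = image.lower().endswith("\\msiexec.exe") and any(
        contains(cmd, v) for v in windash_variants(" -y"))
    filter_apple = any(contains(cmd, v) for v in FILTER_APPLE)
    return selection and not filter_apple

# Constructed sample events: Bonjour (legitimate, filtered out), unknown DLL
# via /y, unknown DLL via -y (caught through windash), non-msiexec process.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\SysWOW64\\MsiExec.exe",
     "CommandLine": '"C:\\Windows\\SysWOW64\\MsiExec.exe" /Y "C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll"'},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": '"C:\\Windows\\System32\\msiexec.exe" /y C:\\Users\\Public\\unknown.dll'},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'msiexec.exe -y "C:\\Temp\\unknown.dll"'},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s C:\\Temp\\unknown.dll'},
]

def evaluate_samples() -> list[bool]:
    """One verdict per sample event, in order."""
    return [rule_matches(e) for e in SAMPLE_EVENTS]
```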

Suspicious Scan Loop Network

Description

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

Detection logic

condition: all of selection_*
selection_loop:
  CommandLine|contains:
  - 'for '
  - 'foreach '
selection_tools:
  CommandLine|contains:
  - nslookup
  - ping