Techniques
Sample rules
Suspicious Msiexec Execute Arbitrary DLL
- source: sigma
- techniques:
  - t1218
  - t1218.007
Description
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Detection logic
selection:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains|windash: ' -y'
filter_apple:
    CommandLine|contains:
        - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll'
        - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
        - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
        - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
        - '\MsiExec.exe" /Y "C:\Windows\CCM\'
        - '\MsiExec.exe" /Y C:\Windows\CCM\'
        - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
        - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
        - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
        - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
        - '\MsiExec.exe" -Y "C:\Windows\CCM\'
        - '\MsiExec.exe" -Y C:\Windows\CCM\'
condition: selection and not 1 of filter_*
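To see how the selection, the `windash` modifier and the `filter_apple` allow-list interact, here is a small evaluator of the rule above run over constructed process-creation events. This is an added example, not code from the Sigma project or any Sigma backend; field names follow the Sysmon convention, and the `C:\Temp\...` paths are placeholders.

```python
"""Evaluator for the 'Suspicious Msiexec Execute Arbitrary DLL' logic above.
Added example, not part of the Sigma project; sample events are constructed.
Sigma string modifiers are case-insensitive; 'windash' also accepts '/' for a
leading '-' (newer Sigma versions add Unicode dashes, omitted here)."""

def contains(value: str, needle: str, windash: bool = False) -> bool:
    """Sigma 'contains' (case-insensitive), optionally with 'windash'."""
    variants = [needle, needle.replace("-", "/", 1)] if windash else [needle]
    haystack = value.lower()
    return any(n.lower() in haystack for n in variants)

# The twelve filter_apple strings, built from six base paths so that both the
# '/Y' and '-Y' spellings listed in the rule are covered.
FILTER_PATHS = [
    '"C:\\Program Files\\Bonjour\\mdnsNSP.dll',
    '"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll',
    '"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll',
    '"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll',
    '"C:\\Windows\\CCM\\',
    'C:\\Windows\\CCM\\',
]
FILTER_APPLE = [f'\\MsiExec.exe" {dash}Y {path}'
                for dash in ("/", "-") for path in FILTER_PATHS]

def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    selection = (image.lower().endswith("\\msiexec.exe")
                 and contains(cmd, " -y", windash=True))
    return selection and not any(contains(cmd, f) for f in FILTER_APPLE)

# Constructed process-creation events (Sysmon-style field names).
EVENTS = [
    # Bonjour's own registration: selection matches, filter removes it
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine":
     '"C:\\Windows\\System32\\MsiExec.exe" /Y "C:\\Program Files\\Bonjour\\mdnsNSP.dll"'},
    # Unknown DLL (placeholder path) with the '/y' spelling: rule fires
    {"Image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": "msiexec.exe /y C:\\Temp\\unknown.dll"},
    # Ordinary package install, no ' -y' / ' /y' switch: selection fails
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Temp\\setup.msi /quiet"},
]

def evaluate(events):
    """One verdict per event, True where the rule would fire."""
    return [rule_matches(e) for e in events]
```

Note that every filter string is anchored on the quoted image path `\MsiExec.exe"`, so the same vendor DLL registered through an unquoted `msiexec.exe -Y ...` command line is not filtered and would still alert; tune the filter if that form is common in your environment.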
Suspicious Scan Loop Network
- source: sigma
- techniques:
  - t1018
  - t1059
Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Detection logic
selection_loop:
    CommandLine|contains:
        - 'for '
        - 'foreach '
selection_tools:
    CommandLine|contains:
        - 'nslookup'
        - 'ping'
condition: all of selection_*
Dism Remove Online Package
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
DISM (Deployment Image Servicing and Management) is the tool used to enumerate, install, uninstall, configure, and update features and packages in Windows images; this rule looks for it being used to disable a feature of the running (online) system.
Detection logic
selection_dism:
    Image|endswith: '\Dism.exe'
    CommandLine|contains|all:
        - '/Online'
        - '/Disable-Feature'
selection_dismhost:
    Image|endswith: '\DismHost.exe'
    ParentCommandLine|contains|all:
        - '/Online'
        - '/Disable-Feature'
condition: 1 of selection_*
Enable Windows Remote Management
- source: sigma
- techniques:
  - t1021
  - t1021.006
Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Detection logic
selection_cmdlet:
    ScriptBlockText|contains: 'Enable-PSRemoting '
condition: selection_cmdlet
Powershell DNSExfiltration
- source: sigma
- techniques:
  - t1048
Description
DNSExfiltrator allows a file to be transferred (exfiltrated) over a covert channel built from DNS requests.
Detection logic
selection_cmdlet:
    - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
    - ScriptBlockText|contains|all:
          - ' -i '
          - ' -d '
          - ' -p '
          - ' -doh '
          - ' -t '
condition: selection_cmdlet
Execute Invoke-command on Remote Host
- source: sigma
- techniques:
  - t1021
  - t1021.006
Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Detection logic
selection_cmdlet:
    ScriptBlockText|contains|all:
        - 'invoke-command '
        - ' -ComputerName '
condition: selection_cmdlet
Powershell Exfiltration Over SMTP
- source: sigma
- techniques:
  - t1048
  - t1048.003
Description
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Detection logic
selection:
    ScriptBlockText|contains: 'Send-MailMessage'
filter:
    ScriptBlockText|contains: 'CmdletsToExport'
condition: selection and not filter