LoFP / legitimate use

Techniques

Sample rules

Start of NT Virtual DOS Machine

Description

Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \ntvdm.exe
  - \csrstub.exe

Use of UltraVNC Remote Access Software

Description

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.

Detection logic

condition: selection
selection:
- Description: VNCViewer
- Product: UltraVNC VNCViewer
- Company: UltraVNC
- OriginalFileName: VNCViewer.exe

Use of W32tm as Timer

Description

When configured with suitable command line arguments, w32tm can act as a delay mechanism.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains|all:
  - /stripchart
  - '/computer:'
  - '/period:'
  - /dataonly
  - '/samples:'
selection_w32tm:
- Image|endswith: \w32tm.exe
- OriginalFileName: w32time.dll

Esentutl Steals Browser Information

Description

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge using the built-in utility esentutl.exe.

Detection logic

condition: all of selection*
selection_flag:
  CommandLine|contains|windash: -r
selection_img:
- Image|endswith: \esentutl.exe
- OriginalFileName: esentutl.exe
selection_webcache:
  CommandLine|contains: \Windows\WebCache

Remote Access Tool - AnyDesk Execution

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
- Image|endswith: \AnyDesk.exe
- Description: AnyDesk
- Product: AnyDesk
- Company: AnyDesk Software GmbH

Remote Access Tool - GoToAssist Execution

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
- Description: GoTo Opener
- Product: GoTo Opener
- Company: LogMeIn, Inc.

Rundll32 Registered COM Objects

Description

Detects rundll32.exe being used to load malicious registered COM objects.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - '-sta '
  - '-localserver '
  CommandLine|contains|all:
  - '{'
  - '}'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Description

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  - SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
  CommandLine|contains|all:
  - 'ADD '
  - '/t '
  - 'REG_DWORD '
  - '/v '
  - '/d '
  - '0'
  Image|endswith: \reg.exe

Use of TTDInject.exe

Description

Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for time travel debugging (underlying call of tttracer.exe).

Detection logic

condition: selection
selection:
- Image|endswith: ttdinject.exe
- OriginalFileName: TTDInject.EXE

PktMon.EXE Execution

Description

Detects execution of PktMon, a tool that captures network packets.

Detection logic

condition: selection
selection:
- Image|endswith: \pktmon.exe
- OriginalFileName: PktMon.exe

Remote Access Tool - UltraViewer Execution

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
- Product: UltraViewer
- Company: DucFabulous Co,ltd
- OriginalFileName: UltraViewer_Desktop.exe

Use Icacls to Hide File to Everyone

Description

Detects the use of icacls to deny access to Everyone on a path under the Users folder, a technique sometimes used to hide malicious files.

Detection logic

condition: all of selection*
selection_cmd:
  CommandLine|contains|all:
  - C:\Users\
  - /deny
  - '*S-1-1-0:'
selection_icacls:
- OriginalFileName: iCACLS.EXE
- Image|endswith: \icacls.exe

Remote Access Tool - LogMeIn Execution

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
- Description: LMIGuardianSvc
- Product: LMIGuardianSvc
- Company: LogMeIn, Inc.

Modify Group Policy Settings

Description

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

Detection logic

condition: all of selection_*
selection_key:
  CommandLine|contains:
  - GroupPolicyRefreshTimeDC
  - GroupPolicyRefreshTimeOffsetDC
  - GroupPolicyRefreshTime
  - GroupPolicyRefreshTimeOffset
  - EnableSmartScreen
  - ShellSmartScreenLevel
selection_path:
  CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System
selection_reg:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe

PUA - IOX Tunneling Tool Execution

Description

Detects the use of IOX, a tool for port forwarding and intranet proxying.

Detection logic

condition: 1 of selection*
selection:
  Image|endswith: \iox.exe
selection_commandline:
  CommandLine|contains:
  - '.exe fwd -l '
  - '.exe fwd -r '
  - '.exe proxy -l '
  - '.exe proxy -r '
selection_hashes:
- Hashes|contains:
  - MD5=9DB2D314DD3F704A02051EF5EA210993
  - SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD
  - SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731
- md5: 9db2d314dd3f704a02051ef5ea210993
- sha1: 039130337e28a6623ecf9a0a3da7d92c5964d8dd
- sha256: c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731

Remote Access Tool - NetSupport Execution

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
- Description: NetSupport Client Configurator
- Product: NetSupport Remote Control
- Company: NetSupport Ltd
- OriginalFileName: PCICFGUI.EXE

PDQ Deploy Remote Administration Tool Execution

Description

Detects the use of the PDQ Deploy remote administration tool.

Detection logic

condition: selection
selection:
- Description: PDQ Deploy Console
- Product: PDQ Deploy
- Company: PDQ.com
- OriginalFileName: PDQDeployConsole.exe

PUA - WebBrowserPassView Execution

Description

Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.

Detection logic

condition: selection
selection:
- Description: Web Browser Password Viewer
- Image|endswith: \WebBrowserPassView.exe

PUA - Fast Reverse Proxy (FRP) Execution

Description

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy that helps expose a local server behind a NAT or firewall to the Internet.

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains: \frpc.ini
selection_hashes:
- Hashes|contains:
  - MD5=7D9C233B8C9E3F0EA290D2B84593C842
  - SHA1=06DDC9280E1F1810677935A2477012960905942F
  - SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C
- md5: 7d9c233b8c9e3f0ea290d2b84593c842
- sha1: 06ddc9280e1f1810677935a2477012960905942f
- sha256: 57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c
selection_img:
  Image|endswith:
  - \frpc.exe
  - \frps.exe

PUA - NPS Tunneling Tool Execution

Description

Detects the use of NPS, a port forwarding and intranet penetration proxy server.

Detection logic

condition: 1 of selection_*
selection_cli_1:
  CommandLine|contains|all:
  - ' -server='
  - ' -vkey='
  - ' -password='
selection_cli_2:
  CommandLine|contains: ' -config=npc'
selection_hashes:
- Hashes|contains:
  - MD5=AE8ACF66BFE3A44148964048B826D005
  - SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181
  - SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856
- md5: ae8acf66bfe3a44148964048b826d005
- sha1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181
- sha256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856
selection_img:
  Image|endswith: \npc.exe

Fsutil Behavior Set SymlinkEvaluation

Description

A symbolic link is a type of file that contains a reference to another file. Enabling symlink evaluation via fsutil is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - 'behavior '
  - 'set '
  - SymlinkEvaluation
selection_img:
- Image|endswith: \fsutil.exe
- OriginalFileName: fsutil.exe

GoToAssist Temporary Installation Artefact

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
  TargetFilename|contains: \AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\

Anydesk Temporary Artefact

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
  TargetFilename|contains:
  - \AppData\Roaming\AnyDesk\user.conf
  - \AppData\Roaming\AnyDesk\system.conf
  TargetFilename|endswith: .temp

ScreenConnect Temporary Installation Artefact

Description

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Detection logic

condition: selection
selection:
  TargetFilename|contains: \Bin\ScreenConnect.

COM Hijacking via TreatAs

Description

Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command.

Detection logic

condition: selection and not 1 of filter_*
filter_misexec:
  Image:
  - C:\Windows\system32\msiexec.exe
  - C:\Windows\SysWOW64\msiexec.exe
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
filter_office2:
  Image: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_svchost:
  Image: C:\Windows\system32\svchost.exe
selection:
  TargetObject|endswith: TreatAs\(Default)

Modify Group Policy Settings - ScriptBlockLogging

Description

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

Detection logic

condition: all of selection_*
selection_key:
  ScriptBlockText|contains:
  - GroupPolicyRefreshTimeDC
  - GroupPolicyRefreshTimeOffsetDC
  - GroupPolicyRefreshTime
  - GroupPolicyRefreshTimeOffset
  - EnableSmartScreen
  - ShellSmartScreenLevel
selection_path:
  ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System