Techniques
Sample rules
Spoolsv Writing a DLL - Sysmon
- source: splunk
- techniques:
  - T1547.012
  - T1547
Description
The following analytic detects spoolsv.exe writing a .dll file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the \spool\drivers\x64\ directory. This activity is significant because spoolsv.exe typically does not write DLL files, and such behavior could signify an ongoing attack. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.
Detection logic
`sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" file_name=*.dll
| stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `spoolsv_writing_a_dll___sysmon_filter`
Powershell Fileless Process Injection via GetProcAddress
- source: splunk
- techniques:
  - T1059
  - T1055
  - T1059.001
Description
The following analytic detects the use of GetProcAddress in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of GetProcAddress is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.
Detection logic
`powershell` EventCode=4104 ScriptBlockText=*getprocaddress*
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_fileless_process_injection_via_getprocaddress_filter`
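To make the matching behaviour of both searches above concrete, here is an added example (not Splunk's content and not code from this page) that re-implements the two filters and their `stats ... by` aggregation in plain Python over constructed Sysmon EventID 11 and PowerShell 4104 records. The record fields, hostnames, users and timestamps are constructed; the `_glob`, `stats_by` and `enrich_sysmon_file_event` helpers are assumptions that approximate SPL's case-insensitive wildcard matching and the CIM-style derivation of `file_path`/`file_name` from Sysmon's `TargetFilename`. It also shows which near-miss events (wrong process, non-DLL file, wrong event code) the rules correctly ignore.

```python
"""Added example: offline re-implementation of the two Splunk detections above.
Not the project's own code; helpers approximate SPL semantics (assumption)."""
import fnmatch
from typing import Dict, Iterable, List, Sequence


def _glob(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, mirroring SPL's field=*pattern* behaviour."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def stats_by(events: Iterable[dict], group_fields: Sequence[str]) -> List[dict]:
    """Approximate `stats count min(_time) as firstTime max(_time) as lastTime by <fields>`."""
    groups: Dict[tuple, dict] = {}
    for ev in events:
        key = tuple(ev.get(f) for f in group_fields)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(group_fields, key))
        row.update(g)
        rows.append(row)
    return rows


def enrich_sysmon_file_event(ev: dict) -> dict:
    """Derive file_path / file_name from Sysmon's TargetFilename (CIM-style, assumption)."""
    ev = dict(ev)
    target = ev.get("TargetFilename", "")
    ev["file_path"] = target
    ev["file_name"] = target.rsplit("\\", 1)[-1]
    return ev


def spoolsv_writing_dll(events: Iterable[dict]) -> List[dict]:
    """Rule 1: Sysmon EventID 11, spoolsv.exe creating *.dll under \\spool\\drivers\\x64\\."""
    matched = [
        ev for ev in map(enrich_sysmon_file_event, events)
        if ev.get("EventID") == 11
        and _glob(ev.get("process_name", ""), "spoolsv.exe")
        and _glob(ev["file_path"], "*\\spool\\drivers\\x64\\*")
        and _glob(ev["file_name"], "*.dll")
    ]
    return stats_by(matched, ["dest", "UserID", "process_name", "file_path",
                              "file_name", "TargetFilename", "process_id"])


def powershell_getprocaddress(events: Iterable[dict]) -> List[dict]:
    """Rule 2: EventCode 4104 script blocks mentioning GetProcAddress, then rename fields."""
    matched = [
        ev for ev in events
        if ev.get("EventCode") == 4104
        and _glob(ev.get("ScriptBlockText", ""), "*getprocaddress*")
    ]
    rows = stats_by(matched, ["Opcode", "Computer", "UserID", "EventCode", "ScriptBlockText"])
    for row in rows:                      # | rename Computer as dest | rename UserID as user
        row["dest"] = row.pop("Computer")
        row["user"] = row.pop("UserID")
    return rows


# Constructed sample telemetry (not real events). _time is epoch seconds.
DRV = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
SYSMON_EVENTS = [
    {"EventID": 11, "process_name": "spoolsv.exe", "dest": "PRINT-SRV01", "UserID": "NT AUTHORITY\\SYSTEM",
     "process_id": 1480, "TargetFilename": DRV + "New\\evil.dll", "_time": 1625133600},   # hit
    {"EventID": 11, "process_name": "spoolsv.exe", "dest": "PRINT-SRV01", "UserID": "NT AUTHORITY\\SYSTEM",
     "process_id": 1480, "TargetFilename": DRV + "New\\evil.dll", "_time": 1625133660},   # hit, same group
    {"EventID": 11, "process_name": "spoolsv.exe", "dest": "PRINT-SRV01", "UserID": "NT AUTHORITY\\SYSTEM",
     "process_id": 1480, "TargetFilename": DRV + "hpcu.ppd", "_time": 1625133700},        # not a DLL
    {"EventID": 11, "process_name": "explorer.exe", "dest": "WS-42", "UserID": "CORP\\alice",
     "process_id": 5120, "TargetFilename": DRV + "x.dll", "_time": 1625133800},           # wrong process
    {"EventID": 11, "process_name": "spoolsv.exe", "dest": "PRINT-SRV01", "UserID": "NT AUTHORITY\\SYSTEM",
     "process_id": 1480, "TargetFilename": "C:\\Windows\\Temp\\x.dll", "_time": 1625133900},  # wrong path
]
POWERSHELL_EVENTS = [
    {"EventCode": 4104, "Opcode": "Create", "Computer": "WS-42", "UserID": "CORP\\alice", "_time": 1625140000,
     "ScriptBlockText": "$addr = [Win32.Kernel32]::GetProcAddress($hModule, $procName)"},   # hit
    {"EventCode": 4104, "Opcode": "Create", "Computer": "WS-42", "UserID": "CORP\\alice", "_time": 1625140100,
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},                           # benign
    {"EventCode": 4103, "Opcode": "Create", "Computer": "WS-42", "UserID": "CORP\\alice", "_time": 1625140200,
     "ScriptBlockText": "GetProcAddress"},                                                   # wrong EventCode
]

if __name__ == "__main__":
    for row in spoolsv_writing_dll(SYSMON_EVENTS) + powershell_getprocaddress(POWERSHELL_EVENTS):
        print(row)
```

Running the block prints one aggregated row per rule: the two spoolsv.exe writes of `evil.dll` collapse into a single row with `count` 2 and the first/last timestamps, and only the 4104 script block containing GetProcAddress survives, with `Computer`/`UserID` renamed to `dest`/`user` as the SPL does. Lowercasing both sides in `_glob` is what keeps `ScriptBlockText=*getprocaddress*` matching mixed-case `GetProcAddress`, the same way Splunk's wildcard comparison does.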