Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates

update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list
update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
nasbench authored May 13, 2024
1 parent 2837671 commit ed789f5
Showing 5 changed files with 32 additions and 29 deletions.
@@ -15,6 +15,7 @@ modified: 2023/03/14
tags:
- attack.defense_evasion
- attack.t1564.001
- detection.threat_hunting
logsource:
category: process_creation
product: windows
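Review bot: modified: 2023/03/14 is left untouched in this hunk even though the rule's tag list changes (detection.threat_hunting is added), while the two other rules edited in this same commit bump their modified field (2024/04/29 for the icacls rule, 2024/05/02 for the PDQDeployRunner rule). Bump it here as well, so that consumers who pick up rule changes by modified date see the re-classification of this rule as a threat-hunting rule rather than an alerting one.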
@@ -20,13 +20,13 @@ detection:
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +h '
filter_msiexec:
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_intel:
filter_optional_intel:
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
condition: all of selection_* and not 1 of filter_*
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
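Review bot: filter_main_msiexec suppresses on CommandLine containing '\desktop.ini ' alone, with no ParentImage or Image check, although the matching falsepositives entry describes msiexec.exe hiding desktop.ini specifically. Because the filter_main_ prefix marks it as an always-on exclusion, any attrib +h invocation whose command line also carries that token (for example `attrib +h payload.exe \desktop.ini /s`) is dropped before it reaches the condition. Add `ParentImage|endswith: '\msiexec.exe'` to the filter, or demote it to filter_optional_ so environments can switch it off. The condition rewrite itself is behaviour-neutral: `not 1 of filter_main_* and not 1 of filter_optional_*` excludes exactly the same events as the previous `not 1 of filter_*`.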
@@ -42,11 +42,11 @@ detection:
- '.ps1'
- '.vbe'
- '.vbs'
filter:
filter_optional_installer:
CommandLine|contains|all:
- '\Windows\TEMP\'
- '.exe'
condition: all of selection* and not filter
condition: all of selection* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
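Review bot: filter_optional_installer discards any event whose command line contains both '\Windows\TEMP\' and '.exe', which is a very weak exclusion for a level: high rule: a script invocation that matches the .ps1/.vbe/.vbs selection and also mentions any path like C:\Windows\TEMP\something.exe as an argument is filtered out. Marking it optional at least makes it easy to disable, but consider tying the filter to the installer's Image or ParentImage instead of two generic substrings. The condition change from `not filter` to `not 1 of filter_optional_*` is equivalent for the single filter present.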
@@ -6,6 +6,7 @@ references:
- https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022/07/18
modified: 2024/04/29
tags:
- attack.defense_evasion
- attack.t1564.001
@@ -18,10 +19,9 @@ detection:
- Image|endswith: '\icacls.exe'
selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
CommandLine|contains|all:
- 'C:\Users\'
- '/deny'
- '*S-1-1-0:'
condition: all of selection*
condition: all of selection_*
falsepositives:
- Legitimate use
- Unknown
level: medium
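Review bot: dropping 'C:\Users\' widens coverage as the commit message says, but two things about what remains deserve attention. First, an unescaped `*` in a Sigma value is a wildcard, so '*S-1-1-0:' already behaves like contains 'S-1-1-0:'; if the leading asterisk (the icacls SID-prefix syntax shown in the comment `icacls "..." /deny *S-1-1-0:(OI)(CI)(DE,DC)`) is meant literally, write it as '\*S-1-1-0:'. Second, the rule now fires on an icacls /deny against Everyone for any path on disk, so the 'Legitimate use' false-positive entry will be hit more often; a comment noting which paths or parent processes were seen benign would help tuners. The condition change from `all of selection*` to `all of selection_*` is equivalent here, since both selections carry the underscore.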
@@ -1,4 +1,4 @@
title: Suspicious Execution Of PDQDeployRunner
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
- id: d679950c-abb7-43a6-80fb-2a480c4fc450
@@ -9,46 +9,48 @@ references:
- https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/22
modified: 2024/05/02
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: 'PDQDeployRunner-'
selection_susp:
ParentImage|contains: '\PDQDeployRunner-'
selection_child:
# Improve this section by adding other suspicious processes, commandlines or paths
- Image|endswith:
# If you use any of the following processes legitimately comment them out
- '\wscript.exe'
- '\cscript.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
- '\wmic.exe'
- '\msiexec.exe'
- '\mshta.exe'
- '\bash.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\csc.exe'
- '\cscript.exe'
- '\dllhost.exe'
- '\certutil.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\scriptrunner.exe'
- '\bash.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
- Image|contains:
- 'C:\Users\Public\'
- 'C:\ProgramData\'
- 'C:\Windows\TEMP\'
- ':\ProgramData\'
- ':\Users\Public\'
- ':\Windows\TEMP\'
- '\AppData\Local\Temp'
- CommandLine|contains:
- 'iex '
- 'Invoke-'
- 'DownloadString'
- 'http'
- ' -decode '
- ' -enc '
- ' -encodedcommand '
- 'FromBase64String'
- ' -decode '
- ' -w hidden'
- 'DownloadString'
- 'FromBase64String'
- 'http'
- 'iex '
- 'Invoke-'
condition: all of selection_*
falsepositives:
- Legitimate use of the PDQDeploy tool to execute these commands
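Review bot: '\certutil.exe' appears twice in the new Image|endswith block (once directly under the "If you use any of the following processes legitimately" comment and again after '\dllhost.exe'); remove one. While tidying, '\bash.exe' sits between '\scriptrunner.exe' and '\wmic.exe' although the rest of that list and the Image|contains and CommandLine|contains blocks were re-sorted alphabetically in this change, so move it to the top. The functional changes here are the leading backslash in ParentImage|contains: '\PDQDeployRunner-' (which avoids matching the string mid-filename) and the rename of selection_susp to selection_child; `all of selection_*` still covers both selections. Separately, 'http' in CommandLine|contains will match any deployment argument that carries a URL, which predates this change but is worth a note now that the list is being curated.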