Rules Update
wagga40 committed Aug 17, 2024
1 parent 85b9937 commit 185d9fe
Showing 7 changed files with 121 additions and 1 deletion.
20 changes: 20 additions & 0 deletions rules_windows_generic_full.json
Expand Up @@ -11862,6 +11862,26 @@
],
"filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
],
"filename": "proc_creation_win_rundll32_udl_exec.yml"
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
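Review bot: The last path condition in the new `rule` string of this section, `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\'`, decodes from JSON to the SQL pattern `%\\Users\\%\\Downloads\\\*`, where the trailing `\*` under `ESCAPE '\'` is either a literal asterisk or an invalid escape depending on the engine, never a wildcard, so the clause only matches command lines that literally contain `\Downloads\*` and the rule will not fire on a real `\Downloads\<name>.udl` path. The two pysigma files in this same commit (rules_windows_generic_pysigma.json and rules_windows_sysmon_pysigma.json) render the same Sigma value as `'%\\\\Users\\\\%\\\\Downloads\\\\%'`, which is the intended form, while rules_windows_generic_medium.json, rules_windows_sysmon_full.json and rules_windows_sysmon_medium.json carry the same defect as this file. Presumably the legacy conversion escaped the trailing Sigma wildcard instead of translating it to `%`, so the fix belongs in the conversion step rather than a hand edit, but the generated clause should read `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\'`. Because the other three `CommandLine` conditions (`oledb32.dll`, `,OpenDSLFile `, `.udl`) are correct, the effect is a silent detection gap for exactly the scenario the description targets rather than a visible error.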
20 changes: 20 additions & 0 deletions rules_windows_generic_medium.json
Expand Up @@ -10859,6 +10859,26 @@
],
"filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
],
"filename": "proc_creation_win_rundll32_udl_exec.yml"
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
20 changes: 20 additions & 0 deletions rules_windows_generic_pysigma.json
Expand Up @@ -35306,6 +35306,26 @@
],
"filename": ""
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName='RUNDLL32.EXE') AND ((CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\') AND CommandLine LIKE '%.udl' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
20 changes: 20 additions & 0 deletions rules_windows_sysmon_full.json
Expand Up @@ -11862,6 +11862,26 @@
],
"filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
],
"filename": "proc_creation_win_rundll32_udl_exec.yml"
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
20 changes: 20 additions & 0 deletions rules_windows_sysmon_medium.json
Expand Up @@ -10859,6 +10859,26 @@
],
"filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
],
"filename": "proc_creation_win_rundll32_udl_exec.yml"
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
20 changes: 20 additions & 0 deletions rules_windows_sysmon_pysigma.json
Expand Up @@ -35306,6 +35306,26 @@
],
"filename": ""
},
{
"title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
"id": "0ea52357-cd59-4340-9981-c46c7e900428",
"status": "experimental",
"description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
"author": "@kostastsale",
"tags": [
"attack.execution",
"attack.t1218.011",
"attack.t1071"
],
"falsepositives": [
"UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
],
"level": "medium",
"rule": [
"SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName='RUNDLL32.EXE') AND ((CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\') AND CommandLine LIKE '%.udl' ESCAPE '\\')))"
],
"filename": ""
},
{
"title": "Abusing Print Executable",
"id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
