Bad Opsec Defaults Sacrificial Processes With Improper Arguments
About the rule
Rule Type
Standard
Rule Description
Detects attacker tooling that ships with bad opsec defaults, e.g. spawning a sacrificial process to inject a capability into it without taking into account how that process is normally invoked. Trivial examples are running rundll32.exe without arguments as a sacrificial process (the CS (Cobalt Strike) default, now highlighted by c2lint) and running WerFault without arguments (Kraken - credit am0nsec), among others.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started"
  AND (
    (PROCESSNAME endswith "\WerFault.exe" AND COMMANDLINE endswith "WerFault.exe")
    OR (PROCESSNAME endswith "\rundll32.exe" AND COMMANDLINE endswith "rundll32.exe")
    OR (PROCESSNAME endswith "\regsvcs.exe" AND COMMANDLINE endswith "regsvcs.exe")
    OR (PROCESSNAME endswith "\regasm.exe" AND COMMANDLINE endswith "regasm.exe")
    OR (PROCESSNAME endswith "\regsvr32.exe" AND COMMANDLINE endswith "regsvr32.exe")
  )
  AND (
    (PARENTPROCESSNAME notcontains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" OR PROCESSNAME notendswith "\rundll32.exe" OR COMMANDLINE notendswith "rundll32.exe")
    AND (PARENTPROCESSNAME notcontains "\AppData\Local\BraveSoftware\Brave-Browser\Application\,\AppData\Local\Google\Chrome\Application" OR PARENTPROCESSNAME notendswith "\Installer\setup.exe" OR PARENTPROCESSCOMMANDLINE notcontains "--uninstall " OR PROCESSNAME notendswith "\rundll32.exe" OR COMMANDLINE notendswith "rundll32.exe")
  )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
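As an added example (not part of this rule page and not the rule's own implementation), the following Python re-implements the criteria above and runs them over a handful of constructed process-start events, so the bare-launch match and both exclusion clauses can be checked offline. It assumes events are dicts keyed by the rule's field names, that string comparisons are case-insensitive, and that the comma-joined Brave/Chrome value in the second exclusion stands for two alternative parent-path fragments; the host names, paths and GUID in the sample events are constructed.

```python
from typing import Dict, List

Event = Dict[str, str]

# Image names the rule treats as sacrificial hosts when launched with no arguments.
SACRIFICIAL_IMAGES = ("werfault.exe", "rundll32.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe")

# Parent-path fragments from the two exclusion clauses (browser installers that
# legitimately start a bare rundll32.exe). Lower-cased because we compare case-insensitively.
EDGEUPDATE_INSTALL = r"\appdata\local\microsoft\edgeupdate\install\{"
BROWSER_APP_DIRS = (
    r"\appdata\local\bravesoftware\brave-browser\application",
    r"\appdata\local\google\chrome\application",
)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_bare_sacrificial_launch(ev: Event) -> bool:
    """PROCESSNAME is one of the listed binaries and COMMANDLINE ends with that
    image name, i.e. the process was started with no arguments at all."""
    name = image_name(ev["PROCESSNAME"])
    return name in SACRIFICIAL_IMAGES and ev["COMMANDLINE"].lower().endswith(name)


def is_bare_rundll32(ev: Event) -> bool:
    return (image_name(ev["PROCESSNAME"]) == "rundll32.exe"
            and ev["COMMANDLINE"].lower().endswith("rundll32.exe"))


def excluded_edgeupdate(ev: Event) -> bool:
    """Exclusion 1: the EdgeUpdate installer runs a bare rundll32.exe."""
    return is_bare_rundll32(ev) and EDGEUPDATE_INSTALL in ev["PARENTPROCESSNAME"].lower()


def excluded_browser_uninstall(ev: Event) -> bool:
    """Exclusion 2: Chrome/Brave '...\\Installer\\setup.exe --uninstall ...' runs a bare rundll32.exe."""
    parent = ev["PARENTPROCESSNAME"].lower()
    return (
        is_bare_rundll32(ev)
        and parent.endswith(r"\installer\setup.exe")
        and any(d in parent for d in BROWSER_APP_DIRS)
        and "--uninstall " in ev.get("PARENTPROCESSCOMMANDLINE", "").lower()
    )


def matches_rule(ev: Event) -> bool:
    """Full rule: process-start event, bare sacrificial launch, neither exclusion applies."""
    if ev.get("actionname") != "Process started":
        return False
    if not is_bare_sacrificial_launch(ev):
        return False
    return not (excluded_edgeupdate(ev) or excluded_browser_uninstall(ev))


def run_detection(events: List[Event]) -> List[str]:
    """Hosts whose events trigger the rule (the real select clause projects more fields)."""
    return [ev["HOSTNAME"] for ev in events if matches_rule(ev)]


def _ev(host: str, proc: str, cmd: str, parent: str, pcmd: str = "", action: str = "Process started") -> Event:
    return {"actionname": action, "HOSTNAME": host, "PROCESSNAME": proc, "COMMANDLINE": cmd,
            "PARENTPROCESSNAME": parent, "PARENTPROCESSCOMMANDLINE": pcmd}


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # bare rundll32.exe spawned by an unknown binary in Downloads -> alert
    _ev("ws01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\rundll32.exe",
        r"C:\Users\alice\Downloads\update.exe", "update.exe"),
    # bare WerFault.exe spawned by a user-mode binary -> alert
    _ev("ws02", r"C:\Windows\System32\WerFault.exe", "WerFault.exe",
        r"C:\Users\alice\AppData\Local\Temp\stage.exe", "stage.exe"),
    # rundll32.exe with a normal argument list -> no alert
    _ev("ws03", r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL",
        r"C:\Windows\explorer.exe", "explorer.exe"),
    # bare rundll32.exe from the EdgeUpdate installer (constructed GUID) -> excluded
    _ev("ws04", r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
        r"C:\Users\alice\AppData\Local\Microsoft\EdgeUpdate\Install\{00000000-0000-0000-0000-000000000000}\MicrosoftEdge_X64_setup.exe",
        "MicrosoftEdge_X64_setup.exe /install"),
    # bare rundll32.exe from the Chrome uninstaller -> excluded
    _ev("ws05", r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
        r"C:\Users\alice\AppData\Local\Google\Chrome\Application\1.0.0.0\Installer\setup.exe",
        "setup.exe --uninstall --chrome"),
    # bare regsvr32.exe from an interactive shell -> alert
    _ev("ws06", r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe",
        r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # same bare launch but a non-start event -> ignored by the rule
    _ev("ws07", r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
        r"C:\Windows\System32\cmd.exe", "cmd.exe", action="Process stopped"),
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # -> ['ws01', 'ws02', 'ws06']
```

The comparisons mirror the rule's endswith and notcontains semantics literally rather than normalising the command line, so the sample events use unquoted image paths exactly as the rule expects them; when tuning the rule for your telemetry, compare how your sensor renders COMMANDLINE for argument-less launches before relying on the endswith match.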
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)