Merge pull request #47 from EbryxLabs/master

netevert · web-flow · commit f2e2a2f164f3 · 2021-01-09T16:29:24.000+01:00
Process hollowing rule update
diff --git a/detections/T1093_Process_Hollowing.txt b/detections/T1093_Process_Hollowing.txt
@@ -0,0 +1,65 @@
+// Name: Process Hollowing
+// Description: Checks for execution of MITRE ATT&CK T1093
+//
+// Severity: High
+//
+// QueryFrequency: 1h
+//
+// QueryPeriod: 1h
+//
+// AlertTriggerThreshold: 1
+//
+// DataSource: #Sysmon
+//
+// Tactics: #Defense Evasion
+//
+Sysmon
+| where EventID == 1 and (
+    (
+        process_path contains "smss.exe" and 
+        process_parent_command_line !contains "smss.exe"
+    ) or (
+        process_path contains "csrss.exe" and (
+            process_parent_command_line !contains "smss.exe" and 
+            process_parent_command_line !contains "svchost.exe"
+        )
+    ) or (
+        process_path contains "wininit.exe"and 
+        process_parent_command_line !contains "smss.exe"
+    ) or (
+        process_path contains "winlogon.exe" and 
+        process_parent_command_line !contains "smss.exe"
+    ) or (
+        process_path contains "lsass.exe" and 
+        process_parent_command_line !contains "wininit.exe"
+    ) or (
+        process_path contains "LogonUI.exe" and (
+            process_parent_command_line !contains "winlogon.exe" and 
+            process_parent_command_line !contains "wininit.exe"
+        )
+    ) or (
+        process_path contains "services.exe" and 
+        process_parent_command_line !contains "wininit.exe"
+    ) or (
+        process_path contains "spoolsv.exe" and 
+        process_parent_command_line !contains "services.exe"
+    ) or (
+        process_path contains "taskhost.exe" and (
+            process_parent_command_line !contains "services.exe" and 
+            process_parent_command_line !contains "svchost.exe"
+        )
+    ) or (
+        process_path contains "taskhostw.exe" and (
+            process_parent_command_line !contains "services.exe" and 
+            process_parent_command_line !contains "svchost.exe"
+        )
+    ) or (
+        process_path contains "userinit.exe" and (
+            process_parent_command_line !contains "dwm.exe" and 
+            process_parent_command_line !contains "winlogon.exe"
+        )
+    )
+)
+| extend AccountCustomEntity = UserName
+| extend HostCustomEntity = Computer
+| extend FileHashCustomEntity = hash_sha256
diff --git a/detections/T1093_Process_Holoowing.txt b/detections/T1093_Process_Holoowing.txt
diff --git a/detections/sentinel_attack_rules.json b/detections/sentinel_attack_rules.json
@@ -863,7 +863,7 @@
         "description": "Checks for execution of MITRE ATT&CK T1093",
         "severity": "High",
         "enabled": "true",
-        "query": "Sysmon | where EventID == 1 and (process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" or process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" or process_parent_command_line !contains \"winlogon.exe\"))",
+        "query": "Sysmon | where EventID == 1 and ((process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" and process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\"))) | extend AccountCustomEntity = UserName | extend HostCustomEntity = Computer | extend FileHashCustomEntity = hash_sha256",
         "queryFrequency": "1H",
         "queryPeriod": "1H",
         "triggerOperator": "GreaterThan",
@@ -1522,4 +1522,4 @@
         "suppressionEnabled": "false"
       }
     ]
-  }
+  }

Original file line number	Diff line number	Diff line change
`@@ -863,7 +863,7 @@`
`863`	`863`	`"description": "Checks for execution of MITRE ATT&CK T1093",`
`864`	`864`	`"severity": "High",`
`865`	`865`	`"enabled": "true",`
`866`		- "query": "Sysmon \| where EventID == 1 and (process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" or process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" or process_parent_command_line !contains \"winlogon.exe\"))",
	`866`	+ "query": "Sysmon \| where EventID == 1 and ((process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" and process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\"))) \| extend AccountCustomEntity = UserName \| extend HostCustomEntity = Computer \| extend FileHashCustomEntity = hash_sha256",
`867`	`867`	`"queryFrequency": "1H",`
`868`	`868`	`"queryPeriod": "1H",`
`869`	`869`	`"triggerOperator": "GreaterThan",`
`@@ -1522,4 +1522,4 @@`
`1522`	`1522`	`"suppressionEnabled": "false"`
`1523`	`1523`	`}`
`1524`	`1524`	`]`
`1525`		`- }`
	`1525`	`+ }`