General

Detection Techniques

VBA Macros

- **Registry Monitoring**:
  - Path: `HKCU\Software\Microsoft\Office\<Version>\Word\Security\Trusted Documents\TrustRecords`
  - Sysmon Rule:
    ```xml
    <Sysmon schemaversion="4.00">
      <EventFiltering>
        <RegistryEvent default="include"> 
          <TargetObject condition="contains">\Security\Trusted</TargetObject>
        </RegistryEvent>
      </EventFiltering>
    </Sysmon>
    ```
  - RegRipper Plugin: `trusterecords` to display files trusted in Microsoft Office.

#### Dynamic Data Exchange (DDE)
- **Windows Event Monitoring**:
  - Path: `C:\Windows\System32\winevt\Logs\OAlerts.evtx`
  - Event ID: 300
  - Note: Check recently opened files in Windows or Microsoft Word's recent folder for suspicious documents.

#### Object Linking & Embedding (OLE)
- **Sysmon Process Creation Monitoring**:
  - Detect parent processes in the Microsoft Office directory.
  - Sysmon Rule:
    ```xml
    <Sysmon schemaversion="4.00">
      <EventFiltering>
        <ProcessCreate default="include"> 
          <ParentImage condition="contains">Microsoft Office\Office</ParentImage>
        </ProcessCreate>
      </EventFiltering>
    </Sysmon>
    ```
- **Digital Forensics**:
  - Registry Path: `HKCU\Software\Microsoft\Office\<Version>\Word\File MRU`
  - Focus on the Most Recently Used (MRU) list to identify potentially malicious Office files.



-----


| Attack Vector | Description | Detection Method |
|---------------|-------------|------------------|
| **MSHTA Execution** | Executes HTML applications, potentially running malicious scripts. | Monitor for the creation of mshta.exe processes, especially with command lines specifying HTA files. |
| **HTA File Execution** | HTA files can contain malicious scripts in VBScript or JScript. | Monitor for the execution of HTA files, especially those downloaded from external sources. |
| **HTA File Execution Tricks** | HTA files appended to other file types to evade detection. | Monitor for mshta.exe executing files with non-standard extensions or unexpected file combinations. |
| **VBScript in HTA** | Using VBScript within HTA files to execute malicious code. | Monitor for VBScript execution within HTA files, particularly those creating or running executables. |

### Detection Techniques

#### MSHTA Execution
- **Sysmon Process Creation Monitoring**:
  - Detect mshta.exe process creation with specific file paths or URLs.
  - Sysmon Rule:
    ```xml
    <Sysmon schemaversion="4.00">
      <EventFiltering>
        <ProcessCreate default="include"> 
          <Image condition="contains">mshta.exe</Image>
        </ProcessCreate>
      </EventFiltering>
    </Sysmon>
    ```

#### HTA File Execution
- **File Monitoring**:
  - Monitor for the creation or modification of HTA files, especially those with embedded scripts.
  - Look for unusual file behaviors, such as a document file executing mshta.exe.

#### HTA File Execution Tricks
- **File Type Anomaly Detection**:
  - Monitor for mshta.exe executing files with non-standard extensions.
  - Be alert for files that have been appended with HTA content.

#### VBScript in HTA
- **Script Execution Monitoring**:
  - Monitor for the execution of VBScript within HTA files.
  - Look for signs of ActiveX objects being used to execute additional payloads.

### General Recommendations
- **Enable Logging**: Ensure detailed logging is enabled for process creation and script execution.
- **Regular Audits**: Conduct regular audits of system logs for signs of mshta.exe usage.
- **User Education**: Educate users about the risks of enabling macros and running unknown HTA files.
- **Endpoint Protection**: Utilize endpoint protection solutions that can detect and block suspicious script executions.

Detection Techniques

Clearing Logs

• Event Log Monitoring:

  • Look for Event ID 1102 in the Security log and Event ID 104 in the System log.

  • Command to check logs:

    Copy

    Get-WinEvent -ListLog *

Terminate Event Log Process

• Live Analysis:

  • Check if the Event Log service is running.

  • Monitor for absence or termination of the svchost process associated with the Event Log service.

Invoke-Phant0m

• PowerShell Script Block Logging:

  • Enable Script Block Logging to capture PowerShell script execution.

  • Look for specific strings or patterns in the script indicative of Invoke-Phant0m.

Mimikatz event::drop

• Sysmon Process Access Monitoring:

  • Monitor for access to the svchost.exe process associated with the Event Log service.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
      <EventFiltering>
        <ProcessAccess onmatch="include">
          <TargetImage condition="is">C:\Windows\System32\svchost.exe</TargetImage>
        </ProcessAccess>
        <ImageLoad onmatch="include"> 
          <ImageLoaded condition="contains">schannel.dll</ImageLoaded>
          <!-- Additional DLLs -->
        </ImageLoad>
      </EventFiltering>
    </Sysmon>

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for critical events, including process creation and termination, script execution, and registry changes.

• Regular Audits: Conduct regular audits of system logs to identify patterns indicative of tampering.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to event logging.

• Incident Response Plan: Have an incident response plan in place to address scenarios where event logging is compromised.

Detection Techniques

Python Payloads

• Sysmon Process Creation Monitoring:

  • Detect Python command lines with Base64 encoded content.

  • Sigma Rule:

    Copy

    title: Encoded Python Code in cmd
    status: experimental
    logsource:
        category: process_creation
        product: sysmon
    detection:
        selection:
            EventID: 1
        Keywords:
            CommandLine|base64offset|contains: 'exec'
            CommandLine|contains: 'python'
        Filters:
            CommandLine|contains:
              - 'b64decode'
              - 'base64'
        condition: selection AND Keywords AND Filters
    level: critical

PowerShell Payloads

• Sysmon Process Creation Monitoring:

  • Detect PowerShell command lines with encodedCommand parameters or Base64 decoding functions.

  • Sigma Rule:

    Copy

    title: PowerShell Encoded Command
    status: experimental
    logsource:
        product: windows
        service: sysmon
    detection:
        selection:
          CommandLine|contains:
              - ' -enc '
              - ' -EncodedCommand '
              - ' -e '
              - 'FromBase64String'
          CommandLine|contains:
              - 'IEX'
              - 'I.E.'
              - '{'
        condition: selection
    level: high

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for command line process creation, especially for PowerShell and Python.

• Regular Audits: Conduct regular audits of system logs to identify patterns indicative of Base64 encoded payloads.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious command line activities.

• User Education: Educate users about the risks of executing unknown scripts or command lines.

Detection Techniques

Conhost.exe Misuse

• Sysmon Process Creation Monitoring:

  • Detect process creation events where conhost.exe is the parent image.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
        <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
        <EventFiltering>
            <ProcessCreate default="include">
                <ParentImage condition="contains">conhost.exe</ParentImage>
            </ProcessCreate>    
        </EventFiltering>
    </Sysmon>

  • Note: This rule is for demonstration purposes. In a production environment, it's important to include all process creation events and exclude only specific, known legitimate processes.

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on parent-child process relationships.

• Regular Audits: Conduct regular audits of system logs to identify unusual parent-child process relationships involving conhost.exe.

• Threat Hunting: Apply targeted queries to system logs based on specific hypotheses about potential misuse of conhost.exe.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious process execution patterns.

Detection Techniques

Malicious CHM Files

• Sysmon Process Creation Monitoring:

  • Detect hh.exe process creation with command lines referring to CHM files.

  • Monitor for subsequent cmd.exe or PowerShell process creations with hh.exe as the parent process.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
        <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
        <EventFiltering>
            <ProcessCreate default="include">
                <Image condition="contains">hh.exe</Image>
                <ParentImage condition="contains">cmd.exe</ParentImage>
                <ParentImage condition="contains">powershell.exe</ParentImage>
            </ProcessCreate>    
        </EventFiltering>
    </Sysmon>

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on hh.exe and its child processes.

• Regular Audits: Conduct regular audits of system logs to identify unusual process creation patterns involving CHM files.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to CHM file execution.

• User Education: Educate users about the risks of opening unknown CHM files and the potential security warnings they should heed.

Detection Techniques

CMSTP Executing DLLs

• Sysmon Process Creation and Image Load Monitoring:

  • Detect cmstp.exe process creation events.

  • Monitor for subsequent loading of DLLs, especially from unusual paths.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
        <EventFiltering>
            <ProcessCreate default="include">
                <Image condition="contains">cmstp.exe</Image>
            </ProcessCreate>
            <ImageLoad onmatch="include">
                <Image condition="image">cmstp.exe</Image>
            </ImageLoad>    
        </EventFiltering>
    </Sysmon>

CMSTP Executing SCT Files

• Sysmon Process Creation Monitoring:

  • Detect cmstp.exe process creation with command lines referencing SCT files.

  • Monitor for network connections or file creations following cmstp.exe execution.

Privilege Escalation via CMSTP

• Behavioral Analysis:

  • Monitor for unusual command-line arguments or behaviors associated with cmstp.exe.

  • Look for signs of privilege escalation, such as cmstp.exe spawning processes with higher privileges.

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for process creation, image load, and command-line execution.

• Regular Audits: Conduct regular audits of system logs to identify unusual patterns involving cmstp.exe.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to cmstp.exe execution.

• User Education: Educate users about the risks of executing unknown INF or SCT files and the potential security implications.

Detection Techniques

BITS for Malicious Downloads

• Sysmon Process Creation Monitoring:

  • Detect bitsadmin.exe or PowerShell process creation with BITS-related commands.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
        <EventFiltering>
            <ProcessCreate default="include">
                <Image condition="contains">bitsadmin.exe</Image>
                <CommandLine condition="contains">start-BitsTransfer</CommandLine>
            </ProcessCreate>
        </EventFiltering>
    </Sysmon>

• Event Viewer Monitoring:

  • Monitor BITS-Client events under Microsoft-Windows-Bits-Client/Operational.

  • Look for events showing URL downloads, especially from suspicious or unknown sources.

• Network Intrusion Detection Systems (NIDS):

  • Monitor for network traffic with Microsoft-Bits as the User Agent.

  • Analyze traffic patterns that suggest BITS usage for downloading files from external sources.

• Analysis of BITS Database:

  • For Windows versions prior to Windows 10, use bits_parser to parse qmgr[0-9].dat files.

  • For Windows 10, use tools like ESEDatabaseViewer to view the BITS database.

• PowerShell BITS Transfer Monitoring:

  • Monitor for PowerShell commands involving start-BitsTransfer.

  • Similar to bitsadmin.exe, look for BITS job creation and file download activities.

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for process creation, BITS activities, and network traffic.

• Regular Audits: Conduct regular audits of BITS logs and network traffic to identify unusual download patterns.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious BITS activities.

• User Education: Educate users about the risks of unauthorized file downloads and the potential misuse of BITS.

Detection Techniques

Malicious Use of ADS

• Sysmon File Stream Creation Monitoring:

  • Detect creation of alternate data streams, especially for executable file types.

  • Sysmon Rule:

    Copy

    <Sysmon schemaversion="4.00">
        <EventFiltering>
            <FileCreateStreamHash onmatch="include">
                <TargetFilename condition="end with">.bat</TargetFilename> 
                <TargetFilename condition="end with">.cmd</TargetFilename> 
                <TargetFilename condition="end with">.hta</TargetFilename> 
                <TargetFilename condition="end with">.lnk</TargetFilename> 
                <TargetFilename condition="end with">.ps1</TargetFilename> 
                <TargetFilename condition="end with">.ps2</TargetFilename> 
                <TargetFilename condition="end with">.reg</TargetFilename> 
                <TargetFilename condition="end with">.jse</TargetFilename>
                <TargetFilename condition="end with">.vb</TargetFilename>
                <TargetFilename condition="end with">.vbe</TargetFilename> 
                <TargetFilename condition="end with">.vbs</TargetFilename> 
                <TargetFilename condition="end with">.exe</TargetFilename>
                <TargetFilename condition="end with">.dll</TargetFilename>
                <TargetFilename condition="end with">.js</TargetFilename>
            </FileCreateStreamHash>
        </EventFiltering>
    </Sysmon>

  • Note: Exclude known legitimate ADS like Zone.Identifier.

• Execution Monitoring:

  • Monitor for execution of files from ADS, such as using wmic, wscript, or rundll32.

  • Look for command-line patterns that indicate execution from an ADS.

• Behavioral Analysis:

  • Analyze file behavior for signs of ADS usage, especially for files with unusual stream data.

  • Monitor for tools commonly used to manipulate ADS, like makecab and extrac32.

General Recommendations

• Enable Detailed Logging: Ensure that logging is enabled for file creation, especially focusing on alternate data streams.

• Regular Audits: Conduct regular audits of system logs to identify unusual file stream activities.

• Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious file activities related to ADS.

• User Education: Educate users about the risks of ADS and the potential for hidden malicious content.

YARA Rule for XOR Detection

Rule: xor_detection

• Purpose:

  • Detects common XOR encryption patterns in files or network traffic.

• YARA Rule:

  Copy

  rule xor_detection
  {
      strings:
          $xor1 = { 31 d2 f7 e2 89 c2 }
          $xor2 = { 31 c9 f7 f9 99 c0 }
          $xor3 = { 31 f6 f7 e6 99 d0 }
  
      condition:
          any of them
  }
  
  
  
  

Detection Rules

CAPA for Hook Injection

• Rule: set global application hook

  • Scope: Basic block

  • Features:

    • API: user32.SetWindowsHookEx

    • Number: 0x3 = WM_GETMESSAGE

    • Number: 0x0 = dwThreadId

• Rule: set application hook

  • Scope: Function

  • Features:

    • API: user32.SetWindowsHookEx

    • API: user32.UnhookWindowsHookEx

SIGMA for Hook Injection

• Rule: Hook Injection Detection

  • Description: Detects instances of hook injection in Windows.

  • Strings:

    • SetWindowsHookExA

    • SetWindowsHookExW

    • UnhookWindowsHookEx

    • CallNextHookEx

YARA for Hook Injection

• Rule: HookInjection

  • Condition:

    • Detects use of SetWindowsHookEx, UnhookWindowsHookEx, and CallNextHookEx functions.

    • Looks for specific patterns in binary files indicating hook function usage.

Implementation and Usage

• Scanning Files and Traffic:

  • Use CAPA, SIGMA, and YARA to scan files or network traffic for the presence of the defined hook injection patterns.

  • This can be integrated into automated scanning systems or used for manual analysis.

• Integration with Security Tools:

  • These rules can be integrated into various security tools and platforms for real-time monitoring and alerting.

• Threat Hunting and Forensics:

  • Use these rules as part of a broader threat hunting or forensic analysis to identify potentially malicious files or network activities.

YARA Rule for DLL Search Order Hijacking Detection

Rule: DLLHijacking

• Purpose:

  • Detects patterns in DLL files that are commonly associated with DLL Search Order Hijacking.

• YARA Rule:

  rule DLLHijacking {
    condition:
      // Check for presence of DLL_PROCESS_ATTACH in DllMain function
      uint16(0) == 0x6461 and (
        // Check for the presence of CreateThread, which is used to start the main function
        uint32(2) == 0x74006872 and uint32(6) == 0x00006563 and uint32(10) == 0x74616843 and
        
        // Check for the presence of Main function
        uint32(14) == 0x6E69006D and uint32(18) == 0x0064614D
      )
      // Check for presence of dllexport attribute
      and (pe.exports("DnsFreeConfigStructure") or pe.exports("DnsFreeConfigStructure@0"))
  }

YARA Rule for DLL Export Name Modification Detection

Rule: ModifyDLLExportName

• Purpose:

  • Detects patterns in DLL files that are commonly associated with modifications to DLL export names.

• YARA Rule:

  rule ModifyDLLExportName {
    strings:
      $map_and_load = "MapAndLoad"
      $entry_to_data = "ImageDirectoryEntryToData"
      $rva_to_va = "ImageRvaToVa"
      $modify = "ModifyDLLExportName"
      $virtual_protect = "VirtualProtect"
      $virtual_alloc = "VirtualAlloc"
    condition:
      all of them
  }

YARA Rule for DLL Proxying Detection

Rule: DLLProxying

• Purpose:

  • Detects patterns in DLL files that are commonly associated with DLL Proxying.

• YARA Rule:

  rule DLLProxying {
    condition:
      // Check for presence of DLL_PROCESS_ATTACH in DllMain function
      uint16(0) == 0x6461 and (
        // Check for the presence of LoadLibrary, which is used to load the legitimate DLL
        uint32(2) == 0x6C6C6100 and uint32(6) == 0x6574726F and
        
        // Check for the presence of GetProcAddress, which is used to retrieve the addresses of the functions in the legitimate DLL
        uint32(10) == 0x72630067 and uint32(14) == 0x61647079 and uint32(18) == 0x61636F00 and uint32(22) == 0x0072696E and
        
        // Check for the presence of a function that will be used to redirect function calls to the legitimate DLL
        // This example uses a function named "ProxyFunction", but the function name can be anything
        uint32(26) == 0x646E6900 and uint32(30) == 0x00667379
      )
      // Check for presence of dllexport attribute on the function that redirects calls to the legitimate DLL
      // This example uses a function named "ProxyFunction", but the function name can be anything
      and (pe.exports("ProxyFunction") or pe.exports("ProxyFunction@0"))
  }

Attack Method: Unloading Sysmon Driver

Description

• Technique: Malware attempts to unload the Sysmon driver to prevent Sysmon from recording system events.

• APIs Used:

  • GetProcAddress

• Attack Code:

  • Command: fltMC.exe unload SysmonDrv

  • Author: Unprotect

YARA Rule for Detecting Unloading of Sysmon Driver

Rule: SysmonEvasion

• Purpose:

  • Detects code patterns associated with attempts to unload the Sysmon driver.

• YARA Rule:

  Copy

  rule SysmonEvasion
  {
      strings:
          // Check for the LoadLibrary() function call
          $load_library = "LoadLibrary"
  
          // Check for the GetProcAddress() function call
          $get_proc_address = "GetProcAddress"
  
          // Check for the Unload() function call
          $unload = "Unload"
  
          // Check for the sysmondrv string
          $sysmondrv = "sysmondrv"
  
      condition:
          // Check if all the required strings are present in the code
          all of them
  }

Attack Method: Shortcut Hiding

Description

• Technique: Embedding malicious code in Windows shortcuts to evade detection by antivirus software.

• Attack Code:

  • Python script to create a Windows shortcut with an embedded file.

  • Author: Jean-Pierre LESUEUR

Python Script

#!/usr/bin/env python3
# ... [Python script details] ...

YARA Rule for Detecting Shortcut Hiding

Rule: YARA_Detect_ShortcutHiding

• Purpose:

  • Detects patterns in Windows shortcut files that are commonly associated with Shortcut Hiding.

• YARA Rule:

rule YARA_Detect_ShortcutHiding
{
    meta:
        author = "Unprotect"
        status = "Experimental"
        description = "YARA rule for detecting Windows shortcuts with embedded malicious code"
    strings:
        $payload_start = "&(for %i in (*.lnk) do certutil -decode %i"
        $payload_end = "&start"
        $encoded_content = "BEGIN CERTIFICATE"
    condition:
        all of them
}

Attack Method: NtQueryInformationProcess for Anti-Debugging

Description

• Technique: Using NtQueryInformationProcess to detect if the process is currently being debugged.

• Attack Code:

  • Delphi and C# examples to check for debugging environment.

  • Author: Jean-Pierre LESUEUR

Delphi Code Snippet

// Delphi code to check if a process is being debugged using NtQueryInformationProcess
// ... [Delphi code details] ...

Detection Rules

YARA Rule: Detect_NtQueryInformationProcess

• Purpose:

  • Detects the presence of NtQueryInformationProcess in code, which is often used for anti-debugging.

• YARA Rule:

rule Detect_NtQueryInformationProcess: AntiDebug {
    meta: 
        description = "Detect NtQueryInformationProcess as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "NtQueryInformationProcess" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and $1
}

Attack Method: NtSetInformationThread for Anti-Debugging

Description

• Technique: Using NtSetInformationThread to hide threads from debuggers.

• Attack Code:

  • Delphi example to hide a thread from the debugger.

  • Author: Jean-Pierre LESUEUR

Delphi Code Snippet

// Delphi code to hide a thread from the debugger using NtSetInformationThread
// ... [Delphi code details] ...

Detection Rules

YARA Rule: Detect_NtSetInformationThread

• Purpose:

  • Detects the presence of NtSetInformationThread in code, which is often used for anti-debugging.

• YARA Rule:

rule Detect_NtSetInformationThread: AntiDebug {
    meta: 
        description = "Detect NtSetInformationThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "NtSetInformationThread" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and $1
}

Attack Method: Checking Mouse Activity for Sandbox Evasion

Description

• Technique: Some sandboxes lack mouse movement or a lively desktop background, so malware checks for mouse activity to evade detection.

• Attack Code:

  • Delphi example to check for mouse movement.

  • Author: Jean-Pierre LESUEUR

Delphi Code Snippet

// Delphi code to check for mouse movement as a sandbox evasion technique
// ... [Delphi code details] ...

Detection Rules

CAPA Rule: Detect Unmoving Mouse Cursor

• Purpose:

  • Detects the presence of specific patterns in code related to checking mouse activity, a common sandbox evasion technique.

• CAPA Rule:

rule:
  meta:
    name: check for unmoving mouse cursor
    namespace: anti-analysis/anti-vm/vm-detection
    author: BitsOfBinary
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
    references:
      - https://www.joesecurity.org/blog/5852460122427342172
    examples:
      - 7E17F0F35D50F49407841372F24FBD38:0x4010f6
  features:
    - and:
      - count(api(user32.GetCursorPos)): 2 or more

References

https://github.com/karemfaisal/SMUC/ https://unprotect.it/