UNC2452 Process Creation Patterns
Detects specific process creation patterns as seen used by UNC2452, as provided by Microsoft in its Microsoft Defender ATP queries
Sigma rule

title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
description: Detects specific process creation patterns as seen used by UNC2452, as provided by Microsoft in its Microsoft Defender ATP queries
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
date: 2021-01-22
modified: 2024-09-12
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
    # - sunburst
    # - unc2452
logsource:
    category: process_creation
    product: windows
detection:
    # To avoid writing a complex condition, "selection_generic_1" and "selection_generic_2" are identical except for the file extension.
    selection_generic_1:
        CommandLine|contains:
            - '7z.exe a -v500m -mx9 -r0 -p'
            - '7z.exe a -mx9 -r0 -p'
        CommandLine|contains|all:
            - '.zip'
            - '.txt'
    selection_generic_2:
        CommandLine|contains:
            - '7z.exe a -v500m -mx9 -r0 -p'
            - '7z.exe a -mx9 -r0 -p'
        CommandLine|contains|all:
            - '.zip'
            - '.log'
    selection_generic_3:
        ParentCommandLine|contains|all:
            - 'wscript.exe'
            - '.vbs'
        CommandLine|contains|all:
            - 'rundll32.exe'
            - 'C:\Windows'
            - '.dll,Tk_'
    selection_generic_4:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - 'C:\Windows'
            - '.dll'
        CommandLine|contains: 'cmd.exe /C '
    selection_generic_5:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\dllhost.exe'
        CommandLine: ''
    condition: 1 of selection_generic_*
falsepositives:
    - Unknown
level: high
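To see how the five selections and the `1 of selection_generic_*` condition behave on concrete events, here is an added Python re-implementation of the rule's matching logic run over constructed process_creation events; it is example code, not part of the Sigma rule or of SigmaHQ, and the file paths, password and DLL names in the sample events are made up.

```python
# Added example, not SigmaHQ's code: the rule's five selections re-implemented
# in Python and evaluated over constructed process_creation events.
from typing import Dict, List
SEVENZIP_ARGS = ["7z.exe a -v500m -mx9 -r0 -p", "7z.exe a -mx9 -r0 -p"]

def _contains_any(value: str, needles: List[str]) -> bool:
    v = value.lower()  # Sigma 'contains' is case-insensitive
    return any(n.lower() in v for n in needles)

def _contains_all(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matched_selections(ev: Dict[str, str]) -> List[str]:
    """Names of the rule's selections that the event satisfies."""
    cl = ev.get("CommandLine", "")
    pcl = ev.get("ParentCommandLine", "")
    img, pimg = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    hits = []
    # selection_generic_1 / _2: password-protected 7-Zip archiving of .txt or .log into a .zip
    if _contains_any(cl, SEVENZIP_ARGS) and _contains_all(cl, [".zip", ".txt"]):
        hits.append("selection_generic_1")
    if _contains_any(cl, SEVENZIP_ARGS) and _contains_all(cl, [".zip", ".log"]):
        hits.append("selection_generic_2")
    # selection_generic_3: a .vbs run by wscript.exe spawns rundll32 calling a Tk_ export
    if _contains_all(pcl, ["wscript.exe", ".vbs"]) and _contains_all(
            cl, ["rundll32.exe", "C:\\Windows", ".dll,Tk_"]):
        hits.append("selection_generic_3")
    # selection_generic_4: rundll32 loading a DLL under C:\Windows spawns cmd.exe /C
    if (pimg.endswith("\\rundll32.exe") and _contains_all(pcl, ["C:\\Windows", ".dll"])
            and "cmd.exe /c " in cl.lower()):
        hits.append("selection_generic_4")
    # selection_generic_5: rundll32 spawns dllhost.exe with an empty command line
    if pimg.endswith("\\rundll32.exe") and img.endswith("\\dllhost.exe") and cl == "":
        hits.append("selection_generic_5")
    return hits

def rule_fires(ev: Dict[str, str]) -> bool:
    return bool(matched_selections(ev))  # condition: 1 of selection_generic_*

# Constructed sample events; paths and arguments are illustrative, not real telemetry
EVENTS = [
    {"Image": "C:\\Tools\\7z.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": "7z.exe a -v500m -mx9 -r0 -p Pass1 C:\\stage\\out.zip C:\\stage\\*.txt"},
    {"Image": "C:\\Windows\\System32\\dllhost.exe", "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "", "ParentCommandLine": "rundll32.exe C:\\Windows\\Temp\\x.dll,Tk_Start"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /C dir", "ParentCommandLine": "C:\\Windows\\explorer.exe"},
]
```

The third event shows why selection_generic_4 requires the rundll32 parent: `cmd.exe /C` launched from explorer.exe alone does not fire the rule.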
Related rules
- ChromeLoader Malware Execution
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands
- FakeUpdates/SocGholish Activity
- Exploited CVE-2020-10189 Zoho ManageEngine