Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
Sigma rule
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: test
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
references:
    - https://twitter.com/nas_bench/status/1539679555908141061
    - https://twitter.com/j00sean/status/1537750439701225472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.execution
logsource:
    product: windows
    service: diagnosis-scripted
detection:
    selection:
        EventID: 101
        PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
    condition: selection
falsepositives:
    - Legitimate package hosted on a known and authorized remote location
level: high
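The selection above reduces to a two-field test, and its one documented false positive is a package hosted on an authorized remote location. The following is an added example (not part of the rule or the SigmaHQ project) that applies that selection to constructed Diagnosis-Scripted EventID 101 records and suppresses hits from an assumed allowlist of approved UNC hosts; the host names other than the one quoted in the rule's comment are made up.

```python
import re
from typing import Iterable, Optional

# Constructed sample events modelled on Microsoft-Windows-Diagnosis-Scripted
# EventID 101 records; field names follow the Sigma rule. Paths are invented
# for this example except the one quoted in the rule's own comment.
SAMPLE_EVENTS = [
    {"EventID": 101, "PackagePath": r"\\webdav-test.herokuapp.com@ssl\DavWWWRoot\package"},
    {"EventID": 101, "PackagePath": r"C:\Windows\diagnostics\system\Networking"},
    {"EventID": 101, "PackagePath": r"\\fileshare.corp.example\diag\Printer"},
    {"EventID": 100, "PackagePath": r"\\webdav-test.herokuapp.com@ssl\DavWWWRoot\package"},
]

# Assumed allowlist of servers approved to host .diagcab packages; this models
# the rule's documented false-positive case (constructed value).
AUTHORIZED_HOSTS = {"fileshare.corp.example"}

# Sigma's '\\\\' inside a single-quoted YAML string is two literal backslashes,
# i.e. the UNC path prefix.
UNC_PREFIX = "\\\\"


def matches_rule(event: dict) -> bool:
    """Rule selection: EventID 101 AND PackagePath contains two backslashes."""
    return event.get("EventID") == 101 and UNC_PREFIX in str(event.get("PackagePath", ""))


def unc_host(path: str) -> Optional[str]:
    """Server component of a UNC path, without WebDAV suffixes such as '@ssl' or '@8080'."""
    m = re.match(r"^\\\\([^\\]+)", path)
    if not m:
        return None
    return m.group(1).split("@", 1)[0].lower()


def triage(events: Iterable[dict], authorized=AUTHORIZED_HOSTS) -> list[dict]:
    """Rule hits whose host is not on the allowlist, each annotated with that host."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        host = unc_host(ev["PackagePath"])
        if host in authorized:
            continue  # known and authorized remote location: the rule's false-positive case
        alerts.append({**ev, "host": host})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"ALERT EventID={a['EventID']} host={a['host']} path={a['PackagePath']}")
```

Because the selection is a plain substring test, any PackagePath with two consecutive backslashes satisfies it, including Win32 device paths of the form `\\?\C:\...`; review the full path in the event rather than relying on the host extraction alone.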