Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults, for example spawning a sacrificial process to inject a capability into it without taking into account how that process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in Cobalt Strike, now highlighted by c2lint); another is running WerFault.exe without arguments (Kraken - credit am0nsec). Every selection below keys on the same tell: the command line ends with the image name itself, so no arguments were passed to a binary that is never normally launched bare.
Sigma rule (View on GitHub)
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: experimental
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
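As an added example that is not part of the SigmaHQ rule or this page, the following Python evaluates the rule's detection logic over constructed process_creation events. It shows that `CommandLine|endswith` only fires when nothing follows the image name, and how the two optional filters suppress the Edge Update and Chromium uninstaller cases; field names are the Sigma process_creation fields used in the rule, and the GUID and version in the sample events are placeholders.

```python
# Process names the rule treats as sacrificial when launched with no arguments.
SACRIFICIAL = ("WerFault.exe", "rundll32.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe")

def matched_selection(ev: dict):
    """Return the selection_* block that fires, or None. Sigma string matching is case-insensitive."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    for name in SACRIFICIAL:
        n = name.lower()
        # Image must end in \<name>; CommandLine must END in <name>, i.e. no arguments follow it.
        if image.endswith("\\" + n) and cmd.endswith(n):
            return "selection_" + n.split(".")[0]
    return None

def matched_filter(ev: dict) -> bool:
    """The two filter_optional_* exclusions; both only apply to argument-less rundll32.exe."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    parent, pcmd = ev.get("ParentImage", "").lower(), ev.get("ParentCommandLine", "").lower()
    if not (image.endswith("\\rundll32.exe") and cmd.endswith("rundll32.exe")):
        return False
    edge_update = "\\appdata\\local\\microsoft\\edgeupdate\\install\\{" in parent
    chromium_uninstall = (
        any(p in parent for p in ("\\appdata\\local\\bravesoftware\\brave-browser\\application\\",
                                  "\\appdata\\local\\google\\chrome\\application\\"))
        and parent.endswith("\\installer\\setup.exe")
        and "--uninstall " in pcmd  # trailing space, exactly as in the rule
    )
    return edge_update or chromium_uninstall

def evaluate(ev: dict) -> bool:
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return matched_selection(ev) is not None and not matched_filter(ev)

# Constructed sample events (not real telemetry); GUID and version are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe", "ParentCommandLine": "invoice.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4242 -s 1234"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "CommandLine": r"C:\Windows\system32\WerFault.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Microsoft\EdgeUpdate\Install\{PLACEHOLDER-GUID}\MicrosoftEdgeUpdate.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\1.0.0.0\Installer\setup.exe",
     "ParentCommandLine": "setup.exe --uninstall --chrome"},
]

def alerts(events) -> list:  # selection name for each event the rule would alert on
    return [matched_selection(ev) for ev in events if evaluate(ev)]
```

Only the bare `rundll32.exe` launched from a Downloads binary and the bare `WerFault.exe` alert; the argument-carrying launches never match a selection, and the two installer-spawned rundll32 events are dropped by the filters.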
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load