Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process to inject a capability into it without taking into account how that process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in CS, now highlighted by c2lint); another is running WerFault without arguments (Kraken, credit am0nsec).

Sigma rule (View on GitHub)

title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: experimental
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
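The detection block above, as an added plain-Python evaluator (not SigmaHQ or pySigma code) run over constructed process_creation events; the field names follow the rule, while the sample paths and ProcessIds are made up. It shows why an argument-less command line trips the rule, why a legitimate invocation with arguments does not, and how the filter_optional_* blocks whitelist the installer cases.

```python
# Added example (not SigmaHQ code): the rule's detection block as a plain-Python
# evaluator over constructed process_creation events.
SACRIFICIAL = ("WerFault.exe", "rundll32.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe")
EDGE_UPDATE_PARENT = "\\appdata\\local\\microsoft\\edgeupdate\\install\\{"
CHROMIUM_PARENTS = ("\\appdata\\local\\bravesoftware\\brave-browser\\application\\",
                    "\\appdata\\local\\google\\chrome\\application\\")

def _f(ev: dict, key: str) -> str:
    # Sigma string modifiers match case-insensitively, so normalise every field once.
    return str(ev.get(key, "")).lower()

def matches_selection(ev: dict) -> bool:
    """1 of selection_*: Image is a sacrificial binary and CommandLine ends in the
    bare executable name, i.e. no arguments (any argument or a trailing quote
    breaks the endswith match, exactly as in the rule)."""
    image, cmd = _f(ev, "Image"), _f(ev, "CommandLine")
    return any(image.endswith("\\" + n.lower()) and cmd.endswith(n.lower())
               for n in SACRIFICIAL)

def matches_filter(ev: dict) -> bool:
    """1 of filter_optional_*: argument-less rundll32 spawned by the Edge updater
    or by a Chrome/Brave installer whose own command line contains '--uninstall '."""
    if not (_f(ev, "Image").endswith("\\rundll32.exe")
            and _f(ev, "CommandLine").endswith("rundll32.exe")):
        return False
    parent = _f(ev, "ParentImage")
    if EDGE_UPDATE_PARENT in parent:
        return True
    return (any(p in parent for p in CHROMIUM_PARENTS)
            and parent.endswith("\\installer\\setup.exe")
            and "--uninstall " in _f(ev, "ParentCommandLine"))

def alerts(events) -> list:
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return [ev["ProcessId"] for ev in events
            if matches_selection(ev) and not matches_filter(ev)]

# Constructed sample events, not real telemetry. Expected alerts: [1, 3].
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",  # bare rundll32 from cmd
     "CommandLine": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessId": 2, "Image": "C:\\Windows\\System32\\rundll32.exe",  # legitimate use, has arguments
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 3, "Image": "C:\\Windows\\System32\\WerFault.exe",  # WerFault normally gets arguments
     "CommandLine": "WerFault.exe", "ParentImage": "C:\\Users\\u\\Downloads\\doc.exe"},
    {"ProcessId": 4, "Image": "C:\\Windows\\System32\\rundll32.exe",  # whitelisted Chrome uninstall
     "CommandLine": "rundll32.exe", "ParentCommandLine": "setup.exe --uninstall --system-level",
     "ParentImage": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\Application\\1.0\\Installer\\setup.exe"},
]
```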
