CrowdStrike - Hunting ProcessRollup2 Events Initiated by a LNK File
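```Hunt for Windows process executions (ProcessRollup2) that were launched through a shortcut (.lnk) file, i.e. events where LinkName is populated.```
```The base search is narrowed to an inclusion list of interpreters and living-off-the-land binaries, the command line is then scored heuristically, and the final stats step keeps only combinations seen on few users/hosts.```
```Requires the CrowdStrike Falcon data in index=your_index and the URL Toolbox app for the ut_shannon macro; the two "enrichment here" placeholders must be replaced with your own identity/asset lookups (they are not valid SPL as written).```
index=your_index event_platform=Win event_simpleName=ProcessRollup2 LinkName=*
```Begin binary inclusion list```
(ImageFileName="*\\cmd.exe" OR ImageFileName="*\\wscript.exe" OR ImageFileName="*\\cscript.exe" OR ImageFileName="*\\powershell.exe" OR ImageFileName="*\\pwsh.exe" OR ImageFileName="*\\rundll32.exe" OR ImageFileName="*\\regsvr32.exe" OR ImageFileName="*\\msiexec.exe" OR ImageFileName="*\\certutil.exe" OR ImageFileName="*\\bitsadmin.exe" OR ImageFileName="*\\curl.exe" OR ImageFileName="*\\msdt.exe" OR ImageFileName="*\\odbcconf.exe" OR ImageFileName="*\\WindowsTerminal.exe" OR ImageFileName="*\\wt.exe" OR ImageFileName="*\\expand.exe" OR ImageFileName="*\\mshta.exe" OR ImageFileName="*\\forfiles.exe" OR ImageFileName="*\\xcopy.exe" OR ImageFileName="*\\attrib.exe" OR ImageFileName="*\\explorer.exe" OR ImageFileName="*\\msbuild.exe" OR ImageFileName="*\\scriptrunner.exe" OR ImageFileName="*\\java.exe" OR ImageFileName="*\\javaw.exe" OR ImageFileName="*\\python.exe" OR ImageFileName="*\\pythonw.exe" OR ImageFileName="*\\dism.exe")
```Translate the numeric ShowWindowFlags value into its SW_* constant name; the 1=1 branch keeps any unmapped value as-is```
| eval ShowWindowFlags=case(ShowWindowFlags==0, "SW_HIDE", ShowWindowFlags==1, "SW_SHOWNORMAL", ShowWindowFlags==2, "SW_SHOWMINIMIZED", ShowWindowFlags==3, "SW_SHOWMAXIMIZED", ShowWindowFlags==4, "SW_SHOWNOACTIVATE", ShowWindowFlags==5, "SW_SHOW", ShowWindowFlags==6, "SW_MINIMIZE", ShowWindowFlags==7, "SW_SHOWMINNOACTIVE", ShowWindowFlags==8, "SW_SHOWNA", ShowWindowFlags==9, "SW_RESTORE", ShowWindowFlags==10, "SW_SHOWDEFAULT", ShowWindowFlags==11, "SW_FORCEMINIMIZE", 1=1, ShowWindowFlags)
~identity enrichment here~
~asset enrichment here~
```Begin inline scoring```
```Extract the bare binary name from ImageFileName. The search-time wildcard filters above are case-insensitive but the eval == comparisons below are not, so the regex is made case-insensitive with (?i) and the result is lower-cased; otherwise an image such as CMD.EXE or Cmd.exe would never receive the cmd.exe-specific scores```
| rex field=ImageFileName "(?i)(?<FileName>(?!.*(\\/|\\\\)).+exe)"
| eval FileName=lower(FileName)
| eval cmdLength=len(CommandLine)
```Shannon entropy of the raw command line (URL Toolbox macro); populates the ut_shannon field used in the final stats```
| `ut_shannon(CommandLine)`
```Count escapes and normalize```
```Each *Count is "number of separators minus one"; a null CommandLine yields null counts, which fillnull later turns into 0```
| eval carrotCount = mvcount(split(CommandLine,"^"))-1
| eval tickCount = mvcount(split(CommandLine,"`"))-1
| eval percentCount = mvcount(split(CommandLine,"%"))-1
| eval escapeCharacters=tickCount+carrotCount+percentCount
```Strip the escape characters and lower-case so the keyword/substring checks below see the de-obfuscated form```
| eval cmdNoEscape=trim(replace(CommandLine, "^", ""))
| eval cmdNoEscape=trim(replace(cmdNoEscape, "`", ""))
| eval cmdNoEscape=trim(replace(cmdNoEscape, "%", ""))
| eval cmdNoEscape=lower(cmdNoEscape)
```Count and score```
```Keyword counts are taken on the normalized command line; the surrounding spaces in the split token keep e.g. " set " from matching "setup"```
| eval redirectionCount = mvcount(split(cmdNoEscape,">"))-1
| eval chainCount = mvcount(split(cmdNoEscape," & "))-1
| eval chainCount2 = mvcount(split(cmdNoEscape,"&&"))-1
| eval chainCount = chainCount+chainCount2
| eval setCount = mvcount(split(cmdNoEscape," set "))-1
| eval exitCount = mvcount(split(cmdNoEscape," exit "))-1
| eval copyCount = mvcount(split(cmdNoEscape," copy "))-1
| eval xcopyCount = mvcount(split(cmdNoEscape," xcopy "))-1
| eval echoCount = mvcount(split(cmdNoEscape," echo "))-1
| eval forCount = mvcount(split(cmdNoEscape," for "))-1
| eval findstrCount = mvcount(split(cmdNoEscape," findstr "))-1
| eval callCount = mvcount(split(cmdNoEscape," call "))-1
| eval attribCount = mvcount(split(cmdNoEscape," attrib "))-1
| eval clsCount = mvcount(split(cmdNoEscape," cls "))-1
| eval remCount = mvcount(split(cmdNoEscape," rem "))-1
| eval gotoCount = mvcount(split(cmdNoEscape," goto "))-1
| eval msgCount = mvcount(split(cmdNoEscape," msg "))-1
```vertical tab character, do not touch```
| eval verticaltabCount = mvcount(split(cmdNoEscape,"
"))-1
```Per-signal weights. Note that every count-based check uses >1, so a keyword must occur at least twice before it scores; NOTE(review): confirm this is intended rather than >0. Weights are emitted as quoted strings and summed below with +, which Splunk treats numerically for numeric-looking field values; wrap in tonumber() if the result ever concatenates instead of adding```
| eval isLongCmd=if(cmdLength>160 AND FileName=="cmd.exe","2","0")
| eval isLongPS=if(cmdLength>932 AND FileName=="powershell.exe","2","0")
| eval isLongPWSH=if(cmdLength>932 AND FileName=="pwsh.exe","2","0")
| eval excessiveEscapeChars=if(escapeCharacters>8 ,"5","0")
| eval redirectionChars=if(redirectionCount>1 ,"3","0")
| eval cmdChaining=if(chainCount>1 AND FileName=="cmd.exe","5","0")
| eval setKeyword=if(setCount>1 AND FileName=="cmd.exe","5","0")
| eval exitKeyword=if(exitCount>1 AND FileName=="cmd.exe","3","0")
| eval copyKeyword=if(copyCount>1 AND FileName=="cmd.exe","5","0")
| eval xcopyKeyword=if(xcopyCount>1 AND FileName=="cmd.exe","5","0")
| eval echoKeyword=if(echoCount>1 AND FileName=="cmd.exe","5","0")
| eval forKeyword=if(forCount>1 AND FileName=="cmd.exe","5","0")
| eval findstrKeyword=if(findstrCount>1 AND FileName=="cmd.exe","3","0")
| eval callKeyword=if(callCount>1 AND FileName=="cmd.exe","5","0")
| eval attribKeyword=if(attribCount>1 AND FileName=="cmd.exe","3","0")
| eval clsKeyword=if(clsCount>1 AND FileName=="cmd.exe","2","0")
| eval remKeyword=if(remCount>1 AND FileName=="cmd.exe","2","0")
| eval gotoKeyword=if(gotoCount>1 AND FileName=="cmd.exe","2","0")
| eval msgKeyword=if(msgCount>1 AND FileName=="cmd.exe","2","0")
| eval verticaltab=if(verticaltabCount>1 AND FileName=="cmd.exe","5","0")
| eval invokeHttp=if(like(cmdNoEscape, "%http%"), "3", "0")
```Shortcut launched from somewhere other than the C: drive (removable media, network share, etc.). LinkName is lower-cased because like() is case-sensitive and drive letters are not normalized```
| eval nonCDrive=if(!like(lower(LinkName), "c:\\%"), "15", "0")
| eval appflag=if(like(cmdNoEscape, "%--app=%"), "10", "0")
| eval wsf=if(like(cmdNoEscape, "%.wsf%"), "3", "0")
| eval dotcmd=if(like(cmdNoEscape, "%.cmd%"), "3", "0")
| eval dotjs=if(like(cmdNoEscape, "%.js%"), "5", "0")
| eval msiexecpackage=if(like(cmdNoEscape, "%-package%"), "10", "0")
| eval containshta=if(like(cmdNoEscape, "%.hta%"), "5", "0")
| eval containspipe=if(like(cmdNoEscape, "%|%"), "5", "0")
| eval containsgetcontent=if(like(cmdNoEscape, "%get-content%"), "5", "0")
| eval containscertutil=if(like(cmdNoEscape, "%certutil%"), "10", "0")
| eval containsodbcconf=if(like(cmdNoEscape, "%odbcconf%"), "10", "0")
| eval containsvbscript=if(like(cmdNoEscape, "%vbscript%"), "10", "0")
| eval containsjavascript=if(like(cmdNoEscape, "%javascript%"), "10", "0")
| eval containsmsbuild=if(like(cmdNoEscape, "%msbuild%"), "10", "0")
| eval containscurl=if(like(cmdNoEscape, "%curl%"), "10", "0")
| eval containsregsvr=if(like(cmdNoEscape, "%regsvr%"), "10", "0")
| eval containsscriptrunner=if(like(cmdNoEscape, "%scriptrunner%"), "10", "0")
| eval contains7z=if(like(cmdNoEscape, "%7z%"), "10", "0")
| eval containsrsp=if(like(cmdNoEscape, "%.rsp%"), "10", "0")
| eval containsregisterocx=if(like(cmdNoEscape, "%registerocx%"), "10", "0")
| eval containsadvpack=if(like(cmdNoEscape, "%advpack.dll%"), "10", "0")
| eval containsshellexec=if(like(cmdNoEscape, "%shellexec%"), "10", "0")
| eval containssleep=if(like(cmdNoEscape, "%sleep%"), "10", "0")
| eval containsjava=if(like(cmdNoEscape, "%java%"), "3", "0")
| eval containsdotpy=if(like(cmdNoEscape, "%.py%"), "5", "0")
| eval containstaskkill=if(like(cmdNoEscape, "%taskkill%"), "3", "0")
| eval containspcalua=if(like(cmdNoEscape, "%pcalua%"), "5", "0")
| eval containsexpand=if(like(cmdNoEscape, "%expand%"), "5", "0")
| eval containsconhost=if(like(cmdNoEscape, "%conhost%"), "5", "0")
| eval containsmount=if(like(cmdNoEscape, "%mount%"), "5", "0")
| eval containsunblockfile=if(like(cmdNoEscape, "%unblock-file%"), "15", "0")
| eval containsexpandarchive=if(like(cmdNoEscape, "%expand-archive%"), "15", "0")
```I had to comment this one out but your mileage may vary```
```| eval containsexplorer=if(like(cmdNoEscape, "%explorer%"), "3", "0")```
| eval pdfdotlnk=if(like(cmdNoEscape, "%.pdf.lnk%"), "10", "0")
| eval iex=if(like(cmdNoEscape, "%iex%"), "5", "0")
```Total score: plain sum of every weight above (containsexplorer intentionally excluded while it is commented out)```
| eval cmdScore=isLongCmd+isLongPS+isLongPWSH+excessiveEscapeChars+redirectionChars+cmdChaining+setKeyword+exitKeyword+copyKeyword+xcopyKeyword+echoKeyword+forKeyword+findstrKeyword+callKeyword+attribKeyword+clsKeyword+remKeyword+gotoKeyword+msgKeyword+verticaltab+invokeHttp+nonCDrive+appflag+wsf+dotcmd+msiexecpackage+containshta+containscertutil+pdfdotlnk+dotjs+iex+containspipe+containsgetcontent+containsvbscript+containsjavascript+containsmsbuild+containsrsp+containsodbcconf+containsregisterocx+containsadvpack+contains7z+containsshellexec+containsregsvr+containsscriptrunner+containssleep+containsjava+containsdotpy+containstaskkill+containscurl+containspcalua+containsexpand+containsconhost+containsmount+containsunblockfile+containsexpandarchive
```fillnull so that events with a missing by-field are not silently dropped by stats```
| fillnull index ParentBaseFileName LinkName ShowWindowFlags ImageFileName CommandLine cmdLength ut_shannon escapeCharacters setCount chainCount cmdScore value="0"
```Prevalence filter: keep only parent/shortcut/command-line combinations seen on fewer than 10 distinct users and hosts, highest score and longest command line first. user and dest are presumably produced by the enrichment steps above; confirm their names against your lookups```
| stats dc(user) AS uniqusers dc(dest) AS uniqhosts by ParentBaseFileName LinkName ShowWindowFlags ImageFileName CommandLine cmdScore cmdLength ut_shannon escapeCharacters setCount chainCount nonCDrive| where uniqusers < 10 | where uniqhosts < 10 | sort -cmdScore -cmdLength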