-
-
Save embee-research/14ab9d309f25a05fc9305a8e7f351089 to your computer and use it in GitHub Desktop.
title: Suspicious msdt.exe execution - Office Exploit | |
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b | |
status: experimental | |
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation. | |
references: | |
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e | |
- https://twitter.com/MalwareJake/status/1531019243411623939 | |
author: 'Matthew Brennan' | |
tags: | |
- attack.execution | |
logsource: | |
category: process_creation | |
product: windows | |
detection: | |
selection1: | |
Image|endswith: | |
- 'msdt.exe' | |
selection2: | |
CommandLine|contains: | |
- 'PCWDiagnostic' | |
selection3: | |
CommandLine|contains: | |
- 'ms-msdt:-id' | |
- 'ms-msdt:/id' | |
selection4: | |
CommandLine|contains: | |
- 'invoke' | |
condition: selection1 and (selection4 or (selection2 and selection3)) | |
falsepositives: | |
- Unknown | |
level: high |
Not for all Sigma Rules but in this case yes. Also this can be translated into a query for EDR tools as well. You can check https://uncoder.io/ to help translate yaml or sigma into queries for other SIEMs/EDRs.
https://socprime.com/blog/sigma-rules-the-beginners-guide/
Thank you @mbabinski for the heads up on the "OR". I've fixed that up now
@RyanMBess I think @LeJonLozada is right in that sigma will default to sysmon search fields.
If you replace "CommandLine" with any field name you have available that contains command line parameters, then the query should still work.
@matthewB-huntress @LeJonLozada thanks for the info. Appreciate it.
Thanks for the rule! Just a heads up, the upper case "OR" condition on line 30 will prevent pySigma from parsing this rule successfully. Changing it to a lower-case "or" makes it work. @thomaspatzke, do you know if this is by design? It looks like legacy sigma can parse it either way.
Hi @mbabinski! Thanks for clarifying this!
It was more an accident than intention that sigmac tolerates different cases of conditional operators. They should be lower-cased.
in splunk i have no fields called Image or CommandLine. What am I to do with the above?
@RyanMBess You have to define a mapping between the Sigma field naming (for endpoints we use the Sysmon taxonomy as convention) and your target system. Depending on the used conversion tool this is done with:
- Processing pipelines in Sigma CLI. Sigma CLI comes already with some pipelines. You can list them with
sigma list pipelines
and use then with the-p
parameter of thesigma convert
command. Currenty, these pipelines are defined:
+----------------------------+----------+--------------------------------------------------------------------------------+
| Identifier | Priority | Processing Pipeline |
+----------------------------+----------+--------------------------------------------------------------------------------+
| sysmon | 10 | Generic Log Sources to Sysmon Transformation |
| crowdstrike_fdr | 10 | Generic Log Sources to CrowdStrike Falcon Data Replicator (FDR) Transformation |
| splunk_windows | 20 | Splunk Windows log source conditions |
| splunk_sysmon_acceleration | 25 | Splunk Windows Sysmon search acceleration keywords |
| splunk_cim | 20 | Splunk CIM Data Model Mapping |
| windows | 10 | Generic Log Sources to windows Transformation |
+----------------------------+----------+--------------------------------------------------------------------------------+
- The mapping configuration in sigmac, which is quite restricted compared to Sigma CLI. Sigmac also has some mappings defined, you can list them with
sigmac -l
.
I ran the yaml file through sigma and since my siem is splunk it gave the below.
((Image="*msdt.exe") ((CommandLine="invoke") OR ((CommandLine="PCWDiagnostic") (CommandLine="ms-msdt:-id" OR CommandLine="ms-msdt:/id"))))
in splunk i have no fields called Image or CommandLine. What am I to do with the above?
Just FYI, Splunk should know these fields from Windows ETW logs too, you just have to ingest the logs in the XML format (how it should be). Splunk messed up with it initially but corrected it from Splunk 6.2 onwards. More info here: https://www.splunk.com/en_us/blog/platform/splunk-6-2-feature-overview-xml-event-logs.html
Ah, So sigma will only provide the search fields for sysmon logs?