Add new artifacts to detect abusing of Windows Utilities
para0x0dise committed Oct 28, 2024
1 parent 7650eaa commit da15180
Showing 1 changed file with 99 additions and 0 deletions.
99 changes: 99 additions & 0 deletions modules/signatures/windows/windows_utilities.py
Expand Up @@ -895,3 +895,102 @@ def run(self):
return True

return False

class UsesMicrosoftHTMLHelpExecutable(Signature):
name = "uses_Microsoft_HTML_Help_Executable"
description = "Uses Microsoft HTML Help Executable for executing PE files"
severity = 3
categories = ["evasion", "execution"]
authors = ["@para0x0dise"]
minimum = "0.5"
evented = True
ttps = ["T1566", "T1218.001"]
references = ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/"]

filter_apinames = set(["NtCreateFile", "CreateProcessInternalW"])
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
self.detected = False

def on_call(self, call, process):
pname = process["process_name"].lower()
if pname == "hh.exe":
if call["api"] == "NtCreateFile":
fileName = self.get_argument(call, "FileName")
if ".exe" in fileName:
self.detected = True
return
if call["api"] == "CreateProcessInternalW":
cmdline = self.get_argument(call, "CommandLine")
lower = cmdline.lower()
if ".exe" in lower:
self.detected = True
return

def on_complete(self):
if self.detected:
return True
return False

class PotentialWebShellViaScreenConnectServer(Signature):
name = "potential_WebShell_Via_ScreenConnectServer"
description = "Uses ScreenConnect for executing scripts"
severity = 3
categories = ["evasion", "execution"]
authors = ["@para0x0dise"]
minimum = "0.5"
evented = True
ttps = ["T1566", "T1218.001"]
references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/initial_access_potential_webshell_via_screenconnect_server.toml"]

filter_apinames = set(["CreateProcessInternalW"])
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
self.detected = False

def on_call(self, call, process):
pname = process["process_name"].lower()
if pname == "screenConnect.service.exe":
if call["api"] == "CreateProcessInternalW":
cmdline = self.get_argument(call, "CommandLine")
lower = cmdline.lower()
if any(process in lower for process in ["cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe"]):
self.detected = True
return

def on_complete(self):
if self.detected:
return True
return False

class PotentialLateralMovementViaSMBEXEC(Signature):
name = "Potential_Lateral_Movement_Via_SMBEXEC"
description = "Attempts to execute a service via Windows Command Shell which may indicate lateral movement attempt"
severity = 3
categories = ["evasion", "execution"]
authors = ["@para0x0dise"]
minimum = "0.5"
evented = True
ttps = ["T1059"]
references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows\lateral_movement_potential_lateral_movement_via_smbexec.toml"]

filter_apinames = set(["CreateProcessInternalW"])
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
self.detected = False

def on_call(self, call, process):
pname = process["process_name"].lower()
if pname == "services.exe":
if call["api"] == "CreateProcessInternalW":
cmdline = self.get_argument(call, "CommandLine")
lower = cmdline.lower()
if any(process in lower for process in ["cmd.exe"]) and any(arg in lower for arg in ["/q", "echo", ".bat", "del"]):
self.detected = True
return

def on_complete(self):
if self.detected:
return True
return False

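Review bot: In PotentialWebShellViaScreenConnectServer.on_call the process-name check can never match: `pname` is lowercased on the line above, but it is compared against `"screenConnect.service.exe"`, which still contains an uppercase C, so the whole signature is dead; use `if pname == "screenconnect.service.exe":`. In PotentialLateralMovementViaSMBEXEC the reference URL contains a backslash (`windows\lateral_movement_...`), which is both a broken link and an invalid escape sequence in a non-raw string literal; replace it with `/`. All three `on_call` handlers use the `CommandLine`/`FileName` argument without a None check, so if `get_argument` returns None for a call record lacking that argument the `in` test raises TypeError and aborts the signature — guarding with `if cmdline and ".exe" in cmdline.lower():` (and likewise for `fileName`) keeps the handlers robust. Minor: the generator variable named `process` in the `any(...)` expressions shadows the `process` parameter of `on_call`, and `set([...])` on the `filter_apinames` lines can be the set literal `{...}`.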