SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe #25
Comments
|
Let me look closer... I need to compare between the two rules. I don't really see what you did. I'll get back with you in the AM.
From: "msnriggs" <[email protected]>
To: "beave/sagan-rules" <[email protected]>
Cc: "Subscribed" <[email protected]>
Sent: Monday, January 7, 2019 2:32:22 PM
Subject: [beave/sagan-rules] SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe (#25)
[ https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 | https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 ]
Seems to detect
1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
What would be the best way to tighten that rule up? Maybe something like this?
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon ; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, [ #25 | view it on GitHub ] , or [ https://github.com/notifications/unsubscribe-auth/AAT-4LKLUNSBZW7B18-0g68f7nETqypYks5vA6DGgaJpZM4Z0JeO | mute the thread ] .
|
|
We ended up going with this after some experimentation..... (note the "OriginalFileName":"Cmd.Exe") alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.)cmd(.)/i"; content: "OriginalFileName|22|:|22|Cmd.Exe|22|"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:2;) The only issue I see is that your sysmon output doesn't contact the "OriginalFileName"? Are you running the latest version of Sysmon? We might need to adjust this to us the "image name". Hmm... |
|
It's sysmon 8.4 - getting ready to deploy 10 and play with it |
sagan-rules/windows-sysmon.rules
Line 86 in 6f87a80
Seems to detect
1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
What would be the best way to tighten that rule up? Maybe something like this?
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)
The text was updated successfully, but these errors were encountered: