proc_creation_win_cmd_mklink_osk_cmd Scenario

« proc_creation_win_cmd_mklink_osk_cmd »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1546confidence:1

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Installation

cscli scenarios install sigmahq/proc_creation_win_cmd_mklink_osk_cmd

YAML Configuration

1type: trigger
2name: sigmahq/proc_creation_win_cmd_mklink_osk_cmd
3description: |
4  Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\cmd.exe' || evt.Parsed.OriginalFileName == 'Cmd.Exe') && evt.Parsed.CommandLine contains 'mklink' && evt.Parsed.CommandLine contains '\\osk.exe' && evt.Parsed.CommandLine contains '\\cmd.exe')
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1546.008
15
16  label: "Potential Privilege Escalation Using Symlink Between Osk and Cmd"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24

Hub configuration

« proc_creation_win_cmd_mklink_osk_cmd »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1546confidence:1

« proc_creation_win_cmd_mklink_osk_cmd »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1546confidence:1