proc_creation_win_dump64_defender_av_bypass_rename Scenario

« proc_creation_win_dump64_defender_av_bypass_rename »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1

Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.

Installation

cscli scenarios install sigmahq/proc_creation_win_dump64_defender_av_bypass_rename

YAML Configuration

1type: trigger
2name: sigmahq/proc_creation_win_dump64_defender_av_bypass_rename
3description: |
4  Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. 
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.Image startsWith ':\\Program Files' && evt.Parsed.Image contains '\\Microsoft Visual Studio\\' && evt.Parsed.Image endsWith '\\dump64.exe' && (evt.Parsed.OriginalFileName == 'procdump' || evt.Parsed.CommandLine contains ' -ma ' || evt.Parsed.CommandLine contains ' -mp '))
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1003.001
15
16  label: "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24

Hub configuration

« proc_creation_win_dump64_defender_av_bypass_rename »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1

« proc_creation_win_dump64_defender_av_bypass_rename »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1003confidence:1