
Create proc_creation_win_lolbin_agentexecutor.yml

Open memory-shards opened this issue 3 years ago • 2 comments

Proposed rule for the Windows LOLBIN AgentExecutor, which doesn't have much coverage. Rule created as the final project for the Detection Engineering with Sigma course with @defensivedepth.

memory-shards avatar Jul 31 '22 16:07 memory-shards

Hello, it is YAML, so do not use tabs but spaces. The first line must be title.

frack113 avatar Jul 31 '22 17:07 frack113

Hello, sorry for those two errors. Fixed.

memory-shards avatar Jul 31 '22 17:07 memory-shards

I've taken a look at AgentExecutor a little bit, and it seems we need access to Intune or the binary itself to be able to improve the rule, as there are a couple more flags that seem interesting and we need to filter out the legitimate process that launches it from Intune.

nasbench avatar Dec 18 '22 14:12 nasbench

Hi,

I've reversed the binary and reworked the rules. Added some new flags I found that could enable execution.

There is the executeWinGet param that seems like it could be used to install packages via Winget. This could be interesting, but I haven't looked at it in depth yet. There is also the -detect flag that expects some kind of Base64 input. (Maybe a task for a future me or someone interested in finding new LOLBINs.)

Here is the hash for the AgentExecutor I looked at: 55acc88ee71eaddc9052251e500de0cdbe32582785fc797d8e6bc8025f720d49

nasbench avatar Dec 24 '22 13:12 nasbench
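The two technical points in this thread, frack113's YAML hygiene requirements (spaces not tabs, `title` first) and nasbench's detection shape (flag AgentExecutor.exe runs carrying the interesting flags, but filter out the legitimate Intune parent), as an added example that is not the rule proposed in the issue and not the Sigma project's own tooling. The rule text, the flag strings `executeWinGet` and `-detect` (taken from the comments above, exact command-line form assumed), the Intune Management Extension parent path and the sample events are all assumptions constructed for illustration; the matcher implements only the `contains`/`endswith`/`startswith` modifiers and a `selection and not filter` condition, with Sigma's case-insensitive string matching.

```python
"""Added example: lint a Sigma rule's YAML and run its detection over constructed events.
Not the Sigma project's code; rule contents, paths and events are illustrative assumptions."""

# Constructed rule text that satisfies frack113's review: spaces only, `title` on the first line.
RULE_TEXT = """\
title: Suspicious AgentExecutor Flags (illustrative, not the project rule)
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\AgentExecutor.exe'
        CommandLine|contains:
            - 'executeWinGet'
            - '-detect'
    filter_intune:
        ParentImage|endswith: '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'
    condition: selection and not filter_intune
level: medium
"""

# Python mirror of the detection section above (assumed rule content; avoids a YAML dependency).
DETECTION = {
    "selection": {
        "Image|endswith": "\\AgentExecutor.exe",
        "CommandLine|contains": ["executeWinGet", "-detect"],
    },
    "filter_intune": {
        # Assumed path of the Intune Management Extension agent that legitimately spawns AgentExecutor.
        "ParentImage|endswith": "\\Microsoft.Management.Services.IntuneWindowsAgent.exe",
    },
}


def lint_rule_text(text):
    """Return the problems frack113 flagged: tab characters and a first line that is not `title:`."""
    problems = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if "\t" in line:
            problems.append(f"line {n}: tab character (YAML indentation must use spaces)")
    first = next((l for l in lines if l.strip() and not l.lstrip().startswith("#")), "")
    if not first.startswith("title:"):
        problems.append("first line must be `title:`")
    return problems


def _field_matches(event, key, expected):
    """Evaluate one `Field|modifier: value(s)` pair; list values are OR-ed, matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    candidates = [str(c).lower() for c in candidates]
    if modifier == "contains":
        return any(c in value for c in candidates)
    if modifier == "endswith":
        return any(value.endswith(c) for c in candidates)
    if modifier == "startswith":
        return any(value.startswith(c) for c in candidates)
    return value in candidates  # no modifier: plain (case-insensitive) equality


def _block_matches(event, block):
    """All field pairs inside one named block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(event):
    """condition: selection and not filter_intune"""
    return _block_matches(event, DETECTION["selection"]) and not _block_matches(event, DETECTION["filter_intune"])


# Constructed process-creation events (not real telemetry); argument values are placeholders.
EVENTS = [
    {   # legitimate: AgentExecutor launched by the Intune agent, should be filtered out
        "Image": r"C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe",
        "CommandLine": "AgentExecutor.exe -detect PLACEHOLDER_BASE64",
    },
    {   # suspicious: same binary name, interesting flag, spawned from a shell
        "Image": r"C:\Users\Public\AgentExecutor.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "AgentExecutor.exe -executeWinGet PLACEHOLDER_ARGS",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def run(events=EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    print("lint problems:", lint_rule_text(RULE_TEXT))
    print("alerting events:", run())
```

The parent-process filter is what nasbench's comment asks for: without it, every Intune-initiated script run would alert, and the rule would be noise. When tuning the real rule, verify the Intune parent path on an enrolled host rather than trusting the assumed value above.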