
SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe

Open msnriggs opened this issue 7 years ago • 3 comments

https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86

Seems to detect:

1: Process Create:
RuleName:
UtcTime: 2019-01-08 03:18:51.728
ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00}
ProcessId: 6716
Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe
FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313)
Description: Microsoft Malware Protection Command Line Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\NETWORK SERVICE
LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000}
LogonId: 0x3E4
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7
ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00}
ParentProcessId: 4080
ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe
ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges

What would be the best way to tighten that rule up? Maybe something like this?

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)

msnriggs avatar Jan 07 '19 19:01 msnriggs

Let me look closer... I need to compare between the two rules. I don't really see what you did. I'll get back with you in the AM.


beave avatar Jan 10 '19 04:01 beave

We ended up going with this after some experimentation.....

(note the "OriginalFileName":"Cmd.Exe")

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd(.*)/i"; content: "OriginalFileName|22|:|22|Cmd.Exe|22|"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:2;)

The only issue I see is that your Sysmon output doesn't contain the "OriginalFileName"? Are you running the latest version of Sysmon? We might need to adjust this to use the "image name". Hmm...

beave avatar Jul 15 '19 19:07 beave

It's Sysmon 8.4 - getting ready to deploy 10 and play with it.

msnriggs avatar Jul 16 '19 13:07 msnriggs
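The rule logic from this thread run over constructed Sysmon events, as an added example that is not part of the issue or of the sagan-rules project. It models the rev 1 check proposed in the issue, the rev 2 check that was adopted, and the Image-name fallback beave floats for Sysmon builds that do not emit OriginalFileName (the 8.4 case). The sample events, the small parser and the function names are this example's own; the rev 2 OriginalFileName test is done on the parsed field rather than on the JSON-style raw content match the Sagan rule uses.

```python
import ntpath
import re

# --- Constructed Sysmon Event ID 1 (Process Create) samples -------------------
# Written in Sysmon's native one-"Key: Value"-per-line form. They are made up for
# this example (paths follow the issue; GUIDs and hashes are left out because
# nothing below depends on them) and are not captured events.

# The false positive from the issue: Defender's MpCmdRun.exe, logged by a Sysmon
# build that does not emit OriginalFileName.
DEFENDER_OLD_SYSMON = r"""
1: Process Create:
Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe
CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke
User: NT AUTHORITY\NETWORK SERVICE
ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe
"""
# The same process on a newer Sysmon build that does emit OriginalFileName.
DEFENDER_NEW_SYSMON = DEFENDER_OLD_SYSMON + "OriginalFileName: MpCmdRun.exe\n"

# A genuine cmd.exe launch, without and with OriginalFileName (constructed).
CMD_OLD_SYSMON = r"""
1: Process Create:
Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\system32\cmd.exe" /c whoami
User: EXAMPLE\user1
ParentImage: C:\Windows\explorer.exe
"""
CMD_NEW_SYSMON = CMD_OLD_SYSMON + "OriginalFileName: Cmd.Exe\n"

# Sysmon fields look like "Key: Value"; the "1: Process Create:" header does not
# start with a letter and is skipped.
FIELD_RE = re.compile(r"^([A-Za-z]\w*):\s?(.*)$")


def parse_sysmon_event(text):
    """Turn Sysmon's 'Key: Value' lines into a dict; non-field lines are skipped."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


# rev 1, as proposed in the issue: pcre "/CommandLine: (.*)cmd.exe/i".
REV1_RE = re.compile(r"CommandLine: (.*)cmd.exe", re.I)
# rev 2, as adopted: pcre "/CommandLine: (.*)cmd(.*)/i" plus a nocase content
# match on OriginalFileName "Cmd.Exe".
REV2_RE = re.compile(r"CommandLine: (.*)cmd(.*)", re.I)


def rule_rev1(event_text):
    """rev 1: fires when the CommandLine line contains 'cmd.exe' (case-insensitive).
    The unescaped '.' is kept as written in the thread; it matches any character."""
    return REV1_RE.search(event_text) is not None


def rule_rev2(event_text):
    """rev 2: 'cmd' somewhere in the CommandLine line AND OriginalFileName is Cmd.Exe."""
    fields = parse_sysmon_event(event_text)
    has_cmd = REV2_RE.search(event_text) is not None
    return has_cmd and fields.get("OriginalFileName", "").lower() == "cmd.exe"


def rule_rev2_with_image_fallback(event_text):
    """rev 2 plus the fallback floated in the thread (hypothetical variant, not a
    rule from the repo): when OriginalFileName is absent, compare the Image basename."""
    fields = parse_sysmon_event(event_text)
    if REV2_RE.search(event_text) is None:
        return False
    if "OriginalFileName" in fields:
        return fields["OriginalFileName"].lower() == "cmd.exe"
    return ntpath.basename(fields.get("Image", "")).lower() == "cmd.exe"


def summarize(event_text):
    """Return the three verdicts for one event for a side-by-side comparison."""
    return {
        "rev1": rule_rev1(event_text),
        "rev2": rule_rev2(event_text),
        "rev2+image": rule_rev2_with_image_fallback(event_text),
    }


if __name__ == "__main__":
    samples = {
        "MpCmdRun, old Sysmon": DEFENDER_OLD_SYSMON,
        "MpCmdRun, new Sysmon": DEFENDER_NEW_SYSMON,
        "cmd.exe, old Sysmon": CMD_OLD_SYSMON,
        "cmd.exe, new Sysmon": CMD_NEW_SYSMON,
    }
    for name, text in samples.items():
        print(f"{name:22} {summarize(text)}")
```

Neither revision fires on MpCmdRun.exe: rev 1 because "CmdRun.exe" is not "cmd.exe", rev 2 because the OriginalFileName is not Cmd.Exe even though the command line contains "cmd". The rev 2 column is False for the genuine cmd.exe event that lacks OriginalFileName, which is the gap beave points out for Sysmon 8.4; the Image-basename fallback closes it without re-admitting the Defender event.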