rundll32_lockworkstation.yml (forked from sar2901/security_content)
name: Rundll32 LockWorkStation
id: fa90f372-f91d-11eb-816c-acde48001122
version: 1
date: '2021-08-09'
author: Teoderick Contreras, Splunk
type: Investigation
datamodel:
- Endpoint
description: This search detects a suspicious rundll32 command line that locks the
  workstation. This technique was seen in the CONTI leak tooling and scripts as part
  of its defense evasion. Locking the screen this way is not common practice and
  may be a good indicator of compromise.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe
  Processes.process="*user32.dll,LockWorkStation*" by Processes.dest Processes.user
  Processes.parent_process Processes.process_name Processes.process Processes.process_id
  Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the process name, parent process, and command-line executions from your
  endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
  Sysmon TA. Tune and filter known instances where a renamed rundll32.exe may be used.
known_false_positives: unknown
references:
- https://threadreaderapp.com/thread/1423361119926816776.html
tags:
  analytic_story:
  - Ransomware
  automated_detection_testing: passed
  confidence: 50
  context:
  - Source:Endpoint
  - Stage:Execution
  dataset:
  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log
  impact: 50
  kill_chain_phases:
  - Exploitation
  message: process $process_name$ with cmdline $process$ in host $dest$
  mitre_attack_id:
  - T1218
  - T1218.011
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: SourceImage
    type: process name
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process
  - Processes.parent_process_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_id
  risk_score: 25
  security_domain: endpoint
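The following is an added example, not code from the security_content project, showing the same logic as the `search` and `message` fields above applied to Sysmon-style process events outside Splunk. It reproduces the `process_name=rundll32.exe` plus `*user32.dll,LockWorkStation*` filter and the `count`/`firstTime`/`lastTime` aggregation, and additionally tags command lines that match while the image has a different name, which is the renamed-rundll32 case `how_to_implement` asks you to tune for. The event records and their field values are constructed for illustration (they are not taken from the referenced attack_data dataset), and the search's grouping by `process_id`/`parent_process_id` is omitted so that repeated executions aggregate into one row.

```python
"""Offline re-implementation of the Rundll32 LockWorkStation search.

Added example; not part of the security_content project. Event keys mirror the
Endpoint.Processes data model fields the search selects. Sample data below is
constructed, not captured from a real host."""
import re

# Equivalent of: Processes.process="*user32.dll,LockWorkStation*"
# Case-insensitive and whitespace-tolerant around the comma so casing or
# spacing variations in the command line do not slip past the match.
LOCKWORKSTATION_RE = re.compile(r"user32\.dll\s*,\s*LockWorkStation", re.IGNORECASE)

# The rule's message template, with Splunk-style $field$ tokens.
MESSAGE_TEMPLATE = "process $process_name$ with cmdline $process$ in host $dest$"

# Fields the search groups by (process_id/parent_process_id left out, see lead-in).
GROUP_BY = ("dest", "user", "parent_process_name", "process_name", "process")

# Constructed sample events (not from the attack_data dataset).
SAMPLE_EVENTS = [
    {"_time": 1628500000, "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "rundll32.exe",
     "process": "rundll32.exe user32.dll,LockWorkStation"},
    {"_time": 1628500060, "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "rundll32.exe",
     "process": "rundll32.exe user32.dll,LockWorkStation"},
    # Benign rundll32 use: different DLL export, must not match.
    {"_time": 1628500120, "dest": "WS02", "user": "CORP\\bob",
     "parent_process_name": "explorer.exe", "process_name": "rundll32.exe",
     "process": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # Command line matches but the image is not named rundll32.exe
    # (the renamed-binary case how_to_implement mentions).
    {"_time": 1628500180, "dest": "WS03", "user": "CORP\\svc",
     "parent_process_name": "wscript.exe", "process_name": "updater.exe",
     "process": "updater.exe USER32.DLL, LockWorkStation"},
]


def classify(event):
    """Return 'match', 'renamed-candidate' or None for one process event.

    'match' is exactly what the search fires on: process_name rundll32.exe and a
    user32.dll,LockWorkStation command line. 'renamed-candidate' is the extra case
    the process_name filter alone would miss: the command line matches but the
    image carries another name. Everything else returns None."""
    if not LOCKWORKSTATION_RE.search(event.get("process", "")):
        return None
    if event.get("process_name", "").lower() == "rundll32.exe":
        return "match"
    return "renamed-candidate"


def run_search(events):
    """Aggregate like the tstats call: count, firstTime, lastTime per GROUP_BY key.

    Returns a dict mapping the GROUP_BY tuple to a row dict."""
    rows = {}
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        key = tuple(ev.get(f, "") for f in GROUP_BY)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "verdict": verdict})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


def render_message(key):
    """Fill MESSAGE_TEMPLATE from an aggregated row key; unknown tokens are kept."""
    fields = dict(zip(GROUP_BY, key))
    return re.sub(r"\$(\w+)\$",
                  lambda m: str(fields.get(m.group(1), m.group(0))),
                  MESSAGE_TEMPLATE)


if __name__ == "__main__":
    for key, row in run_search(SAMPLE_EVENTS).items():
        print(f"[{row['verdict']}] count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']} :: {render_message(key)}")
```

Running the block prints two rows: the WS01 pair aggregates into one `match` row with a count of 2, the WS02 control-panel launch is dropped, and the WS03 event surfaces as a `renamed-candidate` that the Splunk search as written would not return. Treat that third category as a tuning input, not as an automatic alert, since the page lists its false positives as unknown.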