Type: Detection | Level: high | Status: test

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Detects attackers using tooling with bad OPSEC defaults, e.g. spawning a sacrificial process to inject a capability into it without taking into account how that process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in CS, i.e. Cobalt Strike, now highlighted by c2lint); another is running WerFault.exe without arguments (Kraken, credit am0nsec); there are other examples.

Authors: Oleg Kolesnikov invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
Created: Fri Oct 23
Updated: Thu Aug 15
Rule ID: a7c3d773-caef-227e-a7e7-c2f13c622329
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (7 selectors)
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
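To show how the selections, filters and condition above combine, here is an added Python evaluator (not code from the Sigma rule or the SigmaHQ project) that applies the rule to a few constructed process-creation events; the user name and GUID in the sample paths are placeholders.

```python
# Added example (not from the Sigma rule or the SigmaHQ project): evaluates this
# rule's selections, filters and condition against constructed process-creation
# events. Sigma modifiers match case-insensitively by default, hence lower().
SELECTIONS = ["werfault.exe", "rundll32.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe"]
EDGE_UPDATE = "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{"
CHROMIUM = ("\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\",
            "\\AppData\\Local\\Google\\Chrome\\Application\\")

def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())

def sacrificial_selection(event):
    """Name of the matching selection_* block, or None (`1 of selection_*`)."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    for exe in SELECTIONS:
        if _endswith(image, "\\" + exe) and _endswith(cmd, exe):
            return "selection_" + exe[:-4]  # strip ".exe"
    return None

def benign_parent(event):
    """True when one of the filter_optional_* blocks matches (`1 of filter_optional_*`)."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    parent, parent_cmd = event.get("ParentImage", ""), event.get("ParentCommandLine", "")
    if not (_endswith(image, "\\rundll32.exe") and _endswith(cmd, "rundll32.exe")):
        return False
    if EDGE_UPDATE.lower() in parent.lower():
        return True
    return (any(p.lower() in parent.lower() for p in CHROMIUM)
            and _endswith(parent, "\\Installer\\setup.exe")
            and "--uninstall " in parent_cmd.lower())

def matches(event):
    """The rule's condition: 1 of selection_* and not 1 of filter_optional_*."""
    return sacrificial_selection(event) is not None and not benign_parent(event)

# Constructed sample events (not real telemetry); user name and GUID are placeholders.
SYS = "C:\\Windows\\System32\\"
EVENTS = {
    "bare_rundll32": {"Image": SYS + "rundll32.exe", "CommandLine": "rundll32.exe", "ParentImage": SYS + "cmd.exe"},
    "normal_rundll32": {"Image": SYS + "rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": SYS + "explorer.exe"},
    "bare_werfault": {"Image": SYS + "WerFault.exe", "CommandLine": SYS + "WerFault.exe", "ParentImage": SYS + "svchost.exe"},
    "edge_update": {"Image": SYS + "rundll32.exe", "CommandLine": "rundll32.exe",
                    "ParentImage": "C:\\Users\\user\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{PLACEHOLDER-GUID}\\MicrosoftEdgeUpdateSetup.exe"},
    # Ends with a closing quote, so `CommandLine|endswith: 'rundll32.exe'` does not match.
    "quoted_rundll32": {"Image": SYS + "rundll32.exe", "CommandLine": '"' + SYS + 'rundll32.exe"', "ParentImage": SYS + "cmd.exe"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:16} -> {matches(ev)}")
```

The last event illustrates a limitation worth knowing when tuning: a command line whose only argument-free form is quoted ends in `"` and therefore does not satisfy the `endswith` selection.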
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK
attack.defense-evasion, attack.t1218.011
Related Rules
Similar: f5647edc-a7bf-4737-ab50-ef8c60dc3add
Rule Metadata
Rule ID
a7c3d773-caef-227e-a7e7-c2f13c622329
Status
test
Level
high
Type
Detection
Created
Fri Oct 23
Modified
Thu Aug 15
Path
rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
Raw Tags
attack.defense-evasion, attack.t1218.011