Comments (3)
@YamatoSecurity
Thanks for your issue.
I will check it.
from hayabusa.
But shouldn't this not match because
\s
!=/s
?
Now that I think of it, it may be intentional that we are treating them the same because it is possible to use both forward and backward slashes in paths to prevent signature bypass. Please forget about this one
from hayabusa.
I think this is a separate issue, but when I use this test rule:
title: File Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021/12/13
modified: 2024/03/06
tags:
- attack.discovery
- attack.t1217
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'dir*/s'
condition: all of selection*
falsepositives:
- Likely
level: low
I get the following result:
2021-08-08 08:33:15.303 +09:00 · File Enumeration Via Dir Command · low · MSEDGEWIN10 · Sysmon · 1 · Disc · T1217 · · 557006 · Cmdline: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe ¦ Proc: C:\Windows\System32\cmd.exe ¦ User: MSEDGEWIN10\IEUser ¦ ParentCmdline: ? ¦ LID: 0x7a857 ¦ LGUID: 747F3D96-1231-610F-0000-002057A80700 ¦ PID: 11324 ¦ PGUID: 747F3D96-183B-610F-0000-0010DC6CD400 ¦ ParentPID: 1108 ¦ ParentPGUID: 00000000-0000-0000-0000-000000000000 ¦ Description: Windows Command Processor ¦ Product: Microsoft® Windows® Operating System ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 · CurrentDirectory: C:\Windows\system32\ ¦ FileVersion: 10.0.17763.592 (WinBuild.160101.0800) ¦ IntegrityLevel: Medium ¦ OriginalFileName: Cmd.Exe ¦ RuleName: ¦ TerminalSessionId: 1 ¦ UtcTime: 2021-08-07 23:33:15.285 · test.yml · ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx
It seems that it is matching on dir
in windir
and \s
from cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe
But shouldn't this not match because \s
!= /s
?
from hayabusa.
Related Issues (20)
- computer-metrics usage is different
- Only enable rule files that are applicable to the loaded evtx files
- Only load and scan evtx files based on loaded rules
- Support `windash` pipe modifier HOT 5
- Investigate chances to reduce memory, refactor code, etc...
- [bug] `-T(--visualize-timeline)` option does not work
- Can't get hayabusa to use JSON as input HOT 3
- Enhancement: Duplicate detections for logon-summary HOT 5
- Check out WatchAD2.0 by Qihoo360 HOT 1
- aarch64 musl binary can't run HOT 1
- Consistent output for Timeline Explorer HOT 5
- Allow `-d` to be specified multiple times HOT 1
- Sigma correlations support: Event Count HOT 3
- Sigma correlations support: Value Count HOT 1
- Support multiple grouping by in `count` HOT 1
- Improving count rule's output HOT 6
- [bug] Nothing is detected when using the `-J, --JSON-input` option with the timeline command because of `Channel` filter HOT 4
- Enable overflow checks in release mode
- Support for `Provider_name` and `Data[x]` notation to the field mapping HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hayabusa.