Open frack113 opened 1 month ago
Summary of the Pull Request
setup16.exe as lolbin: https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
Potential Command Line Path Traversal Evasion Attempt is covered by Rule_Id 1327381e-6ab0-4f38-b583-4c1b8346a56b.
setup16 NEEDS a .lst file, but as I don't know about false positives, I haven't written a rule about creating .lst files.
Changelog
add: Suspicious Setup16 Parent
Example Log Event
```json
{
  "CommandLine": "C:\\~MSSETUP.T\\foo.t\\..\\..\\..\\windows\\system32\\calc.exe",
  "Company": "Microsoft Corporation",
  "Computer": "Win11",
  "Correlation_ActivityID": "{00000000-0000-0000-0000-000000000000}",
  "Description": "Windows Calculator",
  "DirectoryTableBase": "0x5500C000",
  "EventID": "1",
  "Execution_ProcessID": "4552",
  "Execution_ThreadID": "2716",
  "ExitStatus": "259",
  "FileAge": "890d02h04m58s",
  "FileCreationDate": "2022-05-07T07:20:18",
  "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
  "Flags": "2",
  "GrandparentCommandLine": "C:\\WINDOWS\\System32\\cmd.exe",
  "GrandparentImage": "C:\\Windows\\System32\\cmd.exe",
  "GrandparentProcessId": "740",
  "Hashes": "MD5=302021D31F2D0BCE01D7AFC26BFE2BA2,SHA1=8A1C6E08700B39C943FFE5521997D36EF60E7786,SHA256=E5C9058319C82EC44BB881FCC84D51D6F9E56CCE2931D5B6F4519157953CF572,IMPHASH=BA072A972FE6C47C8CF7A0347BB0AF7A",
  "Image": "C:\\Windows\\SysWOW64\\calc.exe",
  "ImageFileName": "calc.exe",
  "IntegrityLevel": "High",
  "Keywords": "0x0",
  "Level": "0",
  "Match_Strings": "' -m ' in ParentCommandLine, -QT in ParentCommandLine, C:\\Windows\\SysWOW64\\setup16.exe in ParentImage",
  "Module": "Sigma",
  "Opcode": "1",
  "OriginalFileName": "CALC.EXE",
  "ParentCommandLine": "c:\\windows\\SysWOW64\\setup16.exe -m c:\\temp\\test2.lst -QT",
  "ParentId": "0x11C8",
  "ParentImage": "C:\\Windows\\SysWOW64\\setup16.exe",
  "ParentProcessId": "4552",
  "ParentUser": "LAB\\admin",
  "ProcessId": "7672",
  "ProcessTree": "C:\\Windows\\explorer.exe|C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.20.11781.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\SysWOW64\\setup16.exe|C:\\Windows\\SysWOW64\\calc.exe",
  "Product": "Microsoft® Windows® Operating System",
  "Provider_Guid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}",
  "Provider_Name": "SystemTraceProvider-Process",
  "Rule_Author": "frack113",
  "Rule_Description": "An adversary may use setup16 as lolbin",
  "Rule_FalsePositives": "Old setup application",
  "Rule_Id": "99c8be4f-3087-4f9f-9c24-8c7e257b442e",
  "Rule_Level": "medium",
  "Rule_Modified": "2024-10-13",
  "Rule_Path": "sigma-rules\\proc_creation_win_susp_setup16.yml",
  "Rule_References": "https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/",
  "Rule_Sigtype": "custom",
  "Rule_Title": "Suspicius Setup16 Parent",
  "SessionId": "1",
  "Task": "0",
  "TimeCreated_SystemTime": "2024-10-13T09:44:59.7504512+02:00",
  "Timestamp": "1975-06-29T10:43:26",
  "UniqueProcessKey": "0xFFFF800EFE9790C0",
  "User": "LAB\\admin",
  "UserSID": "\\\\LAB\\admin",
  "UtcTime": "2024-10-13 07:44:59",
  "Version": "4",
  "Winversion": "22631",
  "aurora_eventid": 1,
  "level": "notice",
  "msg": "Sigma match found",
  "time": "2024-10-13T09:45:01+02:00",
  "_Match": [
    "' -m ' in ParentCommandLine",
    "-QT in ParentCommandLine",
    "C:\\Windows\\SysWOW64\\setup16.exe in ParentImage"
  ],
  "_Description": [
    "An adversary may use setup16 as lolbin"
  ],
  "_Author": "frack113"
}
```
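The three match strings recorded in the event above (`' -m '` and `-QT` in ParentCommandLine, the setup16.exe path in ParentImage) expressed as plain Python and run over the PR's own event plus two constructed contrast events. This is an added example, not the rule file from this PR nor SigmaHQ code; it assumes Sigma's case-insensitive substring semantics for each condition, and the `lst_path()` helper that pulls the `-m` argument out for triage is a hypothetical addition, not something the rule does.

```python
import re
from typing import Optional

# First event: the process-creation event posted in this PR, trimmed to the fields the
# rule reads. The other two are constructed here for contrast and are not from the PR.
EVENTS = [
    {   # from the PR's example log event
        "Image": r"C:\Windows\SysWOW64\calc.exe",
        "CommandLine": r"C:\~MSSETUP.T\foo.t\..\..\..\windows\system32\calc.exe",
        "ParentImage": r"C:\Windows\SysWOW64\setup16.exe",
        "ParentCommandLine": r"c:\windows\SysWOW64\setup16.exe -m c:\temp\test2.lst -QT",
    },
    {   # constructed: setup16 as parent but without the -m/-QT switches
        "Image": r"C:\Windows\SysWOW64\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\SysWOW64\setup16.exe",
        "ParentCommandLine": r"C:\Windows\SysWOW64\setup16.exe",
    },
    {   # constructed: same child binary launched from an ordinary parent
        "Image": r"C:\Windows\System32\calc.exe",
        "CommandLine": "calc.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]

SETUP16_IMAGE = r"C:\Windows\SysWOW64\setup16.exe"


def _contains_ci(haystack: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive; emulate that (assumption)."""
    return needle.lower() in haystack.lower()


def matches_setup16_parent(event: dict) -> bool:
    """The three conditions listed in the event's _Match array, all required."""
    parent_cmd = event.get("ParentCommandLine", "")
    parent_img = event.get("ParentImage", "")
    return (
        _contains_ci(parent_cmd, " -m ")
        and _contains_ci(parent_cmd, "-QT")
        and _contains_ci(parent_img, SETUP16_IMAGE)
    )


# Hypothetical triage helper: the script file passed to -m, quoted or bare.
LST_ARG = re.compile(r'\s-m\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def lst_path(parent_cmd: str) -> Optional[str]:
    """Return the .lst path that follows -m so an analyst can collect it, or None."""
    m = LST_ARG.search(parent_cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(events) -> list:
    """(child image, lst path) for every event the rule logic fires on."""
    hits = []
    for ev in events:
        if matches_setup16_parent(ev):
            hits.append((ev["Image"], lst_path(ev["ParentCommandLine"])))
    return hits


if __name__ == "__main__":
    for image, lst in triage(EVENTS):
        print(f"setup16 parent match: child={image} lst={lst}")
```

Only the PR's event fires; the constructed setup16 launch without `-m`/`-QT` does not, which is the point of requiring all three conditions rather than the parent image alone. The `.lst` path the helper extracts is the artefact worth collecting, since the PR notes the binary needs that file to run anything.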