I added most of the missing LOLBAS for downloading executables in the Event id 3 section for network connections. I also removed a bit of noise coming from missing windows process exclusions.
Here are the in-depth changes :
Process Launch (Event ID 1)
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation was excluded, but not C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p. On a fresh Windows Server 2016 install, a lot of logs were received for the later
C:\Windows\system32\svchost.exe -k networkService was excluded, but not C:\Windows\system32\svchost.exe -k networkService -p. On a fresh Windows Server 2016 install, a lot of logs were received for the later
Changed the ParentCommandLine condition for C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe from contain to begin with. Otherwise, this rule can help bypass detection by adding the string to random commands
Added ngentask.exe to the excluded process list.
Network Connection (Event ID 3)
Added powershell_ise.exe - Network connections in powershell.exe were tracked, but the same command in powershell_ise.exe was missed.
SwiftOnSecurity
commented
2 years ago
I added most of the missing LOLBAS for downloading executables in the Event id 3 section for network connections. I also removed a bit of noise coming from missing windows process exclusions.
Here are the in-depth changes : Process Launch (Event ID 1)
C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonationwas excluded, but notC:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p. On a fresh Windows Server 2016 install, a lot of logs were received for the laterC:\Windows\system32\svchost.exe -k networkServicewas excluded, but notC:\Windows\system32\svchost.exe -k networkService -p. On a fresh Windows Server 2016 install, a lot of logs were received for the laterC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exefromcontaintobegin with. Otherwise, this rule can help bypass detection by adding the string to random commandspowershell_ise.exe- Network connections in powershell.exe were tracked, but the same command in powershell_ise.exe was missed.bitsadminsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download)esentutlsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Esentutl/#download)expandsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Expand/#download)extrac32since it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Extrac32/#download)findstrsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Findstr/#download)GfxDownloadWrappersince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/#download)ieexecsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Ieexec/#download)makecabsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Makecab/#download)replacesince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Replace/#download)excelsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/#download)powerpntsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/#download)winwordsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/#download)squirrelsince it can be used to download payloads (https://lolbas-project.github.io/lolbas/Binaries/Squirrel/#download)I did not add
update.exefrom Teams since it would generate too many false positives.Do not hesitate to comment this issue if you feel like some of those items are unclear or should be removed / modified.
Thank you for the great work, Have a good day.