61 changes: 61 additions & 0 deletions rules/execution_embedded_script_execution_via_shortcut_file.yml
@@ -0,0 +1,61 @@
name: Embedded script execution via shortcut file
id: 2d94a68b-03fe-4ece-9a99-f4de8ff7261d
version: 1.0.0
description: |
Detects execution of embedded scripts delivered via Windows shortcut (.lnk) files.
Adversaries can exploit the attack chain where a shortcut file is accessed by a
scripting or command interpreter, followed by the creation of a payload in
user-writable locations and the subsequent execution of a script.
labels:
tactic.id: TA0002
tactic.name: Execution
tactic.ref: https://attack.mitre.org/tactics/TA0002/
technique.id: T1204
technique.name: User Execution
technique.ref: https://attack.mitre.org/techniques/T1204/
subtechnique.id: T1204.002
subtechnique.name: Malicious File
subtechnique.ref: https://attack.mitre.org/techniques/T1204/002/
references:
- https://unit42.paloaltonetworks.com/lnk-malware/
- https://github.com/knight0x07/Lnk2Vbs/blob/main/lnk2vbs.py

condition: >
sequence
maxspan 1m
by ps.sessionid
|open_file and
ps.name iin ('cmd.exe', 'findstr.exe', 'find.exe', 'powershell.exe', 'pwsh.exe') and
file.path imatches '?:\\*.lnk'
|
|create_file and
ps.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe') and
file.path imatches
(
'?:\\Users\\*\\AppData\\Local\\*',
'?:\\Users\\*\\AppData\\LocalLow\\*',
'?:\\Users\\*\\AppData\\Roaming\\*',
'?:\\Users\\Public\\*'
)
|
|spawn_process and
ps.name iin
(
'wscript.exe',
'mshta.exe',
'powershell.exe',
'pwsh.exe',
'cmd.exe',
'connhost.exe',
'rundll32.exe',
'forfiles.exe',
'wmic.exe',
'msbuild.exe'
)
|
action:
- name: kill

severity: high

min-engine-version: 3.0.0
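Review bot: the `spawn_process` stage lists `'connhost.exe'`, which is not a Windows binary name; the console host is `conhost.exe`, so this entry can never match. Simply correcting the spelling is not the right fix either: `conhost.exe` is started for every console process, including the `cmd.exe` that the first two stages already require, so a `conhost.exe` match would make the final stage fire on essentially any `.lnk` read followed by a file write in the listed user-writable directories. Suggest dropping the entry from the list rather than renaming it. Related tightening worth considering in the same hunk: the `create_file` stage matches any path under `AppData` or `Users\Public` without constraining the file extension, so with `action: kill` and `severity: high` the rule will terminate `cmd.exe`/`powershell.exe` sessions that legitimately open a shortcut and then write a cache or log file there; matching on script-like extensions (for example `*.vbs`, `*.js`, `*.bat`, `*.ps1`, `*.hta`) in the second stage would bring the kill action closer to the attack chain the description names.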