Skip to content

Instantly share code, notes, and snippets.

@embee-research
Last active September 13, 2022 04:33
Show Gist options
  • Save embee-research/14ab9d309f25a05fc9305a8e7f351089 to your computer and use it in GitHub Desktop.
Save embee-research/14ab9d309f25a05fc9305a8e7f351089 to your computer and use it in GitHub Desktop.
title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
references:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith:
- 'msdt.exe'
selection2:
CommandLine|contains:
- 'PCWDiagnostic'
selection3:
CommandLine|contains:
- 'ms-msdt:-id'
- 'ms-msdt:/id'
selection4:
CommandLine|contains:
- 'invoke'
condition: selection1 and (selection4 or (selection2 and selection3))
falsepositives:
- Unknown
level: high
@RyanMBess
Copy link

Ah, So sigma will only provide the search fields for sysmon logs?

@LeJonLozada
Copy link

Not for all Sigma Rules but in this case yes. Also this can be translated into a query for EDR tools as well. You can check https://uncoder.io/ to help translate yaml or sigma into queries for other SIEMs/EDRs.
https://socprime.com/blog/sigma-rules-the-beginners-guide/

@embee-research
Copy link
Author

Thank you @mbabinski for the heads up on the "OR". I've fixed that up now

@embee-research
Copy link
Author

@RyanMBess I think @LeJonLozada is right in that sigma will default to sysmon search fields.
If you replace "CommandLine" with any field name you have available that contains command line parameters, then the query should still work.

@RyanMBess
Copy link

@matthewB-huntress @LeJonLozada thanks for the info. Appreciate it.

@thomaspatzke
Copy link

Thanks for the rule! Just a heads up, the upper case "OR" condition on line 30 will prevent pySigma from parsing this rule successfully. Changing it to a lower-case "or" makes it work. @thomaspatzke, do you know if this is by design? It looks like legacy sigma can parse it either way.

Hi @mbabinski! Thanks for clarifying this!

It was more an accident than intention that sigmac tolerates different cases of conditional operators. They should be lower-cased.

in splunk i have no fields called Image or CommandLine. What am I to do with the above?

@RyanMBess You have to define a mapping between the Sigma field naming (for endpoints we use the Sysmon taxonomy as convention) and your target system. Depending on the used conversion tool this is done with:

  • Processing pipelines in Sigma CLI. Sigma CLI comes already with some pipelines. You can list them with sigma list pipelines and use then with the -p parameter of the sigma convert command. Currenty, these pipelines are defined:
+----------------------------+----------+--------------------------------------------------------------------------------+
| Identifier                 | Priority | Processing Pipeline                                                            |
+----------------------------+----------+--------------------------------------------------------------------------------+
| sysmon                     | 10       | Generic Log Sources to Sysmon Transformation                                   |
| crowdstrike_fdr            | 10       | Generic Log Sources to CrowdStrike Falcon Data Replicator (FDR) Transformation |
| splunk_windows             | 20       | Splunk Windows log source conditions                                           |
| splunk_sysmon_acceleration | 25       | Splunk Windows Sysmon search acceleration keywords                             |
| splunk_cim                 | 20       | Splunk CIM Data Model Mapping                                                  |
| windows                    | 10       | Generic Log Sources to windows Transformation                                  |
+----------------------------+----------+--------------------------------------------------------------------------------+
  • The mapping configuration in sigmac, which is quite restricted compared to Sigma CLI. Sigmac also has some mappings defined, you can list them with sigmac -l.

@izysec
Copy link

izysec commented Jun 2, 2022

I ran the yaml file through sigma and since my siem is splunk it gave the below.

((Image="*msdt.exe") ((CommandLine="invoke") OR ((CommandLine="PCWDiagnostic") (CommandLine="ms-msdt:-id" OR CommandLine="ms-msdt:/id"))))

in splunk i have no fields called Image or CommandLine. What am I to do with the above?

Just FYI, Splunk should know these fields from Windows ETW logs too, you just have to ingest the logs in the XML format (how it should be). Splunk messed up with it initially but corrected it from Splunk 6.2 onwards. More info here: https://www.splunk.com/en_us/blog/platform/splunk-6-2-feature-overview-xml-event-logs.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment