diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
new file mode 100644
index 000000000..fa77389e1
--- /dev/null
+++ b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
@@ -0,0 +1,37 @@
+name: Suspicious object symbolic link creation
+id: f9306355-1f5f-4a06-9779-195aa681db80
+version: 1.0.0
+description: |
+ Identifies the creation of the object symbolic link inside the object manager namespace
+ by untrusted or unusual processes.
+ Adversaries may exploit object symbolic links to trick system processes into executing
+ malicious payloads.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1211
+ technique.name: Exploitation for Defense Evasion
+ technique.ref: https://attack.mitre.org/techniques/T1211/
+references:
+ - https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease
+ - https://www.elastic.co/kr/blog/detect-block-unknown-knowndlls-windows-acl-hardening-attacks-cache-poisoning-escalation
+
+condition: >
+ create_symbolic_link_object and kevt.pid != 4
+ and
+ (pe.is_signed = false or pe.is_trusted = false or not ps.exe imatches
+ (
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\WINDOWS\\system32\\svchost.exe',
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*',
+ '?:\\Windows\\System32\\vmwp.exe'
+ )
+ )
+
+output: >
+ Suspicious object symbolic link %kevt.arg[target] created by process %ps.exe
+severity: high
+
+min-engine-version: 2.4.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index ac8c9ec75..a56b1ce14 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
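Review bot: The suppression branch of `condition` exempts any signed and trusted image whose path matches `?:\\Program Files\\*` or `?:\\Program Files (x86)\\*`, so a symbolic link object created by a legitimately signed third-party binary that is itself being abused (sideloaded module, in-process injection) is dropped, whereas the other entries (MsMpEng.exe, svchost.exe, vmwp.exe) show the list was meant to name individual images. The two wildcard entries look like false-positive tuning and should either be narrowed to the specific images that were observed or be documented as a known gap, e.g. a YAML comment above the list: `# Program Files wildcards are broad FP suppression; prefer per-image entries once the noisy binaries are identified`. The svchost entry spells the path `WINDOWS\\system32` while the vmwp entry uses `Windows\\System32`; if `imatches` is the case-insensitive form its name suggests both match, but `'?:\\Windows\\System32\\svchost.exe'` keeps the list consistent. The `kevt.pid != 4` clause is undocumented; presumably it excludes the System process, and the description should say so.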
@@ -103,6 +103,9 @@ - macro: reply_dns expr: kevt.name = 'ReplyDns' +- macro: create_symbolic_link_object + expr: kevt.name = 'CreateSymbolicLinkObject' and kevt.arg[status] = 'Success' + - macro: inbound_network expr: > (recv_socket or accept_socket)
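Review bot: `create_symbolic_link_object` keeps only events with `kevt.arg[status] = 'Success'`, so a failed CreateSymbolicLinkObject call — for instance an attempt denied by the target directory's ACL — is invisible to every rule built on the macro, even though a denied attempt is often the clearer signal of the behaviour the new rule describes. Either document that choice on the macro, or leave the status predicate out of the macro and apply it in the rule: `expr: kevt.name = 'CreateSymbolicLinkObject'` here and `create_symbolic_link_object and kevt.arg[status] = 'Success' and kevt.pid != 4` in the rule's condition. The neighbouring macros visible in this hunk, such as `reply_dns`, carry no status predicate, so the Success filter is also inconsistent with how the surrounding macros are written. The hunk header announces six context lines but only five are recoverable from this view, so a blank context line is presumably lost in the collapsed layout.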