From b17a36cc0b5e374e082ba7259521a919864e9a2f Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 19 Mar 2025 18:54:21 +0100
Subject: [PATCH] feat(rules): Suspicious object symbolic link creation
Identifies the creation of the object symbolic link inside the object manager namespace by untrusted or unusual processes. Adversaries may exploit object symbolic links to trick system processes into executing malicious payloads.
---
 ...spicious_object_symbolic_link_creation.yml | 37 +++++++++++++++++++
 rules/macros/macros.yml | 3 ++
 2 files changed, 40 insertions(+)
 create mode 100644 rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
new file mode 100644
index 000000000..fa77389e1
--- /dev/null
+++ b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
@@ -0,0 +1,37 @@
+name: Suspicious object symbolic link creation
+id: f9306355-1f5f-4a06-9779-195aa681db80
+version: 1.0.0
+description: |
+ Identifies the creation of the object symbolic link inside the object manager namespace
+ by untrusted or unusual processes.
+ Adversaries may exploit object symbolic links to trick system processes into executing
+ malicious payloads.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1211
+ technique.name: Exploitation for Defense Evasion
+ technique.ref: https://attack.mitre.org/techniques/T1211/
+references:
+ - https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease
+ - https://www.elastic.co/kr/blog/detect-block-unknown-knowndlls-windows-acl-hardening-attacks-cache-poisoning-escalation
+
+condition: >
+ create_symbolic_link_object and kevt.pid != 4
+ and
+ (pe.is_signed = false or pe.is_trusted = false or not ps.exe imatches
+ (
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\WINDOWS\\system32\\svchost.exe',
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*',
+ '?:\\Windows\\System32\\vmwp.exe'
+ )
+ )
+
+output: >
+ Suspicious object symbolic link %kevt.arg[target] created by process %ps.exe
+severity: high
+
+min-engine-version: 2.4.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index ac8c9ec75..a56b1ce14 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -103,6 +103,9 @@
 - macro: reply_dns
 expr: kevt.name = 'ReplyDns'
+- macro: create_symbolic_link_object
+ expr: kevt.name = 'CreateSymbolicLinkObject' and kevt.arg[status] = 'Success'
+
 - macro: inbound_network
 expr: >
 (recv_socket or accept_socket)
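Review bot: The `output:` line in the new rule file presents `%kevt.arg[target]` as the symbolic link itself, but `target` is the object the link resolves to, so the alert shows the destination rather than the link an analyst has to triage; reword it to `Suspicious object symbolic link pointing to %kevt.arg[target] created by process %ps.exe`, and if the event also exposes the link's own name, add that to the output since it is the primary triage value for the KnownDlls-style abuse the references describe. The exclusion block in `condition:` only suppresses an image that is signed, trusted and under one of the five listed paths, so a signed and trusted executable anywhere else (for example other binaries under Windows\System32) still alerts; say so in the description, e.g. append `Signed and trusted executables outside the listed locations still raise an alert; extend the path list rather than relaxing the signature checks when tuning.` The `create_symbolic_link_object` macro added in the macros.yml hunk requires `kevt.arg[status] = 'Success'`, so denied or failed link creations never reach this rule; that is a reasonable choice but should be stated in the description so that an absence of alerts is not read as an absence of attempts.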