SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe

[msnriggs]

sagan-rules/windows-sysmon.rules

Line 86 in 6f87a80

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd(.*)/i"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)

Seems to detect
1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges

What would be the best way to tighten that rule up? Maybe something like this?

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)

[beave]

Let me look closer... I need to compare between the two rules. I don't really see what you did. I'll get back with you in the AM. From: "msnriggs" <notifications@github.com> To: "beave/sagan-rules" <sagan-rules@noreply.github.com> Cc: "Subscribed" <subscribed@noreply.github.com> Sent: Monday, January 7, 2019 2:32:22 PM Subject: [beave/sagan-rules] SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe (#25) [ https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 | https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 ] Seems to detect 1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges What would be the best way to tighten that rule up? Maybe something like this? alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon ; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;) — You are receiving this because you are subscribed to this thread. Reply to this email directly, [ #25 | view it on GitHub ] , or [ https://github.com/notifications/unsubscribe-auth/AAT-4LKLUNSBZW7B18-0g68f7nETqypYks5vA6DGgaJpZM4Z0JeO | mute the thread ] .

[beave]

We ended up going with this after some experimentation.....

(note the "OriginalFileName":"Cmd.Exe")

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.)cmd(.)/i"; content: "OriginalFileName|22|:|22|Cmd.Exe|22|"; nocase; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:2;)

The only issue I see is that your sysmon output doesn't contact the "OriginalFileName"? Are you running the latest version of Sysmon? We might need to adjust this to us the "image name". Hmm...

[msnriggs]

It's sysmon 8.4 - getting ready to deploy 10 and play with it