
Test EDRSilencer

Open frack113 opened this issue 1 year ago • 0 comments

Summary of the Pull Request

I tried EDRSilencer and searched for artefacts it leaves behind.

Changelog

new: FWPUCLNT.DLL Loaded Via Uncommon Process new: Potential WFP Filters to Block Security Tools

Example Log Event

{
  "Company": "Microsoft Corporation",
  "Computer": "Win11",
  "Correlation_ActivityID": "{00000000-0000-0000-0000-000000000000}",
  "DefaultBase": "0x7FFE66CB0000",
  "Description": "FWP/IPsec User-Mode API",
  "EventID": "5",
  "Execution_ProcessID": "9236",
  "Execution_ThreadID": "9672",
  "FileAge": "70d17h50m50s",
  "FileCreationDate": "2024-09-27T18:26:09",
  "FileVersion": "10.0.22621.4249 (WinBuild.160101.0800)",
  "Hashes": "MD5=24B32FC11A638F35276B585E0D7880E5,SHA1=CE7A376C978BC28AE50B2BDBEA47AADDE07AA682,SHA256=1804C88B8A894E4BC63580CD93C2E19D4C40FA9B0E1DB4EB66A7593110CD1EF4,IMPHASH=0CA254034305A3720D197B3D4A52CBBB",
  "Image": "C:\\Users\\frack113\\Downloads\\EDRSilencer.exe",
  "ImageBase": "0x7FFE66CB0000",
  "ImageCheckSum": "575689",
  "ImageLoaded": "C:\\Windows\\System32\\FWPUCLNT.DLL",
  "ImageName": "\\Device\\HarddiskVolume3\\Windows\\System32\\FWPUCLNT.DLL",
  "ImageSize": "0x83000",
  "Keywords": "0x8000000000000040",
  "Level": "4",
  "Match_Strings": "\\FWPUCLNT.DLL in ImageLoaded",
  "Module": "Sigma",
  "Opcode": "0",
  "OriginalFileName": "fwpuclnt.dll",
  "ProcessId": "9236",
  "Product": "Microsoft® Windows® Operating System",
  "Provider_Guid": "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}",
  "Provider_Name": "Microsoft-Windows-Kernel-Process",
  "Rule_Author": "Frack113",
  "Rule_Description": "Detects loading of \"FWPUCLNT.dll\" by a uncommon process",
  "Rule_FalsePositives": "Unknown",
  "Rule_Id": "c6292f94-4f20-4155-ac75-b387ee6562dc",
  "Rule_Level": "medium",
  "Rule_Modified": "2024-12-07",
  "Rule_Path": "sigma-rules\\image_load_dll_fwpuclnt_suspicious_process.yml",
  "Rule_References": "Internal Research, https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c",
  "Rule_Sigtype": "custom",
  "Rule_Title": "FWPUCLNT.DLL Loaded Via Uncommon Process",
  "Security_UserID": "S-1-5-21-888117185-644776935-3477416708-1104",
  "Task": "5",
  "TimeCreated_SystemTime": "2024-12-07T12:03:06.2175739+01:00",
  "TimeDateStamp": "2256540336",
  "Timestamp": "2041-07-04T10:45:36",
  "Version": "0",
  "Winversion": "22631",
  "aurora_eventid": 7,
  "level": "notice",
  "msg": "Sigma match found",
  "time": "2024-12-07T12:03:06+01:00",
  "_Match": [
    "\\FWPUCLNT.DLL in ImageLoaded"
  ],
  "_Description": [
    "Detects loading of \"FWPUCLNT.dll\" by a uncommon process"
  ],
  "_Author": "Frack113"
}
{
  "Computer": "Win11",
  "Correlation_ActivityID": "{00000000-0000-0000-0000-000000000000}",
  "Details": "Binary Data",
  "EventID": "13",
  "EventType": "SetValue",
  "Execution_ProcessID": "3028",
  "Execution_ThreadID": "3580",
  "Image": "C:\\WINDOWS\\system32\\svchost.exe",
  "Keywords": "0x8000000000000000",
  "Level": "4",
  "Match_Strings": "\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\Filter\\ in TargetObject",
  "Module": "Sigma",
  "Opcode": "0",
  "ProcessGuid": "{095b1fc8-1e81-6754-2100-000000004700}",
  "ProcessId": "1488",
  "Provider_Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Provider_Name": "Microsoft-Windows-Sysmon",
  "RuleName": "-",
  "Rule_Author": "Frack113",
  "Rule_Description": "Detects when an attacker registers a new Add WFP filters to block Security tools",
  "Rule_FalsePositives": "Unknown",
  "Rule_Id": "1f1d8209-636e-4c6c-a137-781cca8b82f9",
  "Rule_Level": "medium",
  "Rule_Modified": "2024-12-07",
  "Rule_Path": "sigma-rules\\registry_add_persistence_amsi_providers.yml",
  "Rule_References": "Internal Research, https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c",
  "Rule_Sigtype": "custom",
  "Rule_Title": "Potential WFP filters to Block Security Tools",
  "Security_UserID": "S-1-5-18",
  "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\Filter\\{0ae23bf5-87c4-4ac9-ac15-a187b41af53d}",
  "Task": "13",
  "TimeCreated_SystemTime": "2024-12-07T11:58:12.7135863+01:00",
  "User": "AUTORITE NT\\SERVICE LOCAL",
  "UtcTime": "2024-12-07 10:58:12.705",
  "Version": "2",
  "Winversion": "22631",
  "aurora_eventid": 99,
  "level": "notice",
  "msg": "Sigma match found",
  "time": "2024-12-07T11:58:14+01:00",
  "_Match": [
    "\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\\Filter\\ in TargetObject"
  ],
  "_Description": [
    "Detects when an attacker registers a new Add WFP filters to block Security tools"
  ],
  "_Author": "Frack113"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113 avatar Dec 07 '24 13:12 frack113