Added new rules for Malware abusing grimresource and rtlo techniques
Summary of the Pull Request
Added new rules for Malware abusing grimresource and rtlo techniques
Changelog
new: MMC Loading Script Engines Dlls
new: Potentially Suspicious Child Processes Spawned by ConHost
new: Scheduled Task Creation Masquerading as System Processes
new: Schtasks Curl Download and Powershell Execution Combination
new: MMC Executing Files with Reversed Extensions Using RTLO Abuse
update: Potential Defense Evasion Via Right-to-Left Override
update: Potential File Extension Spoofing Using Right-to-Left Override
Example Log Event
The rules are based on the process tree observed for a malware variant from the Triage sandbox. Reference link: https://tria.ge/241015-l98snsyeje/behavioral2
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
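The RTLO extension spoofing that the updated rules cover, as an added example (not a Sigma rule and not code from this PR): a Python check that reconstructs how a filename containing U+202E renders to a user versus what the OS actually executes, then runs it over constructed Sysmon-style events. The simplified bidi model (everything after the override is displayed reversed), the field names and the extension list are assumptions.

```python
import re

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Executable/script types that RTLO spoofing is typically used to hide (assumed list).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".msc", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk"}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def analyze_filename(path: str) -> dict:
    """Compare the name a user sees with the name the OS uses for execution."""
    name = re.split(r"[\\/]", path)[-1]
    if RTLO not in name:
        return {"rtlo": False, "actual_ext": _ext(name), "displayed": name, "suspicious": False}
    # Simplified bidi rendering (assumption): text after the override is drawn
    # right-to-left, so the user sees it reversed. "x_\u202Efdp.exe" -> "x_exe.pdf".
    head, _, tail = name.partition(RTLO)
    displayed = head + tail[::-1]
    actual_ext = _ext(name.replace(RTLO, ""))
    return {
        "rtlo": True,
        "actual_ext": actual_ext,
        "displayed": displayed,
        # Flag only when the real type is executable and differs from what is shown.
        "suspicious": actual_ext in EXEC_EXT and _ext(displayed) != actual_ext,
    }


def scan_events(events):
    """Return (EventID, field, finding) for every spoofed path found in the events."""
    hits = []
    for ev in events:
        for field in ("Image", "TargetFilename", "CommandLine"):
            value = ev.get(field)
            if not value or RTLO not in value:
                continue
            # For command lines, analyse only the argument that carries the override.
            token = next(t for t in value.split() if RTLO in t)
            finding = analyze_filename(token)
            if finding["suspicious"]:
                hits.append((ev["EventID"], field, finding))
    return hits


# Constructed sample events with Sysmon-style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\Downloads\\invoice_\u202Efdp.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "mmc.exe C:\\Users\\u\\Downloads\\report_\u202Ecod.msc"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for event_id, field, finding in scan_events(SAMPLE_EVENTS):
        print(event_id, field, finding["displayed"], "is really", finding["actual_ext"])
```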
Hi, for RTLO there is a rule: https://github.com/SigmaHQ/sigma/blob/2bfb0935a08c52859f2653bf51dbf9f4bbb5d7aa/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml It is better to update the old one as they are similar.
@frack113, thank you for reminding me about this pre-existing rule, which I overlooked. I have made the changes to these rules as you suggested.