From 6d886618eac69f3cbec897854c1f6ef61487e9f3 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
Date: Thu, 9 Nov 2023 13:34:26 +0545
Subject: [PATCH] Added a generic rule that detect usage of windows in-built tools for ingress tool transfer
---
 ...in_susp_binaries_ingress_tool_transfer.yml | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_binaries_ingress_tool_transfer.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_binaries_ingress_tool_transfer.yml b/rules/windows/process_creation/proc_creation_win_susp_binaries_ingress_tool_transfer.yml
new file mode 100644
index 000000000000..67b710ad520d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_binaries_ingress_tool_transfer.yml
@@ -0,0 +1,79 @@
+title: Suspicious Windows Binaries Usage For Ingress Tool Transfer
+id: 8762a1ab-7013-44cc-8e75-1e2823bb16fc
+status: experimental
+description: Detects usage of windows native binaries for ingress tool transfer from referened url.
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+ - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
+ - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+ - https://lolbas-project.github.io/lolbas/Binaries/Desktopimgdownldr/
+ - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+ - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
+ - https://lolbas-project.github.io/lolbas/Binaries/Installutil/
+ - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
+ - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+ - https://lolbas-project.github.io/lolbas/Binaries/Mshta/
+ - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
+ - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
+ - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/MsoHtmEd/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Update/
+tags:
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image:
+ - Image|endswith:
+ - '\AppInstaller.exe'
+ - '\CertOC.exe'
+ - '\certutil.exe'
+ - '\Desktopimgdownldr.exe'
+ - '\IMEWDBLD.exe'
+ - '\ieexec.exe'
+ - '\InstallUtil.exe'
+ - '\MpCmdRun.exe'
+ - '\msedge.exe'
+ - '\Mshta.exe'
+ - '\Presentationhost.exe'
+ - '\regsvr32.exe'
+ - '\msedge_proxy.exe'
+ - '\MsoHtmEd.exe'
+ - '\Mspub.exe'
+ - '\msxsl.exe'
+ - '\ProtocolHandler.exe'
+ - '\squirrel.exe'
+ - '\update.exe'
+ - CommandLine|contains:
+ -'appinstaller'
+ -'certoc'
+ -'certutil'
+ -'Desktopimgdownldr'
+ -'IMEWDBLD'
+ -'ieexec'
+ -'InstallUtil'
+ -'MpCmdRun'
+ -'msedge'
+ -'Mshta'
+ -'Presentationhost'
+ -'regsvr32'
+ -'msedge_proxy'
+ -'MsoHtmEd'
+ -'Mspub'
+ -'msxsl'
+ -'ProtocolHandler.exe"
+ -'squirrel'
+ -'update.exe'
+ -'download'
+ selection_http:
+ CommandLine|contains: 'http'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
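Review bot: The `CommandLine|contains` entries under `selection_image` are written as `-'appinstaller'`, `-'certoc'`, … with no space after the dash, so YAML does not read them as a sequence: the run folds into one plain scalar (and `-'ProtocolHandler.exe"` has mismatched quotes), which means that branch can never match a real command line and the file will most likely be rejected by the project's YAML/Sigma validation; each entry should be `- 'appinstaller'` with a space after the dash and consistent single quotes. Separately, `selection_image` is a list of two maps, so its two branches are ORed, and ORing `'\msedge.exe'`, `'msedge'`, `'download'` and `'update.exe'` with `CommandLine|contains: 'http'` will fire on ordinary browser launches and routine update/download scripts, so the medium level and `Unknown` false-positive entry understate the noise. Consider splitting the image and command-line keywords into their own selections, dropping the generic terms, and stating the intent in the condition as sketched below. The description also carries typos (`referened url` → `referenced URL`), and `'\Mspub.exe'` appears in the image list without a matching reference entry.
```yaml
detection:
    selection_img:
        Image|endswith:
            # … unchanged: the image names from the hunk …
    selection_cli:
        CommandLine|contains:
            - 'appinstaller'
            # … unchanged: remaining binary names, each as "- 'name'", with the generic 'download', 'msedge' and 'update.exe' terms dropped …
    selection_http:
        CommandLine|contains: 'http'
    condition: (selection_img or selection_cli) and selection_http
```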