-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2019-04-003.yaml
62 lines (61 loc) · 2.6 KB
/
CAR-2019-04-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
---
title: Squiblydoo
submission_date: 2019/04/24
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2019-04-003
description: |
Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.
Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.
coverage:
- technique: T1218
tactics:
- TA0005
subtechniques:
- T1218.010
coverage: Moderate
implementations:
- description: This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it'll detect both loading from network as well as filesystem. This will have almost zero false positives so is suitable for alerting.
code: |
index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"
type: splunk
data_model: Sysmon native
- description: EQL version of the above Splunk search.
code: |
process where subtype.create and
(process_path == "*regsvr32.exe" and command_line == "*scrobj.dll")
type: EQL
data_model: EQL native
- description: Pseudocode version of the above Splunk search.
code: |
processes = search Process:Create
squiblydoo_processes = filter processes where (
image_path == "*regsvr32.exe" and command_line == "*scrobj.dll"
)
output squiblydoo_processes
type: psuedocode
data_model: CAR
- description: LogPoint version of the above pseudocode.
code: |
norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll"
type: LogPoint
data_model: LogPoint native
unit_tests:
- description: |
The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this.
data_model_references:
- process/create/exe
- process/create/command_line
references:
- As usual, credit to Roberto Rodriguez and the [ThreatHunter Playbook](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/platforms/windows/05_defense_evasion/regsvr32/variants/bypass_whitelisting_regsvr32.md).
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis