Exploit Prevention Expert Rules for MITRE - FIN7/Carbanak
Technical Articles ID: KB93828
Last Modified: 2022-04-18 10:22:26 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.7.x
Summary
These Exploit Prevention Expert Rules are constructed to protect against a range of MITRE ATT&CK techniques. They are designed for customers who meet the criteria below:
- Want to tighten up their defenses.
- Are willing to use features that need to be tweaked and monitored.
Enabling Expert Rules Content
For instructions to create Expert Rules, see the "Create Expert Rules" section of the Endpoint Security 10.7.x Product Guide. We recommend adding these rules at "Report" only with a "Medium" severity level.
We tested these rules on the Windows 10 May 2020 Update with the ENS 10.7.0 November 2020 Update. We also tested these rules for false positives in our internal environment, and exclusions have been added accordingly. But, if a false positive occurs in your environment, we recommend creating exclusions to suit your requirements.
Expert Rules
The following is a list of rules, including a description, that we recommend adding to your environment. There's also an explanation of the MITRE techniques they cover:
- T1089 – Disabling security tools for Fin7
- T1559.001 – Inter-Process Communication: Component Object Model for Fin7
- T1138 – Application Shimming
- T1088 – Bypass User Account Control Fin7
- T1053 – Scheduled Task for FIN7
- T1047 – Windows Management Instrumentation for FIN7
- T1503 – Credentials from Web Browsers - Chrome/Firefox/Opera Credentials
- T1060 – Registry Run Keys / Startup Folder for FIN7
- T1204 – User Execution for Fin7
- T1003 – Credential Dumping for FIN7
- T1055 – Process Injection
- T1569 – System Services: Service Execution
#1 MITRE Technique Explanation: T1089 – Disabling security tools for Fin7
Adversaries might disable security tools to avoid possible detection of their tools and activities. This action can include killing security software or event-logging processes; deleting registry keys so that tools don't start at runtime; or other methods to interfere with security scanning or event reporting.
Rule Name: T1089 – Disabling Security Tools - Local Security Authority (LSA) Configuration Changes
Rule Description: When this rule triggers, it indicates an attempt to modify the LSA configuration, which is a precursor to credential dumping. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the authentication applications used in their environment, or disable the signature if there are too many false positives.
Rule Class: Registry
Rule:
Rule {
    Process {
        Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
    Target {
        Match KEY {
            Include OBJECT_NAME { -v "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages" }
            Include -access "CREATE WRITE"
        }
    }
}
#2 MITRE Technique Explanation: T1559.001 – Inter-Process Communication: Component Object Model for Fin7
COM is a component of the native Windows Application Programming Interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.
Adversaries might abuse COM for local command or payload execution. Several COM interfaces are exposed that adversaries can abuse to invoke arbitrary execution via several programming languages such as C, C++, Java, and VBScript. Specific COM objects also exist to directly perform functions beyond code execution. These objects include Scheduled Task creation, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.
#2.1 Rule Name: T1559.001 – COM - Word.Application using PowerShell and Python
Rule Description: When this rule triggers, it indicates an attempt to abuse the Windows COM object for code execution, locally or remotely, through the Word application via Python or PowerShell.
Rule Class: Registry
Rule:
Rule {
    Process {
        Include OBJECT_NAME {
            -v "powershell.exe"
            -v "powershell_ise.exe"
            -v "python.exe"
            -v "python3.exe"
        }
    }
    Target {
        Match KEY {
            Include OBJECT_NAME { -v "HKCR\\Word.Application\\CLSID\\**" }
            Include OBJECT_NAME { -v "HKCR\\Word.Application.*\\CLSID\\**" }
            Include -access "READ"
        }
    }
}
#2.2 Rule Name: T1559.001 – COM - Word.Application using MSHTA - JScript and VBScript
Rule Description: When this rule triggers, it indicates an attempt to abuse the COM object using MSHTA via JScript or VBScript.
Rule Class: Registry
Rule:
Rule {
    Process {
        Include OBJECT_NAME {
            -v "mshta.exe"
        }
        Include DLL_LOADED -name "jscript9" { -v 0x1 }
        Include DLL_LOADED -name "vbscript" { -v 0x1 }
    }
    Target {
        Match KEY {
            Include OBJECT_NAME { -v "HKCR\\Word.Application\\CLSID\\**" }
            Include OBJECT_NAME { -v "HKCR\\Word.Application.*\\CLSID\\**" }
            Include -access "READ"
        }
    }
}
#2.3 Rule Name: T1559.001 – COM - WMI using PowerShell/WMIC/MSHTA/VBScript
Rule Description: When this rule triggers, it indicates an attempt to abuse the COM object using WMI via PowerShell, WMIC, MSHTA, or VBScript. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Rule {
    Process {
        Include OBJECT_NAME {
            -v "powershell.exe"
            -v "powershell_ise.exe"
            -v "mshta.exe"
            -v "wscript.exe"
            -v "cscript.exe"
        }
        Include AggregateMatch -xtype "ex1" {
            Exclude PROCESS_CMD_LINE { -v "*McAfee\\MAR\\scripts\\*" }
        }
        Include AggregateMatch -xtype "ex2" {
            Exclude PROCESS_CMD_LINE { -v "** **\\Windows\\Temp\"\\lsusers.vbs" }
        }
        Include AggregateMatch -xtype "ex3" {
            Exclude PROCESS_CMD_LINE { -v "*Windows\\Temp\\lsusers.vbs*" }
        }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "wmiutils.dll" }
        }
    }
}
#3 MITRE Technique Explanation: T1138 – Application Shimming
The Microsoft Windows Application Compatibility Infrastructure or Framework (Application Shim) allows for backward compatibility of software as the operating system codebase changes over time. When a program is executed, the Shim cache is referenced to determine whether the program requires the use of a Shim database (.sdb file). If so, the Shim database uses hooking to redirect the code as needed to communicate with the operating system.
To keep Shims secure, Windows designed them to run in user mode so they can't modify the kernel, and you must have administrator rights to install a Shim. But certain Shims can be used to bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to hooking, using these Shims might allow an adversary to perform several malicious acts, such as elevating permissions, installing backdoors, and disabling defenses like Windows Defender.
#3.1 Rule Name: T1138 – Application Shimming-Persistence using SDB file - Registry Access
Rule Description: When this rule triggers, it indicates an attempt to abuse application shimming through registry access. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "sdbinst.exe" }
    }
    Target {
        Match KEY {
            Include OBJECT_NAME {
                -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom"
            }
            Include OBJECT_NAME {
                -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB"
            }
            Include -access "WRITE CREATE"
        }
    }
}
#3.2 Rule Name: T1138 – Application Shimming-Persistence using SDB File
Rule Description: When this rule triggers, it indicates an attempt to abuse application shimming through SDB file creation and execution via PowerShell.
Rule Class: Processes
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "powershell.exe" }
        Include OBJECT_NAME { -v "powershell_ise.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "sdbinst.exe" }
            Include -access "CREATE EXECUTE"
        }
    }
}
#4 MITRE Technique Explanation: T1088 – Bypass UAC Fin7
Windows UAC allows a program to elevate its permissions (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, or allowing them to enter an administrator password to complete the action.
An example is use of Rundll32 to load a crafted DLL that loads an auto-elevated Component Object Model object and performs a file operation in a protected directory that would typically require elevated access. Malware might also be injected into a trusted process to gain elevated permissions without prompting a user.
Rule Name: T1088 – BypassUAC-Sysprep DLL Hijack
Rule Description: When this rule triggers, it indicates an attempt to bypass User Account Control by hijacking system DLLs loaded by sysprep.exe from a location other than %windir%\system32.
Rule Class: Processes
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "sysprep.exe" }
        Include CERT_NAME { -v "*Microsoft Corporation*" }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "cryptsp.dll" }
            Include OBJECT_NAME { -v "cryptbase.dll" }
            Include OBJECT_NAME { -v "RpcRtRemote.dll" }
            Include OBJECT_NAME { -v "UxTheme.dll" }
            Include OBJECT_NAME { -v "dwmapi.dll" }
            Include OBJECT_NAME { -v "SHCORE.dll" }
            Include OBJECT_NAME { -v "OLEACC.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\cryptsp.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\cryptbase.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\RpcRtRemote.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\UxTheme.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\dwmapi.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\SHCORE.dll" }
            Exclude OBJECT_NAME { -v "%windir%\\system32\\OLEACC.dll" }
        }
    }
}
#5 MITRE Technique Explanation: T1053 – Scheduled Task for FIN7
Adversaries might abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malware. There are multiple ways to access the Task Scheduler in Windows. An adversary might use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote execution as part of Lateral Movement or to run a process under the context of a specified account (such as SYSTEM).
Rule Name: T1053 – Scheduled Task for FIN7 using schtasks create/modify/delete
Rule Description: When this rule triggers, it indicates an attempt to abuse the Task Scheduler feature for persistence and execution. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
        Exclude OBJECT_NAME { -v "WSQMCONS.exe" }
        Exclude OBJECT_NAME { -v "**\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
        Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
        Exclude OBJECT_NAME { -v "**\\program files\\microsoft office\\**.exe" }
        Exclude OBJECT_NAME { -v "**\\program files (x86)\\microsoft office\\**.exe" }
        Exclude OBJECT_NAME { -v "**\\Program Files\\McAfee\\**" }
        Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\McAfee\\**" }
        Exclude PROCESS_CMD_LINE { -v "**\\McAfee\\MAR\\scripts\\**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "schtasks.exe" }
            Include PROCESS_CMD_LINE { -v "*/create*" }
            Include PROCESS_CMD_LINE { -v "*/delete*" }
            Include PROCESS_CMD_LINE { -v "*/change*" }
            Include -access "CREATE EXECUTE"
        }
    }
}
#6 MITRE Technique Explanation: T1047 – Windows Management Instrumentation (WMI) for FIN7
WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. WMI relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.
An adversary can use WMI to interact with local and remote systems and use it to perform many tactic functions, such as gathering information for discovery and remote execution of files as part of Lateral Movement.
Rule Name: T1047 – Execute a program using WMIC
Rule Description: When this rule triggers, it indicates an attempt to abuse the WMI feature for persistence. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Rule {
    Target {
        Match PROCESS {
            Include DESCRIPTION { -v "WMI Commandline Utility" }
            Include PROCESS_CMD_LINE { -v "* process */FORMAT:*" }
            Include PROCESS_CMD_LINE { -v "* process *call *create *" }
            Include -access "CREATE"
        }
    }
}
#7 MITRE Technique Explanation: T1503 – Credentials from Web Browsers - Chrome/Firefox/Opera Credentials
Adversaries might acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they don’t need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. But, methods exist to extract plaintext credentials from web browsers. Adversaries might also acquire credentials by searching web browser process memory for patterns that commonly match credentials. After acquiring credentials from web browsers, adversaries might try to recycle the credentials across different systems or accounts to expand access.
Rule Name: T1503 – Credentials from Web Browsers - Chrome/Firefox/Opera Credentials
Rule Description: When this rule triggers, it indicates an attempt to access the files in which browsers store credentials. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
    Process {
        Include AggregateMatch -xtype "not_excluded_path" {
            Include OBJECT_NAME { -v "**" }
            Exclude OBJECT_NAME {
                -v "**\\Google\\Chrome\\Application\\chrome.exe"
                -v "**\\Mozilla Firefox\\firefox.exe"
                -v "**\\Windows\\System32\\browserexport.exe"
                -v "**\\chrome-win\\chrome.exe"
                -v "**\\Microsoft\\Edge\\Application\\msedge.exe"
                -v "**\\Opera\\*\\opera.exe"
                -v "**\\Vivaldi\\Application\\vivaldi.exe"
                -v "**\\Chromium\\Application\\chrome.exe"
                -v "ir_agent.exe"
            }
        }
        Include AggregateMatch -xtype "not_trusted" {
            Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME {
                -v "**\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
                -v "**\\AppData\\Local\\Google\\Chrome\\User Data\\Profile *\\Login Data"
                -v "**\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data"
                -v "**\\AppData\\Local\\Chromium\\User Data\\Profile *\\Login Data"
                -v "**\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"
                -v "**\\AppData\\Local\\Microsoft\\Edge\\User Data\\Profile *\\Login Data"
                -v "**\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data"
                -v "**\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data"
                -v "**\\AppData\\Local\\Vivaldi\\User Data\\Profile *\\Login Data"
                -v "**\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\logins.json"
            }
            Include -access "READ WRITE DELETE RENAME"
        }
    }
}
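As an added example, not part of the KB article or of McAfee tooling: a Python dry-run of rule #7's Process and Target logic against constructed file events, which helps when deciding whether an exclusion is needed before moving the rule beyond "Report". It assumes the ENS wildcard semantics ('*' stops at a backslash, '**' crosses it, matching is case-insensitive), that a pattern containing no backslash is compared against the file name only, and models the VTP trust check as a bitmask test.

```python
import re

# Patterns from rule #7, written as the engine sees them (single backslashes).
PROCESS_EXCLUDES = [
    r'**\Google\Chrome\Application\chrome.exe',
    r'**\Mozilla Firefox\firefox.exe',
    r'**\Windows\System32\browserexport.exe',
    r'**\chrome-win\chrome.exe',
    r'**\Microsoft\Edge\Application\msedge.exe',
    r'**\Opera\*\opera.exe',
    r'**\Vivaldi\Application\vivaldi.exe',
    r'**\Chromium\Application\chrome.exe',
    r'ir_agent.exe',
]
TARGET_FILES = [
    r'**\AppData\Local\Google\Chrome\User Data\Default\Login Data',
    r'**\AppData\Local\Google\Chrome\User Data\Profile *\Login Data',
    r'**\AppData\Local\Chromium\User Data\Default\Login Data',
    r'**\AppData\Local\Chromium\User Data\Profile *\Login Data',
    r'**\AppData\Local\Microsoft\Edge\User Data\Default\Login Data',
    r'**\AppData\Local\Microsoft\Edge\User Data\Profile *\Login Data',
    r'**\AppData\Roaming\Opera Software\Opera Stable\Login Data',
    r'**\AppData\Local\Vivaldi\User Data\Default\Login Data',
    r'**\AppData\Local\Vivaldi\User Data\Profile *\Login Data',
    r'**\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json',
]
TARGET_ACCESS = {'READ', 'WRITE', 'DELETE', 'RENAME'}   # from: Include -access "..."
VTP_TRUSTED = 0x8   # bit tested by: Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }


def to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Expert Rule path pattern to a regex.

    Assumed wildcard semantics: '*' matches any run of characters except a
    backslash, '**' also crosses backslashes, and matching is case-insensitive.
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            parts.append('.*')
            i += 2
        elif pattern[i] == '*':
            parts.append(r'[^\\]*')
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile(''.join(parts), re.IGNORECASE)


def name_matches(pattern: str, path: str) -> bool:
    """Assumption: a pattern with no backslash is compared to the file name only."""
    subject = path if '\\' in pattern else path.rsplit('\\', 1)[-1]
    return to_regex(pattern).fullmatch(subject) is not None


def rule_fires(process_path: str, vtp_privileges: int, file_path: str, access: str) -> bool:
    """Evaluate rule #7 for one file event: True means the rule would report it."""
    # Process block: both AggregateMatch groups must hold.
    if any(name_matches(p, process_path) for p in PROCESS_EXCLUDES):
        return False          # "not_excluded_path": a known browser or agent binary
    if vtp_privileges & VTP_TRUSTED:
        return False          # "not_trusted": the process carries the VTP trust bit
    # Target block: the file must match a credential-store path and the access type.
    if access.upper() not in TARGET_ACCESS:
        return False
    return any(name_matches(p, file_path) for p in TARGET_FILES)


if __name__ == '__main__':
    # Constructed events; none of these are real telemetry.
    login_data = r'C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data'
    print(rule_fires(r'C:\Users\bob\Downloads\tool.exe', 0, login_data, 'READ'))            # True
    print(rule_fires(r'C:\Program Files\Google\Chrome\Application\chrome.exe', 0, login_data, 'READ'))  # False
```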
#8 MITRE Technique Explanation: T1060 – Registry Run Keys / Startup Folder for FIN7
Adding an entry to the "run keys" in the registry or startup folder causes the program referenced to be executed when a user logs in. These programs are executed under the context of the user and have the account's associated permissions level.
#8.1 Rule Name: T1060 – Registry autorun of .lnk/.vbs/.vba files
Rule Description: When this rule triggers, it indicates an attempt to register a program to execute at user logon. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Rule {
    Target {
        Match VALUE {
            Include OBJECT_NAME {
                -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
                -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
                -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
                -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
                -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
                -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
                -v "HKLM\\SOFTWARE\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
                -v "HKLM\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
                -v "HKLM\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
                -v "HKCU\\SOFTWARE\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
                -v "HKCU\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
                -v "HKCU\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
            }
            Include REGVAL_DATA -type STRING {
                -v "**.lnk"
                -v "**.vba"
                -v "**.vbs"
            }
            Include REGVAL_DATA -type EXPANDABLE_STRING {
                -v "**.lnk"
                -v "**.vba"
                -v "**.vbs"
            }
            Include REGVAL_DATA -type MULTI_STRING {
                -v "**.lnk"
                -v "**.vba"
                -v "**.vbs"
            }
            Include -access "CREATE WRITE"
        }
    }
}
#8.2 Rule Name: T1060 – Startup Folder - Files in startup folders
Rule Description: When this rule triggers, it indicates an attempt to create an executable file in a startup folder. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
    Process {
        Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "%systemdrive%\\Users\\*\\appdata\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**.exe" }
            Include OBJECT_NAME { -v "%systemdrive%\\Users\\*\\Start Menu\\Programs\\Startup\\**.exe" }
            Include -access "CREATE"
        }
    }
}
#9 MITRE Technique Explanation: T1204 – User Execution for Fin7
An adversary might rely on specific actions by a user to gain execution. This action might be direct code execution, such as when a user opens a malicious executable delivered via a spear phishing attachment with the icon and apparent extension of a document file. It also might lead to other execution techniques, such as when a user clicks a link delivered via a spear phishing link that leads to exploitation of a browser or application vulnerability via exploitation for client execution. Adversaries might use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Rule Name: T1204 – Payload execution through LNK file embedded in Office document
Rule Description: When this rule triggers, it indicates an attempt to create a .lnk file from the Word application. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "winword.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\temp\\*.lnk" }
            Include -access "CREATE"
        }
    }
}
#10 MITRE Technique Explanation: T1003 – Credential Dumping for FIN7
Monitor for unexpected processes interacting with lsass.exe. Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers might also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
#10.1 Rule Name: T1003 – Export SAM from registry or LSA Export Registry entry
Rule Description: When this rule triggers, it indicates an attempt to export the SAM or LSA secrets from the registry. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Rule {
    Process {
        Include AggregateMatch -xtype "1" {
            Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
        }
        Include AggregateMatch -xtype "2" {
            Exclude OBJECT_NAME { -v "TIWORKER.EXE" }
            Exclude OBJECT_NAME { -v "DEVICECENSUS.EXE" }
            Exclude OBJECT_NAME { -v "TRUSTEDINSTALLER.EXE" }
            Exclude OBJECT_NAME { -v "TASKHOSTW.EXE" }
            Exclude OBJECT_NAME { -v "OMADMCLIENT.EXE" }
            Exclude OBJECT_NAME { -v "SERVICES.EXE" }
            Exclude OBJECT_NAME { -v "CSRSS.EXE" }
            Exclude OBJECT_NAME { -v "SVCHOST.EXE" }
            Exclude OBJECT_NAME { -v "WINLOGON.EXE" }
            Exclude OBJECT_NAME { -v "SCHTASKS.EXE" }
            Exclude OBJECT_NAME { -v "REGEDIT.EXE" }
            Exclude OBJECT_NAME { -v "UpdateNotificationMgr.exe" }
            Exclude OBJECT_NAME { -v "**\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
            Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
            Exclude OBJECT_NAME { -v "**\\program files\\microsoft office\\**.exe" }
            Exclude OBJECT_NAME { -v "**\\program files (x86)\\microsoft office\\**.exe" }
        }
    }
    Target {
        Match KEY {
            Include OBJECT_NAME { -v "HKLM\\SAM" }
            Include OBJECT_NAME { -v "HKLM\\SAM\\Domain\\Account" }
            Include OBJECT_NAME { -v "HKLM\\SECURITY\\Policy\\Secrets" }
            Include -access "READ"
        }
    }
}
#10.2 Rule Name: T1003 – Copy SAM file using Volume Shadow Copy Service tools
Rule Description: When this rule triggers, it indicates an attempt to copy the SAM file using Volume Shadow Copy Service tools. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "esentutl.exe" }
        Include DLL_LOADED -name "vssapi" { -v 0x1 }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\windows\\system32\\config\\sam" }
            Include -access "READ"
        }
    }
}
#11 MITRE Technique Explanation: T1055 – Process Injection
Adversaries might inject code into processes to evade process-based defenses and possibly elevate permissions. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process might allow access to the process's memory, system or network resources, and possibly elevated permissions. Execution via process injection might also evade detection from security products since the execution is masked under a legitimate process.
Rule Name: T1055 – ODBCconf DLL injection - Defense Evasion for FIN7
Rule Description: When this rule triggers, it indicates an attempt to abuse odbcconf.exe to load a potentially malicious DLL.
Rule Class: Processes
Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "odbcconf.exe" }
            Include PROCESS_CMD_LINE { -v "*REGSVR*" }
            Include PROCESS_CMD_LINE { -v "*-encodedcommand*" }
            Include -access "CREATE"
        }
    }
}
#12 MITRE Technique Explanation: T1569 – System Services: Service Execution
Adversaries might abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services. Many services are set to run at boot, which can aid in achieving persistence (create or modify the System process), but adversaries can also abuse services for one-time or temporary execution.
Rule Name: T1569 – Service execution using PSExec
Rule Description: When this rule triggers, it indicates an attempt to abuse PSExec, or a similar tool, by connecting to the named pipes these tools use to transfer standard output, input, and error. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
    Process {
        Include OBJECT_NAME {
            -v "*.exe"
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME {
                -v "**pipe\\psexesvc*"
            }
            Include OBJECT_NAME {
                -v "**pipe\\remcom*"
            }
            Include OBJECT_NAME {
                -v "**pipe\\PAExec*"
            }
            Include OBJECT_NAME {
                -v "**pipe\\csexec*"
            }
            Include -access "CONNECT_NAMED_PIPE"
        }
    }
}
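As an added example, not from the KB article or from McAfee: a small Python linter for Expert Rule text that checks brace balance, that every -v value is quoted or numeric, and that each Match type fits the stated Rule Class, using the class-to-Match pairings seen in the rules above (SECTION matches are allowed to carry no -access line because the rules above never give them one). The sample inputs are rule #3.2 and a constructed variant of rule #12 with an unquoted -v *.exe.

```python
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\{|\}|[^\s{}]+')   # quoted string, brace, or bare word
KEYWORDS = {'Rule', 'Process', 'Target', 'Match', 'Include', 'Exclude'}
NUMBER = re.compile(r'0x[0-9A-Fa-f]+|\d+')                # "-v 0x8" style values need no quotes
# Match types that appear with each Rule Class in the rules above.
CLASS_TO_MATCH = {'Registry': {'KEY', 'VALUE'}, 'Files': {'FILE'}, 'Processes': {'PROCESS', 'SECTION'}}

@dataclass
class Node:
    head: list                       # tokens before '{', or a whole brace-less statement
    children: list = field(default_factory=list)

def parse(text: str) -> Node:
    """Build a tree from rule text; raise ValueError on unbalanced braces."""
    root, pending = Node([]), []
    stack = [root]
    for tok in TOKEN.findall(text):
        if tok in KEYWORDS and pending:          # a new statement starts: flush the last one
            stack[-1].children.append(Node(pending))
            pending = []
        if tok == '{':
            node = Node(pending)
            pending = []
            stack[-1].children.append(node)
            stack.append(node)
        elif tok == '}':
            if pending:
                stack[-1].children.append(Node(pending))
                pending = []
            if len(stack) == 1:
                raise ValueError('unbalanced: extra }')
            stack.pop()
        else:
            pending.append(tok)
    if pending:
        stack[-1].children.append(Node(pending))
    if len(stack) != 1:
        raise ValueError('unbalanced: missing }')
    return root

def walk(node: Node):
    yield node
    for child in node.children:
        yield from walk(child)

def lint(rule_class: str, text: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    try:
        tree = parse(text)
    except ValueError as err:
        return [f'syntax: {err}']
    rules = [n for n in tree.children if n.head[:1] == ['Rule']]
    if len(rules) != 1:
        return [f'expected exactly one Rule block, found {len(rules)}']
    rule = rules[0]
    for n in walk(rule):                         # every -v value must be quoted or numeric
        for i, tok in enumerate(n.head):
            if tok == '-v':
                val = n.head[i + 1] if i + 1 < len(n.head) else ''
                if not (val.startswith('"') or NUMBER.fullmatch(val)):
                    findings.append(f'unquoted -v value in: {" ".join(n.head)}')
    targets = [n for n in rule.children if n.head[:1] == ['Target']]
    if len(targets) != 1:
        return findings + ['rule needs exactly one Target block']
    allowed = CLASS_TO_MATCH.get(rule_class, set())
    for m in targets[0].children:
        if m.head[:1] != ['Match'] or len(m.head) < 2:
            findings.append(f'unexpected statement in Target: {" ".join(m.head)}')
            continue
        mtype = m.head[1]
        if mtype not in allowed:
            findings.append(f'Match {mtype} does not fit Rule Class {rule_class}')
        has_access = any(c.head[:2] == ['Include', '-access'] for c in m.children)
        if mtype != 'SECTION' and not has_access:   # the SECTION matches above carry no -access
            findings.append(f'Match {mtype} has no Include -access line')
    return findings

# Sample inputs: rule #3.2 as listed above, and a constructed variant of rule #12 with "-v *.exe" unquoted.
SDB_RULE = r'''Rule {
    Process {
        Include OBJECT_NAME { -v "powershell.exe" }
        Include OBJECT_NAME { -v "powershell_ise.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "sdbinst.exe" }
            Include -access "CREATE EXECUTE"
        }
    }
}'''
PSEXEC_RULE = r'''Rule {
    Process { Include OBJECT_NAME { -v *.exe } }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**pipe\\psexesvc*" }
            Include -access "CONNECT_NAMED_PIPE"
        }
    }
}'''
BROKEN_RULE = SDB_RULE.rstrip()[:-1]             # constructed: closing brace dropped
```

Running lint over each rule before importing it into the policy catches the quoting slip and a class/Match mismatch that would otherwise only show up as a rule that never fires.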
- Want to tighten up their defenses.
- Are willing to use features that need to be tweaked and monitored.
Enabling Expert Rules Content
For instructions to create Expert Rules, see the "Create Expert Rules" section of the Endpoint Security 10.7.x Product Guide. We recommend adding these rules at "Report" only with a "Medium" severity level.
We tested these rules on the Windows 10 May 2020 Update with the ENS 10.7.0 November 2020 Update. We also tested these rules for false positives in our internal environment, and exclusions have been added accordingly. But, if a false positive occurs in your environment, we recommend creating exclusions to suit your requirements.
Expert Rules
The following is a list of rules, including a description, that we recommend adding to your environment. There's also an explanation of the
- T1089 – Disabling security tools for Fin7
- T1559.001 – Inter-Process Communication: Component Object Model for Fin7
- T1138 – Application Shimming
- T1088 – Bypass User Account Control Fin7
- T1053 – Scheduled Task for FIN7
- T1047 – Windows Management Instrumentation for FIN7
- T1503 – Credentials from Web Browsers - Chrome/Firefox/Opera Credentials
- T1060 – Registry Run Keys / Startup Folder for FIN7
- T1204 – User Execution for Fin7
- T1003 – Credential Dumping for FIN7
- T1055 – Process Injection
- T1569 – System Services: Service Execution
#1
Adversaries might disable security tools to avoid possible detection of their tools and activities. This action can include killing security software or event-logging processes; deleting registry keys so that tools don't start at runtime; or other methods to interfere with security scanning or event reporting.
Rule Name: T1089 – Disabling Security Tools -
Rule Description: This rule trigger indicates an attempt to modify the LSA configuration, which is a pre-cursor to credential dumping. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the authentication applications used in their environment, or disable the signature if there are too many false positives.
Rule Class: Registry
Rule:
Process {
Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
}
Target {
Match KEY {
Include OBJECT_NAME { -v "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages" }
Include -access "CREATE WRITE"
}
}
}
#2
COM is a component of the native Windows Application Programming Interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.
Adversaries might abuse COM for local command or payload execution. Several COM interfaces are exposed that adversaries can abuse to invoke arbitrary execution via several programming languages such as C, C++, Java, and VBScript. Specific COM objects also exist to directly perform functions beyond code execution. These objects include Scheduled Task creation, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.
#2.1 Rule Name: T1559.001 – COM - Word.Application using PowerShell and Python
Rule Description: This rule trigger indicates an attempt to abuse the Windows Component object for code execution locally or remotely through the Word application via Python or PowerShell.
Rule Class: Registry
Rule:
Process {
Include OBJECT_NAME {
-v "powershell.exe"
-v "powershell_ise.exe"
-v "python.exe"
-v "python3.exe"
}
}
Target {
Match KEY {
Include OBJECT_NAME { -v "HKCR\\Word.Application\\CLSID\\**" }
Include OBJECT_NAME { -v "HKCR\\Word.Application.*\\CLSID\\**" }
Include -access "READ"
}
}
}
#2.2 Rule Name: T1559.001 – COM - Word.Application using MSHTA - JScript and VBScript
Rule Description: This rule trigger indicates an attempt to abuse the COM object using MSHTA via JavaScript or VBScript.
Rule Class: Registry
Rule:
Process {
Include OBJECT_NAME {
-v "mshta.exe"
}
Include DLL_LOADED -name "jscript9" { -v 0x1 }
Include DLL_LOADED -name "vbscript" { -v 0x1 }
}
Target {
Match KEY {
Include OBJECT_NAME { -v "HKCR\\Word.Application\\CLSID\\**" }
Include OBJECT_NAME { -v "HKCR\\Word.Application.*\\CLSID\\**" }
Include -access "READ"
}
}
}
#2.3 Rule Name: T1559.001 – COM -
Rule Description: This rule trigger indicates an attempt to abuse the COM object using WMI via PowerShell, WMIC, MSHTA, or VBScript. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Process {
Include OBJECT_NAME {
-v "powershell.exe"
-v "powershell_ise.exe"
-v "mshta.exe"
-v "wscript.exe"
-v "cscript.exe"
}
Include AggregateMatch -xtype "ex1" {
Exclude PROCESS_CMD_LINE { -v "*McAfee\\MAR\\scripts\\*" }
}
Include AggregateMatch -xtype "ex2" {
Exclude PROCESS_CMD_LINE { -v "** **\\Windows\\Temp\"\\lsusers.vbs" }
}
Include AggregateMatch -xtype "ex3" {
Exclude PROCESS_CMD_LINE { -v "*Windows\\Temp\\lsusers.vbs*" }
}
}
Target {
Match SECTION {
Include OBJECT_NAME { -v "wmiutils.dll" }
}
}
}
#3
The Microsoft Windows Application Compatibility Infrastructure or Framework (Application Shim) allows for backward compatibility of software as the operating system codebase changes over time. When a program is executed, the Shim cache is referenced to determine whether the program requires the use of the Shim database (
To keep Shims secure, Windows designed them to run in user mode so they can't modify the kernel, and you must have administrator rights to install a Shim. But, certain Shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to hooking, using these Shims might allow an adversary to perform several malicious acts such as elevate permissions, install backdoors, and disable defenses like Windows Defender.
#3.1 Rule Name: T1138 – Application Shimming-Persistence using SDB file - Registry Access
Rule Description: This rule trigger indicates an attempt to abuse application shimming through registry access. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rules to the applications used in their environment or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Process {
Include OBJECT_NAME { -v "sdbinst.exe" }
}
Target {
Match KEY {
Include OBJECT_NAME {
-v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom"
}
Include OBJECT_NAME {
-v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB"
}
Include -access "WRITE CREATE"
}
}
}
#3.2 Rule Name: T1138 – Application Shimming-Persistence using SDB File
Rule Description: This rule trigger indicates an attempt to abuse application shimming through SDB file creation and execution via PowerShell.
Rule Class: Processes
Rule:
Process {
Include OBJECT_NAME { -v "powershell.exe" }
Include OBJECT_NAME { -v "powershell_ise.exe" }
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v "sdbinst.exe" }
Include -access "CREATE EXECUTE"
}
}
}
#4
Windows UAC allows a program to elevate its permissions (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, or allowing them to enter an administrator password to complete the action.
An example is use of Rundll32 to load a crafted DLL that loads an auto-elevated Component Object Model object and performs a file operation in a protected directory that would typically require elevated access. Malware might also be injected into a trusted process to gain elevated permissions without prompting a user.
Rule Name: T1088 – Bypass
Rule Description: When this rule triggers, it indicates an attempt to bypass User Account Control by hijacking system DLLs.
Rule Class: Processes
Rule:
Rule {
  Process {
    Include OBJECT_NAME { -v "sysprep.exe" }
    Include CERT_NAME { -v "*Microsoft Corporation*" }
  }
  Target {
    Match SECTION {
      Include OBJECT_NAME { -v "cryptsp.dll" }
      Include OBJECT_NAME { -v "cryptbase.dll" }
      Include OBJECT_NAME { -v "RpcRtRemote.dll" }
      Include OBJECT_NAME { -v "UxTheme.dll" }
      Include OBJECT_NAME { -v "dwmapi.dll" }
      Include OBJECT_NAME { -v "SHCORE.dll" }
      Include OBJECT_NAME { -v "OLEACC.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\cryptsp.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\cryptbase.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\RpcRtRemote.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\UxTheme.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\dwmapi.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\SHCORE.dll" }
      Exclude OBJECT_NAME { -v "%windir%\\system32\\OLEACC.dll" }
    }
  }
}
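The Match SECTION block above pairs a bare-name Include with a full-path Exclude for each DLL, which amounts to "flag the named module when it is loaded from anywhere except its %windir%\system32 copy". The Python function below is an added example, not ENS code and not taken from this article, that applies the same check to a constructed list of modules loaded by a process; the module paths, the "C:\Windows" default and the reading of the rule's Exclude lines as "only the system32 copy is legitimate" are assumptions made for the example.

```python
import ntpath

# DLL names rule #4 watches. The rule's Exclude lines are read here as "the copy
# under %windir%\system32 is the legitimate one" (assumption for this example).
WATCHED_DLLS = {"cryptsp.dll", "cryptbase.dll", "RpcRtRemote.dll", "UxTheme.dll",
                "dwmapi.dll", "SHCORE.dll", "OLEACC.dll"}


def suspicious_loads(modules, windir="C:\\Windows"):
    """Return the loaded module paths a 'Match SECTION' rule like #4 would flag:
    a watched DLL name loaded from any directory other than %windir%\\system32.
    Comparison is case-insensitive, as NTFS names are."""
    watched = {name.lower() for name in WATCHED_DLLS}
    legit_dir = ntpath.normcase(ntpath.join(windir, "system32"))
    flagged = []
    for path in modules:
        name = ntpath.basename(path).lower()
        if name in watched and ntpath.normcase(ntpath.dirname(path)) != legit_dir:
            flagged.append(path)
    return flagged


# Constructed module list for a sysprep.exe process: system copies of the watched
# DLLs plus one same-named DLL sitting next to the executable instead.
SAMPLE_MODULES = [
    "C:\\Windows\\System32\\sysprep\\sysprep.exe",
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\CRYPTSP.dll",
    "C:\\Windows\\System32\\sysprep\\CRYPTBASE.dll",   # watched name, wrong directory
    "C:\\Windows\\System32\\UxTheme.dll",
]
```

suspicious_loads(SAMPLE_MODULES) returns only the CRYPTBASE.dll entry from the sysprep directory; the system32 copies pass, whatever their letter case. The windir parameter exists so the check can be exercised offline against captured module lists from machines with a non-default Windows directory.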
#5
Adversaries might abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malware. There are multiple ways to access the Task Scheduler in Windows. An adversary might use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote execution as part of Lateral Movement or to run a process under the context of a specified account (such as SYSTEM).
Rule Name: T1053 – Scheduled Task for FIN7 using
Rule Description: When this rule triggers, it indicates an attempt to abuse the Task Scheduler feature for persistence and execution. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
    Exclude OBJECT_NAME { -v "WSQMCONS.exe" }
    Exclude OBJECT_NAME { -v "**\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
    Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
    Exclude OBJECT_NAME { -v "**\\program files\\microsoft office\\**.exe" }
    Exclude OBJECT_NAME { -v "**\\program files (x86)\\microsoft office\\**.exe" }
    Exclude OBJECT_NAME { -v "**\\Program Files\\McAfee\\**" }
    Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\McAfee\\**" }
    Exclude PROCESS_CMD_LINE { -v "**\\McAfee\\MAR\\scripts\\**" }
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "schtasks.exe" }
      Include PROCESS_CMD_LINE { -v "*/create*" }
      Include PROCESS_CMD_LINE { -v "*/delete*" }
      Include PROCESS_CMD_LINE { -v "*/change*" }
      Include -access "CREATE EXECUTE"
    }
  }
}
#6
WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. WMI relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.
An adversary can use WMI to interact with local and remote systems and use it to perform many tactic functions, such as gathering information for discovery and remote execution of files as part of Lateral Movement.
Rule Name: T1047 – Execute a program using WMIC
Rule Description: When this rule triggers, it indicates an attempt to abuse the WMI feature for persistence. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Processes
Rule:
Rule {
  Target {
    Match PROCESS {
      Include DESCRIPTION { -v "WMI Commandline Utility" }
      Include PROCESS_CMD_LINE { -v "* process */FORMAT:*" }
      Include PROCESS_CMD_LINE { -v "* process *call *create *" }
      Include -access "CREATE"
    }
  }
}
#7
Adversaries might acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they don’t need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. But, methods exist to extract plaintext credentials from web browsers. Adversaries might also acquire credentials by searching web browser process memory for patterns that commonly match credentials. After acquiring credentials from web browsers, adversaries might try to recycle the credentials across different systems or accounts to expand access.
Rule Name: T1503 – Credentials from Web Browsers - Chrome/Firefox/Opera Credentials
Rule Description: When this rule triggers, it indicates an attempt to access the files in which browsers store credentials. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
  Process {
    Include AggregateMatch -xtype "not_excluded_path" {
      Include OBJECT_NAME { -v "**" }
      Exclude OBJECT_NAME {
        -v "**\\Google\\Chrome\\Application\\chrome.exe"
        -v "**\\Mozilla Firefox\\firefox.exe"
        -v "**\\Windows\\System32\\browserexport.exe"
        -v "**\\chrome-win\\chrome.exe"
        -v "**\\Microsoft\\Edge\\Application\\msedge.exe"
        -v "**\\Opera\\*\\opera.exe"
        -v "**\\Vivaldi\\Application\\vivaldi.exe"
        -v "**\\Chromium\\Application\\chrome.exe"
        -v "ir_agent.exe"
      }
    }
    Include AggregateMatch -xtype "not_trusted" {
      Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME {
        -v "**\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
        -v "**\\AppData\\Local\\Google\\Chrome\\User Data\\Profile *\\Login Data"
        -v "**\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data"
        -v "**\\AppData\\Local\\Chromium\\User Data\\Profile *\\Login Data"
        -v "**\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"
        -v "**\\AppData\\Local\\Microsoft\\Edge\\User Data\\Profile *\\Login Data"
        -v "**\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data"
        -v "**\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data"
        -v "**\\AppData\\Local\\Vivaldi\\User Data\\Profile *\\Login Data"
        -v "**\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\logins.json"
      }
      Include -access "READ WRITE DELETE RENAME"
    }
  }
}
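What decides whether rules #5 and #7 fire, and what a tuning exclusion actually changes, is how their Include, Exclude and AggregateMatch lines combine: the acting process must satisfy every aggregate, several patterns for one attribute are alternatives, and one matching Exclude vetoes its aggregate. The model below is an added example written for this article, not ENS code; its matching semantics are assumptions ("**" matches across backslashes, "*" stops at a backslash in path attributes, comparison is case-insensitive, a bare file name pattern is compared with the file name only, VTP_PRIVILEGES 0x8 is tested as a bit), it encodes only a subset of the two rules' pattern lists, and the events it evaluates are constructed. It shows which events would trigger and which are suppressed by an exclusion, which is the behaviour to pin down in a test before adding a new exclusion of your own.

```python
import re
from dataclasses import dataclass, field

PATH_ATTRS = {"OBJECT_NAME"}  # attributes where '*' must not cross a backslash (assumed)

def glob_to_regex(pattern, path_like):
    """Assumed ENS pattern semantics: '**' matches anything, '*' matches anything
    except a backslash in path attributes; comparison is case-insensitive."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*" if path_like else ".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def value_matches(attr, pattern, value):
    """Compare one event attribute with one rule pattern."""
    if attr == "VTP_PRIVILEGES":  # BITMASK test; 0x8 taken as the trusted-process bit (assumed)
        return bool(int(value or 0) & int(pattern))
    value = str(value)
    if attr in PATH_ATTRS and "\\" not in pattern:
        value = value.rsplit("\\", 1)[-1]  # a bare name pattern compares with the file name
    return glob_to_regex(pattern, attr in PATH_ATTRS).match(value) is not None

@dataclass
class Aggregate:
    """One AggregateMatch block, or a section's plain Include/Exclude lines.
    Includes: OR within one attribute, AND across attributes. Any Exclude hit vetoes."""
    includes: dict = field(default_factory=dict)
    excludes: dict = field(default_factory=dict)

    def matches(self, ev):
        for attr, pats in self.includes.items():
            if not any(value_matches(attr, p, ev.get(attr, "")) for p in pats):
                return False
        return not any(value_matches(attr, p, ev.get(attr, ""))
                       for attr, pats in self.excludes.items() for p in pats)

@dataclass
class Rule:
    process: list       # every aggregate must match the acting process
    target: Aggregate   # the object being acted on
    access: set         # any listed access type triggers

    def triggers(self, event):
        return (all(a.matches(event["process"]) for a in self.process)
                and self.target.matches(event["target"])
                and bool(self.access & event["access"]))

# Rule #7 (T1503) and rule #5 (T1053), each with a subset of the article's pattern lists.
T1503 = Rule(
    process=[Aggregate(includes={"OBJECT_NAME": ["**"]},
                       excludes={"OBJECT_NAME": ["**\\Google\\Chrome\\Application\\chrome.exe",
                                                 "**\\Mozilla Firefox\\firefox.exe"]}),
             Aggregate(excludes={"VTP_PRIVILEGES": [0x8]})],
    target=Aggregate(includes={"OBJECT_NAME": [
        "**\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
        "**\\AppData\\Local\\Google\\Chrome\\User Data\\Profile *\\Login Data",
        "**\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\logins.json"]}),
    access={"READ", "WRITE", "DELETE", "RENAME"})

T1053 = Rule(
    process=[Aggregate(includes={"OBJECT_NAME": ["**"]},
                       excludes={"OBJECT_NAME": ["WSQMCONS.exe",
                                                 "**\\program files\\microsoft office\\**.exe"],
                                 "PROCESS_CMD_LINE": ["**\\McAfee\\MAR\\scripts\\**"]})],
    target=Aggregate(includes={"OBJECT_NAME": ["schtasks.exe"],
                               "PROCESS_CMD_LINE": ["*/create*", "*/delete*", "*/change*"]}),
    access={"CREATE", "EXECUTE"})

def ev(proc, target, cmd, access, priv=0):
    """Build one constructed event: acting process, target object, target command line."""
    return {"process": {"OBJECT_NAME": proc, "VTP_PRIVILEGES": priv},
            "target": {"OBJECT_NAME": target, "PROCESS_CMD_LINE": cmd}, "access": set(access)}

TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"  # constructed, as are the paths below
CHROME_STORE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

SAMPLES = {  # name -> (rule, constructed event)
    "dropper reads Chrome Login Data": (T1503, ev(TEMP_EXE, CHROME_STORE, "", ["READ"])),
    "Chrome reads its own store": (T1503, ev(
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", CHROME_STORE, "", ["READ"])),
    "trusted agent reads store": (T1503, ev(
        "C:\\Program Files\\Backup\\agent.exe", CHROME_STORE, "", ["READ"], priv=0x8)),
    "dropper reads Firefox logins.json": (T1503, ev(TEMP_EXE,
        "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\logins.json",
        "", ["READ"])),
    "Temp binary creates a task": (T1053, ev(TEMP_EXE, SCHTASKS,
        "schtasks.exe /create /tn Updater /tr " + TEMP_EXE, ["CREATE"])),
    "Temp binary only queries tasks": (T1053, ev(TEMP_EXE, SCHTASKS, "schtasks.exe /query", ["CREATE"])),
    "Office binary creates a task (excluded path)": (T1053, ev(
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\UpdateHelper.exe", SCHTASKS,
        "schtasks.exe /create /tn OfficeUpdate /tr x", ["CREATE"])),
}

def evaluate():
    """Return {event name: would the rule trigger}; the False entries show the exclusions at work."""
    return {name: rule.triggers(event) for name, (rule, event) in SAMPLES.items()}
```

evaluate() reports True for the two Temp-dropper credential reads and the task creation, and False for the browser reading its own store, the trusted (0x8) process, the query-only schtasks call and the parent under the Office path. The same Aggregate and Rule classes express the other rules on this page (for example #10.1's two numbered aggregates), so a tuning change can be checked against captured events before it is deployed.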
#8
Adding an entry to the "run keys" in the registry or startup folder causes the program referenced to be executed when a user logs in. These programs are executed under the context of the user and have the account's associated permissions level.
#8.1 Rule Name: T1060 – Registry autorun of
Rule Description: When this rule triggers, it indicates an attempt to register a program for execution at user logon. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Rule {
  Target {
    Match VALUE {
      Include OBJECT_NAME {
        -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
        -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
        -v "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
        -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
        -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
        -v "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
        -v "HKLM\\SOFTWARE\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
        -v "HKLM\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
        -v "HKLM\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
        -v "HKCU\\SOFTWARE\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
        -v "HKCU\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\**"
        -v "HKCU\\Software\\WOW6432node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\**"
      }
      Include REGVAL_DATA -type STRING {
        -v "**.lnk"
        -v "**.vba"
        -v "**.vbs"
      }
      Include REGVAL_DATA -type EXPANDABLE_STRING {
        -v "**.lnk"
        -v "**.vba"
        -v "**.vbs"
      }
      Include REGVAL_DATA -type MULTI_STRING {
        -v "**.lnk"
        -v "**.vba"
        -v "**.vbs"
      }
      Include -access "CREATE WRITE"
    }
  }
}
#8.2 Rule Name: T1060 – Startup Folder - Files in startup folders
Rule Description: When this rule triggers, it indicates an attempt to create files in the startup folder. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
  Process {
    Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "%systemdrive%\\Users\\*\\appdata\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**.exe" }
      Include OBJECT_NAME { -v "%systemdrive%\\Users\\*\\Start Menu\\Programs\\Startup\\**.exe" }
      Include -access "CREATE"
    }
  }
}
#9
An adversary might rely on specific actions by a user to gain execution. This action might be direct code execution, such as when a user opens a malicious executable delivered via a spear phishing attachment with the icon and apparent extension of a document file. It also might lead to other execution techniques, such as when a user clicks a link delivered via a spear phishing link that leads to exploitation of a browser or application vulnerability via exploitation for client execution. Adversaries might use several types of files that require a user to execute them, including
Rule Name: T1204 – Payload execution through LNK file embedded in Office document
Rule Description: When this rule triggers, it indicates an attempt to create a
Rule Class: Files
Rule:
Rule {
  Process {
    Include OBJECT_NAME { -v "winword.exe" }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "**\\temp\\*.lnk" }
      Include -access "CREATE"
    }
  }
}
#10
Monitoring for unexpected processes interacting with
#10.1 Rule Name: T1003 – Export SAM from registry or LSA Export Registry entry
Rule Description: When this rule triggers, it indicates an attempt to export the SAM from the registry. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Registry
Rule:
Rule {
  Process {
    Include AggregateMatch -xtype "1" {
      Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
    Include AggregateMatch -xtype "2" {
      Exclude OBJECT_NAME { -v "TIWORKER.EXE" }
      Exclude OBJECT_NAME { -v "DEVICECENSUS.EXE" }
      Exclude OBJECT_NAME { -v "TRUSTEDINSTALLER.EXE" }
      Exclude OBJECT_NAME { -v "TASKHOSTW.EXE" }
      Exclude OBJECT_NAME { -v "OMADMCLIENT.EXE" }
      Exclude OBJECT_NAME { -v "SERVICES.EXE" }
      Exclude OBJECT_NAME { -v "CSRSS.EXE" }
      Exclude OBJECT_NAME { -v "SVCHOST.EXE" }
      Exclude OBJECT_NAME { -v "WINLOGON.EXE" }
      Exclude OBJECT_NAME { -v "SCHTASKS.EXE" }
      Exclude OBJECT_NAME { -v "REGEDIT.EXE" }
      Exclude OBJECT_NAME { -v "UpdateNotificationMgr.exe" }
      Exclude OBJECT_NAME { -v "**\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
      Exclude OBJECT_NAME { -v "**\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\*.exe" }
      Exclude OBJECT_NAME { -v "**\\program files\\microsoft office\\**.exe" }
      Exclude OBJECT_NAME { -v "**\\program files (x86)\\microsoft office\\**.exe" }
    }
  }
  Target {
    Match KEY {
      Include OBJECT_NAME { -v "HKLM\\SAM" }
      Include OBJECT_NAME { -v "HKLM\\SAM\\Domain\\Account" }
      Include OBJECT_NAME { -v "HKLM\\SECURITY\\Policy\\Secrets" }
      Include -access "READ"
    }
  }
}
#10.2 Rule Name: T1003 – Copy SAM file using Volume Shadow Copy Service tools
Rule Description: When this rule triggers, it indicates an attempt to copy the SAM file using Volume Shadow Copy Service tools. This rule is for monitoring or telemetry. Customers are advised to fine-tune the rule to the applications used in their environment, or disable the signature if there are false positives.
Rule Class: Files
Rule:
Rule {
  Process {
    Include OBJECT_NAME { -v "esentutl.exe" }
    Include DLL_LOADED -name "vssapi" { -v 0x1 }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME { -v "**\\windows\\system32\\config\\sam" }
      Include -access "READ"
    }
  }
}
#11
Adversaries might inject code into processes to evade process-based defenses and possibly elevate permissions. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process might allow access to the process's memory, system or network resources, and possibly elevated permissions. Execution via process injection might also evade detection from security products since the execution is masked under a legitimate process.
Rule Name: T1055 –
Rule Description: When this rule triggers, it indicates an attempt to abuse
Rule Class: Processes
Rule:
Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "odbcconf.exe" }
      Include PROCESS_CMD_LINE { -v "*REGSVR*" }
      Include PROCESS_CMD_LINE { -v "*-encodedcommand*" }
      Include -access "CREATE"
    }
  }
}
#12
Adversaries might abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.
Rule Name: T1569 – Service execution using
Rule Description: When this rule triggers, it indicates an attempt to abuse
Rule Class: Files
Rule:
Rule {
  Process {
    Include OBJECT_NAME {
      -v "*.exe"
    }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME {
        -v "**pipe\\psexesvc*"
      }
      Include OBJECT_NAME {
        -v "**pipe\\remcom*"
      }
      Include OBJECT_NAME {
        -v "**pipe\\PAExec*"
      }
      Include OBJECT_NAME {
        -v "**pipe\\csexec*"
      }
      Include -access "CONNECT_NAMED_PIPE"
    }
  }
}