Renamed rundll32 execution should be a critical alert that rises to the top of the SOC queue. Don't wait for correlation to trip, respond ASAP.🚨 Sigma Rule from @cyb3rops : github.com/SigmaHQ/sigma/blo…
#TA580 pretty active today. Dropping more #CobaltStrike Benign Conversations -> (separate email thread) URL -> Password-Protected Zip -> IMG -> LNK -> BAT -> DLL CS config: tria.ge/230110-v3r11sgg49/be…

Jan 10, 2023 · 6:12 PM UTC

We need a Venn diagram of orgs having the capabilities to detect this, but still allowing Rob & Bob to mount .img or .iso files on their machines
Often MSSPs have no control over blocks, so alerting is the best they can do. And most orgs use an MSSP, so sadly, most orgs still probably allow mounting. If they have an excellent MSSP though, it shouldn't get past the first host.
Unfortunately, many orgs do not have Sysmon
Many have EDRs though that gather the telemetry.
Wait, "rename in place"? or "copy then rename"? or "move c:\temp\something.exe"?
If anyone wants the Sentinel/Defender KQL, you can use the Defender file creation logs: DeviceFileEvents | where ActionType == 'FileRenamed' | where PreviousFileName =~ 'rundll32.exe'
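Added example, not code from anyone in the thread: the two detections discussed above, run over constructed sample events so the difference between them is visible. The first check is the logic I assume the linked Sigma rule uses (the URL is truncated above, so this is an assumption): the PE version-resource OriginalFileName says RUNDLL32.EXE but the image path does not end in \rundll32.exe. Sysmon Event ID 1 carries that field as OriginalFileName; Defender exposes it as ProcessVersionInfoOriginalFileName. The second check is the FileRenamed/PreviousFileName query from the reply above. The events, paths and file names are made up. The rename check answers the "rename in place" case only; a copy of rundll32.exe written under a new name shows up as FileCreated with no PreviousFileName, so only the process-creation check catches it, and it does so at execution time regardless of how the file got its name.

```python
# Added example: renamed-rundll32 detection over constructed Sysmon/Defender-
# style events. Field names follow Sysmon Event ID 1 (Image, OriginalFileName)
# and Defender DeviceFileEvents (ActionType, FileName, PreviousFileName).
# All values below are constructed for the example, not real telemetry.

PROCESS_EVENTS = [
    # Legitimate rundll32: image name and PE OriginalFileName agree.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # 32-bit copy is also legitimate; the filter must not fire on SysWOW64.
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe printui.dll,PrintUIEntry"},
    # Copied/renamed rundll32 loading an attacker DLL: the version resource
    # still says RUNDLL32.EXE even though the file is now update.exe.
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"update.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"},
    # Unrelated binary.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
    # Binary with no version resource: field absent, so this rule cannot
    # match it (a rundll32 whose version resource was altered is invisible here).
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": None,
     "CommandLine": "svc.exe"},
]

FILE_EVENTS = [
    # Rename in place: caught by the PreviousFileName query.
    {"ActionType": "FileRenamed", "FolderPath": r"C:\Temp",
     "FileName": "svc.exe", "PreviousFileName": "rundll32.exe"},
    # Ordinary rename, must not fire.
    {"ActionType": "FileRenamed", "FolderPath": r"C:\Users\bob\Documents",
     "FileName": "report.docx", "PreviousFileName": "report.doc"},
    # Copy of rundll32.exe to a new name: only a FileCreated event, no
    # PreviousFileName, so the rename query does not see it.
    {"ActionType": "FileCreated", "FolderPath": r"C:\Users\bob\AppData\Local\Temp",
     "FileName": "update.exe", "PreviousFileName": ""},
]


def is_renamed_rundll32_exec(ev):
    """OriginalFileName is RUNDLL32.EXE but the image path is not rundll32.exe."""
    original = (ev.get("OriginalFileName") or "").upper()
    image = (ev.get("Image") or "").lower()
    return original == "RUNDLL32.EXE" and not image.endswith("\\rundll32.exe")


def is_rundll32_rename(ev):
    """Equivalent of: ActionType == 'FileRenamed' and PreviousFileName =~ 'rundll32.exe'.
    KQL's =~ is case-insensitive, hence the lower()."""
    previous = (ev.get("PreviousFileName") or "").lower()
    return ev.get("ActionType") == "FileRenamed" and previous == "rundll32.exe"


def find_alerts(process_events, file_events):
    """Return one alert dict per matching event, tagged with the rule that fired."""
    alerts = []
    for ev in process_events:
        if is_renamed_rundll32_exec(ev):
            alerts.append({"rule": "renamed_rundll32_execution",
                           "image": ev["Image"], "command_line": ev["CommandLine"]})
    for ev in file_events:
        if is_rundll32_rename(ev):
            alerts.append({"rule": "rundll32_file_renamed",
                           "path": ev["FolderPath"] + "\\" + ev["FileName"],
                           "previous_name": ev["PreviousFileName"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(PROCESS_EVENTS, FILE_EVENTS):
        print(alert)
```

Run against the constructed events this yields exactly two alerts: the execution of update.exe (caught by OriginalFileName, not by any file event) and the in-place rename of rundll32.exe to svc.exe. The copy that produced update.exe produces no file-level alert, which is why the process-creation check is the one to escalate on.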