-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
…Potential Abuse new: Load Of RstrtMgr DLL From Suspicious Process new: Load Of RstrtMgr.DLL By An Uncommon Process --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: phantinuss <[email protected]>
- Loading branch information
3 people
authored
Nov 28, 2023
1 parent
42a8da8
commit 588ad3e
Showing
2 changed files
with
105 additions
and
0 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| title: Load Of RstrtMgr.DLL By A Suspicious Process | ||
| id: b48492dc-c5ef-4572-8dff-32bc241c15c8 | ||
| related: | ||
| - id: 3669afd2-9891-4534-a626-e5cf03810a61 | ||
| type: derived | ||
| status: experimental | ||
| description: | | ||
| Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. | ||
| This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. | ||
| It could also be used for anti-analysis purposes by shut downing specific processes. | ||
| references: | ||
| - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ | ||
| - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ | ||
| - https://www.swascan.com/cactus-ransomware-malware-analysis/ | ||
| - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html | ||
| author: Luc Génaux | ||
| date: 2023/11/28 | ||
| tags: | ||
| - attack.impact | ||
| - attack.defense_evasion | ||
| - attack.t1486 | ||
| - attack.t1562.001 | ||
| logsource: | ||
| category: image_load | ||
| product: windows | ||
| detection: | ||
| selection_img: | ||
| - ImageLoaded|endswith: '\RstrtMgr.dll' | ||
| - OriginalFileName: 'RstrtMgr.dll' | ||
| selection_folders_1: | ||
| Image|contains: | ||
| # Note: increase coverage by adding more suspicious paths | ||
| - ':\Perflogs\' | ||
| - ':\Users\Public\' | ||
| - '\Temporary Internet' | ||
| selection_folders_2: | ||
| - Image|contains|all: | ||
| - ':\Users\' | ||
| - '\Favorites\' | ||
| - Image|contains|all: | ||
| - ':\Users\' | ||
| - '\Favourites\' | ||
| - Image|contains|all: | ||
| - ':\Users\' | ||
| - '\Contacts\' | ||
| condition: selection_img and 1 of selection_folders_* | ||
| falsepositives: | ||
| - Processes related to software installation | ||
| level: high |
56 changes: 56 additions & 0 deletions
56
rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| title: Load Of RstrtMgr.DLL By An Uncommon Process | ||
| id: 3669afd2-9891-4534-a626-e5cf03810a61 | ||
| related: | ||
| - id: b48492dc-c5ef-4572-8dff-32bc241c15c8 | ||
| type: derived | ||
| status: experimental | ||
| description: | | ||
| Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. | ||
| This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. | ||
| It could also be used for anti-analysis purposes by shut downing specific processes. | ||
| references: | ||
| - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ | ||
| - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ | ||
| - https://www.swascan.com/cactus-ransomware-malware-analysis/ | ||
| - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html | ||
| author: Luc Génaux | ||
| date: 2023/11/28 | ||
| tags: | ||
| - attack.impact | ||
| - attack.defense_evasion | ||
| - attack.t1486 | ||
| - attack.t1562.001 | ||
| logsource: | ||
| category: image_load | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| - ImageLoaded|endswith: '\RstrtMgr.dll' | ||
| - OriginalFileName: 'RstrtMgr.dll' | ||
| filter_main_generic: | ||
| Image|contains: | ||
| - ':\$WINDOWS.~BT\' | ||
| - ':\$WinREAgent\' | ||
| - ':\Program Files (x86)\' | ||
| - ':\Program Files\' | ||
| - ':\ProgramData\' | ||
| - ':\Windows\explorer.exe' | ||
| - ':\Windows\SoftwareDistribution\' | ||
| - ':\Windows\SysNative\' | ||
| - ':\Windows\System32\' | ||
| - ':\Windows\SysWOW64\' | ||
| - ':\Windows\WinSxS\' | ||
| - ':\WUDownloadCache\' | ||
| filter_main_user_software_installations: | ||
| Image|contains|all: | ||
| - ':\Users\' | ||
| - '\AppData\Local\Temp\is-' | ||
| - '.tmp\' | ||
| Image|endswith: '.tmp' | ||
| filter_main_admin_software_installations: | ||
| Image|contains: ':\Windows\Temp\' | ||
| condition: selection and not 1 of filter_main_* | ||
| falsepositives: | ||
| - Other legitimate Windows processes not currently listed | ||
| - Processes related to software installation | ||
| level: low |