
New Rule : Load Of RstrtMgr DLL From Suspicious Process #4588

Merged
merged 10 commits into from
Nov 28, 2023

Conversation

EzLucky
Contributor

@EzLucky EzLucky commented Nov 22, 2023

Summary of the Pull Request

Adds a new rule concerning the load of the library RstrtMgr.dll, seen used by ransomware, and more recently in a wiper.

The Restart Manager enables processes to release the locks on targeted files by terminating processes that are using them if required conditions are met. However, this mechanism can be hijacked to serve malicious purposes. (Source: crowdstrike.com)

Changelog

new: Load Of RstrtMgr DLL From Suspicious Process
new: Load Of RstrtMgr.DLL By An Uncommon Process

Example Log Event

False positive example (here installing vscode), filtered out in the yaml.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
        <EventID>7</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>7</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2023-11-22T13:13:13.7490898Z'/>
        <EventRecordID>270</EventRecordID>
        <Correlation/>
        <Execution ProcessID='7696' ThreadID='6052'/>
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>win10.test.fr</Computer>
        <Security UserID='S-1-5-18'/>
    </System>
    <EventData>
        <Data Name='RuleName'>RstrtMgr</Data>
        <Data Name='UtcTime'>2023-11-22 13:12:58.686</Data>
        <Data Name='ProcessGuid'>{ab4f5939-fe5a-655d-6003-000000000700}</Data>
        <Data Name='ProcessId'>6708</Data>
        <Data Name='Image'>C:\Users\user\AppData\Local\Temp\is-B9I22.tmp\VSCodeSetup-x64-1.84.2.tmp</Data>
        <Data Name='ImageLoaded'>C:\Windows\SysWOW64\RstrtMgr.dll</Data>
        <Data Name='FileVersion'>10.0.19041.1 (WinBuild.160101.0800)</Data>
        <Data Name='Description'>Restart Manager</Data>
        <Data Name='Product'>Microsoft® Windows® Operating System</Data>
        <Data Name='Company'>Microsoft Corporation</Data>
        <Data Name='OriginalFileName'>RstrtMgr.dll</Data>
        <Data Name='Hashes'>SHA1=E91DE95656FA2C900502F518249911B611D668E9,MD5=766E48E14C31E8CC5582526A9062B33C,SHA256=CEBECB11278CC1ABF66E0084EB4C05EEF2092C0BB4E5267B0C1B4982732D289C,IMPHASH=B599AD2C53C16A483B33915298E8064E</Data>
        <Data Name='Signed'>true</Data>
        <Data Name='Signature'>Microsoft Windows</Data>
        <Data Name='SignatureStatus'>Valid</Data>
        <Data Name='User'>WIN10\user</Data>
    </EventData>
</Event>

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 22, 2023
@nasbench nasbench self-requested a review November 22, 2023 15:47
@nasbench nasbench self-assigned this Nov 22, 2023
@nasbench nasbench added the Work In Progress Some changes are needed label Nov 22, 2023
@nasbench nasbench removed the Work In Progress Some changes are needed label Nov 28, 2023
@nasbench
Member

Thanks for the contribution @EzLucky

I reduced the original rule to a low level just because in practice a lot of locations in Program Files and ProgramData from updaters and other software will use this. I also included other locations used by Windows update/upgrade/recovery itself.

I created another rule that's focused on suspicious locations instead, with a higher level.

@nasbench nasbench added the 2nd Review Needed PR need a second approval label Nov 28, 2023
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Nov 28, 2023
@nasbench nasbench merged commit 588ad3e into SigmaHQ:master Nov 28, 2023
11 checks passed