Sigma rules for CVE-2013-6141
2 rules · scoped to cve · back to CVE-2013-6141
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Process Monitor Driver Creation By Non-Sysinternals Binary
id: a05baa88-e922-4001-bc4d-8738135f27de
status: test
description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1068
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\procmon'
TargetFilename|endswith: '.sys'
filter_main_process_explorer:
Image|endswith:
- '\procmon.exe'
- '\procmon64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur with legitimate renamed process monitor binaries
level: medium
title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
status: test
description: |
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021-12-30
modified: 2024-03-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Control\Print\Monitors\'
Details|endswith: '.dll'
filter_optional_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
Details: 'cpwmon64_v40.dll'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_monvnc:
TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
filter_optional_vnc:
TargetObject|contains|all:
- 'Control\Print\Environments\'
- '\Drivers\'
- '\VNC Printer'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml
simulation:
- type: atomic-red-team
name: Add Port Monitor persistence in Registry
technique: T1547.010
atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50