title: Powershell Install a DLL in System Directory
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: test
description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2024-01-22
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline:
        CommandLine|contains|all:
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            - 'scecli\0*'
            - 'reg add'
    condition: selection_cmdline
falsepositives:
    - Unknown
level: medium

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium