Windows Malware Detection

Windows.Detection.ProcessMemory

Scanning process memory for signals is a powerful technique. This artifact scans processes for a yara signature and, when the signature matches, dumps the process memory and uploads it to the server.

Arg            Default                 Description
processRegex   notepad
yaraRule       (rule below)

  rule Process {
    strings:
      $a = "this is a secret" nocase wide
      $b = "this is a secret" nocase
    condition:
      any of them
  }

Windows.Detection.PsexecService

PSExec works by installing a new service in the system. The service can be renamed using the -r flag and therefore it is not enough to just watch for a new service called psexecsvc.exe. This artifact improves on this by scanning the service binary to detect the original psexec binary.

Arg            Default                 Description
yaraRule       (rule below)

  rule PsExec {
    strings:
      $a = "psexec" nocase
      $b = "psexec" nocase wide

    condition:
      any of them
  }

Windows.Detection.Thumbdrives.List

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact watches for any removable drives and provides a complete file listing to the server for any new drive inserted. It also provides information about any addition to the thumb drive (e.g. a new file copied onto the drive).

We exclude very large removable drives since they might have too many files.

Arg            Default                 Description
maxDriveSize   32000000000             We ignore removable drives larger than this size in bytes.

Windows.Detection.Thumbdrives.OfficeKeywords

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact automatically scans any office files copied to a removable drive for keywords. This could be useful to detect exfiltration attempts of restricted documents.

We exclude very large removable drives since they might have too many files.

Arg                Default                 Description
officeExtensions   \.(xls xlsm
yaraRule           (rule below)            This yara rule will be run on document contents.

  rule Hit {
    strings:
      $a = "this is my secret" wide nocase
      $b = "this is my secret" nocase

    condition:
      any of them
  }

Windows.Detection.Thumbdrives.OfficeMacros

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact watches for any removable drives and scans any added office documents for VBA macros.

We exclude very large removable drives since they might have too many files.

Arg                Default                 Description
officeExtensions   \.(xls xlsm

Windows.Detection.WMIProcessCreation

WMI Process creation is a common lateral movement technique. The attacker simply uses WMI to call the Create() method on the Win32_Process WMI object.

This can be easily done via the wmic.exe command or via powershell:

wmic process call create cmd.exe

Windows.Persistence.Debug

Windows allows per-executable configuration of various programs via a registry key. Some of these keys allow defining a debugger that is attached to a program as it is run. If a debugger is configured for a commonly used program (e.g. notepad), then the configured program is launched at the same time as the original, with the same privileges.

Arg                         Default                                                                                             Description
imageFileExecutionOptions   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*

Windows.Persistence.PermanentWMIEvents

Malware often registers a permanent event listener within WMI. When the event fires, the WMI system itself will invoke the consumer to handle the event. The malware does not need to be running at the time the event fires. Malware can use this mechanism to re-infect the machine for example.

Arg            Default                 Description
namespace      root/subscription
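The filter-to-consumer chain this artifact collects can also be reviewed interactively on a single host. The following PowerShell is an added example, not the artifact's own VQL; it assumes the CIM cmdlets are available and uses the artifact's default root/subscription namespace, and Get-RefName is a helper name chosen here.

```powershell
# Added example: list every permanent WMI event subscription in a namespace and
# join each binding to its filter (the WQL trigger) and consumer (the action),
# so a reviewer sees what fires and what runs. Not part of the artifact itself.
param([string]$Namespace = 'root/subscription')  # the artifact's default namespace

$filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

# Reference properties come back as CimInstance objects from Get-CimInstance,
# but as strings like __EventFilter.Name="x" from Get-WmiObject; handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query                   # WQL event trigger
        ConsumerType = $c.CimClass.CimClassName   # e.g. CommandLineEventConsumer
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text
        Action       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    }
}
```

A binding whose consumer is a CommandLineEventConsumer or ActiveScriptEventConsumer is the case to inspect first, since the Action column is what WMI will execute without the malware itself running.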

Windows.Persistence.PowershellRegistry

A common persistence technique is to install a hook into a user profile registry hive using powershell. When the user logs in, the powershell script downloads a payload and executes it.

This artifact searches the user’s profile registry hive for signatures related to general Powershell execution. We use a yara signature specifically targeting the user’s profile which we extract using raw NTFS parsing (in case the user is currently logged on and the registry hive is locked).

Arg            Default                 Description
yaraRule       (rule below)

  rule PowerShell {
    strings:
      $a = /ActiveXObject.{,500}eval/ wide nocase

    condition:
      any of them
  }