9bb4cab82da739620bb1e54af0cc9d6a
[{"rule_id":379,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1742377058044,"modify_time":1742377058044,"severity":"SEV_040_HIGH","source":"[email protected]","comment":"cdpsgshims.dll created, opened, renamed or written to disk (DLL search order hijacking, T1574.001); one alert per cid. Note: only the Linux BTP rule lowercases the file name, the Windows and Mac rules compare it case-sensitively.","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":{"runOnCGO":true,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"2","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"3","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"cdpsgshims.dll","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"1767d03009b9052475a528306e7b66d2","indicator_text":"File action type = create, read, rename, write AND file name = cdpsgshims.dll","name":"ATD-cdpsgshims.dll","mitre_technique_id_and_name":"T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking","mitre_tactic_id_and_name":"TA0004 - Privilege Escalation","mitre_tactic_id":"TA0004","mitre_technique_id":"T1574.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid 
?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid))))"}},"btp_rule_name":"file_operation_379","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1742377058044,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}]