2c823e94e0f46facdbbc0042b90d6755
[{"rule_id":387,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1683118009481,"modify_time":1683797390193,"severity":"SEV_030_MEDIUM","source":"[email protected]","comment":"The StorSvc.dll!SvcRebootToFlashingMode RPC method, calls StorSvc.dll!InitResetPhone which also calls StorSvc.dll!ResetPhoneWorkerCallback, that tries to load SprintCSP.dll. As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the StorSvc process runs under NT AUTHORITY\\SYSTEM.","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":{"runOnCGO":false,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"3","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"SprintCSP.dll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"f8103c0bb88607a5d23e9c7d1d9adc30","indicator_text":"File action type = create, rename, write AND file name = SprintCSP.dll","name":"SprintCSP.dll created to disk (StorSvc LPE)","mitre_technique_id_and_name":"T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking","mitre_tactic_id_and_name":"TA0004 - Privilege Escalation","mitre_tactic_id":"TA0004","mitre_technique_id":"T1574.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: 
(and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"}},"btp_rule_name":"file_operation_387","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1683118009481}]