diff --git a/rules/defense_evasion_suspicious_virtual_path_redirection.yml b/rules/defense_evasion_suspicious_virtual_path_redirection.yml
deleted file mode 100644
index d2b15738b..000000000
--- a/rules/defense_evasion_suspicious_virtual_path_redirection.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Suspicious virtual path redirection
-id: 71a7ba01-a7a9-428a-8704-72b200f9b43c
-version: 1.0.0
-description: |
- Detects attempts to create files in user-writable or system-temporary locations
- where the thread call stack shows use of APIs commonly involved in virtual-path
- redirection / bind filter registration.
- Attackers sometimes abuse virtual-path redirection, filter drivers, or cloud-sync
- registration to place malicious payloads in locations that are later resolved or
- served via trusted paths to evade detection or gain persistence.
-labels:
- tactic.id: TA0005
- tactic.name: Defense Evasion
- tactic.ref: https://attack.mitre.org/tactics/TA0005/
- technique.id: T1562
- technique.name: Impair Defenses
- technique.ref: https://attack.mitre.org/techniques/T1562/
- subtechnique.id: T1562.001
- subtechnique.name: Disable or Modify Tools
- subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
-references:
- - https://github.com/TwoSevenOneT/EDR-Redir
- - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
-
-condition: >
- create_file and
- evt.pid != 4 and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile') and
- thread.callstack.symbols imatches ('bindfltapi.dll!BfSetupFilter', 'cldapi.dll!CfRegisterSyncRoot') and
- file.path imatches
- (
- '?:\\Users\\*\\AppData\\Local\\Temp\\*',
- '?:\\Users\\*\\AppData\\Local\\VirtualStore\\*',
- '?:\\Users\\*\\AppData\\Roaming\\*',
- '?:\\Users\\Public\\*',
- '?:\\Users\\*\\Pictures\\*',
- '?:\\Users\\*\\Music\\*',
- '?:\\ProgramData\\*',
- '?:\\Windows\\Tasks\\*',
- '?:\\Windows\\System32\\Tasks\\*',
- '?:\\Windows\\Temp\\*',
- '?:\\Windows\\tracing\\*',
- '?:\\Temp\\*',
- '?:\\Tmp\\*',
- '?:\\PerfLogs\\*',
- '?:\\$Recycle.Bin\\*',
- '?:\\Intel\\*',
- '?:\\AMD\\Temp\\*'
- )
-
-output: >
- Suspicious virtual path redirection mapped to %file.path by process %ps.exe
-severity: high
-
-min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml b/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml
new file mode 100644
index 000000000..ca9c5b87a
--- /dev/null
+++ b/rules/defense_evasion_suspicious_virtual_path_redirection_via_bind_filter.yml
@@ -0,0 +1,71 @@
+name: Suspicious virtual path redirection via bind filter
+id: 71a7ba01-a7a9-428a-8704-72b200f9b43c
+version: 2.0.0
+description: |
+ Detects attempts to open files or directories under security software parent paths
+ where the calling thread's stack shows active use of the Bind Filter API
+ (BfSetupFilter) or Cloud Filter API (CfRegisterSyncRoot) routed through a kernel
+ DeviceIoControlFile call. This combination is the precise behavioural fingerprint
+ of EDR redirection attacks, which enumerate and mirror subdirectories under parent
+ directories such as Program Files or ProgramData to construct bind link loops that
+ blind security products without disrupting other software.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1562
+ technique.name: Impair Defenses
+ technique.ref: https://attack.mitre.org/techniques/T1562/
+ subtechnique.id: T1562.001
+ subtechnique.name: Disable or Modify Tools
+ subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
+references:
+ - https://github.com/TwoSevenOneT/EDR-Redir
+ - https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html
+
+condition: >
+ open_file and
+ evt.pid != 4 and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile') and
+ thread.callstack.symbols imatches ('bindfltapi.dll!BfSetupFilter', 'cldapi.dll!CfRegisterSyncRoot') and
+ file.path imatches
+ (
+ '?:\\Temp\\*',
+ '?:\\Program Files\\*',
+ '?:\\Windows',
+ '?:\\Windows\\System32',
+ '?:\\Windows\\SysWOW64',
+ '?:\\Program Files (x86)\\*',
+ '?:\\ProgramData\\Microsoft\\*'
+ ) and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\RuntimeBroker.exe',
+ '?:\\Windows\\System32\\SearchProtocolHost.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\sihost.exe',
+ '?:\\Windows\\System32\\explorer.exe',
+ '?:\\Windows\\System32\\ShellHost.exe',
+ '?:\\Windows\\System32\\FileSyncConfig.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\wsl.exe',
+ '?:\\Windows\\System32\\wslhost.exe',
+ '?:\\Windows\\System32\\wslservice.exe',
+ '?:\\Windows\\System32\\vmcompute.exe',
+ '?:\\Windows\\System32\\vmwp.exe',
+ '?:\\Windows\\System32\\CExecSvc.exe',
+ '?:\\Windows\\System32\\WindowsSandboxClient.exe',
+ '?:\\Windows\\System32\\WindowsSandboxRemoteSession.exe',
+ '?:\\Windows\\System32\\ContainerManager.exe',
+ '?:\\Windows\\System32\\HvHost.exe',
+ '?:\\Windows\\System32\\msixmgr.exe',
+ '?:\\Program Files\\Microsoft OneDrive\\*\\OneDrive.exe',
+ '?:\\Program Files\\Microsoft OneDrive\\*\\FileCoAuth.exe'
+ )
+action:
+ - name: kill
+
+output: >
+ Suspicious virtual path redirection targeting %file.path by process %ps.exe
+severity: high
+
+min-engine-version: 3.0.0
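Review bot: The `ps.exe not imatches` exclusion list carries `'?:\\Windows\\System32\\svchost.exe'` twice, and `'?:\\Windows\\System32\\explorer.exe'` names a location where the shell binary does not normally reside (it is `?:\\Windows\\explorer.exe`), so the Explorer exclusion is most likely dead while the rule's `action: kill` still terminates that process on a match. Because this rule kills rather than only alerts, each exclusion should be checked against the real image path: drop the duplicate, change the entry to `'?:\\Windows\\explorer.exe'`, and confirm that the OneDrive entries with a `*` path segment (`Microsoft OneDrive\\*\\OneDrive.exe`) match where the client actually installs, since the engine's handling of an empty wildcard segment is not visible here. Separately, the description says the rule fires on opens "under security software parent paths", but the condition matches any open under `Program Files`, `ProgramData\\Microsoft`, `Windows` or `Temp` regardless of what is installed there; rewording it to "under common parent directories of security software, such as Program Files or ProgramData" would give operators tuning the exclusion list an accurate picture of the scope.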