feat(rules): Suspicious object symbolic link creation

rabbitstack · rabbitstack · commit b17a36cc0b5e · 2025-03-19T19:56:53.000+01:00
Identifies the creation of the object symbolic link inside the object manager namespace by untrusted or unusual processes. Adversaries may exploit object symbolic links to trick system processes into executing
  malicious payloads.
diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
@@ -0,0 +1,37 @@
+name: Suspicious object symbolic link creation
+id: f9306355-1f5f-4a06-9779-195aa681db80
+version: 1.0.0
+description: |
+  Identifies the creation of the object symbolic link inside the object manager namespace
+  by untrusted or unusual processes.
+  Adversaries may exploit object symbolic links to trick system processes into executing
+  malicious payloads.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1211
+  technique.name: Exploitation for Defense Evasion
+  technique.ref: https://attack.mitre.org/techniques/T1211/
+references:
+  - https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease
+  - https://www.elastic.co/kr/blog/detect-block-unknown-knowndlls-windows-acl-hardening-attacks-cache-poisoning-escalation
+
+condition: >
+  create_symbolic_link_object and kevt.pid != 4 
+    and 
+  (pe.is_signed = false or pe.is_trusted = false or not ps.exe imatches
+    (
+      '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+      '?:\\WINDOWS\\system32\\svchost.exe',
+      '?:\\Program Files\\*',
+      '?:\\Program Files (x86)\\*',
+      '?:\\Windows\\System32\\vmwp.exe'
+    )
+  )
+
+output: >
+  Suspicious object symbolic link %kevt.arg[target] created by process %ps.exe
+severity: high
+
+min-engine-version: 2.4.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -103,6 +103,9 @@
 - macro: reply_dns
   expr: kevt.name = 'ReplyDns'
 
+- macro: create_symbolic_link_object
+  expr: kevt.name = 'CreateSymbolicLinkObject' and kevt.arg[status] = 'Success'
+
 - macro: inbound_network
   expr: >
     (recv_socket or accept_socket)
