diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
deleted file mode 100644
index efeff2dc6..000000000
--- a/.github/workflows/pypi-publish.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-name: Upload Sigmatools Package to PyPI
-on:
- release:
- types: [created]
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Set up Python
- uses: actions/setup-python@v1
- with:
- python-version: '3.x'
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install setuptools wheel twine
- - name: Build and publish
- env:
- TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
- TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: |
- make upload
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 28931b92e..a68fc115f 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -8,7 +8,7 @@ on:
branches:
- "*"
pull_request:
- branches: [ master ]
+ branches: [ master, oscd ]
jobs:
test-sigma:
@@ -22,10 +22,11 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip
- pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+ pip install pipenv
+ pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
run: |
- make test
+ pipenv run make test
- name: Test SQL(ite) Backend
run: |
- make test-backend-sql
+ pipenv run make test-backend-sql
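Review bot: `pip install pipenv` on the new install step takes whatever pipenv release PyPI serves on the day the job runs, while the very next line, `pipenv install --dev --deploy`, is what enforces the exact versions and sha256 hashes recorded in Pipfile.lock — the one unpinned component in the chain is the tool doing the verifying. Pin it the way the lockfile pins everything else, e.g. `pip install "pipenv==<pinned-version>"` (placeholder for the version the project standardises on), so a CI run is reproducible and a bad pipenv release cannot silently change what gets installed. Note also that `--deploy` aborts when the runner's interpreter does not match the `[requires] python_version = "3.8"` this commit sets in Pipfile; the setup-python step that selects the interpreter sits above this hunk and is not shown, so confirm it requests 3.8 or the job now fails at install time. The `test-sigma` job starts above the hunk and its remaining steps are not visible here.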
diff --git a/Pipfile b/Pipfile
index d50536fb3..7df1021b1 100644
--- a/Pipfile
+++ b/Pipfile
@@ -10,6 +10,9 @@ elasticsearch = "~=7.6"
elasticsearch-async = "~=6.2"
pytest = "~=5.4"
colorama = "*"
+setuptools = "*"
+stix2 = "*"
+attackcti = "*"
[packages]
requests = "~=2.23"
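Review bot: `stix2 = "*"` and `attackcti = "*"` accept any release with no upper bound, whereas the entries right above them (`elasticsearch = "~=7.6"`, `elasticsearch-async = "~=6.2"`, `pytest = "~=5.4"`) use compatible-release bounds; only `colorama = "*"` already follows the wildcard style. Pipfile.lock pins what was resolved this time (attackcti is locked at `==0.3.4.3` later in the diff), but the next `pipenv lock` will float both to the newest upload with no constraint, which is where a major-version break or a hijacked release would enter. Bring them in line with the surrounding style, e.g. `attackcti = "~=0.3.4"` and `stix2 = "~=<resolved-version>"` (placeholder; its locked version is not visible in this chunk), and consider whether `setuptools = "*"` belongs in this section at all — it presumably exists for a build or `pkg_resources` use, so a short comment saying why would help. The section header is above the hunk; from the neighbouring keys this looks like `[dev-packages]`, but that is inferred.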
@@ -19,4 +22,4 @@ pymisp = "~=2.4.123"
PyYAML = "~=5.1"
[requires]
-python_version = "~=3.8.2"
+python_version = "3.8"
diff --git a/Pipfile.lock b/Pipfile.lock
index 6f4696320..ed1329a91 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,11 +1,11 @@
{
"_meta": {
"hash": {
- "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a"
+ "sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687"
},
"pipfile-spec": 6,
"requires": {
- "python_version": "3.6"
+ "python_version": "3.8"
},
"sources": [
{
@@ -21,6 +21,7 @@
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
},
"certifi": {
@@ -32,33 +33,28 @@
},
"chardet": {
"hashes": [
- "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
- "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+ "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
- "version": "==3.0.4"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==4.0.0"
},
"deprecated": {
"hashes": [
- "sha256:471ec32b2755172046e28102cd46c481f21c6036a0ec027521eba8521aa4ef35",
- "sha256:924b6921f822b64ec54f49be6700a126bab0640cfafca78f22c9d429ed590560"
+ "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
+ "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
],
- "version": "==1.2.11"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==1.2.12"
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
},
- "importlib-metadata": {
- "hashes": [
- "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa",
- "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614"
- ],
- "markers": "python_version < '3.8'",
- "version": "==3.7.0"
- },
"jsonschema": {
"hashes": [
"sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
@@ -68,24 +64,25 @@
},
"progressbar2": {
"hashes": [
- "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772",
- "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928"
+ "sha256:ef72be284e7f2b61ac0894b44165926f13f5d995b2bf3cd8a8dedc6224b255a7",
+ "sha256:fe2738e7ecb7df52ad76307fe610c460c52b50f5335fd26c3ab80ff7655ba1e0"
],
"index": "pypi",
- "version": "==3.50.1"
+ "version": "==3.53.1"
},
"pymisp": {
"hashes": [
- "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd",
- "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3"
+ "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a",
+ "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2"
],
"index": "pypi",
- "version": "==2.4.123"
+ "version": "==2.4.141.1"
},
"pyrsistent": {
"hashes": [
"sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
],
+ "markers": "python_version >= '3.5'",
"version": "==0.17.3"
},
"python-dateutil": {
@@ -93,6 +90,7 @@
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.8.1"
},
"python-utils": {
@@ -104,184 +102,233 @@
},
"pyyaml": {
"hashes": [
- "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
- "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
- "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
- "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
- "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
- "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
- "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
- "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
- "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
- "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
- "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+ "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+ "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+ "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+ "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+ "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+ "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+ "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+ "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+ "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+ "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+ "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+ "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+ "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+ "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+ "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+ "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+ "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+ "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+ "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+ "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+ "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+ "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+ "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+ "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+ "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+ "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+ "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+ "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
],
"index": "pypi",
- "version": "==5.1"
+ "version": "==5.4.1"
},
"requests": {
"hashes": [
- "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
- "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
+ "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+ "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
],
"index": "pypi",
- "version": "==2.23.0"
+ "version": "==2.25.1"
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
},
- "typing-extensions": {
- "hashes": [
- "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
- "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
- "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
- ],
- "markers": "python_version < '3.8'",
- "version": "==3.7.4.3"
- },
"urllib3": {
"hashes": [
- "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
- "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+ "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+ "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
],
"index": "pypi",
- "version": "==1.25.8"
+ "version": "==1.26.4"
},
"wrapt": {
"hashes": [
"sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
],
"version": "==1.12.1"
- },
- "zipp": {
- "hashes": [
- "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108",
- "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb"
- ],
- "version": "==3.4.0"
}
},
"develop": {
"aiohttp": {
"hashes": [
- "sha256:119feb2bd551e58d83d1b38bfa4cb921af8ddedec9fad7183132db334c3133e0",
- "sha256:16d0683ef8a6d803207f02b899c928223eb219111bd52420ef3d7a8aa76227b6",
- "sha256:2eb3efe243e0f4ecbb654b08444ae6ffab37ac0ef8f69d3a2ffb958905379daf",
- "sha256:2ffea7904e70350da429568113ae422c88d2234ae776519549513c8f217f58a9",
- "sha256:40bd1b101b71a18a528ffce812cc14ff77d4a2a1272dfb8b11b200967489ef3e",
- "sha256:418597633b5cd9639e514b1d748f358832c08cd5d9ef0870026535bd5eaefdd0",
- "sha256:481d4b96969fbfdcc3ff35eea5305d8565a8300410d3d269ccac69e7256b1329",
- "sha256:4c1bdbfdd231a20eee3e56bd0ac1cd88c4ff41b64ab679ed65b75c9c74b6c5c2",
- "sha256:5563ad7fde451b1986d42b9bb9140e2599ecf4f8e42241f6da0d3d624b776f40",
- "sha256:58c62152c4c8731a3152e7e650b29ace18304d086cb5552d317a54ff2749d32a",
- "sha256:5b50e0b9460100fe05d7472264d1975f21ac007b35dcd6fd50279b72925a27f4",
- "sha256:5d84ecc73141d0a0d61ece0742bb7ff5751b0657dab8405f899d3ceb104cc7de",
- "sha256:5dde6d24bacac480be03f4f864e9a67faac5032e28841b00533cd168ab39cad9",
- "sha256:5e91e927003d1ed9283dee9abcb989334fc8e72cf89ebe94dc3e07e3ff0b11e9",
- "sha256:62bc216eafac3204877241569209d9ba6226185aa6d561c19159f2e1cbb6abfb",
- "sha256:6c8200abc9dc5f27203986100579fc19ccad7a832c07d2bc151ce4ff17190076",
- "sha256:6ca56bdfaf825f4439e9e3673775e1032d8b6ea63b8953d3812c71bd6a8b81de",
- "sha256:71680321a8a7176a58dfbc230789790639db78dad61a6e120b39f314f43f1907",
- "sha256:7c7820099e8b3171e54e7eedc33e9450afe7cd08172632d32128bd527f8cb77d",
- "sha256:7dbd087ff2f4046b9b37ba28ed73f15fd0bc9f4fdc8ef6781913da7f808d9536",
- "sha256:822bd4fd21abaa7b28d65fc9871ecabaddc42767884a626317ef5b75c20e8a2d",
- "sha256:8ec1a38074f68d66ccb467ed9a673a726bb397142c273f90d4ba954666e87d54",
- "sha256:950b7ef08b2afdab2488ee2edaff92a03ca500a48f1e1aaa5900e73d6cf992bc",
- "sha256:99c5a5bf7135607959441b7d720d96c8e5c46a1f96e9d6d4c9498be8d5f24212",
- "sha256:b84ad94868e1e6a5e30d30ec419956042815dfaea1b1df1cef623e4564c374d9",
- "sha256:bc3d14bf71a3fb94e5acf5bbf67331ab335467129af6416a437bd6024e4f743d",
- "sha256:c2a80fd9a8d7e41b4e38ea9fe149deed0d6aaede255c497e66b8213274d6d61b",
- "sha256:c44d3c82a933c6cbc21039326767e778eface44fca55c65719921c4b9661a3f7",
- "sha256:cc31e906be1cc121ee201adbdf844522ea3349600dd0a40366611ca18cd40e81",
- "sha256:d5d102e945ecca93bcd9801a7bb2fa703e37ad188a2f81b1e65e4abe4b51b00c",
- "sha256:dd7936f2a6daa861143e376b3a1fb56e9b802f4980923594edd9ca5670974895",
- "sha256:dee68ec462ff10c1d836c0ea2642116aba6151c6880b688e56b4c0246770f297",
- "sha256:e76e78863a4eaec3aee5722d85d04dcbd9844bc6cd3bfa6aa880ff46ad16bfcb",
- "sha256:eab51036cac2da8a50d7ff0ea30be47750547c9aa1aa2cf1a1b710a1827e7dbe",
- "sha256:f4496d8d04da2e98cc9133e238ccebf6a13ef39a93da2e87146c8c8ac9768242",
- "sha256:fbd3b5e18d34683decc00d9a360179ac1e7a320a5fee10ab8053ffd6deab76e0",
- "sha256:feb24ff1226beeb056e247cf2e24bba5232519efb5645121c4aea5b6ad74c1f2"
+ "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
+ "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
+ "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
+ "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
+ "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
+ "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
+ "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
+ "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
+ "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
+ "sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
+ "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
+ "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
+ "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
+ "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
+ "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
+ "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
+ "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
+ "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
+ "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
+ "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
+ "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
+ "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
+ "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
+ "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
+ "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
+ "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
+ "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
+ "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
+ "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
+ "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
+ "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
+ "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
+ "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
+ "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
+ "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
+ "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
+ "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
],
- "index": "pypi",
- "version": "==3.7.4"
+ "markers": "python_version >= '3.6'",
+ "version": "==3.7.4.post0"
+ },
+ "antlr4-python3-runtime": {
+ "hashes": [
+ "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
+ ],
+ "markers": "python_version >= '3'",
+ "version": "==4.8"
},
"async-timeout": {
"hashes": [
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
],
+ "markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
},
+ "attackcti": {
+ "hashes": [
+ "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f",
+ "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9"
+ ],
+ "index": "pypi",
+ "version": "==0.3.4.3"
+ },
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
},
+ "certifi": {
+ "hashes": [
+ "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
+ "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+ ],
+ "version": "==2020.12.5"
+ },
"chardet": {
"hashes": [
- "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
- "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+ "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
- "version": "==3.0.4"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==4.0.0"
},
"colorama": {
"hashes": [
- "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
- "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+ "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
+ "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"
],
"index": "pypi",
- "version": "==0.4.3"
+ "version": "==0.4.4"
},
"coverage": {
"hashes": [
- "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0",
- "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30",
- "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b",
- "sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0",
- "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823",
- "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe",
- "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037",
- "sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6",
- "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31",
- "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd",
- "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892",
- "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1",
- "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78",
- "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac",
- "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006",
- "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014",
- "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2",
- "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7",
- "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8",
- "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7",
- "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9",
- "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1",
- "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307",
- "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a",
- "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435",
- "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0",
- "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5",
- "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441",
- "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732",
- "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de",
- "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1"
+ "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c",
+ "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6",
+ "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45",
+ "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a",
+ "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03",
+ "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529",
+ "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a",
+ "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a",
+ "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2",
+ "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6",
+ "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759",
+ "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53",
+ "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a",
+ "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4",
+ "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff",
+ "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502",
+ "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793",
+ "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb",
+ "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905",
+ "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821",
+ "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b",
+ "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81",
+ "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0",
+ "sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b",
+ "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3",
+ "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184",
+ "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701",
+ "sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a",
+ "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82",
+ "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638",
+ "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5",
+ "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083",
+ "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6",
+ "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90",
+ "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465",
+ "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a",
+ "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3",
+ "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e",
+ "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066",
+ "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf",
+ "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b",
+ "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae",
+ "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669",
+ "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873",
+ "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b",
+ "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6",
+ "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb",
+ "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160",
+ "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c",
+ "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079",
+ "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d",
+ "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6"
],
"index": "pypi",
- "version": "==5.0.4"
+ "version": "==5.5"
},
"elasticsearch": {
"hashes": [
- "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8",
- "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81"
+ "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0",
+ "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378"
],
"index": "pypi",
- "version": "==7.6.0"
+ "version": "==7.12.0"
},
"elasticsearch-async": {
"hashes": [
@@ -296,28 +343,15 @@
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
},
- "idna-ssl": {
- "hashes": [
- "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c"
- ],
- "markers": "python_version < '3.7'",
- "version": "==1.1.0"
- },
- "importlib-metadata": {
- "hashes": [
- "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa",
- "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614"
- ],
- "markers": "python_version < '3.8'",
- "version": "==3.7.0"
- },
"more-itertools": {
"hashes": [
"sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced",
"sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713"
],
+ "markers": "python_version >= '3.5'",
"version": "==8.7.0"
},
"multidict": {
@@ -360,6 +394,7 @@
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
],
+ "markers": "python_version >= '3.6'",
"version": "==5.1.0"
},
"packaging": {
@@ -367,6 +402,7 @@
"sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
"sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.9"
},
"pathspec": {
@@ -381,6 +417,7 @@
"sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
"sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.13.1"
},
"py": {
@@ -388,6 +425,7 @@
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
@@ -395,32 +433,147 @@
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
+ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
},
"pytest": {
"hashes": [
- "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172",
- "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970"
+ "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1",
+ "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8"
+ ],
+ "index": "pypi",
+ "version": "==5.4.3"
+ },
+ "pytz": {
+ "hashes": [
+ "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
+ "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
+ ],
+ "version": "==2021.1"
+ },
+ "pyyaml": {
+ "hashes": [
+ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+ "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+ "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+ "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+ "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+ "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+ "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+ "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+ "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+ "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+ "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+ "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+ "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+ "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+ "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+ "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+ "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+ "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+ "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+ "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+ "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+ "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+ "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+ "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+ "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+ "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+ "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+ "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+ "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
],
"index": "pypi",
"version": "==5.4.1"
},
- "pyyaml": {
+ "requests": {
"hashes": [
- "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
- "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
- "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
- "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
- "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
- "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
- "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
- "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
- "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
- "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
- "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+ "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+ "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
],
"index": "pypi",
- "version": "==5.1"
+ "version": "==2.25.1"
+ },
+ "simplejson": {
+ "hashes": [
+ "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
+ "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
+ "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
+ "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
+ "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
+ "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
+ "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
+ "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
+ "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
+ "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
+ "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
+ "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
+ "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
+ "sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
+ "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
+ "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
+ "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
+ "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
+ "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
+ "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
+ "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
+ "sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
+ "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
+ "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
+ "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
+ "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
+ "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
+ "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
+ "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
+ "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
+ "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
+ "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
+ "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
+ "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
+ "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
+ "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
+ "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
+ "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
+ "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
+ "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
+ "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
+ "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
+ "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
+ "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
+ "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
+ ],
+ "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==3.17.2"
+ },
+ "six": {
+ "hashes": [
+ "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
+ "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
+ ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==1.15.0"
+ },
+ "stix2": {
+ "hashes": [
+ "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
+ "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
+ ],
+ "index": "pypi",
+ "version": "==2.1.0"
+ },
+ "stix2-patterns": {
+ "hashes": [
+ "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
+ "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
+ ],
+ "version": "==1.3.2"
+ },
+ "taxii2-client": {
+ "hashes": [
+ "sha256:b4212b8a8bab170cd5dc386ca3ea36bc44b53932f1da30db150abeef00bce7b9",
+ "sha256:fb3bf895e2eaff3cd08bb7aad75c9d30682ffc00b9f3add77de3a67dc6b895a3"
+ ],
+ "version": "==2.3.0"
},
"typing-extensions": {
"hashes": [
@@ -433,11 +586,11 @@
},
"urllib3": {
"hashes": [
- "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
- "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+ "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+ "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
],
"index": "pypi",
- "version": "==1.25.8"
+ "version": "==1.26.4"
},
"wcwidth": {
"hashes": [
@@ -448,11 +601,11 @@
},
"yamllint": {
"hashes": [
- "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f",
- "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193"
+ "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
+ "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
],
"index": "pypi",
- "version": "==1.21.0"
+ "version": "==1.26.0"
},
"yarl": {
"hashes": [
@@ -494,14 +647,8 @@
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
],
+ "markers": "python_version >= '3.6'",
"version": "==1.6.3"
- },
- "zipp": {
- "hashes": [
- "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108",
- "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb"
- ],
- "version": "==3.4.0"
}
}
}
diff --git a/README.md b/README.md
index bd5182d4c..5369ebeea 100644
--- a/README.md
+++ b/README.md
@@ -40,9 +40,9 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
# Why Sigma
-Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
+Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
-Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
## Slides
@@ -52,7 +52,7 @@ See the first slide deck that I prepared for a private conference in mid January
# Specification
-The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).
+The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).
The current specification is a proposal. Feedback is requested.
@@ -62,7 +62,7 @@ The current specification is a proposal. Feedback is requested.
Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
-## Rule Usage
+## Rule Usage
1. Download or clone the repository
2. Check the `./rules` sub directory for an overview on the rule base
@@ -106,7 +106,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
```bash
usage: sigmac [-h] [--recurse] [--filter FILTER]
- [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
+ [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
@@ -172,13 +172,13 @@ Translate a whole rule directory and ignore backend errors (`-I`) in rule conver
```
tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
```
-#### Rule Set Translation with Custom Config
+#### Rule Set Translation with Custom Config
Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
```
tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
```
#### Generic Rule Set Translation
-Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
```
tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
```
@@ -209,6 +209,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [LimaCharlie](https://limacharlie.io)
* [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
+* [LOGIQ](https://www.logiq.ai)
* [uberAgent ESA](https://uberagent.com/)
Current work-in-progress
@@ -228,16 +229,18 @@ It's available on PyPI. Install with:
pip3 install sigmatools
```
-Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with [Pipenv](https://pypi.org/project/pipenv/).
+Run the following command to get a shell with the installed requirements:
```bash
-pip3 install -r tools/requirements.txt
+pipenv shell
```
For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
```bash
-pip3 install -r tools/requirements-devel.txt
+pipenv install --dev
+pipenv shell
```
## Sigma2MISP
@@ -251,7 +254,7 @@ Example:
*misp.conf*:
```
url https://host
-key foobarfoobarfoobarfoobarfoobarfoobarfoo
+key foobarfoobarfoobarfoobarfoobarfoobarfoo
```
Load Sigma rule into MISP event 1234:
@@ -266,7 +269,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
## Evt2Sigma
-[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.
## Sigma2attack
@@ -291,7 +294,7 @@ Result once imported in the MITRE ATT&CK® Navigator ([online version](https://m
## S2AN
-Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules.
+Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules.
S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies.
@@ -317,11 +320,11 @@ These tools are not part of the main toolchain and maintained separately by thei
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
* [Joe Sandbox](https://www.joesecurity.org/)
-* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
-* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
+* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
Sigma is available in some Linux distribution repositories:
@@ -333,10 +336,10 @@ If you want to contribute, you are more then welcome. There are numerous ways to
## Use it and provide feedback
-If you use it, let us know what works and what does not work.
+If you use it, let us know what works and what does not work.
E.g.
-- Tell us about false positives (issues section)
+- Tell us about false positives (issues section)
- Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule
## Work on open issues
@@ -345,7 +348,7 @@ The github issue tracker is a good place to start tackling some issues others ra
## Provide Backends / Backend Features / Bugfixes
-Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
+Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
## Spread the word
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
new file mode 100644
index 000000000..bcd2772a3
--- /dev/null
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -0,0 +1,42 @@
+title: Always Install Elevated Parent Child Correlated
+id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
+description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
+#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
+#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ system_integrity:
+ IntegrityLevel: 'System'
+ system_user:
+ User: 'NT AUTHORITY\SYSTEM'
+ image_1:
+ Image|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ Image|endswith:
+ - 'tmp'
+ image_2:
+ Image|endswith: '\msiexec.exe'
+ child_of_suspicious_guid:
+ ParentProcessGuid: '%suspicious_guid%'
+ condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
+fields:
+ - EventID
+ - IntegrityLevel
+ - User
+ - Image
+ ParentProcessGuid
+falsepositives:
+ - System administrator usage
+ - Penetration test
+level: high
\ No newline at end of file
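Review bot: The `fields:` list is malformed at the `ParentProcessGuid` entry — it has no `- ` marker, so a YAML loader either folds it into the preceding scalar (`Image ParentProcessGuid`) or rejects the file; it should read `  - ParentProcessGuid`. The `condition` also references `event_id` and `integrity_level`, neither of which is defined under `detection:` (the defined selections are `system_integrity`, `system_user`, `image_1`, `image_2`, `child_of_suspicious_guid`), so even as pseudo-syntax for rules-unsupported the names should agree, e.g. `integrity_level` → `system_integrity`. The description reads "This rule will looks any process"; suggest "This rule looks for any process". The file also lacks a trailing newline, which the other rules touched in this change fix.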
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
new file mode 100644
index 000000000..c8f95ed78
--- /dev/null
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+ - attack.credential_access
+ - attack.t1555
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ AccessList|contains: '%%4416'
+ ObjectName|endswith:
+ - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+ - '\%FOLDER_NAME%\Unattend.xml'
+ condition: selection
+fields:
+ - EventID
+ - AccessList
+ - ObjectName
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
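Review bot: The `ObjectName|endswith` values contain the literal placeholders `%POLICY_ID%` and `%FOLDER_NAME%`, which sigmac will emit verbatim, so the rule cannot match until a deployer edits them; either document this or match only on the file names, e.g. `- '\Machine\Preferences\Groups\Groups.xml'` and `- '\Unattend.xml'`. Event 4663 is only generated for objects that carry a SACL, so a `definition:` line under `logsource` stating that the decoy files must be audited for read access would help, in the style of the `definition:` used in win_remote_schtask.yml in this same change. The `%%4416` value is the Windows access-mask resource string (ReadData); a short inline comment naming it would make the selection readable. The file lacks a trailing newline.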
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
new file mode 100644
index 000000000..5730b930e
--- /dev/null
+++ b/rules-unsupported/win_remote_schtask.yml
@@ -0,0 +1,44 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4698
+ - 4702
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ filter2:
+ Source_Network_Address: '-'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2 and not filter2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+falsepositives:
+ - Unknown
+level: medium
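Review bot: `timeframe: 30d` contradicts the rule's own comments, which describe grouping the 4624 logon and the 4698/4702 task event "over 30seconds" and "in a 30second period"; the sibling win_remote_service.yml in this change uses `timeframe: 30s`, so this is presumably a typo and should be `timeframe: 30s`. Also, `filter2` (`Source_Network_Address: '-'`) is applied to `selection2`, but 4698/4702 task events do not appear to carry a source network address field, so that filter is likely a no-op and worth a comment or removal. Since `and` binds tighter than `or`, the condition is read as `(selection1 and not filter1) or (selection2 and not filter2)`; adding the parentheses explicitly would make the intent obvious.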
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
new file mode 100644
index 000000000..75654260c
--- /dev/null
+++ b/rules-unsupported/win_remote_service.yml
@@ -0,0 +1,50 @@
+action: global
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30s
+ condition: (selection1 and not filter1) or selection2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+
+falsepositives:
+ - Unknown
+level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
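Review bot: The first sub-document (`logsource`/`detection` for the security service) is indented one level relative to the document start, while the second sub-document starts at column 0; a uniformly indented top-level mapping still parses, but the two should be written identically for readability and to avoid accidental mis-nesting when edited. `selection2` is referenced by the global `condition` but only defined in the sub-documents, which is correct for `action: global`; a one-line comment above `condition` saying so would help a reader who sees only the first document. The file lacks a trailing newline, which the other rules touched in this change add.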
diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml
index 2d5a32657..dff7a078e 100644
--- a/rules/cloud/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws_ec2_vm_export_failure.yml
@@ -18,7 +18,7 @@ detection:
errorCode: '*'
filter3:
eventName: 'ConsoleLogin'
- responseElements: '*Failure*'
+ responseElements|contains: 'Failure'
condition: selection and (filter1 or filter2 or filter3)
level: low
tags:
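Review bot: `responseElements|contains: 'Failure'` assumes the backend can substring-match `responseElements`, but for CloudTrail `ConsoleLogin` events that field is a JSON object (`{"ConsoleLogin": "Failure"}`), so the match depends on how the ingestion pipeline serialises nested fields. If the pipeline flattens object keys, the precise form would be `responseElements.ConsoleLogin: 'Failure'`; if it does not, a comment stating that `responseElements` is expected to be indexed as a string would document the assumption. The enclosing `detection:` block starts outside this hunk.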
diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml
new file mode 100644
index 000000000..81e3802ea
--- /dev/null
+++ b/rules/linux/at_command.yml
@@ -0,0 +1,23 @@
+title: Scheduled Task/Job At
+id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
+status: stable
+description: Detects the use of at/atd
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ProcessName|endswith:
+ - '/at'
+ - '/atd'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
+ - attack.t1053.001
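Review bot: The selection uses `ProcessName|endswith`, while the other new linux `process_creation` rules in this change (lnx_base64_decode.yml, lnx_clear_logs.yml, lnx_file_and_directory_discovery.yml) key on `Image|endswith` for the same purpose; a single field-mapping config will not cover both names, so one of them will silently miss. Suggest `    Image|endswith:` here for consistency. The `status: stable` also seems optimistic for a rule added in the same batch as `experimental` siblings, though that is a project-convention question.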
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 872398f62..4c1d6f6ba 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -12,7 +12,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
- exe: '*/useradd'
+ exe|endswith: '/useradd'
condition: selection
falsepositives:
- Admin activity
@@ -20,4 +20,4 @@ level: medium
tags:
- attack.t1136 # an old one
- attack.t1136.001
- - attack.persistence
\ No newline at end of file
+ - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 0dfbfe404..c76769bc9 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,9 +16,9 @@ detection:
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
- a3: '*/crond'
+ a3|endswith: '/crond'
condition: selection
level: medium
tags:
- attack.defense_evasion
- - attack.t1036.003
\ No newline at end of file
+ - attack.t1036.003
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 64175ef8a..4cbc91f86 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -12,26 +12,26 @@ logsource:
detection:
selection:
type: 'SYSCALL'
- exe:
+ exe|startswith:
# Temporary folder
- - '/tmp/*'
+ - '/tmp/'
# Web server
- - '/var/www/*' # Standard
- - '/home/*/public_html/*' # Per-user
- - '/usr/local/apache2/*' # Classical Apache
- - '/usr/local/httpd/*' # Old SuSE Linux 6.* Apache
- - '/var/apache/*' # Solaris Apache
- - '/srv/www/*' # SuSE Linux 9.*
- - '/home/httpd/html/*' # Redhat 6 or older Apache
- - '/srv/http/*' # ArchLinux standard
- - '/usr/share/nginx/html/*' # ArchLinux nginx
+ - '/var/www/' # Standard
+ - '/home/*/public_html/' # Per-user
+ - '/usr/local/apache2/' # Classical Apache
+ - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
+ - '/var/apache/' # Solaris Apache
+ - '/srv/www/' # SuSE Linux 9.*
+ - '/home/httpd/html/' # Redhat 6 or older Apache
+ - '/srv/http/' # ArchLinux standard
+ - '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- - '/var/lib/pgsql/data/*'
- - '/usr/local/mysql/data/*'
- - '/var/lib/mysql/*'
- - '/var/vsftpd/*'
- - '/etc/bind/*'
- - '/var/named/*'
+ - '/var/lib/pgsql/data/'
+ - '/usr/local/mysql/data/'
+ - '/var/lib/mysql/'
+ - '/var/vsftpd/'
+ - '/etc/bind/'
+ - '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
new file mode 100644
index 000000000..62620cf4b
--- /dev/null
+++ b/rules/linux/lnx_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ base64_execution:
+ Image|endswith: '/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
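Review bot: `CommandLine|contains: '-d'` matches the two-character substring anywhere in the command line, including inside unrelated flags or file paths passed to `base64`, so the selection effectively fires on most `base64` invocations; anchoring the flag is cheap, e.g. `CommandLine|contains:` with values `' -d'` and `' --decode'`. The trailing-newline is missing (see `\ No newline at end of file`), which the modified sibling rules in this change fix.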
diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml
new file mode 100644
index 000000000..cba357572
--- /dev/null
+++ b/rules/linux/lnx_binary_padding.yml
@@ -0,0 +1,35 @@
+title: 'Binary Padding'
+id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'truncate'
+ - '-s'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'dd'
+ - 'if='
+ filter:
+ keywords|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
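Review bot: `keywords|contains|all` with `'dd'` and `'-s'` matches two-character substrings, so any EXECVE record whose arguments contain `dd` (e.g. `add`, `hidden`) or `-s`-prefixed flag satisfies a selection, which is noisy for a `level: high` rule. The `EXECVE` record carries positional arguments, and the sibling rule lnx_auditd_masquerading_crond.yml in this change keys on `a0`..`a3`; anchoring the binary the same way, e.g. `a0: 'dd'` / `a0: 'truncate'` (or `a0|endswith: '/dd'`), would preserve the intent with far fewer false positives. The `filter` on `of=` also drops every `dd` that names an output file, which is worth a comment explaining that padding via `>>` redirection is the targeted form.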
diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml
new file mode 100644
index 000000000..22763a8cf
--- /dev/null
+++ b/rules/linux/lnx_change_file_time_attr.yml
@@ -0,0 +1,33 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'touch'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
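Review bot: In `selection2`, `'-r'` is a substring of `'-acmr'`, so the latter value is redundant, and `'-t'`, `'-d'` and `'-r'` as `contains` substrings match most short flags and many paths; combined with `'touch'` as a substring in `selection1` (which also matches e.g. `touchpad`), the rule will match well beyond timestamp manipulation. As with lnx_binary_padding.yml in this change, keying on the positional argument (`a0|endswith: '/touch'` or `a0: 'touch'`) and listing the flags as separate `a1`..`aN` values, following lnx_auditd_masquerading_crond.yml, would tighten it. The indented `#` comments under `description:` are harmless but sit at an odd indentation; placing them at column 0 matches the rest of the file.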
diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml
new file mode 100644
index 000000000..39899711a
--- /dev/null
+++ b/rules/linux/lnx_clear_logs.yml
@@ -0,0 +1,26 @@
+title: Clear Linux Logs
+id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
+status: stable
+description: Detects clear logs
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ CommandLine|contains:
+ - '/var/log'
+ - '/var/spool/mail'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
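Review bot: The comment `# covers /rmdir as well` on the `'/rm'` value is incorrect: `Image|endswith: '/rm'` does not match an image ending in `/rmdir`, so either add `- '/rmdir'` as a separate value or remove the comment. `Image|endswith` here is consistent with the other linux process_creation rules in this change, which is good; at_command.yml uses `ProcessName` instead and should be aligned.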
diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml
new file mode 100644
index 000000000..af52c7765
--- /dev/null
+++ b/rules/linux/lnx_file_and_directory_discovery.yml
@@ -0,0 +1,29 @@
+title: File and Directory Discovery
+id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ file_with_asterisk:
+ Image|endswith: '/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image|endswith: '/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image|endswith: '/find'
+ tree_execution:
+ Image|endswith: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
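Review bot: The regex in `CommandLine|re: '(.){200,}'` wraps a single character in a capturing group for no reason; `'.{200,}'` expresses the same length check and avoids per-character capture overhead in backends that compile the pattern as given. The file also lacks a trailing newline (`\ No newline at end of file`), which this same commit fixes in several sibling rules.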
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index 028476447..2a0509c6f 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -11,18 +11,20 @@ logsource:
detection:
keywords:
- Scp|contains:
- - 'scp * *@*:*'
- - 'scp *@*:* *'
+ - 'scp'
- Rsync|contains:
- - 'rsync -r *@*:* *'
- - 'rsync -r * *@*:*'
+ - 'rsync -r'
- Sftp|contains:
- - 'sftp *@*:* *'
- condition: keywords
+ - 'sftp'
+ filter:
+ message|contains|all:
+ - '@'
+ - ':'
+ condition: keywords and filter
falsepositives:
- Legitimate administration activities
level: low
tags:
- attack.command_and_control
- attack.lateral_movement
- - attack.t1105
\ No newline at end of file
+ - attack.t1105
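Review bot: After this change the `filter` selection only requires that `message` contain `@` and `:`, and since nearly every syslog/auth line already contains a colon, the remote-target check effectively collapses to "contains `@`"; combined with the bare `'scp'`/`'sftp'` substrings this is much broader than the removed `scp * *@*:*` patterns. Requiring the host separator to follow the `@`, for example `message|re: '@[^ ]+:'`, restores most of the old precision. Also, `filter` is conventionally a negated selection in Sigma rules; since it is ANDed positively here, a name such as `remote_target` reads better.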
diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml
new file mode 100644
index 000000000..391975730
--- /dev/null
+++ b/rules/linux/lnx_file_deletion.yml
@@ -0,0 +1,23 @@
+title: File Deletion
+id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
+status: stable
+description: Detects file deletion commands
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/linux/lnx_find_cred_in_files.yml b/rules/linux/lnx_find_cred_in_files.yml
new file mode 100644
index 000000000..71b908273
--- /dev/null
+++ b/rules/linux/lnx_find_cred_in_files.yml
@@ -0,0 +1,29 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'grep'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains: 'password'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
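Review bot: With `keywords|contains: 'grep'` and `'password'` both being substring matches, this `level: high` rule also fires on `pgrep`/`egrep` invocations and on any argument containing "password" (configuration audits, log greps), yet `falsepositives` lists only `'Unknown'`. Listing those benign cases, or keeping the level at medium until the rule is tuned, would better reflect its confidence.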
diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml
new file mode 100644
index 000000000..b1a9f61ee
--- /dev/null
+++ b/rules/linux/lnx_install_root_certificate.yml
@@ -0,0 +1,22 @@
+title: Install Root Certificate
+id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+description: Detects installed new certificate
+author: Ömer Günal, oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: low
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/update-ca-certificates'
+ - '/update-ca-trust'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
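Review bot: This rule omits the `status:` field that every other new rule in this commit carries, and its key order (`date` after `references`, `tags`/`level` before `logsource`) differs from the rest of the rule set, which makes linting and diffing harder. Adding `status: experimental` after `id:` and moving `tags:`/`level:` to the end would match the siblings. It is also worth noting under `falsepositives` that these two binaries are typically run automatically by the ca-certificates package's install/upgrade hooks, since that is the dominant benign trigger.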
diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml
new file mode 100644
index 000000000..2e31f466d
--- /dev/null
+++ b/rules/linux/lnx_local_account.yml
@@ -0,0 +1,39 @@
+title: Local System Accounts Discovery
+id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/lastlog'
+ selection_2:
+ CommandLine|contains:
+ - "'x:0:'"
+ selection_3:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/sudoers'
+ selection_4:
+ Image|endswith:
+ - '/id'
+ selection_5:
+ Image|endswith:
+ - '/lsof'
+ CommandLine|contains:
+ - '-u'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
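Review bot: The value under `selection_2` is written `"'x:0:'"`, so the literal single quotes become part of the matched string and only a command line that quotes the pattern exactly as `'x:0:'` will match; `grep x:0: /etc/passwd` or a double-quoted form will not. Dropping the outer double quotes, `- 'x:0:'`, matches the intended substring regardless of shell quoting. Also, with `condition: 1 of them`, `selection_4` fires on every `id` execution; that may be acceptable at `level: low`, but a comment saying so would help tuners (the description also misspells "system" as "systeam").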
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml
new file mode 100644
index 000000000..8df8a8157
--- /dev/null
+++ b/rules/linux/lnx_local_groups.yml
@@ -0,0 +1,27 @@
+title: Local Groups Discovery
+id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/groups'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml
new file mode 100644
index 000000000..831c1dac9
--- /dev/null
+++ b/rules/linux/lnx_network_service_scanning.yml
@@ -0,0 +1,47 @@
+action: global
+title: Linux Network Service Scanning
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1046
+---
+logsource:
+ category: process_creation
+ product: linux
+ definition: 'Detect netcat and filter our listening mode'
+detection:
+ netcat:
+ Image|endswith:
+ - '/nc'
+ - '/netcat'
+ network_scanning_tools:
+ Image|endswith:
+ - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+ - '/nmap'
+ netcat_listen_flag:
+ CommandLine|contains: 'l'
+ condition: (netcat and not netcat_listen_flag) or network_scanning_tools
+---
+logsource:
+ product: linux
+ service: auditd
+ definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'
+detection:
+ selection:
+ type: 'SYSCALL'
+ exe|endswith:
+ - '/telnet'
+ - '/nmap'
+ - '/netcat'
+ - '/nc'
+ key: 'network_connect_4'
+ condition: selection
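Review bot: `netcat_listen_flag` matches `CommandLine|contains: 'l'`, a single letter that appears in almost any command line (paths, `localhost`, most hostnames), so `netcat and not netcat_listen_flag` will almost never hold and the netcat branch of the process_creation document is effectively dead. A flag-shaped substring such as `CommandLine|contains: ' -l'` is the minimal fix. The `definition` text "filter our listening mode" should read "filter out", and the auditd document's `key: 'network_connect_4'` only matches when the linked audit ruleset is deployed with that exact key, which the definition could state explicitly.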
diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml
new file mode 100644
index 000000000..eccbff04f
--- /dev/null
+++ b/rules/linux/lnx_password_policy_discovery.yml
@@ -0,0 +1,25 @@
+title: Password Policy Discovery
+id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
+status: stable
+description: Detects password policy discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
+logsource:
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/etc/pam.d/common-password'
+ - '/etc/security/pwquality.conf'
+ - '/etc/pam.d/system-auth'
+ - '/etc/login.defs'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1201
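Review bot: The `logsource` has `service: auditd` but no `product: linux`, unlike the other auditd rules in this commit (for example rules/linux/lnx_find_cred_in_files.yml), so backend configurations keyed on product and service may not map it; add `product: linux` above `service: auditd`. Also, `type: 'PATH'` records for these files only appear when file-watch audit rules for those paths are configured, and the netcat rule in this commit documents such a prerequisite in a `definition:` field while this one does not.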
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
new file mode 100644
index 000000000..1785e7ef8
--- /dev/null
+++ b/rules/linux/lnx_process_discovery.yml
@@ -0,0 +1,23 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '/ps'
+ - '/top'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1057
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 000000000..218053e15
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml
new file mode 100644
index 000000000..cd2540f96
--- /dev/null
+++ b/rules/linux/lnx_schedule_task_job_cron.yml
@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 6b14bac8-3e3a-4324-8109-42f0546a347f
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - 'crontab'
+ CommandLine|contains:
+ - '/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
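Review bot: `Image|endswith: 'crontab'` lacks the leading slash used by every other `Image|endswith` value in this rule set, so it also matches any binary whose name merely ends in "crontab". Changing it to `- '/crontab'` makes it consistent and precise.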
diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml
new file mode 100644
index 000000000..37a7f7871
--- /dev/null
+++ b/rules/linux/lnx_security_software_discovery.yml
@@ -0,0 +1,31 @@
+title: Security Software Discovery
+id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ grep_execution:
+ Image|endswith: '/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: grep_execution and security_services_and_processes
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a490..8d1f16177 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -1,34 +1,97 @@
+action: global
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
references:
- - https://attack.mitre.org/techniques/T1089/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
-logsource:
- product: linux
-detection:
- keywords:
- - Command|contains:
- - 'service iptables stop'
- - 'chkconfig off iptables'
- - 'service ip6tables stop'
- - 'chkconfig off ip6tables'
- - CarbonBlack|contains:
- - 'service cbdaemon stop'
- - 'chkconfig off cbdaemon'
- - 'systemctl stop cbdaemon'
- - 'systemctl disable cbdaemon'
- - SELinux:
- - 'setenforce 0'
- - Crowdstrike|contains:
- - 'systemctl stop falcon-sensor.service'
- - 'systemctl disable falcon-sensor.service'
- condition: keywords
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
falsepositives:
- Legitimate administration activities
level: medium
tags:
- - attack.defense_evasion
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
+---
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ iptables_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_2:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ iptables_3:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_4:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ firewall_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'stop'
+ firewall_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'disable'
+ carbonblack_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_2:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'off'
+ carbonblack_3:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_4:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'disable'
+ selinux:
+ Image|endswith: '/setenforce'
+ CommandLine|contains: '0'
+ crowdstrike_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'stop'
+ - 'falcon-sensor'
+ crowdstrike_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'disable'
+ - 'falcon-sensor'
+ condition: 1 of them
+---
+logsource:
+ product: linux
+ service: syslog
+detection:
+ keywords:
+ - '*stopping iptables*'
+ - '*stopping ip6tables*'
+ - '*stopping firewalld*'
+ - '*stopping cbdaemon*'
+ - '*stopping falcon-sensor*'
+ condition: keywords
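Review bot: `iptables_3` and `iptables_4` pair `Image|endswith: '/chkconfig'` with `'stop'`, but chkconfig disables a service with `off` (as the rule's own `carbonblack_2` selection and the removed `'chkconfig off iptables'` pattern used), so these two selections will not match a real chkconfig invocation; change their second term to `- 'off'`. Since `contains` is a substring match, `iptables_1`/`iptables_3` already cover `ip6tables` command lines, making `iptables_2`/`iptables_4` redundant rather than harmful. The `selinux` selection's `CommandLine|contains: '0'` matches any argument containing a zero, and the equivalent `setenforce Permissive` form is not covered at all.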
diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml
new file mode 100644
index 000000000..36b1a82db
--- /dev/null
+++ b/rules/linux/lnx_split_file_into_pieces.yml
@@ -0,0 +1,26 @@
+title: 'Split A File Into Pieces'
+id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ comm: 'split'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1030
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml
index ff20897bb..bbd9d785d 100644
--- a/rules/linux/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/lnx_sudo_cve_2019_14287.yml
@@ -30,4 +30,4 @@ detection:
USER:
- '#-*'
- '#*4294967295'
- condition: selection_user
\ No newline at end of file
+ condition: selection_user
diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml
new file mode 100644
index 000000000..453bad916
--- /dev/null
+++ b/rules/linux/lnx_susp_histfile_operations.yml
@@ -0,0 +1,42 @@
+title: 'Suspicious History File Operations'
+id: eae8ce9f-bde9-47a6-8e79-f20d18419910
+status: experimental
+description: 'Detects commandline operations on shell history files'
+ # Rule detects presence of various shell history files in process commandline
+ # Normally user expected to view own history with dedicated 'history' command and not some other tools
+ # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ keywords|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
+fields:
+ - a0
+ - a1
+ - a2
+ - a3
+ - key
+falsepositives:
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.003
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 2fc43980a..128300cc2 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -20,4 +20,4 @@ falsepositives:
level: high
tags:
- attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index b84992387..c5ea7448e 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -30,4 +30,4 @@ falsepositives:
level: medium
tags:
- attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
new file mode 100644
index 000000000..43f8f6563
--- /dev/null
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -0,0 +1,48 @@
+action: global
+title: System Information Discovery
+id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
+status: stable
+description: Detects system information discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1082
+---
+logsource:
+ product: linux
+ categories: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/uname'
+ - '/hostname'
+ - '/uptime'
+ - '/lspci'
+ - '/dmidecode'
+ - '/lscpu'
+ - '/lsmod'
+ condition: selection
+---
+logsource:
+ product: linux
+ categories: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/sys/class/dmi/id/bios_version'
+ - '/sys/class/dmi/id/product_name'
+ - '/sys/class/dmi/id/chassis_vendor'
+ - '/proc/scsi/scsi'
+ - '/proc/ide/hd0/model'
+ - '/proc/version'
+ - '/etc/*version'
+ - '/etc/*release'
+ - '/etc/issue'
+ condition: selection
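Review bot: Both `logsource` blocks use the key `categories`, which is not a Sigma logsource key (`category`, `product` and `service` are), so neither document maps to a backend log source; the first should be `category: process_creation` and the second `service: auditd`, matching the sibling auditd rules in this commit. As written the rule is likely to fail the repository's rule tests or compile without any source restriction.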
diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml
new file mode 100644
index 000000000..5f9642370
--- /dev/null
+++ b/rules/linux/lnx_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/who'
+ - '/w'
+ - '/last'
+ - '/lsof'
+ - '/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml
new file mode 100644
index 000000000..fa5c6f748
--- /dev/null
+++ b/rules/linux/lnx_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - Linux
+id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
+status: experimental
+description: Detects enumeration of local network configuration
+author: Ömer Günal and remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection1:
+ Image|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml
new file mode 100644
index 000000000..88c476d4b
--- /dev/null
+++ b/rules/linux/lnx_system_shutdown_reboot.yml
@@ -0,0 +1,40 @@
+title: 'System Shutdown/Reboot'
+id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'init'
+ - 'telinit'
+ selection3:
+ type: 'EXECVE'
+ keywords|contains:
+ - '0'
+ - '6'
+ condition: selection1 or (selection2 and selection3)
+falsepositives:
+ - 'Legitimate administrative activity'
+level: informational
+tags:
+ - attack.impact
+ - attack.t1529
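Review bot: The reference URL starts with `hhttps://`, which is not a valid scheme, so the link is broken; it should read `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. Separately, `selection3` matches `'0'` and `'6'` as substrings anywhere in the EXECVE arguments, so `selection2 and selection3` fires on nearly any `init`/`telinit` invocation whose arguments contain those digits; matching the runlevel against the argument field (for example `a1: '0'`) would be tighter.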
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml
new file mode 100644
index 000000000..38daf676a
--- /dev/null
+++ b/rules/linux/macos_applescript.yml
@@ -0,0 +1,24 @@
+title: MacOS Scripting Interpreter AppleScript
+id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+status: experimental
+description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/osascript'
+ CommandLine|contains|all:
+ - '-e'
+ condition: selection
+falsepositives:
+ - Application installers might contain scripts as part of the installation process.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.002
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml
new file mode 100644
index 000000000..4afeec596
--- /dev/null
+++ b/rules/linux/macos_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ base64_execution:
+ Image: '/usr/bin/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
new file mode 100644
index 000000000..843b2aa61
--- /dev/null
+++ b/rules/linux/macos_binary_padding.yml
@@ -0,0 +1,33 @@
+title: 'Binary Padding'
+id: 95361ce5-c891-4b0a-87ca-e24607884a96
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/truncate'
+ CommandLine|contains:
+ - '-s'
+ selection2:
+ Image|endswith:
+ - '/dd'
+ CommandLine|contains:
+ - 'if='
+ filter:
+ CommandLine|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
new file mode 100644
index 000000000..f30750331
--- /dev/null
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -0,0 +1,29 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith: '/touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml
new file mode 100644
index 000000000..33ce525a3
--- /dev/null
+++ b/rules/linux/macos_clear_system_logs.yml
@@ -0,0 +1,27 @@
+title: Indicator Removal on Host - Clear Mac System Logs
+id: acf61bd8-d814-4272-81f0-a7a269aa69aa
+status: experimental
+description: Detects deletion of local audit logs
+author: remotephone, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ - Image|endswith: '/rm'
+ selection2:
+ CommandLine|contains: '/var/log'
+ selection3:
+ Commandline|contains|all:
+ - '/Users/'
+ - '/Library/Logs/'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
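Review bot: `selection3` spells the field `Commandline` (lowercase l) while `selection2` and every other rule in this commit use `CommandLine`; field mapping is name-based, so the misspelt field will not be translated by backend configurations and `selection3` will likely never match. Change it to `CommandLine|contains|all:`. `selection1` is also written as a list of one mapping (`- Image|endswith: '/rm'`) where the sibling rules use a plain mapping; it is valid but inconsistent.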
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml
new file mode 100644
index 000000000..42d1d4931
--- /dev/null
+++ b/rules/linux/macos_create_account.yml
@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains:
+ - 'create'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml
new file mode 100644
index 000000000..56cf55fdf
--- /dev/null
+++ b/rules/linux/macos_create_hidden_account.yml
@@ -0,0 +1,33 @@
+title: Hidden User Creation
+id: b22a5b36-2431-493a-8be1-0bae56c28ef3
+status: experimental
+description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/10
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ dscl_create:
+ Image|endswith: '/dscl'
+ CommandLine|contains: 'create'
+ id_below_500:
+ CommandLine|contains: UniqueID
+ CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
+ ishidden_option_declaration:
+ CommandLine|contains: 'IsHidden'
+ ishidden_option_confirmation:
+ CommandLine|contains:
+ - 'true'
+ - 'yes'
+ - '1'
+ condition: dscl_create and id_below_500 or
+ dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
\ No newline at end of file
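Review bot: The regex in `id_below_500` is unanchored, so `'([0-9]|[1-9][0-9]|[1-4][0-9]{2})'` matches any single digit anywhere in the command line (including inside "1001"), which reduces that selection to `CommandLine|contains: UniqueID`. Anchoring it to the argument, for example `CommandLine|re: 'UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)'`, makes only IDs below 500 match. `ishidden_option_confirmation` has the same weakness with `'1'`, which appears in almost any command line. The `condition` also mixes `and`/`or` without parentheses around the first clause; writing `(dscl_create and id_below_500) or (...)` states the precedence explicitly.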
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml
new file mode 100644
index 000000000..e8d3d1302
--- /dev/null
+++ b/rules/linux/macos_creds_from_keychain.yml
@@ -0,0 +1,29 @@
+title: Credentials from Password Stores - Keychain
+id: b120b587-a4c2-4b94-875d-99c9807d6955
+status: experimental
+description: Detects passwords dumps from Keychain
+author: Tim Ismilyaev, oscd.community, Florian Roth
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+ - https://gist.github.com/Capybara/6228955
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection1:
+ Image: '/usr/bin/security'
+ CommandLine|contains:
+ - 'find-certificate'
+ - ' export '
+ selection2:
+ CommandLine|contains:
+ - ' dump-keychain '
+ - ' login-keychain '
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1555.001
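Review bot: `selection2` has no `Image` constraint, so any process whose arguments contain ` dump-keychain ` or ` login-keychain ` fires, whereas `selection1` is pinned to `/usr/bin/security`; adding `Image: '/usr/bin/security'` to `selection2` keeps the two consistent. In `selection1` the list under `CommandLine|contains` is an OR, so `find-certificate` alone triggers the rule and routine certificate lookups will match; if the export-to-file case is what is meant, `CommandLine|contains|all` expresses it. The description `Detects passwords dumps from Keychain` should read `Detects password dumps from the Keychain`.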
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
new file mode 100644
index 000000000..0f843c789
--- /dev/null
+++ b/rules/linux/macos_disable_security_tools.yml
@@ -0,0 +1,42 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ launchctl_unload:
+ Image: '/bin/launchctl'
+ CommandLine|contains: 'unload'
+ security_plists:
+ CommandLine|contains:
+ - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
+ - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
+ - 'com.google.santad.plist' # google santa
+ - 'com.carbonblack.defense.daemon.plist' # carbon black
+ - 'com.carbonblack.daemon.plist' # carbon black
+ - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
+ - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
+ - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+ - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
+ - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
+ - 'osquery' # facebook osquery
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'td-agent' # fluentd log shipper
+ disable_gatekeeper:
+ Image: '/usr/sbin/spctl'
+ CommandLine|contains: 'disable'
+ condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+ - Legitimate activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
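Review bot: `launchctl_unload` only matches the `unload` subcommand, while `launchctl bootout` and `launchctl remove` stop the same daemons and are not covered; a list under that field, `CommandLine|contains:` with `'unload'`, `'bootout'` and `'remove'`, closes the gap. The bare entries `'osquery'`, `'filebeat'`, `'auditbeat'`, `'packetbeat'` and `'td-agent'` in `security_plists` are not tied to a `.plist` name like the rest, so any `launchctl unload` of a label containing those words matches — probably intended, but worth a comment. `falsepositives: Legitimate activities` is vaguer than the `Legitimate administration activities` used by the sibling rules, and the file ends without a trailing newline.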
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos_emond_launch_daemon.yml
new file mode 100644
index 000000000..1c904a61b
--- /dev/null
+++ b/rules/linux/macos_emond_launch_daemon.yml
@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+ - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+ category: file_event
+ product: macos
+detection:
+ selection_1:
+ TargetFilename|contains: '/etc/emond.d/rules/'
+ TargetFilename|endswith: '.plist'
+ selection_2:
+ TargetFilename|contains: '/private/var/db/emondClients/'
+ condition: selection_1 or selection_2
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.014
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml
new file mode 100644
index 000000000..025babc38
--- /dev/null
+++ b/rules/linux/macos_file_and_directory_discovery.yml
@@ -0,0 +1,31 @@
+title: File and Directory Discovery
+id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ file_with_asterisk:
+ Image: '/usr/bin/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image: '/bin/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image: '/usr/bin/find'
+ mdfind_execution:
+ Image: '/usr/bin/mdfind'
+ tree_execution|endswith:
+ Image: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
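Review bot: The `|endswith` modifier on `tree_execution|endswith:` is attached to the selection name instead of the field, so the selection either fails to parse or compares `Image` for equality with `/tree`, which never matches a full path; it should read `tree_execution:` with `Image|endswith: '/tree'` beneath it. `find_execution` and `mdfind_execution` match every invocation of those binaries with no command-line constraint, which is defensible at `informational` but will be very noisy on developer hosts where scripts call `find`/`mdfind` constantly — a comment stating that this is a baselining rule would help. The file also lacks a trailing newline.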
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
new file mode 100644
index 000000000..2f47f1034
--- /dev/null
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -0,0 +1,28 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep and laZagne'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/grep'
+ CommandLine|contains:
+ - 'password'
+ selection2:
+ CommandLine|contains: 'laZagne'
+ condition: selection1 or selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
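Review bot: `selection1` fires on any `grep` whose arguments contain `password`, which is routine on developer and admin hosts, yet the rule is rated `high` with `falsepositives: 'Unknown'`; either lower the level or narrow the selection (for example requiring a sensitive path or excluding known source-tree locations) and describe the expected noise in `falsepositives`. `selection2` has no `Image` constraint, so a `grep laZagne` over documentation or a scanner that mentions the tool name also matches. The description `Detecting attempts to extract passwords with grep and laZagne` should use the same `Detects ...` form as the other rules.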
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml
new file mode 100644
index 000000000..22b42e1c4
--- /dev/null
+++ b/rules/linux/macos_gui_input_capture.yml
@@ -0,0 +1,39 @@
+title: GUI Input Capture - macOS
+id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
+status: experimental
+description: Detects attempts to use system dialog prompts to capture user credentials
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
+ - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image:
+ - '/usr/sbin/osascript'
+ selection2:
+ Commandline|contains|all:
+ - '-e'
+ - 'display'
+ - 'dialog'
+ - 'answer'
+ selection3:
+ Commandline|contains:
+ - 'admin'
+ - 'administrator'
+ - 'authenticate'
+ - 'authentication'
+ - 'credentials'
+ - 'pass'
+ - 'password'
+ - 'unlock'
+ condition: all of them
+falsepositives:
+ - Legitimate administration tools and activities
+level: low
+tags:
+ - attack.credential_access
+ - attack.t1056.002
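Review bot: `selection2` and `selection3` use the field name `Commandline` (lowercase `l`), while every other process_creation rule in this change uses `CommandLine`; Sigma field mapping is case-sensitive, so these selections will not be mapped by the process_creation config and `all of them` can never be satisfied. The same misspelling appears in `selection2` of rules/linux/macos_system_network_discovery.yml on its `Commandline|contains|all` line; both should read `CommandLine|contains|all:`. Separately, `selection1` pins `Image` to `/usr/sbin/osascript`, but on stock macOS the binary is installed under `/usr/bin`, so `Image|endswith: '/osascript'` is safer — worth verifying on a test host.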
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml
new file mode 100644
index 000000000..638fb1ba9
--- /dev/null
+++ b/rules/linux/macos_local_account.yml
@@ -0,0 +1,48 @@
+title: Local System Accounts Discovery
+id: ddf36b67-e872-4507-ab2e-46bda21b842c
+status: experimental
+description: Detects enumeration of local systeam accounts on MacOS
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains|all:
+ - 'list'
+ - '/users'
+ selection_2:
+ Image|endswith:
+ - '/dscacheutil'
+ CommandLine|contains|all:
+ - '-q'
+ - 'user'
+ selection_3:
+ CommandLine|contains:
+ - "'x:0:'"
+ selection_4:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/sudoers'
+ selection_5:
+ Image|endswith:
+ - '/id'
+ selection_6:
+ Image|endswith:
+ - '/lsof'
+ CommandLine|contains:
+ - '-u'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
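Review bot: `selection_3` searches for `"'x:0:'"` including the single quotes, but a shell strips those quotes before `exec`, so a process-creation source that records argv will contain `x:0:` without them and the selection never matches; `CommandLine|contains: 'x:0:'` is the portable form. `selection_5` matches every `id` invocation with no command-line constraint, and `id` is called from countless login and build scripts, so expect this rule to be the noisiest of the set even at `low`. The description also has a typo: `systeam` should be `system`.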
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
new file mode 100644
index 000000000..7cffce09d
--- /dev/null
+++ b/rules/linux/macos_local_groups.yml
@@ -0,0 +1,36 @@
+title: Local Groups Discovery
+id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/dscacheutil'
+ CommandLine|contains|all:
+ - '-q'
+ - 'group'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ selection_3:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains|all:
+ - '-list'
+ - '/groups'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1069.001
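Review bot: `selection_3` requires `-list` with a leading dash, but `dscl` accepts both `-list` and `list`, and rules/linux/macos_local_account.yml matches the same binary with `'list'`; using `'list'` here covers both spellings and keeps the two rules consistent. A one-line comment on `selection_2` noting that only `cat` of `/etc/group` is covered would make the rule's intended scope explicit.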
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml
new file mode 100644
index 000000000..8faa5b721
--- /dev/null
+++ b/rules/linux/macos_network_service_scanning.yml
@@ -0,0 +1,29 @@
+title: MacOS Network Service Scanning
+id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/nc'
+ - '/netcat'
+ selection_2:
+ Image|endswith:
+ - '/nmap'
+ - '/telnet'
+ filter:
+ CommandLine|contains: 'l'
+ condition: (selection_1 and not filter) or selection_2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1046
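Review bot: The `filter` selection `CommandLine|contains: 'l'` excludes every command line containing the letter `l` anywhere — a hostname such as `localhost` or any path is enough — so `selection_1` is effectively suppressed for almost all real `nc`/`netcat` invocations. If the intent is to exclude listener mode, match the flag rather than the letter, e.g. `CommandLine|contains: ' -l'`, and add a comment saying why listeners are filtered out. `selection_2` matches every `telnet` run, which may be acceptable at `low` but should be stated in `falsepositives`.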
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml
new file mode 100644
index 000000000..ef95ea36d
--- /dev/null
+++ b/rules/linux/macos_network_sniffing.yml
@@ -0,0 +1,24 @@
+title: Network Sniffing
+id: adc9bcc4-c39c-4f6b-a711-1884017bf043
+status: experimental
+description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/tcpdump'
+ - '/tshark'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.t1040
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
new file mode 100644
index 000000000..a7a1fdf22
--- /dev/null
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -0,0 +1,48 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ Image|endswith:
+ - '/arp'
+ CommandLine|contains:
+ - '-a'
+ selection_2:
+ Image|endswith:
+ - '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml
new file mode 100644
index 000000000..c757d014f
--- /dev/null
+++ b/rules/linux/macos_schedule_task_job_cron.yml
@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 7c3b43d8-d794-47d2-800a-d277715aa460
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/crontab'
+ CommandLine|contains:
+ - '/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml
new file mode 100644
index 000000000..18fb1bf32
--- /dev/null
+++ b/rules/linux/macos_screencapture.yml
@@ -0,0 +1,22 @@
+title: Screen Capture - macOS
+id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
+status: experimental
+description: Detects attempts to use screencapture to collect macOS screenshots
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+ - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image: '/usr/sbin/screencapture'
+ condition: selection
+falsepositives:
+ - Legitimate user activity taking screenshots
+level: low
+tags:
+ - attack.collection
+ - attack.t1113
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml
new file mode 100644
index 000000000..ae896a953
--- /dev/null
+++ b/rules/linux/macos_security_software_discovery.yml
@@ -0,0 +1,39 @@
+title: Security Software Discovery
+id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ grep_execution:
+ Image: '/usr/bin/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'santad' # google santa
+ - 'CbDefense' # carbon black
+ - 'falcond' # crowdstrike falcon
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'BlockBlock' # Objective-See persistence locations watcher/blocker
+ - 'LuLu' # Objective-See firewall management utility
+ little_snitch_process: # Objective Development Software firewall management utility
+ CommandLine|contains|all:
+ - 'Little'
+ - 'Snitch'
+ condition: grep_execution and security_services_and_processes or
+ grep_execution and little_snitch_process
+falsepositives:
+ - Legitimate activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
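Review bot: The description `Detects usage of system utilities (only grep for now) to discover security software discovery` repeats the noun; it should end `to discover security software`. `grep_execution` pins `Image` to the exact path `/usr/bin/grep` while the other rules in this change use `Image|endswith`, so a `grep` installed elsewhere (or `egrep`/`fgrep`) is not covered — if that is deliberate a comment would help. The file also lacks a trailing newline.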
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml
new file mode 100644
index 000000000..f65d96dee
--- /dev/null
+++ b/rules/linux/macos_split_file_into_pieces.yml
@@ -0,0 +1,23 @@
+title: 'Split A File Into Pieces'
+id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see link
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/split'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1030
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml
new file mode 100644
index 000000000..89102e3ff
--- /dev/null
+++ b/rules/linux/macos_startup_items.yml
@@ -0,0 +1,24 @@
+title: Startup Items
+id: dfe8b941-4e54-4242-b674-6b613d521962
+status: experimental
+description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+logsource:
+ category: file_event
+ product: macos
+detection:
+ selection_1:
+ TargetFilename|contains: '/Library/StartupItems/'
+ selection_2:
+ TargetFilename|endswith: '.plist'
+ condition: selection_1 and selection_2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1037.005
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml
new file mode 100644
index 000000000..b643bfbb3
--- /dev/null
+++ b/rules/linux/macos_susp_histfile_operations.yml
@@ -0,0 +1,33 @@
+title: 'Suspicious History File Operations'
+id: 508a9374-ad52-4789-b568-fc358def2c65
+status: experimental
+description: 'Detects commandline operations on shell history files'
+ # Rule detects presence of various shell history files in process commandline
+ # Normally user expected to view own history with dedicated 'history' command and not some other tools
+ # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.003
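Review bot: The comment block under `description` has a typo, `techinuque` → `technique`, and the second `falsepositives` entry reads `Ligitimate software, cleaning hist file`, which should be `Legitimate software cleaning the history file`. The last list entry `'fish_history'` has no leading dot or path separator unlike the others, so it also matches unrelated tokens such as `fish_history_backup`; `'/fish_history'` would be tighter.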
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml
new file mode 100644
index 000000000..1a3fb7d41
--- /dev/null
+++ b/rules/linux/macos_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image:
+ - '/usr/bin/who'
+ - '/usr/bin/w'
+ - '/usr/bin/last'
+ - '/usr/sbin/lsof'
+ - '/usr/sbin/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml
new file mode 100644
index 000000000..40b2f33d5
--- /dev/null
+++ b/rules/linux/macos_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - macOS
+id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
+status: experimental
+description: Detects enumeration of local network configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image:
+ - '/usr/sbin/netstat'
+ - '/sbin/ifconfig'
+ - '/usr/sbin/ipconfig'
+ - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+ - '/usr/sbin/networksetup'
+ - '/usr/sbin/arp'
+ selection2:
+ Image: '/usr/bin/defaults'
+ Commandline|contains|all:
+ - 'read'
+ - '/Library/Preferences/com.apple.alf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml
new file mode 100644
index 000000000..fe4d4b645
--- /dev/null
+++ b/rules/linux/macos_system_shutdown_reboot.yml
@@ -0,0 +1,26 @@
+title: 'System Shutdown/Reboot'
+id: 40b1fbe2-18ea-4ee7-be47-0294285811de
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/shutdown'
+ - '/reboot'
+ - '/halt'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: informational
+tags:
+ - attack.impact
+ - attack.t1529
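Review bot: The reference URL begins with `hhttps://`, a typo that makes the link unresolvable; it should be `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. The description `Adversaries may shutdown/reboot systems ...` describes the technique rather than what the rule detects; the sibling rules use a `Detects ...` sentence, e.g. `Detects execution of shutdown, reboot or halt`.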
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml
new file mode 100644
index 000000000..8c4ac76c2
--- /dev/null
+++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml
@@ -0,0 +1,24 @@
+title: Gatekeeper Bypass via Xattr
+id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
+status: experimental
+description: Detects macOS Gatekeeper bypass via xattr utility
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith: '/xattr'
+ CommandLine|contains|all:
+ - '-r'
+ - 'com.apple.quarantine'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1553.001
\ No newline at end of file
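Review bot: `CommandLine|contains|all` requires both `-r` and `com.apple.quarantine`, but `-r` is only the recursive switch; the common non-recursive removal of the attribute uses `-d` (or `-c` to clear all attributes) without `-r`, so this rule misses the form the referenced atomic test exercises. Matching the attribute name together with any of `'-d'`, `'-c'`, `'-r'` in a second selection would track the behaviour rather than one option. The file also lacks a trailing newline.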
diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml
index 8af84a946..6031ac587 100644
--- a/rules/network/net_susp_dns_b64_queries.yml
+++ b/rules/network/net_susp_dns_b64_queries.yml
@@ -11,8 +11,8 @@ logsource:
category: dns
detection:
selection:
- query:
- - '*==.*'
+ query|contains:
+ - '==.'
condition: selection
falsepositives:
- Unknown
@@ -23,4 +23,4 @@ tags:
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- - attack.t1071.004
\ No newline at end of file
+ - attack.t1071.004
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 7632d31f3..4e97c3493 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -13,10 +13,10 @@ logsource:
detection:
selection:
record_type: 'TXT'
- answer:
- - '*IEX*'
- - '*Invoke-Expression*'
- - '*cmd.exe*'
+ answer|contains:
+ - 'IEX'
+ - 'Invoke-Expression'
+ - 'cmd.exe'
condition: selection
falsepositives:
- Unknown
@@ -24,4 +24,4 @@ level: high
tags:
- attack.command_and_control
- attack.t1071 # an old one
- - attack.t1071.004
\ No newline at end of file
+ - attack.t1071.004
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
index a625e2078..9fe207555 100644
--- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -15,11 +15,11 @@ date: 2020/05/01
modified: 2020/09/02
detection:
selection_webdav:
- - c-useragent: '*WebDAV*'
- - c-uri: '*webdav*'
+ - c-useragent|contains: 'WebDAV'
+ - c-uri|contains: 'webdav'
selection_executable:
- - resp_mime_types: '*dosexec*'
- - c-uri: '*.exe'
+ - resp_mime_types|contains: 'dosexec'
+ - c-uri|endswith: '.exe'
condition: selection_webdav AND selection_executable
falsepositives:
- unknown
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 48a607a55..44d812ee7 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -16,8 +16,11 @@ logsource:
service: smb_files
detection:
selection:
- path: '\\*ADMIN$'
- name: '*SYSTEM32\\*.tmp'
+ path|contains|all:
+ - '\'
+ - 'ADMIN$'
+ name|contains: 'SYSTEM32\'
+ name|endswith: '.tmp'
condition: selection
falsepositives:
- 'unknown'
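Review bot: The `'\'` entry in `path|contains|all` matches any SMB path (every UNC path contains a backslash), so the selection reduces to `path|contains: 'ADMIN$'`; the original `'\\*ADMIN$'` is better preserved by `path|endswith: 'ADMIN$'`. The same construct appears in rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml, where `selection1` and `selection2` write the literal backslash as `'\\'` while this file writes `'\'` — Sigma treats both as one literal backslash, but the two files should agree, and `path|endswith: '\IPC$'` would again carry the original semantics there. A short comment on `name|contains: 'SYSTEM32\'` noting that the trailing backslash is intentional would spare the next reader a double-take.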
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 2f29807f8..34da2addf 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -14,14 +14,18 @@ logsource:
service: smb_files
detection:
selection1:
- path: \\*\IPC$
- name:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ path|contains|all:
+ - '\\'
+ - '\IPC$'
+ name|endswith:
+ - '-stdin'
+ - '-stdout'
+ - '-stderr'
selection2:
- name: \\*\IPC$
- path: 'PSEXESVC*'
+ name|contains|all:
+ - '\\'
+ - '\IPC$'
+ path|startswith: 'PSEXESVC'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 7e5880e00..5604b7171 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -12,19 +12,19 @@ logsource:
service: smb_files
detection:
selection:
- name:
- - '*.pst'
- - '*.ost'
- - '*.msg'
- - '*.nst'
- - '*.oab'
- - '*.edb'
- - '*.nsf'
- - '*.bak'
- - '*.dmp'
- - '*.kirbi'
- - '*\groups.xml'
- - '*.rdp'
+ name|endswith:
+ - '.pst'
+ - '.ost'
+ - '.msg'
+ - '.nst'
+ - '.oab'
+ - '.edb'
+ - '.nsf'
+ - '.bak'
+ - '.dmp'
+ - '.kirbi'
+ - '\groups.xml'
+ - '.rdp'
condition: selection
fields:
- ComputerName
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 75c4cc801..c5b85768e 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -17,7 +17,7 @@ detection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
- service: '$*'
+ service|startswith: '$'
condition: selection and not computer_acct
falsepositives:
- normal enterprise SPN requests activity
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index 9a4e0ecd0..5fd9a8641 100644
--- a/rules/proxy/proxy_chafer_malware.yml
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -10,7 +10,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/asp.asp?ui=*'
+ c-uri|contains: '/asp.asp?ui='
condition: selection
fields:
- ClientIP
@@ -22,4 +22,4 @@ level: critical
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml
index 9bbaedc7e..e604589b8 100644
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@@ -16,7 +16,7 @@ detection:
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
- cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+ cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
cs-method: 'POST'
@@ -30,4 +30,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml
index e57a85e6a..d657963aa 100644
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@@ -16,7 +16,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/oscp/*'
+ c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
condition: selection
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index 08457c817..30975e58a 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects Malleable OneDrive Profile
author: Markus Neis
date: 2019/11/12
-modified: 2020/09/02
+modified: 2020/11/28
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
logsource:
@@ -12,10 +12,11 @@ logsource:
detection:
selection:
cs-method: 'GET'
- c-uri: '*?manifest=wac'
+ c-uri|endswith: '?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
- c-uri: 'http*://onedrive.live.com/*'
+ c-uri|startswith: 'http'
+ c-uri|contains: '://onedrive.live.com/'
condition: selection and not filter
falsepositives:
- Unknown
@@ -24,4 +25,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 708beca24..4a73e87b4 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -30,77 +30,77 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- r-dns:
- - '*.hopto.org'
- - '*.no-ip.org'
- - '*.no-ip.info'
- - '*.no-ip.biz'
- - '*.no-ip.com'
- - '*.noip.com'
- - '*.ddns.name'
- - '*.myftp.org'
- - '*.myftp.biz'
- - '*.serveblog.net'
- - '*.servebeer.com'
- - '*.servemp3.com'
- - '*.serveftp.com'
- - '*.servequake.com'
- - '*.servehalflife.com'
- - '*.servehttp.com'
- - '*.servegame.com'
- - '*.servepics.com'
- - '*.myvnc.com'
- - '*.ignorelist.com'
- - '*.jkub.com'
- - '*.dlinkddns.com'
- - '*.jumpingcrab.com'
- - '*.ddns.info'
- - '*.mooo.com'
- - '*.dns-dns.com'
- - '*.strangled.net'
- - '*.adultdns.net'
- - '*.craftx.biz'
- - '*.ddns01.com'
- - '*.dns53.biz'
- - '*.dnsapi.info'
- - '*.dnsd.info'
- - '*.dnsdynamic.com'
- - '*.dnsdynamic.net'
- - '*.dnsget.org'
- - '*.fe100.net'
- - '*.flashserv.net'
- - '*.ftp21.net'
- - '*.http01.com'
- - '*.http80.info'
- - '*.https443.com'
- - '*.imap01.com'
- - '*.kadm5.com'
- - '*.mysq1.net'
- - '*.ns360.info'
- - '*.ntdll.net'
- - '*.ole32.com'
- - '*.proxy8080.com'
- - '*.sql01.com'
- - '*.ssh01.com'
- - '*.ssh22.net'
- - '*.tempors.com'
- - '*.tftpd.net'
- - '*.ttl60.com'
- - '*.ttl60.org'
- - '*.user32.com'
- - '*.voip01.com'
- - '*.wow64.net'
- - '*.x64.me'
- - '*.xns01.com'
- - '*.dyndns.org'
- - '*.dyndns.info'
- - '*.dyndns.tv'
- - '*.dyndns-at-home.com'
- - '*.dnsomatic.com'
- - '*.zapto.org'
- - '*.webhop.net'
- - '*.25u.com'
- - '*.slyip.net'
+ r-dns|endswith:
+ - '.hopto.org'
+ - '.no-ip.org'
+ - '.no-ip.info'
+ - '.no-ip.biz'
+ - '.no-ip.com'
+ - '.noip.com'
+ - '.ddns.name'
+ - '.myftp.org'
+ - '.myftp.biz'
+ - '.serveblog.net'
+ - '.servebeer.com'
+ - '.servemp3.com'
+ - '.serveftp.com'
+ - '.servequake.com'
+ - '.servehalflife.com'
+ - '.servehttp.com'
+ - '.servegame.com'
+ - '.servepics.com'
+ - '.myvnc.com'
+ - '.ignorelist.com'
+ - '.jkub.com'
+ - '.dlinkddns.com'
+ - '.jumpingcrab.com'
+ - '.ddns.info'
+ - '.mooo.com'
+ - '.dns-dns.com'
+ - '.strangled.net'
+ - '.adultdns.net'
+ - '.craftx.biz'
+ - '.ddns01.com'
+ - '.dns53.biz'
+ - '.dnsapi.info'
+ - '.dnsd.info'
+ - '.dnsdynamic.com'
+ - '.dnsdynamic.net'
+ - '.dnsget.org'
+ - '.fe100.net'
+ - '.flashserv.net'
+ - '.ftp21.net'
+ - '.http01.com'
+ - '.http80.info'
+ - '.https443.com'
+ - '.imap01.com'
+ - '.kadm5.com'
+ - '.mysq1.net'
+ - '.ns360.info'
+ - '.ntdll.net'
+ - '.ole32.com'
+ - '.proxy8080.com'
+ - '.sql01.com'
+ - '.ssh01.com'
+ - '.ssh22.net'
+ - '.tempors.com'
+ - '.tftpd.net'
+ - '.ttl60.com'
+ - '.ttl60.org'
+ - '.user32.com'
+ - '.voip01.com'
+ - '.wow64.net'
+ - '.x64.me'
+ - '.xns01.com'
+ - '.dyndns.org'
+ - '.dyndns.info'
+ - '.dyndns.tv'
+ - '.dyndns-at-home.com'
+ - '.dnsomatic.com'
+ - '.zapto.org'
+ - '.webhop.net'
+ - '.25u.com'
+ - '.slyip.net'
condition: selection
fields:
- cs-ip
@@ -112,4 +112,4 @@ tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1105
- - attack.t1568
\ No newline at end of file
+ - attack.t1568
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index 26fb1c0eb..76081c8d8 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -33,73 +33,73 @@ detection:
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- r-dns:
+ r-dns|endswith:
# Symantec / Chris Larsen analysis
- - '*.country'
- - '*.stream'
- - '*.gdn'
- - '*.mom'
- - '*.xin'
- - '*.kim'
- - '*.men'
- - '*.loan'
- - '*.download'
- - '*.racing'
- - '*.online'
- - '*.science'
- - '*.ren'
- - '*.gb'
- - '*.win'
- - '*.top'
- - '*.review'
- - '*.vip'
- - '*.party'
- - '*.tech'
- - '*.xyz'
- - '*.date'
- - '*.faith'
- - '*.zip'
- - '*.cricket'
- - '*.space'
+ - '.country'
+ - '.stream'
+ - '.gdn'
+ - '.mom'
+ - '.xin'
+ - '.kim'
+ - '.men'
+ - '.loan'
+ - '.download'
+ - '.racing'
+ - '.online'
+ - '.science'
+ - '.ren'
+ - '.gb'
+ - '.win'
+ - '.top'
+ - '.review'
+ - '.vip'
+ - '.party'
+ - '.tech'
+ - '.xyz'
+ - '.date'
+ - '.faith'
+ - '.zip'
+ - '.cricket'
+ - '.space'
# McAfee report
- - '*.info'
- - '*.vn'
- - '*.cm'
- - '*.am'
- - '*.cc'
- - '*.asia'
- - '*.ws'
- - '*.tk'
- - '*.biz'
- - '*.su'
- - '*.st'
- - '*.ro'
- - '*.ge'
- - '*.ms'
- - '*.pk'
- - '*.nu'
- - '*.me'
- - '*.ph'
- - '*.to'
- - '*.tt'
- - '*.name'
- - '*.tv'
- - '*.kz'
- - '*.tc'
- - '*.mobi'
+ - '.info'
+ - '.vn'
+ - '.cm'
+ - '.am'
+ - '.cc'
+ - '.asia'
+ - '.ws'
+ - '.tk'
+ - '.biz'
+ - '.su'
+ - '.st'
+ - '.ro'
+ - '.ge'
+ - '.ms'
+ - '.pk'
+ - '.nu'
+ - '.me'
+ - '.ph'
+ - '.to'
+ - '.tt'
+ - '.name'
+ - '.tv'
+ - '.kz'
+ - '.tc'
+ - '.mobi'
# Spamhaus
- - '*.study'
- - '*.click'
- - '*.link'
- - '*.trade'
- - '*.accountant'
+ - '.study'
+ - '.click'
+ - '.link'
+ - '.trade'
+ - '.accountant'
# Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- - '*.cf'
- - '*.gq'
- - '*.ml'
- - '*.ga'
+ - '.cf'
+ - '.gq'
+ - '.ml'
+ - '.ga'
# Custom
- - '*.pw'
+ - '.pw'
condition: selection
fields:
- ClientIP
@@ -113,4 +113,4 @@ tags:
- attack.execution
- attack.t1203
- attack.t1204.002
- - attack.t1204 # an old one
\ No newline at end of file
+ - attack.t1204 # an old one
diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
index 9b66a43ad..9b9200c5d 100644
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@@ -29,25 +29,25 @@ detection:
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
- r-dns:
- - '*.com'
- - '*.org'
- - '*.net'
- - '*.edu'
- - '*.gov'
- - '*.uk'
- - '*.ca'
- - '*.de'
- - '*.jp'
- - '*.fr'
- - '*.au'
- - '*.us'
- - '*.ch'
- - '*.it'
- - '*.nl'
- - '*.se'
- - '*.no'
- - '*.es'
+ r-dns|endswith:
+ - '.com'
+ - '.org'
+ - '.net'
+ - '.edu'
+ - '.gov'
+ - '.uk'
+ - '.ca'
+ - '.de'
+ - '.jp'
+ - '.fr'
+ - '.au'
+ - '.us'
+ - '.ch'
+ - '.it'
+ - '.nl'
+ - '.se'
+ - '.no'
+ - '.es'
# Extend this list as needed
condition: selection and not filter
fields:
diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml
index 472ec041d..c1a8bf30f 100644
--- a/rules/proxy/proxy_downloadcradle_webdav.yml
+++ b/rules/proxy/proxy_downloadcradle_webdav.yml
@@ -11,7 +11,7 @@ logsource:
category: proxy
detection:
selection:
- c-useragent: 'Microsoft-WebDAV-MiniRedir/*'
+ c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
fields:
@@ -27,4 +27,4 @@ level: high
tags:
- attack.command_and_control
- attack.t1071.001
- - attack.t1043 # an old one
\ No newline at end of file
+ - attack.t1043 # an old one
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index 9501f8f1f..a1f1ee1a0 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -12,7 +12,7 @@ logsource:
category: proxy
detection:
selection:
- c-uri: '*/list/suc?name=*'
+ c-uri|contains: '/list/suc?name='
condition: selection
fields:
- ClientIP
@@ -30,4 +30,4 @@ tags:
- attack.credential_access
- attack.t1528
- attack.t1552.001
- - attack.t1081 # an old one
\ No newline at end of file
+ - attack.t1081 # an old one
diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml
index c03e2182a..f3d91771e 100644
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@@ -11,7 +11,7 @@ logsource:
category: proxy
detection:
selection:
- c-useragent: '* WindowsPowerShell/*'
+ c-useragent|contains: ' WindowsPowerShell/'
condition: selection
fields:
- ClientIP
@@ -24,4 +24,4 @@ level: medium
tags:
- attack.defense_evasion
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index 402bcb514..521ab197a 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -4,17 +4,17 @@ status: experimental
description: Detects a flashplayer update from an unofficial location
author: Florian Roth
date: 2017/10/25
+modified: 2020/11/28
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
logsource:
category: proxy
detection:
selection:
- c-uri-query:
- - '*/install_flash_player.exe'
- - '*/flash_install.php*'
+ - c-uri-query|contains: '/flash_install.php'
+ - c-uri-query|endswith: '/install_flash_player.exe'
filter:
- c-uri-stem: '*.adobe.com/*'
+ c-uri-stem|contains: '.adobe.com/'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
@@ -27,4 +27,4 @@ tags:
- attack.t1204 # an old one
- attack.defense_evasion
- attack.t1036.005
- - attack.t1036 # an old one
\ No newline at end of file
+ - attack.t1036 # an old one
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml
index a4a79014f..eda3a5ef9 100644
--- a/rules/proxy/proxy_telegram_api.yml
+++ b/rules/proxy/proxy_telegram_api.yml
@@ -16,10 +16,10 @@ detection:
r-dns:
- 'api.telegram.org' # Often used by Bots
filter:
- c-useragent:
+ c-useragent|contains:
# Used https://core.telegram.org/bots/samples for this list
- - '*Telegram*'
- - '*Bot*'
+ - 'Telegram'
+ - 'Bot'
condition: selection and not filter
fields:
- ClientIP
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index f31994036..d0c169d4e 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -9,13 +9,13 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
- - 'Microsoft BITS/*'
+ c-useragent|startswith:
+ - 'Microsoft BITS/'
falsepositives:
- r-dns:
- - '*.com'
- - '*.net'
- - '*.org'
+ r-dns|endswith:
+ - '.com'
+ - '.net'
+ - '.org'
condition: selection and not falsepositives
fields:
- ClientIP
@@ -30,4 +30,4 @@ tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- - attack.s0190
\ No newline at end of file
+ - attack.s0190
diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml
index d1d0b763d..ea4a3bd26 100644
--- a/rules/proxy/proxy_ua_cryptominer.yml
+++ b/rules/proxy/proxy_ua_cryptominer.yml
@@ -12,11 +12,11 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
+ c-useragent|startswith:
# XMRig
- - 'XMRig *'
+ - 'XMRig '
# CCMiner
- - 'ccminer*'
+ - 'ccminer'
condition: selection
fields:
- ClientIP
@@ -27,4 +27,4 @@ falsepositives:
level: high
tags:
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index 7ebcc109b..1e2f96537 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -12,58 +12,58 @@ logsource:
category: proxy
detection:
selection:
- c-useragent:
- # Vulnerability scanner and brute force tools
- - '*(hydra)*'
- - '* arachni/*'
- - '* BFAC *'
- - '* brutus *'
- - '* cgichk *'
- - '*core-project/1.0*'
- - '* crimscanner/*'
- - '*datacha0s*'
- - '*dirbuster*'
- - '*domino hunter*'
- - '*dotdotpwn*'
- - 'FHScan Core'
- - '*floodgate*'
- - '*get-minimal*'
- - '*gootkit auto-rooter scanner*'
- - '*grendel-scan*'
- - '* inspath *'
- - '*internet ninja*'
- - '*jaascois*'
- - '* zmeu *'
- - '*masscan*'
- - '* metis *'
- - '*morfeus fucking scanner*'
- - '*n-stealth*'
- - '*nsauditor*'
- - '*pmafind*'
- - '*security scan*'
- - '*springenwerk*'
- - '*teh forest lobster*'
- - '*toata dragostea*'
- - '* vega/*'
- - '*voideye*'
- - '*webshag*'
- - '*webvulnscan*'
- - '* whcc/*'
+ c-useragent|contains:
+ # Vulnerbility scanner and brute force tools
+ - '(hydra)'
+ - ' arachni/'
+ - ' BFAC '
+ - ' brutus '
+ - ' cgichk '
+ - 'core-project/1.0'
+ - ' crimscanner/'
+ - 'datacha0s'
+ - 'dirbuster'
+ - 'domino hunter'
+ - 'dotdotpwn'
+ - 'FHScan Core'
+ - 'floodgate'
+ - 'get-minimal'
+ - 'gootkit auto-rooter scanner'
+ - 'grendel-scan'
+ - ' inspath '
+ - 'internet ninja'
+ - 'jaascois'
+ - ' zmeu '
+ - 'masscan'
+ - ' metis '
+ - 'morfeus fucking scanner'
+ - 'n-stealth'
+ - 'nsauditor'
+ - 'pmafind'
+ - 'security scan'
+ - 'springenwerk'
+ - 'teh forest lobster'
+ - 'toata dragostea'
+ - ' vega/'
+ - 'voideye'
+ - 'webshag'
+ - 'webvulnscan'
+ - ' whcc/'
- # SQL Injection
- - '* Havij'
- - '*absinthe*'
- - '*bsqlbf*'
- - '*mysqloit*'
- - '*pangolin*'
- - '*sql power injector*'
- - '*sqlmap*'
- - '*sqlninja*'
- - '*uil2pn*'
+ # SQL Injection
+ - ' Havij'
+ - 'absinthe'
+ - 'bsqlbf'
+ - 'mysqloit'
+ - 'pangolin'
+ - 'sql power injector'
+ - 'sqlmap'
+ - 'sqlninja'
+ - 'uil2pn'
- # Hack tool
- - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
+ # Hack tool
+ - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
fields:
- ClientIP
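Review bot: Three entries that carried no wildcard in the old list — `'FHScan Core'`, `'ruler'` and the SQLi Dumper Mozilla string — were exact-equality matches and become substring matches under `c-useragent|contains`, which for `'ruler'` means any user agent merely containing those five letters now fires. If exact matching is still wanted for them, keep them in a separate plain `c-useragent:` map and make `selection` a list of two maps (the OR form used elsewhere in this commit). The rewritten comment also introduces a typo: `# Vulnerbility scanner and brute force tools` should read `# Vulnerability scanner and brute force tools`.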
@@ -76,4 +76,4 @@ tags:
- attack.initial_access
- attack.t1190
- attack.credential_access
- - attack.t1110
\ No newline at end of file
+ - attack.t1110
diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
index 682ff4b72..1445ed4f3 100644
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -4,12 +4,15 @@ status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
-modified: 2020/09/03
+modified: 2020/11/28
logsource:
category: proxy
detection:
selection:
- c-uri: '*/*.php?l=*.cab'
+ c-uri|contains|all:
+ - '/'
+ - '.php?l='
+ c-uri|endswith: '.cab'
sc-status: 200
condition: selection
fields:
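Review bot: The `'/'` entry in the new `c-uri|contains|all` list adds no constraint, since practically every URI carries a slash, while the old `'*/*.php?l=*.cab'` pattern at least required the `.php` segment to sit directly after a path separator. Dropping the entry leaves the effective match unchanged and reads cleaner; if the segment ordering matters to the detection, a single `c-uri|re: '/[^/?]*\.php\?l=.*\.cab$'` (constructed, adjust to the backend's regex dialect) expresses it without the ambiguity.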
@@ -32,13 +35,13 @@ logsource:
category: proxy
detection:
b64encoding:
- c-uri:
- - "*_2f*"
- - "*_2b*"
+ c-uri|contains:
+ - "_2f"
+ - "_2b"
urlpatterns:
- c-uri|all:
- - "*.avi"
- - "*/images/*"
+ c-uri|contains|all:
+ - ".avi"
+ - "/images/"
condition: b64encoding and urlpatterns
fields:
- c-ip
@@ -56,4 +59,4 @@ tags:
- attack.t1204.002
- attack.t1204 # an old one
- attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
new file mode 100644
index 000000000..8a240ab40
--- /dev/null
+++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -0,0 +1,30 @@
+title: CVE-2021-21978 Exploitation Attempt
+id: 77586a7f-7ea4-4c41-b19c-820140b84ca9
+status: experimental
+description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
+author: Bhabesh Raj
+date: 2020/03/10
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
+ - https://twitter.com/wugeej/status/1369476795255320580
+ - https://paper.seebug.org/1495/
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - 'logupload'
+ - 'logMetaData'
+ - 'wsgi_log_upload.py'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
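Review bot: `date: 2020/03/10` predates the vulnerability the rule detects: CVE-2021-21978 is a 2021 identifier and the cited references are from 2021, so the year looks like a typo for `date: 2021/03/10`. The new file also ends without a trailing newline (`\ No newline at end of file`), which this same commit is fixing in the proxy rules above.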
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index fc068bf4e..b4ccdb5c3 100644
--- a/rules/web/win_webshell_regeorg.yml
+++ b/rules/web/win_webshell_regeorg.yml
@@ -13,11 +13,11 @@ logsource:
detection:
selection:
uri_query|contains:
- - '*cmd=read*'
- - '*connect&target*'
- - '*cmd=connect*'
- - '*cmd=disconnect*'
- - '*cmd=forward*'
+ - 'cmd=read'
+ - 'connect&target'
+ - 'cmd=connect'
+ - 'cmd=disconnect'
+ - 'cmd=forward'
filter:
referer: null
useragent: null
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index b44e64c24..cd9f525aa 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -19,8 +19,8 @@ detection:
selection:
EventID: 5145
ShareName: \\*\SYSVOL
- RelativeTargetName: '*ScheduledTasks.xml'
- Accesses: '*WriteData*'
+ RelativeTargetName|endswith: 'ScheduledTasks.xml'
+ Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
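Review bot: `ShareName: \\*\SYSVOL` is still a wildcard plain scalar while `RelativeTargetName` and `Accesses` two lines below were converted to modifiers, so this rule now mixes both styles. The closest modifier form is `ShareName|endswith: '\SYSVOL'`, which only gives up the leading `\\` prefix check; quoting the value also avoids the backslash-heavy plain scalar. The same applies to `ShareName: \\*\IPC$` in win_atsvc_task.yml further down in this commit.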
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml
index d7d9b1ce6..a6705cb88 100644
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@@ -21,18 +21,20 @@ detection:
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
- ObjectName:
- - '*-512'
- - '*-502'
- - '*-500'
- - '*-505'
- - '*-519'
- - '*-520'
- - '*-544'
- - '*-551'
- - '*-555'
- - '*admin*'
- condition: selection
+ selection_object:
+ - ObjectName|endswith:
+ - '-512'
+ - '-502'
+ - '-500'
+ - '-505'
+ - '-519'
+ - '-520'
+ - '-544'
+ - '-551'
+ - '-555'
+ - ObjectName|contains:
+ - 'admin'
+ condition: selection and selection_object
falsepositives:
- if source account name is not an admin then its super suspicious
level: high
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index c276804b0..99aa6af16 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -23,7 +23,7 @@ detection:
EventID: 4624
LogonType: 10
AuthenticationPackageName: Negotiate
- AccountName: 'Admin-*'
+ AccountName|startswith: 'Admin-'
condition: selection
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 22919f3bc..33ea11512 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -18,7 +18,7 @@ detection:
EventID: 5140
ShareName: Admin$
filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 882bda89c..078f02eb0 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -17,8 +17,8 @@ detection:
selection:
EventID: 4704
keywords:
- Message:
- - '*SeEnableDelegationPrivilege*'
+ Message|contains:
+ - 'SeEnableDelegationPrivilege'
condition: all of them
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index ad1a2174c..c0904ce53 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -18,13 +18,13 @@ detection:
selection:
EventID: 4738
keywords:
- Message:
- - '*DES*'
- - '*Preauth*'
- - '*Encrypted*'
+ Message|contains:
+ - 'DES'
+ - 'Preauth'
+ - 'Encrypted'
filters:
- Message:
- - '*Enabled*'
+ Message|contains:
+ - 'Enabled'
condition: selection and keywords and filters
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index 3c6ec77fc..a2cddf48a 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
EventID: 1121
- Path: '*\lsass.exe'
+ Path|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Google Chrome GoogleUpdate.exe
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 34f43994a..1280bd767 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -19,17 +19,17 @@ logsource:
product: windows
detection:
keywords:
- Message:
- - "* mimikatz *"
- - "* mimilib *"
- - "* <3 eo.oe *"
- - "* eo.oe.kiwi *"
- - "* privilege::debug *"
- - "* sekurlsa::logonpasswords *"
- - "* lsadump::sam *"
- - "* mimidrv.sys *"
- - "* p::d *"
- - "* s::l *"
+ Message|contains:
+ - "mimikatz"
+ - "mimilib"
+ - "<3 eo.oe"
+ - "eo.oe.kiwi"
+ - "privilege::debug"
+ - "sekurlsa::logonpasswords"
+ - "lsadump::sam"
+ - "mimidrv.sys"
+ - " p::d "
+ - " s::l "
condition: keywords
falsepositives:
- Naughty administrators
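Review bot: Dropping the bounding spaces from the first eight keywords widens the rule: `"* mimikatz *"` matched the token only as a standalone word, whereas `Message|contains: "mimikatz"` also hits `mimikatz.exe`, `Invoke-Mimikatz` (on backends that compare case-insensitively) and any text embedding it, while `" p::d "` and `" s::l "` keep their spaces, so the list is no longer applied uniformly. If the wider match is intended, the rule's `modified:` date (outside this hunk) should be bumped and the false-positive section revisited; if not, keep the spaces on every entry.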
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 4d07c3077..1d61e8bfe 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -17,7 +17,7 @@ detection:
selection:
EventID: 7045
ServiceName: NtsSrv
- ServiceFileName: '* LocalService'
+ ServiceFileName|endswith: ' LocalService'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index 037db2528..c0f68564f 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -21,7 +21,7 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: atsvc
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- pentesting
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index 14191d944..cbf84be0e 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -9,34 +9,32 @@ logsource:
service: application
detection:
keywords:
- Message:
- - "*HTool*"
- - "*Hacktool*"
- - "*ASP/Backdoor*"
- - "*JSP/Backdoor*"
- - "*PHP/Backdoor*"
- - "*Backdoor.ASP*"
- - "*Backdoor.JSP*"
- - "*Backdoor.PHP*"
- - "*Webshell*"
- - "*Portscan*"
- - "*Mimikatz*"
- - "*WinCred*"
- - "*PlugX*"
- - "*Korplug*"
- - "*Pwdump*"
- - "*Chopper*"
- - "*WmiExec*"
- - "*Xscan*"
- - "*Clearlog*"
- - "*ASPXSpy*"
- - "*Seatbelt*"
- - "*sbelt*"
- filters:
- Message:
- - "*Keygen*"
- - "*Crack*"
- condition: keywords and not 1 of filters
+ Message|contains:
+ - "HTool"
+ - "Hacktool"
+ - "ASP/Backdoor"
+ - "JSP/Backdoor"
+ - "PHP/Backdoor"
+ - "Backdoor.ASP"
+ - "Backdoor.JSP"
+ - "Backdoor.PHP"
+ - "Webshell"
+ - "Portscan"
+ - "Mimikatz"
+ - "WinCred"
+ - "PlugX"
+ - "Korplug"
+ - "Pwdump"
+ - "Chopper"
+ - "WmiExec"
+ - "Xscan"
+ - "Clearlog"
+ - "ASPXSpy"
+ filter:
+ Message|contains:
+ - "Keygen"
+ - "Crack"
+ condition: keywords and not filter
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
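Review bot: The new `Message|contains` list silently drops two keywords, `Seatbelt` and `sbelt`, that the old list carried (22 entries become 20), so the rule stops flagging AV matches for that tool even though the hunk is otherwise a wildcard-to-modifier conversion. Either restore `- "Seatbelt"` and `- "sbelt"` or state the removal explicitly and bump `modified:`; `sbelt` in particular is a short substring, so if dropping it was a false-positive fix that is worth recording in a comment.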
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index cfe2bd114..2020946e1 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -19,17 +19,19 @@ logsource:
detection:
selection:
EventID: 4662
- Properties:
- - '*Replicating Directory Changes All*'
- - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ Properties|contains:
+ - 'Replicating Directory Changes All'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
- SubjectUserName:
- - 'NT AUTHORITY*'
- - '*$'
- - 'MSOL_*'
- condition: selection and not filter1 and not filter2
+ SubjectUserName|startswith:
+ - 'NT AUTHORITY'
+ - 'MSOL_'
+ filter3:
+ SubjectUserName|endswith:
+ - '$'
+ condition: selection and not filter1 and not filter2 and not filter3
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
level: high
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index 0140cbe32..9a1d9139f 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -20,7 +20,7 @@ detection:
service_installation:
EventID: 7045
ServiceName: 'BTOBTO'
- ServiceFileName: '*\execute.bat'
+ ServiceFileName|endswith: '\execute.bat'
condition: service_installation
fields:
- ServiceName
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
new file mode 100644
index 000000000..95d562295
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation CLIP+ Launcher
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
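Review bot: The `ImagePath|re` field in the global `selection_1` does not line up with the other 7045 rules in this diff, which key on `ServiceFileName` (win_apt_stonedrill.yml, win_hack_smbexec.yml), and it is doubtful the same field name exists in the other two sources — Security 4697 reports the binary path as `ServiceFileName`, and Sysmon EventID 6 is a driver-load event whose path field is `ImageLoaded` — so the regex likely only applies to the System-log document; please confirm against the repo's field mappings. The fourth document (` logsource:` … ` EventID: 4697`) is also indented one column deeper than the other three; if the nesting shifts uniformly it still parses, but it should match the others. `selection_1` wraps a single map in a list and can be flattened to `ImagePath|re: '…'`. The same three issues appear in the sibling new files win_invoke_obfuscation_stdin+_services.yml, win_invoke_obfuscation_var+_services.yml, win_invoke_obfuscation_via_compress_services.yml, win_invoke_obfuscation_via_rundll_services.yml, win_invoke_obfuscation_via_stdin_services.yml and win_invoke_obfuscation_via_use_clip_services.yml.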
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
new file mode 100644
index 000000000..ae5bf974b
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
new file mode 100644
index 000000000..cd893f908
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
new file mode 100644
index 000000000..e15561a51
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - unknown
+level: medium
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
new file mode 100644
index 000000000..3bad01d92
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: medium
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
new file mode 100644
index 000000000..9790bb96b
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Stdin
+id: 487c7524-f892-4054-b263-8a0ace63fc25
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
new file mode 100644
index 000000000..28e5e44fc
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml
new file mode 100644
index 000000000..3df3229c0
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Use MSHTA
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
new file mode 100644
index 000000000..19c236c76
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
new file mode 100644
index 000000000..fb74d50bf
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
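Review bot: The regex in `selection_1` has an unparenthesised top-level alternation: `...cmd.*\/c|\/r` parses as `(?i).*&&set...cmd.*\/c` OR `\/r`, so any ImagePath containing `/r` satisfies the rule regardless of the `&&set` prefix. Group the two switches: `- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*(\/c|\/r)'`. The file also lacks a trailing newline, unlike the sibling rules added in this commit.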
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index df16fe303..e188aa447 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -21,7 +21,7 @@ detection:
- 4658
- 4660
- 4663
- ObjectName: '*\wceaux.dll'
+ ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Penetration testing
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
index 31b971d24..190dc1057 100644
--- a/rules/windows/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -16,9 +16,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mmc.exe'
- CommandLine: '*-Embedding*'
+ ParentImage|endswith: '\svchost.exe'
+ Image|endswith: '\mmc.exe'
+ CommandLine|contains: '-Embedding'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index b0429c532..2883f3df2 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -12,6 +12,28 @@ tags:
- attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
+detection:
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 13
+ TargetObject|contains|all:
+ - 'SYSTEM\'
+ - 'ControlSet'
+ - '\Control\Lsa'
+ TargetObject|endswith:
+ - '\lmcompatibilitylevel'
+ - '\NtlmMinClientSec'
+ - '\RestrictSendingNTLMTraffic'
+
+---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
@@ -20,7 +42,7 @@ logsource:
detection:
selection:
EventID: 4657
- ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
+ ObjectName|startswith: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
@@ -28,4 +50,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml
new file mode 100644
index 000000000..6bf752976
--- /dev/null
+++ b/rules/windows/builtin/win_net_use_admin_share.yml
@@ -0,0 +1,26 @@
+title: Mounted Windows Admin Shares with net.exe
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+status: experimental
+description: Detects when an admin share is mounted using net.exe
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
+date: 2020/10/05
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - ' use '
+ - '\\\\*\*$*'
+ condition: selection
+falsepositives:
+ - Administrators
+level: medium
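Review bot: The second `CommandLine|contains|all` value, `'\\\\*\*$*'`, is hard to read and, if Sigma's escaping rules apply as specified, `\*` is a literal asterisk, so the pattern would require a `*` before the `$` rather than matching `\\host\C$`; please confirm the intended token is `\\` + wildcard + `\` + wildcard + `$`, which would be written `'\\\\*\\*$*'`. With the `contains` modifier the trailing `*` is redundant either way. A short inline comment stating the target string (`# matches \\<host>\<share>$`) would save the next reader the same puzzle.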
diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
index f227cd538..280873fed 100644
--- a/rules/windows/builtin/win_possible_dc_shadow.yml
+++ b/rules/windows/builtin/win_possible_dc_shadow.yml
@@ -18,11 +18,11 @@ logsource:
detection:
selection1:
EventID: 4742
- ServicePrincipalNames: '*GC/*'
+ ServicePrincipalNames|contains: 'GC/'
selection2:
EventID: 5136
LDAPDisplayName: servicePrincipalName
- Value: 'GC/*'
+ Value|startswith: 'GC/'
condition: selection1 OR selection2
falsepositives:
- Exclude known DCs
diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
new file mode 100644
index 000000000..1f5a7e419
--- /dev/null
+++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
@@ -0,0 +1,41 @@
+action: global
+title: PowerShell Scripts Installed as Services
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+description: Detects powershell script installed as a Service
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+detection:
+ powershell_as_service:
+ ServiceFileName|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: service_creation and powershell_as_service
+falsepositives: Unknown
+level: high
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ service_creation:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ service_creation:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ service_creation:
+ EventID: 4697
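Review bot: `falsepositives: Unknown` is a plain scalar while every other rule in this diff writes it as a sequence (`falsepositives:` / `  - Unknown`); the Sigma schema and the test suite expect the list form, so this is likely to fail validation. `ServiceFileName|contains` is applied to all three sources, but the System 7045 record normally exposes the binary as `ImagePath`, so that document depends on a backend field mapping — worth a `definition:` line under its logsource saying so.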
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
new file mode 100644
index 000000000..25f9d8143
--- /dev/null
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -0,0 +1,28 @@
+title: 'Possible Zerologon (CVE-2020-1472) Exploitation'
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+status: experimental
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+references:
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+ - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community'
+date: 2020/10/15
+tags:
+ - attack.t1068
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4742
+ SourceUserName: 'ANONYMOUS LOGON'
+ TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
+ filter:
+ ChangedAttributes|contains:
+ - 'Password Last Set: -'
+ condition: selection and not filter
+falsepositives:
+ - automatic DC computer account password change
+ - legitimate DC computer account password change
+level: high
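Review bot: `TargetUserName: '%DC-MACHINE-NAME%'` is a literal placeholder that ships in the rule: as committed the selection never matches, and a converted query will carry the placeholder verbatim. Since the inline comment says the value is a machine account ending in `$`, `TargetUserName|endswith: '$'` expresses that generically while `SourceUserName` and the `filter` still narrow it; the per-environment DC name can then go in `description` or `falsepositives` as guidance. The author line reads `ocsd.community` where the rest of the diff spells it `oscd.community`.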
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml
new file mode 100644
index 000000000..d0f67207f
--- /dev/null
+++ b/rules/windows/builtin/win_root_certificate_installed.yml
@@ -0,0 +1,47 @@
+action: global
+title: Root Certificate Installed
+id: 42821614-9264-4761-acfc-5772c3286f76
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/10
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: medium
+falsepositives:
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Move-Item'
+ - 'Cert:\LocalMachine\Root'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Import-Certificate'
+ - 'Cert:\LocalMachine\Root'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
+ CommandLine|contains|all:
+ - '-addstore'
+ - 'root'
+ selection2:
+ Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
+ CommandLine|contains|all:
+ - '/add'
+ - 'root'
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
new file mode 100644
index 000000000..a00956dad
--- /dev/null
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -0,0 +1,25 @@
+title: Set OabVirtualDirectory ExternalUrl Property
+id: 9db37458-4df2-46a5-95ab-307e7f29e675
+description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
+author: Jose Rodriguez @Cyb3rPandaH
+status: experimental
+date: 2021/03/15
+references:
+ - https://twitter.com/OTR_Community/status/1371053369071132675
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ selection:
+ Message|contains|all:
+ - 'Set-OabVirtualDirectory'
+ - 'ExternalUrl'
+ - 'Page_Load'
+ - 'script'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml
new file mode 100644
index 000000000..d1c815ee1
--- /dev/null
+++ b/rules/windows/builtin/win_software_discovery.yml
@@ -0,0 +1,41 @@
+action: global
+title: Detected Windows Software Discovery
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+tags:
+ - attack.discovery
+ - attack.t1518
+level: medium
+falsepositives:
+ - Legitimate administration activities
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
+ - 'get-itemProperty'
+ - '\software\'
+ - 'select-object'
+ - 'format-table'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
+ CommandLine|contains|all:
+ - 'query'
+ - '\software\'
+ - '/v'
+ - 'svcversion'
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
index af191e20b..a5ebc9671 100644
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
@@ -18,7 +18,9 @@ logsource:
detection:
selection:
EventID: 4720
- SAMAccountName: '*ANONYMOUS*LOGON*'
+ SAMAccountName|contains|all:
+ - 'ANONYMOUS'
+ - 'LOGON'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
new file mode 100644
index 000000000..142c6a7a7
--- /dev/null
+++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
@@ -0,0 +1,33 @@
+title: Suspicous Remote Logon with Explicit Credentials
+id: 941e5c45-cda7-4864-8cea-bbb7458d194a
+status: experimental
+description: Detects suspicious processes logging on with explicit credentials
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
+date: 2020/10/05
+tags:
+ - attack.t1078
+ - attack.lateral_movement
+logsource:
+ product: windows
+ service: security
+ definition:
+detection:
+ selection:
+ EventID: 4648
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\winrs.exe'
+ - '\wmic.exe'
+ - '\net.exe'
+ - '\net1.exe'
+ - '\reg.exe'
+ filter:
+ Target_Server_Name: 'localhost'
+ condition: selection and not filter
+falsepositives:
+ - Administrators that use the RunAS command or scheduled tasks
+level: medium
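Review bot: `definition:` under `logsource` has no value and parses as null; either drop the key or give it the text it was meant to hold. The `filter` key `Target_Server_Name` uses underscores while the rest of the selection follows the event's CamelCase field names (4648 reports `TargetServerName`); if the field mapping does not translate it, the filter never applies and localhost logons are not excluded — please confirm against the backend. The title has a typo (`Suspicous`).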
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index 83b26c58d..cac81fb5b 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -22,15 +22,15 @@ falsepositives:
level: high
detection:
selection1:
- Image: '*\mshta.exe'
- CommandLine:
- - '*vbscript*'
- - '*.jpg*'
- - '*.png*'
- - '*.lnk*'
- # - '*.chm*' # could be prone to false positives
- - '*.xls*'
- - '*.doc*'
- - '*.zip*'
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains:
+ - 'vbscript'
+ - '.jpg'
+ - '.png'
+ - '.lnk'
+ # - '.chm' # could be prone to false positives
+ - '.xls'
+ - '.doc'
+ - '.zip'
condition:
selection1
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index a33b52842..15b527e73 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -23,10 +23,10 @@ detection:
Source: 'Windows Error Reporting'
EventID: 1001
keywords:
- Message:
- - '*MsMpEng.exe*'
- - '*mpengine.dll*'
- condition: 1 of selection* and all of keywords
+ Message|contains:
+ - 'MsMpEng.exe'
+ - 'mpengine.dll'
+ condition: 1 of selection* and keywords
falsepositives:
- MsMpEng.exe can crash when C:\ is full
level: high
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index c6a7653af..3fa612999 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method)
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017/03/07
modified: 2020/08/23
tags:
@@ -20,15 +20,17 @@ logsource:
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- - EventID: 4661
- ObjectType: 'SAM_USER'
- ObjectName: 'S-1-5-21-*-500'
+ EventID: 4661
+ ObjectType:
+ - 'SAM_USER'
+ - 'SAM_GROUP'
+ ObjectName|startswith: 'S-1-5-21-'
AccessMask: '0x2d'
- - EventID: 4661
- ObjectType: 'SAM_GROUP'
- ObjectName: 'S-1-5-21-*-512'
- AccessMask: '0x2d'
- condition: selection
+ selection2:
+ ObjectName|endswith:
+ - '-500'
+ - '-512'
+ condition: selection and selection2
falsepositives:
- Administrator activity
- Penetration tests
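Review bot: The restructured selection no longer pairs `SAM_USER` with `-500` and `SAM_GROUP` with `-512`: `selection` accepts either ObjectType and `selection2` either RID suffix, so a SAM_USER object ending in `-512` or a SAM_GROUP ending in `-500` now matches as well. If that broadening is intended, say so in `description`; otherwise keep two paired selections and use `condition: 1 of selection*`. The `modified` date is left at 2020/08/23 although the detection logic changed in this commit.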
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index 81aa4bf6a..f9e9df5a2 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: ntlm
- definition: Reqiures events from Microsoft-Windows-NTLM/Operational
+ definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8002
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml
index bed9e568a..96e1d00a8 100644
--- a/rules/windows/builtin/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
EventID: 8001
- TargetName: TERMSRV*
+ TargetName|startswith: TERMSRV
condition: selection
fields:
- Computer
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 84d8da0e7..f64f235f7 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -17,14 +17,14 @@ detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
- RelativeTargetName:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ RelativeTargetName|endswith:
+ - '-stdin'
+ - '-stdout'
+ - '-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
- RelativeTargetName: 'PSEXESVC*'
+ RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index 16114b2be..66caa1f78 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -14,19 +14,19 @@ detection:
selection:
EventID:
- 5145
- RelativeTargetName:
- - '*.pst'
- - '*.ost'
- - '*.msg'
- - '*.nst'
- - '*.oab'
- - '*.edb'
- - '*.nsf'
- - '*.bak'
- - '*.dmp'
- - '*.kirbi'
- - '*\groups.xml'
- - '*.rdp'
+ RelativeTargetName|endswith:
+ - '.pst'
+ - '.ost'
+ - '.msg'
+ - '.nst'
+ - '.oab'
+ - '.edb'
+ - '.nsf'
+ - '.bak'
+ - '.dmp'
+ - '.kirbi'
+ - '\groups.xml'
+ - '.rdp'
condition: selection
fields:
- ComputerName
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 41a25dc72..496ed1524 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -20,7 +20,7 @@ detection:
TicketOptions: '0x40810000'
TicketEncryptionType: '0x17'
reduction:
- - ServiceName: '$*'
+ - ServiceName|startswith: '$'
condition: selection and not reduction
falsepositives:
- Service accounts used on legacy systems (e.g. NetApp)
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 7c0894b6b..d014cb46e 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -15,8 +15,9 @@ logsource:
detection:
selection:
EventID: 16
- Message:
- - '*\AppData\Local\Temp\SAM-*.dmp *'
+ Message|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
condition: selection
falsepositives:
- Penetration testing
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5bb8bd700..558a109e1 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -28,9 +28,9 @@ detection:
- 4656
- 4663
- 4658
- ObjectName:
- - '*.AAA'
- - '*.ZZZ'
+ ObjectName|endswith:
+ - '.AAA'
+ - '.ZZZ'
condition: selection
falsepositives:
- Legitime usage of SDelete
diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index e9627a54e..98835de02 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -13,7 +13,7 @@ logsource:
detection:
selection:
EventID: 4624
- ProcessName: "*\\WmiPrvSE.exe"
+ ProcessName|endswith: '\WmiPrvSE.exe'
condition: selection
falsepositives:
- Monitoring tools
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index c975f68f7..6b172fb38 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -3,7 +3,7 @@ id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- - https://github.com/GhostPack/Rubeus8
+ - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index bd8939a65..be19e9ffb 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -19,7 +19,7 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: svcctl
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- pentesting
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml
index ff56999a5..0c36525b1 100644
--- a/rules/windows/builtin/win_syskey_registry_access.yml
+++ b/rules/windows/builtin/win_syskey_registry_access.yml
@@ -6,7 +6,7 @@ date: 2019/08/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md
+ - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html
tags:
- attack.discovery
- attack.t1012
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index 418b2bb86..0443447e9 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -22,7 +22,7 @@ detection:
selection_group2:
GroupSid: 'S-1-5-32-544'
filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
condition: selection and (1 of selection_group*) and not filter
falsepositives:
- Legitimate administrative activity
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 5abc45e1f..7d1630089 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -20,19 +20,19 @@ detection:
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
selection_2:
- ProcessName|contains:
- - '*\Windows\System32\Dism.exe'
- - '*\Windows\System32\rundll32.exe'
- - '*\Windows\System32\fltMC.exe'
- - '*\Windows\HelpPane.exe'
- - '*\Windows\System32\mmc.exe'
- - '*\Windows\System32\svchost.exe'
- - '*\Windows\System32\wimserv.exe'
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
- - '*\Google\Chrome\Application\chrome.exe'
+ ProcessName|endswith:
+ - '\Windows\System32\Dism.exe'
+ - '\Windows\System32\rundll32.exe'
+ - '\Windows\System32\fltMC.exe'
+ - '\Windows\HelpPane.exe'
+ - '\Windows\System32\mmc.exe'
+ - '\Windows\System32\svchost.exe'
+ - '\Windows\System32\wimserv.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ - '\Google\Chrome\Application\chrome.exe'
condition: selection_1 and not selection_2
falsepositives:
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
index 009665b75..083b9f7f5 100755
--- a/rules/windows/driver_load/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -13,9 +13,9 @@ logsource:
category: driver_load
product: windows
detection:
- selection:
- ImageLoaded: '*\Temp\\*'
+ selection:
+ ImageLoaded|contains: '\Temp\'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
-level: medium
+level: high
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bd723e0e8..386636a0c 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -14,40 +14,40 @@ logsource:
product: windows
detection:
selection:
- TargetFilename:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\runtimebroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ TargetFilename|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\runtimebroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
filter:
- TargetFilename:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '\SystemRoot\System32\\*'
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - '\SystemRoot\System32\'
condition: selection and not filter
fields:
- Image
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index a82059024..3019ca420 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection:
- TargetFilename: '*\Temp\debug.bin'
+ TargetFilename|endswith: '\Temp\debug.bin'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
new file mode 100644
index 000000000..b7440b4b6
--- /dev/null
+++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -0,0 +1,31 @@
+title: Files Dropped to Program Files by Non-Priviledged Process
+id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
+description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/17
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574
+ - attack.t1574.010
+logsource:
+ category: file_event
+ product: windows
+detection:
+ integrity:
+ IntegrityLevel: 'Medium'
+ program_files:
+ - TargetFilename|contains:
+ - '\Program Files\'
+ - '\Program Files (x86)\'
+ windows:
+ TargetFilename|startswith: '\Windows\'
+ temp:
+ TargetFilename|contains: 'temp'
+ condition: integrity and (program_files or windows and not temp)
+falsepositives:
+ - Unknown
+level: medium
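Review bot: `TargetFilename|startswith: '\Windows\'` can only match paths that begin with a backslash; Sysmon's TargetFilename normally carries the drive letter (`C:\Windows\...`), so the `windows` selection looks dead as written — `TargetFilename|contains: '\Windows\'`, matching the `program_files` style, would fire. `IntegrityLevel` is a process-creation field and I don't believe the Sysmon file-create event carries it, so `integrity` only works if the pipeline enriches file events; a `definition:` under logsource should state that requirement. The condition `integrity and (program_files or windows and not temp)` binds as `program_files or (windows and not temp)` because `and` precedes `or`; if temp paths should also be excluded under Program Files, write `condition: integrity and (program_files or windows) and not temp`. Title and description typos: `Priviledged`, `fodlers`.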
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index 7ca774187..e446c5307 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -15,102 +15,102 @@ logsource:
product: windows
detection:
selection:
- TargetFilename:
- - '*\Invoke-DllInjection.ps1'
- - '*\Invoke-WmiCommand.ps1'
- - '*\Get-GPPPassword.ps1'
- - '*\Get-Keystrokes.ps1'
- - '*\Get-VaultCredential.ps1'
- - '*\Invoke-CredentialInjection.ps1'
- - '*\Invoke-Mimikatz.ps1'
- - '*\Invoke-NinjaCopy.ps1'
- - '*\Invoke-TokenManipulation.ps1'
- - '*\Out-Minidump.ps1'
- - '*\VolumeShadowCopyTools.ps1'
- - '*\Invoke-ReflectivePEInjection.ps1'
- - '*\Get-TimedScreenshot.ps1'
- - '*\Invoke-UserHunter.ps1'
- - '*\Find-GPOLocation.ps1'
- - '*\Invoke-ACLScanner.ps1'
- - '*\Invoke-DowngradeAccount.ps1'
- - '*\Get-ServiceUnquoted.ps1'
- - '*\Get-ServiceFilePermission.ps1'
- - '*\Get-ServicePermission.ps1'
- - '*\Invoke-ServiceAbuse.ps1'
- - '*\Install-ServiceBinary.ps1'
- - '*\Get-RegAutoLogon.ps1'
- - '*\Get-VulnAutoRun.ps1'
- - '*\Get-VulnSchTask.ps1'
- - '*\Get-UnattendedInstallFile.ps1'
- - '*\Get-WebConfig.ps1'
- - '*\Get-ApplicationHost.ps1'
- - '*\Get-RegAlwaysInstallElevated.ps1'
- - '*\Get-Unconstrained.ps1'
- - '*\Add-RegBackdoor.ps1'
- - '*\Add-ScrnSaveBackdoor.ps1'
- - '*\Gupt-Backdoor.ps1'
- - '*\Invoke-ADSBackdoor.ps1'
- - '*\Enabled-DuplicateToken.ps1'
- - '*\Invoke-PsUaCme.ps1'
- - '*\Remove-Update.ps1'
- - '*\Check-VM.ps1'
- - '*\Get-LSASecret.ps1'
- - '*\Get-PassHashes.ps1'
- - '*\Show-TargetScreen.ps1'
- - '*\Port-Scan.ps1'
- - '*\Invoke-PoshRatHttp.ps1'
- - '*\Invoke-PowerShellTCP.ps1'
- - '*\Invoke-PowerShellWMI.ps1'
- - '*\Add-Exfiltration.ps1'
- - '*\Add-Persistence.ps1'
- - '*\Do-Exfiltration.ps1'
- - '*\Start-CaptureServer.ps1'
- - '*\Invoke-ShellCode.ps1'
- - '*\Get-ChromeDump.ps1'
- - '*\Get-ClipboardContents.ps1'
- - '*\Get-FoxDump.ps1'
- - '*\Get-IndexedItem.ps1'
- - '*\Get-Screenshot.ps1'
- - '*\Invoke-Inveigh.ps1'
- - '*\Invoke-NetRipper.ps1'
- - '*\Invoke-EgressCheck.ps1'
- - '*\Invoke-PostExfil.ps1'
- - '*\Invoke-PSInject.ps1'
- - '*\Invoke-RunAs.ps1'
- - '*\MailRaider.ps1'
- - '*\New-HoneyHash.ps1'
- - '*\Set-MacAttribute.ps1'
- - '*\Invoke-DCSync.ps1'
- - '*\Invoke-PowerDump.ps1'
- - '*\Exploit-Jboss.ps1'
- - '*\Invoke-ThunderStruck.ps1'
- - '*\Invoke-VoiceTroll.ps1'
- - '*\Set-Wallpaper.ps1'
- - '*\Invoke-InveighRelay.ps1'
- - '*\Invoke-PsExec.ps1'
- - '*\Invoke-SSHCommand.ps1'
- - '*\Get-SecurityPackages.ps1'
- - '*\Install-SSP.ps1'
- - '*\Invoke-BackdoorLNK.ps1'
- - '*\PowerBreach.ps1'
- - '*\Get-SiteListPassword.ps1'
- - '*\Get-System.ps1'
- - '*\Invoke-BypassUAC.ps1'
- - '*\Invoke-Tater.ps1'
- - '*\Invoke-WScriptBypassUAC.ps1'
- - '*\PowerUp.ps1'
- - '*\PowerView.ps1'
- - '*\Get-RickAstley.ps1'
- - '*\Find-Fruit.ps1'
- - '*\HTTP-Login.ps1'
- - '*\Find-TrustedDocuments.ps1'
- - '*\Invoke-Paranoia.ps1'
- - '*\Invoke-WinEnum.ps1'
- - '*\Invoke-ARPScan.ps1'
- - '*\Invoke-PortScan.ps1'
- - '*\Invoke-ReverseDNSLookup.ps1'
- - '*\Invoke-SMBScanner.ps1'
- - '*\Invoke-Mimikittenz.ps1'
+ TargetFilename|endswith:
+ - '\Invoke-DllInjection.ps1'
+ - '\Invoke-WmiCommand.ps1'
+ - '\Get-GPPPassword.ps1'
+ - '\Get-Keystrokes.ps1'
+ - '\Get-VaultCredential.ps1'
+ - '\Invoke-CredentialInjection.ps1'
+ - '\Invoke-Mimikatz.ps1'
+ - '\Invoke-NinjaCopy.ps1'
+ - '\Invoke-TokenManipulation.ps1'
+ - '\Out-Minidump.ps1'
+ - '\VolumeShadowCopyTools.ps1'
+ - '\Invoke-ReflectivePEInjection.ps1'
+ - '\Get-TimedScreenshot.ps1'
+ - '\Invoke-UserHunter.ps1'
+ - '\Find-GPOLocation.ps1'
+ - '\Invoke-ACLScanner.ps1'
+ - '\Invoke-DowngradeAccount.ps1'
+ - '\Get-ServiceUnquoted.ps1'
+ - '\Get-ServiceFilePermission.ps1'
+ - '\Get-ServicePermission.ps1'
+ - '\Invoke-ServiceAbuse.ps1'
+ - '\Install-ServiceBinary.ps1'
+ - '\Get-RegAutoLogon.ps1'
+ - '\Get-VulnAutoRun.ps1'
+ - '\Get-VulnSchTask.ps1'
+ - '\Get-UnattendedInstallFile.ps1'
+ - '\Get-WebConfig.ps1'
+ - '\Get-ApplicationHost.ps1'
+ - '\Get-RegAlwaysInstallElevated.ps1'
+ - '\Get-Unconstrained.ps1'
+ - '\Add-RegBackdoor.ps1'
+ - '\Add-ScrnSaveBackdoor.ps1'
+ - '\Gupt-Backdoor.ps1'
+ - '\Invoke-ADSBackdoor.ps1'
+ - '\Enabled-DuplicateToken.ps1'
+ - '\Invoke-PsUaCme.ps1'
+ - '\Remove-Update.ps1'
+ - '\Check-VM.ps1'
+ - '\Get-LSASecret.ps1'
+ - '\Get-PassHashes.ps1'
+ - '\Show-TargetScreen.ps1'
+ - '\Port-Scan.ps1'
+ - '\Invoke-PoshRatHttp.ps1'
+ - '\Invoke-PowerShellTCP.ps1'
+ - '\Invoke-PowerShellWMI.ps1'
+ - '\Add-Exfiltration.ps1'
+ - '\Add-Persistence.ps1'
+ - '\Do-Exfiltration.ps1'
+ - '\Start-CaptureServer.ps1'
+ - '\Invoke-ShellCode.ps1'
+ - '\Get-ChromeDump.ps1'
+ - '\Get-ClipboardContents.ps1'
+ - '\Get-FoxDump.ps1'
+ - '\Get-IndexedItem.ps1'
+ - '\Get-Screenshot.ps1'
+ - '\Invoke-Inveigh.ps1'
+ - '\Invoke-NetRipper.ps1'
+ - '\Invoke-EgressCheck.ps1'
+ - '\Invoke-PostExfil.ps1'
+ - '\Invoke-PSInject.ps1'
+ - '\Invoke-RunAs.ps1'
+ - '\MailRaider.ps1'
+ - '\New-HoneyHash.ps1'
+ - '\Set-MacAttribute.ps1'
+ - '\Invoke-DCSync.ps1'
+ - '\Invoke-PowerDump.ps1'
+ - '\Exploit-Jboss.ps1'
+ - '\Invoke-ThunderStruck.ps1'
+ - '\Invoke-VoiceTroll.ps1'
+ - '\Set-Wallpaper.ps1'
+ - '\Invoke-InveighRelay.ps1'
+ - '\Invoke-PsExec.ps1'
+ - '\Invoke-SSHCommand.ps1'
+ - '\Get-SecurityPackages.ps1'
+ - '\Install-SSP.ps1'
+ - '\Invoke-BackdoorLNK.ps1'
+ - '\PowerBreach.ps1'
+ - '\Get-SiteListPassword.ps1'
+ - '\Get-System.ps1'
+ - '\Invoke-BypassUAC.ps1'
+ - '\Invoke-Tater.ps1'
+ - '\Invoke-WScriptBypassUAC.ps1'
+ - '\PowerUp.ps1'
+ - '\PowerView.ps1'
+ - '\Get-RickAstley.ps1'
+ - '\Find-Fruit.ps1'
+ - '\HTTP-Login.ps1'
+ - '\Find-TrustedDocuments.ps1'
+ - '\Invoke-Paranoia.ps1'
+ - '\Invoke-WinEnum.ps1'
+ - '\Invoke-ARPScan.ps1'
+ - '\Invoke-PortScan.ps1'
+ - '\Invoke-ReverseDNSLookup.ps1'
+ - '\Invoke-SMBScanner.ps1'
+ - '\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 2a582eaa3..66d153487 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -18,7 +18,9 @@ logsource:
detection:
selection:
# Sysmon: File Creation (ID 11)
- TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
+ TargetFilename|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 204bb61c0..7ec9950cd 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -18,7 +18,8 @@ logsource:
category: file_event
detection:
selection_1:
- TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
+ TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
+ TargetFilename|endswith: '.sch'
selection_2:
Image:
- 'C:\windows\system32\svchost.exe'
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 000000000..97fa03b0c
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,29 @@
+title: Suspcious CLR Logs Creation
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+description: Detects suspicious .NET assembly executions
+references:
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+date: 2020/10/12
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: omkar72, oscd.community
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - '\AppData\Local\Microsoft\CLR'
+ - '\UsageLogs\'
+ TargetFilename|contains:
+ - 'mshta'
+ - 'cscript'
+ - 'wscript'
+ - 'regsvr32'
+ - 'wmic'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
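Review bot: The `TargetFilename|contains` list (`mshta`, `cscript`, …) matches any substring of the path, so a usage log whose parent directory name happens to contain one of those words would also fire; assuming the UsageLogs file is named after the image (e.g. `mshta.exe.log` — confirm against the referenced post), `TargetFilename|endswith` with values like `'\mshta.exe.log'` is tighter and documents the expected file name. The `contains|all` on the directory already pins the location, so the loosening is minor. The title typo `Suspcious` → `Suspicious` should be fixed.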
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index 2dac9fab7..a929366d2 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -15,13 +15,14 @@ logsource:
category: file_event
detection:
selection_1:
- TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'PROCEXP152.sys'
selection_2:
Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
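Review bot: `Image|contains` with values such as `'\procexp64.exe'` is looser than the rest of this commit, which anchors process names with `Image|endswith`; any path that merely contains that substring also satisfies the exclusion in `selection_2`. Since the intent is the process name, `Image|contains:` should be `Image|endswith:`. The rewritten `TargetFilename|endswith: 'PROCEXP152.sys'` also dropped the leading separator the old wildcard kept, so `'\PROCEXP152.sys'` restores the original file-name anchoring.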
diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index 194b75581..c171dcdfc 100755
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -9,8 +9,8 @@ logsource:
category: file_event
detection:
selection:
- Image: '*\mstsc.exe'
- TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ Image|endswith: '\mstsc.exe'
+ TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
new file mode 100644
index 000000000..6304043ad
--- /dev/null
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -0,0 +1,27 @@
+title: Suspicious Multiple File Rename Or Delete Occurred
+id: 97919310-06a7-482c-9639-92b67ed63cf8
+status: experimental
+description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
+tags:
+ - attack.impact
+ - attack.t1486
+author: Vasiliy Burov, oscd.community
+date: 2020/10/16
+references:
+ - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
+detection:
+ selection:
+ EventID: 4663
+ ObjectType: 'File'
+ AccessList: '%%1537'
+ Keywords: '0x8020000000000000'
+ timeframe: 30s
+ condition: selection | count() by SubjectLogonId > 10
+falsepositives:
+ - Software uninstallation
+ - Files restore activities
+level: medium
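Review bot: The aggregation `count() by SubjectLogonId` groups by logon session, while the description says "by a same user"; either aggregate `by SubjectUserName` or say "same logon session" in the description so readers know what the threshold applies to. Event 4663 is only generated for objects that carry a matching SACL, so the `definition` line should also state that file-system SACLs must be configured on the monitored folders, not just the audit policy — otherwise the rule silently never fires. `may signalize about ransomware activity` reads oddly; `may indicate ransomware activity` is clearer.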
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 7c077934c..d4f1dcd25 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -2,9 +2,9 @@ title: In-memory PowerShell
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
status: experimental
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-author: Tom Kern, oscd.community
+author: Tom Kern, oscd.community, Natalia Shornikova
date: 2019/11/14
-modified: 2019/11/30
+modified: 2020/10/12
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
@@ -27,6 +27,12 @@ detection:
- '\WINDOWS\System32\sdiagnhost.exe'
- '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
- '\WINDOWS\System32\RemoteFXvGPUDisablement.exe' # on win10
+ - '\sqlps.exe'
+ - '\wsmprovhost.exe'
+ - '\winrshost.exe'
+ - '\syncappvpublishingserver.exe'
+ - '\runscripthelper.exe'
+ - '\ServerManager.exe'
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives:
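Review bot: The six new `filter` entries are bare file names (`'\sqlps.exe'`, `'\ServerManager.exe'`, …) matched with `endswith`, so a binary with one of those names in any directory is excluded from the detection, whereas the earlier entries in the same list anchor to `\WINDOWS\System32\…`. Where the legitimate location is fixed, prefer the full path, e.g. `'\WINDOWS\System32\wsmprovhost.exe'` and `'\WINDOWS\System32\winrshost.exe'` (confirm the paths). If a name legitimately lives in several directories, a short inline comment saying so, as the existing `mscorsvw.exe` line does, would help the next maintainer. The enclosing `filter` block starts above this hunk.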
diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
index 50568b560..d21584364 100755
--- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
@@ -18,9 +18,9 @@ detection:
selector:
Image: 'C:\Windows\System32\rundll32.exe'
dllload1:
- ImageLoaded: '*\vaultcli.dll'
+ ImageLoaded|endswith: '\vaultcli.dll'
dllload2:
- ImageLoaded: '*\wlanapi.dll'
+ ImageLoaded|endswith: '\wlanapi.dll'
exclusion:
ImageLoaded:
- 'ntdsapi.dll'
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 5a2bc710f..5bf530559 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -16,11 +16,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\notepad.exe'
- ImageLoaded:
- - '*\samlib.dll'
- - '*\WinSCard.dll'
+ Image|endswith:
+ - '\notepad.exe'
+ ImageLoaded|endswith:
+ - '\samlib.dll'
+ - '\WinSCard.dll'
condition: selection
falsepositives:
- Very likely, needs more tuning
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index a8c6f2ec5..c9d881196 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\assembly\\*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 59b043baa..f75cce094 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\clr.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\clr.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index a9f820194..fa0182796 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 9897408c6..f6297faef 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\dsparse.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\dsparse.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 2ac8622f5..b42030734 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\kerberos.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\kerberos.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
new file mode 100644
index 000000000..701d372fa
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -0,0 +1,31 @@
+title: CLR DLL Loaded Via Scripting Applications
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+status: experimental
+description: Detects CLR DLL being loaded by an scripting applications
+references:
+ - https://github.com/tyranid/DotNetToJScript
+ - https://thewover.github.io/Introducing-Donut/
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+author: omkar72, oscd.community
+date: 2020/10/14
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ ImageLoaded|endswith:
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
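Review bot: `description: Detects CLR DLL being loaded by an scripting applications` has a grammar slip; `Detects CLR DLLs being loaded by scripting applications (wscript, cscript, mshta)` reads better and names what the selection actually covers. The tag `attack.t1055` (process injection) does not obviously fit a DLL load by a script host — the referenced DotNetToJScript technique is closer to script-based execution — so the tags are worth rechecking. Legitimate scripts that instantiate .NET COM-visible objects typically load `mscoree.dll` as well, so `falsepositives: unknown` together with `level: high` may be optimistic; I would note that in the rule.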
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index fedeecf64..262d9c7dc 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -16,15 +16,15 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\VBE7.DLL'
- - '*\VBEUI.DLL'
- - '*\VBE7INTL.DLL'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\VBE7.DLL'
+ - '\VBEUI.DLL'
+ - '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
index dee953acc..bdbbc5b27 100755
--- a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -16,17 +16,17 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\wmiutils.dll'
- - '*\wbemcomn.dll'
- - '*\wbemprox.dll'
- - '*\wbemdisp.dll'
- - '*\wbemsvc.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\wmiutils.dll'
+ - '\wbemcomn.dll'
+ - '\wbemprox.dll'
+ - '\wbemdisp.dll'
+ - '\wbemsvc.dll'
condition: selection
falsepositives:
- Possible. Requires further testing.
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 9d009c297..6247ee4f9 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -21,15 +21,15 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- ImageLoaded:
- - '*\tsmsisrv.dll'
- - '*\tsvipsrv.dll'
- - '*\wlbsctrl.dll'
+ Image|endswith:
+ - '\svchost.exe'
+ ImageLoaded|endswith:
+ - '\tsmsisrv.dll'
+ - '\tsvipsrv.dll'
+ - '\wlbsctrl.dll'
filter:
- ImageLoaded:
- - 'C:\Windows\WinSxS\\*'
+ ImageLoaded|startswith:
+ - 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Pentest
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 000000000..64f945e89
--- /dev/null
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,38 @@
+action: global
+title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+detection:
+ condition: 1 of them
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection1:
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection2:
+ ParentImage|endswith:
+ - '\tttracer.exe'
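Review bot: The new rule has no `status` field, while every other rule added in this commit carries `status: experimental`; add `status: experimental` to the global document after `id:`. The multi-document form relies on `condition: 1 of them` resolving to `selection1` in one document and `selection2` in the other, which should work but is easy to misread; a brief comment above the condition such as `# each following document contributes one selection; either one is sufficient` would save the next reader a trip to the spec.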
diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 000000000..46200f57b
--- /dev/null
+++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
@@ -0,0 +1,31 @@
+title: UAC Bypass With Fake DLL
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+status: experimental
+description: Attempts to load dismcore.dll after dropping it
+references:
+ - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1574.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\dism.exe'
+ ImageLoaded|endswith:
+ - '\dismcore.dll'
+ filter:
+ ImageLoaded:
+ - 'C:\Windows\System32\Dism\dismcore.dll'
+ condition: selection
+falsepositives:
+ - Pentests
+ - Actions of a legitimate telnet client
+level: high
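Review bot: The `filter` selection excluding `C:\Windows\System32\Dism\dismcore.dll` is defined but `condition: selection` never references it, so every ordinary `dism.exe` run that loads its own DLL from System32 fires at `level: high`. The condition should be `condition: selection and not filter`. The second false-positive entry, `Actions of a legitimate telnet client`, does not relate to dism and looks copied from another rule — confirm or drop it.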
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index 929879772..94ec45d72 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
@@ -15,16 +15,20 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "*MeteTool*"
- - "*MPreter*"
- - "*Meterpreter*"
- - "*Metasploit*"
- - "*PowerSploit*"
- - "*CobaltStrike*"
- - "*Swrort*"
- - "*Rozena*"
- - "*Backdoor.Cobalt*"
+ Signature|contains:
+ - "MeteTool"
+ - "MPreter"
+ - "Meterpreter"
+ - "Metasploit"
+ - "PowerSploit"
+ - "CobaltSrike"
+ - "Swrort"
+ - "Rozena"
+ - "Backdoor.Cobalt"
+ - "CobaltStr"
+ - "COBEACON"
+ - "Cometer"
+ - "Razy"
condition: selection
fields:
- FileName
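Review bot: The rewritten list replaces the old `*CobaltStrike*` with `CobaltSrike`, which looks like a typo rather than an intentional signature name; the newly added `CobaltStr` already covers `CobaltStrike` under `contains`, so either restore the spelling or drop the entry to avoid a misleading value. `Razy` is used by some vendors as a very broad generic family name, so it may add noise compared with the tool-specific strings around it — consider whether it belongs here or deserves an inline comment explaining why it was added.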
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 77cc9d433..dc75de349 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -17,17 +17,19 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "*DumpCreds*"
- - "*Mimikatz*"
- - "*PWCrack*"
+ Signature|contains:
+ - "DumpCreds"
+ - "Mimikatz"
+ - "PWCrack"
- "HTool/WCE"
- - "*PSWtool*"
- - "*PWDump*"
- - "*SecurityTool*"
- - "*PShlSpy*"
- - "*Rubeus*"
- - "*Kekeo*"
+ - "PSWtool"
+ - "PWDump"
+ - "SecurityTool"
+ - "PShlSpy"
+ - "Rubeus"
+ - "Kekeo"
+ - "LsassDump"
+ - "Outflank"
condition: selection
fields:
- FileName
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index 747bd494a..4975c1e95 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -10,33 +10,36 @@ logsource:
product: antivirus
detection:
selection:
- FileName:
- - 'C:\Windows\Temp\\*'
- - 'C:\Temp\\*'
- - '*\\Client\\*'
- - 'C:\PerfLogs\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- - '*.ps1'
- - '*.vbs'
- - '*.bat'
- - '*.chm'
- - '*.xml'
- - '*.txt'
- - '*.jsp'
- - '*.jspx'
- - '*.asp'
- - '*.aspx'
- - '*.php'
- - '*.war'
- - '*.hta'
- - '*.lnk'
- - '*.scf'
- - '*.sct'
- - '*.vbe'
- - '*.wsf'
- - '*.wsh'
- condition: selection
+ - FileName|startswith:
+ - 'C:\Windows\Temp\'
+ - 'C:\Temp\'
+ - 'C:\PerfLogs\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - FileName|contains:
+ - '\Client\'
+ selection2:
+ Filename|endswith:
+ - '.ps1'
+ - '.vbs'
+ - '.bat'
+ - '.chm'
+ - '.xml'
+ - '.txt'
+ - '.jsp'
+ - '.jspx'
+ - '.asp'
+ - '.aspx'
+ - '.php'
+ - '.war'
+ - '.hta'
+ - '.lnk'
+ - '.scf'
+ - '.sct'
+ - '.vbe'
+ - '.wsf'
+ - '.wsh'
+ condition: selection or selection2
fields:
- Signature
- User
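Review bot: `selection2` uses the field `Filename` while `selection` uses `FileName`; field mappings in sigmac are plain string lookups, so the extension-based half of the rule would not map to the same field as the path-based half — change it to `FileName|endswith:`. The list-of-maps form in `selection` (`- FileName|startswith:` / `- FileName|contains:`) is an OR of the two maps, which is correct, but since the previous version was one flat list a one-line comment stating that the entries are OR'd would help readers.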
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 3290dba48..3942662be 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -17,26 +17,27 @@ logsource:
product: antivirus
detection:
selection:
- Signature:
- - "PHP/Backdoor*"
- - "JSP/Backdoor*"
- - "ASP/Backdoor*"
- - "Backdoor?PHP*"
- - "Backdoor?JSP*"
- - "Backdoor?ASP*"
- - "Backdoor?Java*"
- - "*Webshell*"
- - "*Chopper*"
- - "*ASPXSpy*"
- - "*Aspdoor*"
- - "*PHP:*"
- - "*PHPShell*"
- - "*Trojan.PHP*"
- - "*Trojan.ASP*"
- - "*Trojan.JSP*"
- - "*PHP?Agent*"
- - "*ASP?Agent*"
- - "*JSP?Agent*"
+ - Signature|startswith:
+ - "PHP/Backdoor"
+ - "JSP/Backdoor"
+ - "ASP/Backdoor"
+ - "Backdoor.PHP"
+ - "Backdoor.JSP"
+ - "Backdoor.ASP"
+ - "Backdoor?Java"
+ - Signature|contains:
+ - "Webshell"
+ - "Chopper"
+ - "ASPXSpy"
+ - "Aspdoor"
+ - "PHP:"
+ - "PHPShell"
+ - "Trojan.PHP"
+ - "Trojan.ASP"
+ - "Trojan.JSP"
+ - "PHP?Agent"
+ - "ASP?Agent"
+ - "JSP?Agent"
condition: selection
fields:
- FileName
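Review bot: Three of the rewritten `startswith` values turn the single-character wildcard into a literal dot (`Backdoor.PHP`, `Backdoor.JSP`, `Backdoor.ASP`), which narrows the match: signature names written as `Backdoor:PHP/…` or `Backdoor/PHP…` no longer hit, whereas the neighbouring `Backdoor?Java` keeps the `?` wildcard. Unless the narrowing is intended, keep these as `"Backdoor?PHP"`, `"Backdoor?JSP"`, `"Backdoor?ASP"` for consistency with the rest of the list.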
diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml
index 42fe48bae..65afffb47 100644
--- a/rules/windows/malware/mal_azorult_reg.yml
+++ b/rules/windows/malware/mal_azorult_reg.yml
@@ -17,8 +17,8 @@ detection:
EventID:
- 12
- 13
- TargetObject:
- - '*SYSTEM\\*\services\localNETService'
+ TargetObject|contains: 'SYSTEM\'
+ TargetObject|endswith: '\services\localNETService'
condition: selection
fields:
- Image
diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
index 37e315f90..d033b4b84 100644
--- a/rules/windows/malware/win_mal_flowcloud.yml
+++ b/rules/windows/malware/win_mal_flowcloud.yml
@@ -17,12 +17,14 @@ detection:
EventID:
- 12 # key create
- 13 # value set
- TargetObject:
+ selection2:
+ - TargetObject:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- - 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
- condition: selection
+ - TargetObject|startswith:
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\'
+ condition: selection and selection2
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/malware/win_mal_lockergoga.yml b/rules/windows/malware/win_mal_lockergoga.yml
new file mode 100644
index 000000000..c22d83ab7
--- /dev/null
+++ b/rules/windows/malware/win_mal_lockergoga.yml
@@ -0,0 +1,23 @@
+title: LockerGoga Ransomware
+id: 74db3488-fd28-480a-95aa-b7af626de068
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+status: experimental
+references:
+ - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+ - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+ - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+tags:
+ - attack.impact
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '-i SM-tgytutrc -s'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml
index aa5977d23..02603871b 100644
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@@ -11,10 +11,15 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\net.exe stop "samss" *'
- - '*\net.exe stop "audioendpointbuilder" *'
- - '*\net.exe stop "unistoresvc_?????" *'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'stop'
+ CommandLine|contains:
+ - 'samss'
+ - 'audioendpointbuilder'
+ - 'unistoresvc_?????'
condition: selection
falsepositives:
- Unlikely
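Review bot: `CommandLine|contains|all:` with the single value `'stop'` is equivalent to plain `CommandLine|contains: 'stop'`; the `|all` modifier only changes semantics for two or more values, so the current form reads as if an entry is missing. The rewrite also drops the quoting the old pattern required (`stop "samss"`), so `contains: 'samss'` now matches any `net.exe`/`net1.exe` command line that mentions the service name together with `stop`; that is probably acceptable for this indicator, but a comment noting the widened match would help whoever tunes it later.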
diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml
index 902d85ae3..a0c51c74a 100644
--- a/rules/windows/malware/win_mal_ursnif.yml
+++ b/rules/windows/malware/win_mal_ursnif.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
EventID: 13
- TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+ TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
new file mode 100644
index 000000000..124148c19
--- /dev/null
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,26 @@
+title: Silenttrinity Stager Msbuild Activity
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+description: Detects a possible remote connections to Silenttrinity c2
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+tags:
+ - attack.execution # example MITRE ATT&CK category
+ - attack.t1127.001
+status: experimental
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\msbuild.exe'
+ filter:
+ DestinationPort:
+ - '80'
+ - '443'
+ Initiated: 'true'
+ condition: selection and filter
+falsepositives:
+ - unknown
+level: high
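Review bot: `ParentImage|endswith: '\msbuild.exe'` is used on a `network_connection` source, but Sysmon network-connection events carry `Image`, not `ParentImage`, as far as I know, so the selection would never match; if, as the title suggests, the stager runs inside msbuild.exe, the process making the connection is msbuild.exe itself and the field should be `Image|endswith: '\msbuild.exe'`. The block named `filter` is a positive constraint combined with `and`, not an exclusion, so a name such as `selection_ports` avoids confusion with the `and not filter` convention used elsewhere in this commit. The `# example MITRE ATT&CK category` comment on the tags line is template residue and should be removed.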
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 48a2a8c46..e97176154 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -18,29 +18,29 @@ logsource:
product: windows
detection:
selection:
- Image: '*\dllhost.exe'
+ Image|endswith: '\dllhost.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index a8dd264d6..6ab3c851a 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -70,28 +70,28 @@ detection:
- '4040'
- '9943'
filter1:
- Image: '*\Program Files*'
+ Image|contains: '\Program Files'
filter2:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
DestinationIsIpv6: 'false'
condition: selection and not ( filter1 or filter2 )
falsepositives:
diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
index 857d1e7e5..0ab14bd51 100755
--- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
@@ -18,7 +18,7 @@ date: 2020/05/14
modified: 2020/08/24
detection:
selection:
- Image: '*\notepad.exe'
+ Image|endswith: '\notepad.exe'
filter:
DestinationPort: '9100'
condition: selection and not filter
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index 23d39f5bd..4a110b53e 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -16,28 +16,28 @@ logsource:
product: windows
detection:
selection:
- Image: '*\powershell.exe'
+ Image|endswith: '\powershell.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
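Review bot: The context line `- '127.0.0.1'` now sits under `DestinationIp|startswith`, so it behaves as a prefix (also matching 127.0.0.10–127.0.0.19 and similar) while the sibling rules in this commit use `- '127.'`; for consistency and to cover the whole loopback block change it to `- '127.'`. Note also that `DestinationIsIpv6` and `User: 'NT AUTHORITY\SYSTEM'` are AND-ed with the address list inside `filter`, so — assuming the condition below the hunk is `selection and not filter` like the sibling rules — a powershell.exe connection to an RFC1918 address by any non-SYSTEM user is never filtered; if that is not intended, move the `User` constraint into its own filter. The rule's condition is outside the hunk.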
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index 77bde60a2..ad50510af 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -19,13 +19,15 @@ logsource:
product: windows
detection:
selection:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
Initiated: 'true'
SourcePort: 3389
- DestinationIp:
- - '127.*'
+ selection2:
+ - DestinationIp|startswith:
+ - '127.'
+ - DestinationIP:
- '::1'
- condition: selection
+ condition: selection and selection2
falsepositives:
- unknown
level: high
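Review bot: The new `selection2` spells the field two ways — `DestinationIp|startswith` on one alternative and `DestinationIP` on the other — and since Sigma field names are case-sensitive for mapping purposes, the `::1` branch will target an unmapped field on most backends and silently never match. Use the same Sysmon field name for both: `- DestinationIp: '::1'`. The indentation of the `::1` list item is not visible in this diff rendering, so confirm the file keeps it as a child of the second alternative rather than a third list entry.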
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 3766fc091..75920a653 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -17,29 +17,29 @@ logsource:
product: windows
detection:
selection:
- Image: '*\rundll32.exe'
+ Image|endswith: '\rundll32.exe'
Initiated: 'true'
filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
index 9b152411f..b8c4544dc 100755
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -12,19 +12,21 @@ logsource:
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
- Image:
- # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- - '*\$Recycle.bin'
- - '*\Users\All Users\\*'
- - '*\Users\Default\\*'
- - '*\Users\Public\\*'
- - '*\Users\Contacts\\*'
- - '*\Users\Searches\\*'
- - 'C:\Perflogs\\*'
- - '*\config\systemprofile\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
+ - Image|contains:
+ # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Public\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
+ - Image|endswith:
+ - '\$Recycle.bin'
+ - Image|startswith:
+ - 'C:\Perflogs\'
condition: selection
falsepositives:
- unknown
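Review bot: `Image|endswith: '\$Recycle.bin'` can never match a real event: `Image` is the path of an executable, and `$Recycle.bin` is a directory name, so the old `'*\$Recycle.bin'` pattern was already dead and the conversion preserves the defect. The intent is presumably executables started from inside the recycle bin, which belongs in the `contains` list as `- '\$Recycle.bin\'` (with trailing backslash, like the other directory entries). If the original pattern really meant a file literally named `$Recycle.bin`, a comment saying so would stop the next reviewer from asking the same question.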
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 8955b940f..e12fde626 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -20,26 +20,26 @@ detection:
DestinationPort: 3389
Initiated: 'true'
filter:
- Image:
- - '*\mstsc.exe'
- - '*\RTSApp.exe'
- - '*\RTS2App.exe'
- - '*\RDCMan.exe'
- - '*\ws_TunnelService.exe'
- - '*\RSSensor.exe'
- - '*\RemoteDesktopManagerFree.exe'
- - '*\RemoteDesktopManager.exe'
- - '*\RemoteDesktopManager64.exe'
- - '*\mRemoteNG.exe'
- - '*\mRemote.exe'
- - '*\Terminals.exe'
- - '*\spiceworks-finder.exe'
- - '*\FSDiscovery.exe'
- - '*\FSAssessment.exe'
- - '*\MobaRTE.exe'
- - '*\chrome.exe'
- - '*\thor.exe'
- - '*\thor64.exe'
+ Image|endswith:
+ - '\mstsc.exe'
+ - '\RTSApp.exe'
+ - '\RTS2App.exe'
+ - '\RDCMan.exe'
+ - '\ws_TunnelService.exe'
+ - '\RSSensor.exe'
+ - '\RemoteDesktopManagerFree.exe'
+ - '\RemoteDesktopManager.exe'
+ - '\RemoteDesktopManager64.exe'
+ - '\mRemoteNG.exe'
+ - '\mRemote.exe'
+ - '\Terminals.exe'
+ - '\spiceworks-finder.exe'
+ - '\FSDiscovery.exe'
+ - '\FSAssessment.exe'
+ - '\MobaRTE.exe'
+ - '\chrome.exe'
+ - '\thor.exe'
+ - '\thor64.exe'
condition: selection and not filter
falsepositives:
- Other Remote Desktop RDP tools
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 1d197ab93..a63c8b1e0 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -21,10 +21,10 @@ logsource:
detection:
selection:
Initiated: 'true'
- DestinationHostname:
- - '*.github.com'
- - '*.githubusercontent.com'
- Image: 'C:\Windows\\*'
+ DestinationHostname|endswith:
+ - '.github.com'
+ - '.githubusercontent.com'
+ Image|startswith: 'C:\Windows\'
condition: selection
falsepositives:
- 'Unknown'
diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
index 6e324b9cb..4422fc1e5 100755
--- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -16,11 +16,11 @@ logsource:
detection:
selection:
Initiated: 'true'
- DestinationHostname:
- - '*dl.dropboxusercontent.com'
- - '*.pastebin.com'
- - '*.githubusercontent.com' # includes both gists and github repositories
- Image: 'C:\Windows\\*'
+ DestinationHostname|endswith:
+ - 'dl.dropboxusercontent.com'
+ - '.pastebin.com'
+ - '.githubusercontent.com' # includes both gists and github repositories
+ Image|startswith: 'C:\Windows\'
condition: selection
falsepositives:
- 'Unknown'
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
index 9a34a1575..eac2c43d1 100644
--- a/rules/windows/other/win_pcap_drivers.yml
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -16,16 +16,16 @@ logsource:
detection:
selection:
EventID: 4697
- ServiceFileName:
- - '*pcap*'
- - '*npcap*'
- - '*npf*'
- - '*nm3*'
- - '*ndiscap*'
- - '*nmnt*'
- - '*windivert*'
- - '*USBPcap*'
- - '*pktmon*'
+ ServiceFileName|contains:
+ - 'pcap'
+ - 'npcap'
+ - 'npf'
+ - 'nm3'
+ - 'ndiscap'
+ - 'nmnt'
+ - 'windivert'
+ - 'USBPcap'
+ - 'pktmon'
condition: selection
fields:
- EventID
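Review bot: With `ServiceFileName|contains`, the `'npcap'` entry is fully subsumed by `'pcap'` on every backend, and `'USBPcap'` is subsumed as well wherever `contains` is case-insensitive (the usual case for Windows backends), so the list can be shortened without changing what it matches. Dropping the redundant entries also makes it clearer to the reader that the effective signal is the short substrings `pcap`, `npf`, `nm3`, `nmnt`, which are broad enough to deserve a comment on expected false positives.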
diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
new file mode 100644
index 000000000..da829faa9
--- /dev/null
+++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -0,0 +1,27 @@
+title: Zerologon Exploitation Using Well-known Tools
+id: 18f37338-b9bd-4117-a039-280c81f7a596
+status: stable
+description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
+references:
+ - https://www.secura.com/blog/zero-logon
+author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
+date: 2020/10/13
+tags:
+ - attack.t1210
+ - attack.lateral_movement
+logsource:
+ category: other
+ service: system
+ product: windows
+detection:
+ selection:
+ - EventID: '5805'
+ Message|contains:
+ - kali
+ - mimikatz
+ - EventID: '5723'
+ Message|contains:
+ - kali
+ - mimikatz
+ condition: selection
+level: critical
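Review bot: The rule is missing the `falsepositives` field that the other rules in this commit carry, and it is marked `status: stable` on the day it was written; a new rule should start as `status: experimental` with `falsepositives:` listing at least `- Unknown`. `category: other` is not a Sigma log source category and adds nothing next to `product: windows` / `service: system`, so drop it. For consistency with the rest of the repository (`EventID: 4697`, `EventID: 7045` elsewhere in this diff) write the event IDs as integers rather than `'5805'` / `'5723'`, and consider that `Message|contains: kali` is a bare substring that will also match any hostname containing those letters.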
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 211766129..76f9deda4 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -33,7 +33,7 @@ detection:
service_installation:
EventID: 7045
ServiceName: 'PSEXESVC'
- ServiceFileName: '*\PSEXESVC.exe'
+ ServiceFileName|endswith: '\PSEXESVC.exe'
service_execution:
EventID: 7036
ServiceName: 'PSEXESVC'
@@ -43,5 +43,5 @@ logsource:
product: windows
detection:
sysmon_processcreation:
- Image: '*\PSEXESVC.exe'
+ Image|endswith: '\PSEXESVC.exe'
User: 'NT AUTHORITY\SYSTEM'
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index dbb17a226..bf8e8a0f7 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,10 +1,11 @@
+action: global
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
-author: Florian Roth
+description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017/08/22
-modified: 2020/08/23
+modified: 2020/10/13
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
@@ -13,21 +14,32 @@ tags:
- attack.privilege_escalation
- attack.t1084 # an old one
- attack.t1546.003
-logsource:
- product: windows
- service: wmi
-detection:
- selection:
- EventID: 5861
- keywords:
- Message:
- - '*ActiveScriptEventConsumer*'
- - '*CommandLineEventConsumer*'
- - '*CommandLineTemplate*'
- # - 'Binding EventFilter' # too many false positive with HP Health Driver
- selection2:
- EventID: 5859
- condition: selection and 1 of keywords or selection2
falsepositives:
- Unknown (data set is too small; further testing needed)
level: medium
+---
+logsource:
+ product: windows
+ service: wmi #native windows detection
+ definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
+detection:
+ wmi_filter_to_consumer_binding:
+ EventID: 5861
+ Message|contains:
+ - 'ActiveScriptEventConsumer'
+ - 'CommandLineEventConsumer'
+ - 'CommandLineTemplate'
+ # - 'Binding EventFilter' # too many false positive with HP Health Driver
+ wmi_filter_registration:
+ EventID: 5859
+ condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ wmi_subscription:
+ EventID: 4662
+ ObjectType: 'WMI Namespace'
+ ObjectName|contains: 'subscription'
+ condition: wmi_subscription
\ No newline at end of file
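Review bot: The `definition` text about "WMI Namespaces Auditing and SACL" is attached to the `service: wmi` document, but a SACL is what makes the security-log document's `EventID: 4662` fire; the WMI-Activity document needs that operational log enabled, not a SACL. Move the SACL sentence to the `service: security` document, e.g. `definition: 'Object access auditing (4662) with a SACL on the root\subscription WMI namespace is required'`, and keep only the Windows 10 / 2012 note on the wmi document. Minor style: the condition `(wmi_filter_to_consumer_binding) OR (wmi_filter_registration)` uses uppercase and parentheses while every other rule here writes `a or b`; and the file ends without a newline.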
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
new file mode 100644
index 000000000..9c4f4342f
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
@@ -0,0 +1,24 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ condition: selection
+falsepositives: Unknown
+level: high
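Review bot: `falsepositives: Unknown` is a scalar, whereas the Sigma schema and every other rule in this diff use a list; write it as `falsepositives:` followed by `- Unknown` so schema validation and downstream tooling that iterates the list do not break. The detection itself is sound: `contains|all` requires both the script name and `SyncInvoke` in one script block, which matches the documented two-line usage only when both lines land in the same 4104 event — the companion "(2 Lines)" rule covers the split case.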
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
new file mode 100644
index 000000000..f22022cf9
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Invocation.ps1 (2 Lines)
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ condition: selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+ # PS > SyncInvoke c:\Evil.exe
+falsepositives: Unknown
+level: high
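Review bot: The aggregation `count(ScriptBlockText) by Computer > 2` cannot fire for the scenario described in the comments: the two documented lines produce two matching 4104 events (and two distinct script-block values), so the count is 2 and `> 2` is false. Change it to `selection2 | count(ScriptBlockText) by Computer > 1` (or `>= 2`). `falsepositives: Unknown` should also be a list (`- Unknown`) like the sibling rules.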
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 000000000..46cbd45be
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,24 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ condition: selection
+falsepositives: Unknown
+level: high
\ No newline at end of file
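Review bot: `falsepositives: Unknown` should be a list entry (`falsepositives:` / `- Unknown`) to match the schema and the other rules in this commit. The file also lacks a trailing newline.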
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
new file mode 100644
index 000000000..f7c4075fa
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ condition: selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+ # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives: Unknown
+level: high
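Review bot: As with the CL_Invocation companion, `count(ScriptBlockText) by Computer > 2` never triggers on the two-line usage shown in the comments (two events, two distinct values, count = 2); use `> 1`. `falsepositives: Unknown` should be a list.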
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml
new file mode 100644
index 000000000..862bbd69b
--- /dev/null
+++ b/rules/windows/powershell/powershell_accessing_win_api.yml
@@ -0,0 +1,71 @@
+title: Accessing WinAPI in PowerShell
+id: 03d83090-8cba-44a0-b02f-0b756a050306
+status: experimental
+description: Detecting use WinAPI Functions in PowerShell
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1106
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID:
+ - 4104
+ Message|contains:
+ - 'WaitForSingleObject'
+ - 'QueueUserApc'
+ - 'RtlCreateUserThread'
+ - 'OpenProcess'
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'WriteProcessMemory'
+ - 'CreateUserThread'
+ - 'CloseHanlde'
+ - 'GetDelegateForFunctionPointer'
+ - 'CreateThread'
+ - 'memcpy'
+ - 'LoadLibrary'
+ - 'GetModuleHandle'
+ - 'GetProcAdress'
+ - 'VirtualProtect'
+ - 'FreeLibrary'
+ - 'ReadProcessMemory'
+ - 'CreateRemoteThread'
+ - 'AdjustTokenPrivileges'
+ - 'WriteByte'
+ - 'WriteInt32'
+ - 'OpenThreadToken'
+ - 'PtrToString'
+ - 'FreeHGlobal'
+ - 'ZeroFreeGlobalAllocUnicode'
+ - 'OpenProcessToken'
+ - 'GetTokenInformation'
+ - 'SetThreadToken'
+ - 'ImpersonateLoggedOnUser'
+ - 'RevertToSelf'
+ - 'GetLogonSessionData'
+ - 'CreateProcessWithToken'
+ - 'DuplicateRokenEx'
+ - 'OpenWindowStation'
+ - 'OpenDesktop'
+ - 'MiniDumpWrireDump'
+ - 'AddSecurityPackage'
+ - 'EnumerateSecurityPackages'
+ - 'GetProcessHandle'
+ - 'DangerousGetHandle'
+ - 'Kernel32'
+ - 'Advapi32'
+ - 'Msvcrt'
+ - 'ntdll'
+ - 'User32'
+ - 'Secur32'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
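Review bot: Four of the API names are misspelled and therefore dead entries: `CloseHanlde`, `GetProcAdress`, `DuplicateRokenEx` and `MiniDumpWrireDump` should be `CloseHandle`, `GetProcAddress`, `DuplicateTokenEx` and `MiniDumpWriteDump`. Separately, the sibling 4104 rules in this commit match on `ScriptBlockText` rather than `Message`; if the backend field mapping does not alias `Message` for script-block events this rule matches nothing, so confirm the field or align it. Entries such as `ntdll`, `Kernel32`, `OpenProcess` and `LoadLibrary` will also appear in plenty of benign scripts, which is worth stating under `falsepositives` for a `level: high` rule.
```yaml
    Message|contains:
      # … unchanged: WaitForSingleObject … CreateUserThread …
      - 'CloseHandle'
      # … unchanged: GetDelegateForFunctionPointer … GetModuleHandle …
      - 'GetProcAddress'
      # … unchanged: VirtualProtect … CreateProcessWithToken …
      - 'DuplicateTokenEx'
      # … unchanged: OpenWindowStation, OpenDesktop …
      - 'MiniDumpWriteDump'
      # … unchanged: AddSecurityPackage … Secur32 …
```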
diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
new file mode 100644
index 000000000..eb2a473e4
--- /dev/null
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
@@ -0,0 +1,42 @@
+title: Bad Opsec Powershell Code Artifacts
+id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
+status: experimental
+references:
+ - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
+ - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
+ - https://www.mdeditor.tw/pl/pgRt
+author: 'ok @securonix invrep_de, oscd.community'
+date: 2020/10/09
+modified: 2020/10/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086
+logsource:
+ product: windows
+ service: powershell
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - '$DoIt'
+ - 'harmj0y'
+ - 'mattifestation'
+ - '_RastaMouse'
+ - 'tifkin_'
+ - '0xdeadbeef'
+ selection_4103:
+ EventID: 4103
+ Payload|contains:
+ - '$DoIt'
+ - 'harmj0y'
+ - 'mattifestation'
+ - '_RastaMouse'
+ - 'tifkin_'
+ - '0xdeadbeef'
+ condition: selection_4104 or selection_4103
+falsepositives:
+ - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
+level: high
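Review bot: The `definition` says only "Script block logging must be enabled", but `selection_4103` relies on module logging (EventID 4103, `Payload`), so half the rule is undocumented; write `definition: 'Script block logging (4104) and module logging (4103) must be enabled'`. `modified: 2020/10/09` duplicates `date:` on a brand-new rule and can be dropped. `0xdeadbeef` is a common placeholder in legitimate scripts, so the false-positive text should call it out or the entry should be reconsidered.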
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index b2249b79b..695c01d00 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -3,7 +3,8 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
-author: Ilyas Ochkov, oscd.community
+modified: 2020/11/28
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
@@ -14,12 +15,36 @@ logsource:
product: windows
service: powershell
detection:
- keywords:
- - 'del (Get-PSReadlineOption).HistorySavePath'
- - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
- - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- - 'rm (Get-PSReadlineOption).HistorySavePath'
- condition: keywords
+ selection_1:
+ EventID: 4104
+ selection_2:
+ ScriptBlockText|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ ScriptBlockText|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_3:
+ ScriptBlockText|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ selection_4:
+ EventID: 4103
+ selection_5:
+ Payload|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ Payload|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_6:
+ Payload|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ condition: selection_1 and ( selection_2 or selection_3 ) or
+ selection_4 and ( selection_5 or selection_6 )
falsepositives:
- - some PS-scripts
+ - Legitimate PowerShell scripts
level: medium
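Review bot: The `–HistorySaveStyle` entries in `selection_3` and `selection_6` use an en dash (U+2013), but the real parameter is `-HistorySaveStyle` with an ASCII hyphen, so `contains|all` will miss the actual command `Set-PSReadlineOption -HistorySaveStyle SaveNothing`; drop the dash and match `'HistorySaveStyle'`. The original keyword carried the same character, so this is inherited, but the rewrite is the moment to fix it. Also note that `del` and `rm` as bare substrings match most script blocks (e.g. "model", "form"), so in `selection_2`/`selection_5` the first list adds almost no constraint beyond `(Get-PSReadlineOption).HistorySavePath`.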
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml
new file mode 100644
index 000000000..a652304e2
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml
@@ -0,0 +1,51 @@
+title: Suspicious PowerShell Cmdline
+id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
+description: Detects the PowerShell command lines with reversed strings
+status: experimental
+references:
+ - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'hctac'
+ - 'kearb'
+ - 'dnammoc'
+ - 'ekovn'
+ - 'eliFd'
+ - 'rahc'
+ - 'etirw'
+ - 'golon'
+ - 'tninon'
+ - 'eddih'
+ - 'tpircS'
+ - 'ssecorp'
+ - 'llehsrewop'
+ - 'esnopser'
+ - 'daolnwod'
+ - 'tneilCbeW'
+ - 'tneilc'
+ - 'ptth'
+ - 'elifotevas'
+ - '46esab'
+ - 'htaPpmeTteG'
+ - 'tcejbO'
+ - 'maerts'
+ - 'hcaerof'
+ - 'ekovni'
+ - 'retupmoc'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
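Review bot: Several list entries are redundant under `contains`: `'ekovn'` already matches everything `'ekovni'` does, and `'tneilc'` subsumes `'tneilCbeW'` on case-insensitive backends, so the longer, more specific entries are dead. Either remove the short forms (keeping the more specific ones reduces noise on a `level: high` rule) or document that the short forms are intentional. The selection also only covers `\powershell.exe`; if PowerShell 7 is in scope add `- '\pwsh.exe'` to `Image|endswith`.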
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
new file mode 100644
index 000000000..ec328a9a2
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -0,0 +1,36 @@
+title: Suspicious PowerShell Command Line
+id: d7bcd677-645d-4691-a8d4-7a5602b780d1
+description: Detects the PowerShell command lines with special characters
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*^.*^.*^.*^.*^.*'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ condition: selection1 or selection2 or selection3 or selection4 or selection5
+falsepositives:
+ - Unlikely
+level: high
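Review bot: In `selection4` the `^` characters are unescaped regex anchors, not literal carets: in Python/PCRE-style engines `.*^.*^.*^.*^.*^.*` matches every string (each `.*` before a `^` matches empty at position 0), so this rule fires on every powershell.exe process creation. Escape them as `CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'`. `selection3` (five `{`) also subsumes `selection2` (ten `{`), so `selection2` is redundant, and its unescaped `{` is rejected by some engines (e.g. Java) — use `\{` as `selection2` does. The leading `.*` on each pattern is unnecessary for an unanchored search and costly on anchored backends.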
diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
new file mode 100644
index 000000000..6bfa956ee
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
@@ -0,0 +1,55 @@
+title: Encoded PowerShell Command Line
+id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+description: Detects specific combinations of encoding methods in the PowerShell command lines
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'char'
+ - 'join'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToInt'
+ - 'ToDecimal'
+ - 'ToByte'
+ - 'ToUint'
+ - 'ToSingle'
+ - 'ToSByte'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToChar'
+ - 'ToString'
+ - 'String'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'split'
+ - 'join'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'ForEach'
+ - 'Xor'
+ selection6:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'cOnvErTTO-SECUreStRIng'
+ condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6
+falsepositives:
+ - Unlikely
+level: medium
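Review bot: `cOnvErTTO-SECUreStRIng` in `selection6` was presumably meant to catch randomized-case obfuscation, but `contains` is case-insensitive on the usual Windows backends, so the entry is equivalent to `ConvertTo-SecureString` — a legitimate cmdlet used by countless credential-handling scripts — and will dominate the alert volume. Either drop `selection6` or express the case check with a case-sensitive regex on the backend that supports it. In `selection3`, `'String'` subsumes `'ToString'` and `'ToChar'`-adjacent matches, so the combination `selection2 and selection3` fires on ordinary `[Convert]::ToInt32(...)`/`.ToString()` code; list the false positives explicitly.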
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
new file mode 100644
index 000000000..47d220c50
--- /dev/null
+++ b/rules/windows/powershell/powershell_code_injection.yml
@@ -0,0 +1,24 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+status: experimental
+description: Detecting Code injection with PowerShell in another process
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: sysmon
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+detection:
+ selection:
+ EventID:
+ - 8
+ SourceImage|endswith: '\powershell.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
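Review bot: The log source is declared as `service: sysmon` with a raw `EventID: 8`, while the other Sysmon rules in this commit use the generic categories (`category: network_connection`, `category: process_creation`) so that field mapping and the required Sysmon config come from the backend; if the repository defines it, `category: create_remote_thread` with `product: windows` is the consistent form and lets `definition` drop the manual note. Fix the typo `Symson` → `Sysmon` in `definition`, and consider adding `- '\pwsh.exe'` to `SourceImage|endswith`. `falsepositives` should mention that any process-injection tooling driven from PowerShell, including legitimate debugging or EDR scripts, will trigger this.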
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 034b3d02d..4785ccf29 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -17,11 +17,11 @@ logsource:
detection:
selection1:
EventID: 400
- EngineVersion:
- - '2.*'
- - '4.*'
- - '5.*'
- HostVersion: '3.*'
+ EngineVersion|startswith:
+ - '2.'
+ - '4.'
+ - '5.'
+ HostVersion|startswith: '3.'
condition: selection1
falsepositives:
- Penetration Tests
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml
new file mode 100644
index 000000000..373f679aa
--- /dev/null
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
@@ -0,0 +1,25 @@
+title: PowerShell ICMP Exfiltration
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+status: experimental
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+author: 'Bartlomiej Czyz @bczyz1, oscd.community'
+date: 2020/10/10
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
+ condition: selection
+falsepositives:
+ - Legitimate usage of System.Net.NetworkInformation.Ping class
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
new file mode 100644
index 000000000..7d9b4abc9
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
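Review bot: The only reference is an internal task-tracking issue, which tells a reader nothing about the technique; add a reference to the Invoke-Obfuscation project or a write-up of its CLIP+ launcher so the regex can be validated against real samples. The pattern requires exactly one whitespace after `::(` (`\s`); `\s*` is more robust if the launcher output varies, and the leading `.*` is unnecessary for an unanchored search. The file lacks a trailing newline.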
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
new file mode 100644
index 000000000..7e2b0ef2d
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
new file mode 100644
index 000000000..9c2ab871f
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
new file mode 100644
index 000000000..365149a58
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: 1 of them
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 000000000..793dc3c14
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 000000000..ab358c642
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Stdin
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 000000000..5f514bc69
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Clip
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 000000000..45764546f
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
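Review bot: The file name `powershell_invoke_obfuscation_via_use_mhsta.yml` spells the binary `mhsta` while the title, description and regex all use `mshta`; renaming it to `powershell_invoke_obfuscation_via_use_mshta.yml` keeps the rule findable by the binary name. Within the regex, single-token groups such as `(set)`, `(&&)` and `(mshta)` are capturing groups that nothing refers to; writing them as plain `set`, `&&` and `mshta` reads cleaner and avoids needless capture work on backends that honour it.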
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..a0abb7616
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
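Review bot: `date: 2019/10/08` looks like a typo for 2020 — every other rule added from issue #1009 in this batch is dated October 2020, and the sibling rule by the same author (via_use_mhsta) carries `date: 2020/10/08`; please confirm the intended date. The references entry is also the only one in the batch without a `#(Task N)` annotation, which makes it harder to trace back to the issue.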
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
new file mode 100644
index 000000000..62f796ce2
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ condition: selection_1 or selection_2
+falsepositives:
+ - Unknown
+level: high
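Review bot: The `|` in `cmd.*\/c|\/r` at the end of both regexes is a top-level alternation, so the pattern matches either the whole `&&set … -f … cmd … /c` sequence or simply any script block that contains `/r`; on a `level: high` rule that second branch is a large false-positive source. Grouping the switches as the sibling rules do fixes it: `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*(?:\/c|\/r)'` (and the same edit on `Payload|re`). The condition `selection_1 or selection_2` is equivalent to the `1 of them` used in the other Invoke-Obfuscation rules; one form throughout would be consistent.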
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index d75d512ae..ad4609d8d 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -8,112 +8,116 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
+modified: 2020/10/11
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Message:
- - "*Invoke-DllInjection*"
- - "*Invoke-Shellcode*"
- - "*Invoke-WmiCommand*"
- - "*Get-GPPPassword*"
- - "*Get-Keystrokes*"
- - "*Get-TimedScreenshot*"
- - "*Get-VaultCredential*"
- - "*Invoke-CredentialInjection*"
- - "*Invoke-Mimikatz*"
- - "*Invoke-NinjaCopy*"
- - "*Invoke-TokenManipulation*"
- - "*Out-Minidump*"
- - "*VolumeShadowCopyTools*"
- - "*Invoke-ReflectivePEInjection*"
- - "*Invoke-UserHunter*"
- - "*Find-GPOLocation*"
- - "*Invoke-ACLScanner*"
- - "*Invoke-DowngradeAccount*"
- - "*Get-ServiceUnquoted*"
- - "*Get-ServiceFilePermission*"
- - "*Get-ServicePermission*"
- - "*Invoke-ServiceAbuse*"
- - "*Install-ServiceBinary*"
- - "*Get-RegAutoLogon*"
- - "*Get-VulnAutoRun*"
- - "*Get-VulnSchTask*"
- - "*Get-UnattendedInstallFile*"
- - "*Get-ApplicationHost*"
- - "*Get-RegAlwaysInstallElevated*"
- - "*Get-Unconstrained*"
- - "*Add-RegBackdoor*"
- - "*Add-ScrnSaveBackdoor*"
- - "*Gupt-Backdoor*"
- - "*Invoke-ADSBackdoor*"
- - "*Enabled-DuplicateToken*"
- - "*Invoke-PsUaCme*"
- - "*Remove-Update*"
- - "*Check-VM*"
- - "*Get-LSASecret*"
- - "*Get-PassHashes*"
- - "*Show-TargetScreen*"
- - "*Port-Scan*"
- - "*Invoke-PoshRatHttp*"
- - "*Invoke-PowerShellTCP*"
- - "*Invoke-PowerShellWMI*"
- - "*Add-Exfiltration*"
- - "*Add-Persistence*"
- - "*Do-Exfiltration*"
- - "*Start-CaptureServer*"
- - "*Get-ChromeDump*"
- - "*Get-ClipboardContents*"
- - "*Get-FoxDump*"
- - "*Get-IndexedItem*"
- - "*Get-Screenshot*"
- - "*Invoke-Inveigh*"
- - "*Invoke-NetRipper*"
- - "*Invoke-EgressCheck*"
- - "*Invoke-PostExfil*"
- - "*Invoke-PSInject*"
- - "*Invoke-RunAs*"
- - "*MailRaider*"
- - "*New-HoneyHash*"
- - "*Set-MacAttribute*"
- - "*Invoke-DCSync*"
- - "*Invoke-PowerDump*"
- - "*Exploit-Jboss*"
- - "*Invoke-ThunderStruck*"
- - "*Invoke-VoiceTroll*"
- - "*Set-Wallpaper*"
- - "*Invoke-InveighRelay*"
- - "*Invoke-PsExec*"
- - "*Invoke-SSHCommand*"
- - "*Get-SecurityPackages*"
- - "*Install-SSP*"
- - "*Invoke-BackdoorLNK*"
- - "*PowerBreach*"
- - "*Get-SiteListPassword*"
- - "*Get-System*"
- - "*Invoke-BypassUAC*"
- - "*Invoke-Tater*"
- - "*Invoke-WScriptBypassUAC*"
- - "*PowerUp*"
- - "*PowerView*"
- - "*Get-RickAstley*"
- - "*Find-Fruit*"
- - "*HTTP-Login*"
- - "*Find-TrustedDocuments*"
- - "*Invoke-Paranoia*"
- - "*Invoke-WinEnum*"
- - "*Invoke-ARPScan*"
- - "*Invoke-PortScan*"
- - "*Invoke-ReverseDNSLookup*"
- - "*Invoke-SMBScanner*"
- - "*Invoke-Mimikittenz*"
- - "*Invoke-AllChecks*"
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Invoke-DllInjection"
+ - "Invoke-Shellcode"
+ - "Invoke-WmiCommand"
+ - "Get-GPPPassword"
+ - "Get-Keystrokes"
+ - "Get-TimedScreenshot"
+ - "Get-VaultCredential"
+ - "Invoke-CredentialInjection"
+ - "Invoke-Mimikatz"
+ - "Invoke-NinjaCopy"
+ - "Invoke-TokenManipulation"
+ - "Out-Minidump"
+ - "VolumeShadowCopyTools"
+ - "Invoke-ReflectivePEInjection"
+ - "Invoke-UserHunter"
+ - "Find-GPOLocation"
+ - "Invoke-ACLScanner"
+ - "Invoke-DowngradeAccount"
+ - "Get-ServiceUnquoted"
+ - "Get-ServiceFilePermission"
+ - "Get-ServicePermission"
+ - "Invoke-ServiceAbuse"
+ - "Install-ServiceBinary"
+ - "Get-RegAutoLogon"
+ - "Get-VulnAutoRun"
+ - "Get-VulnSchTask"
+ - "Get-UnattendedInstallFile"
+ - "Get-ApplicationHost"
+ - "Get-RegAlwaysInstallElevated"
+ - "Get-Unconstrained"
+ - "Add-RegBackdoor"
+ - "Add-ScrnSaveBackdoor"
+ - "Gupt-Backdoor"
+ - "Invoke-ADSBackdoor"
+ - "Enabled-DuplicateToken"
+ - "Invoke-PsUaCme"
+ - "Remove-Update"
+ - "Check-VM"
+ - "Get-LSASecret"
+ - "Get-PassHashes"
+ - "Show-TargetScreen"
+ - "Port-Scan"
+ - "Invoke-PoshRatHttp"
+ - "Invoke-PowerShellTCP"
+ - "Invoke-PowerShellWMI"
+ - "Add-Exfiltration"
+ - "Add-Persistence"
+ - "Do-Exfiltration"
+ - "Start-CaptureServer"
+ - "Get-ChromeDump"
+ - "Get-ClipboardContents"
+ - "Get-FoxDump"
+ - "Get-IndexedItem"
+ - "Get-Screenshot"
+ - "Invoke-Inveigh"
+ - "Invoke-NetRipper"
+ - "Invoke-EgressCheck"
+ - "Invoke-PostExfil"
+ - "Invoke-PSInject"
+ - "Invoke-RunAs"
+ - "MailRaider"
+ - "New-HoneyHash"
+ - "Set-MacAttribute"
+ - "Invoke-DCSync"
+ - "Invoke-PowerDump"
+ - "Exploit-Jboss"
+ - "Invoke-ThunderStruck"
+ - "Invoke-VoiceTroll"
+ - "Set-Wallpaper"
+ - "Invoke-InveighRelay"
+ - "Invoke-PsExec"
+ - "Invoke-SSHCommand"
+ - "Get-SecurityPackages"
+ - "Install-SSP"
+ - "Invoke-BackdoorLNK"
+ - "PowerBreach"
+ - "Get-SiteListPassword"
+ - "Get-System"
+ - "Invoke-BypassUAC"
+ - "Invoke-Tater"
+ - "Invoke-WScriptBypassUAC"
+ - "PowerUp"
+ - "PowerView"
+ - "Get-RickAstley"
+ - "Find-Fruit"
+ - "HTTP-Login"
+ - "Find-TrustedDocuments"
+ - "Invoke-Paranoia"
+ - "Invoke-WinEnum"
+ - "Invoke-ARPScan"
+ - "Invoke-PortScan"
+ - "Invoke-ReverseDNSLookup"
+ - "Invoke-SMBScanner"
+ - "Invoke-Mimikittenz"
+ - "Invoke-AllChecks"
false_positives:
- - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ EventID: 4104
+ ScriptBlockText|contains:
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
falsepositives:
- Penetration testing
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index bf8809959..f46ce60b3 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -16,27 +16,27 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Message:
- - "*AdjustTokenPrivileges*"
- - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- - "*Microsoft.Win32.UnsafeNativeMethods*"
- - "*ReadProcessMemory.Invoke*"
- - "*SE_PRIVILEGE_ENABLED*"
- - "*LSA_UNICODE_STRING*"
- - "*MiniDumpWriteDump*"
- - "*PAGE_EXECUTE_READ*"
- - "*SECURITY_DELEGATION*"
- - "*TOKEN_ADJUST_PRIVILEGES*"
- - "*TOKEN_ALL_ACCESS*"
- - "*TOKEN_ASSIGN_PRIMARY*"
- - "*TOKEN_DUPLICATE*"
- - "*TOKEN_ELEVATION*"
- - "*TOKEN_IMPERSONATE*"
- - "*TOKEN_INFORMATION_CLASS*"
- - "*TOKEN_PRIVILEGES*"
- - "*TOKEN_QUERY*"
- - "*Metasploit*"
- - "*Mimikatz*"
+ Message|contains:
+ - "AdjustTokenPrivileges"
+ - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+ - "Microsoft.Win32.UnsafeNativeMethods"
+ - "ReadProcessMemory.Invoke"
+ - "SE_PRIVILEGE_ENABLED"
+ - "LSA_UNICODE_STRING"
+ - "MiniDumpWriteDump"
+ - "PAGE_EXECUTE_READ"
+ - "SECURITY_DELEGATION"
+ - "TOKEN_ADJUST_PRIVILEGES"
+ - "TOKEN_ALL_ACCESS"
+ - "TOKEN_ASSIGN_PRIMARY"
+ - "TOKEN_DUPLICATE"
+ - "TOKEN_ELEVATION"
+ - "TOKEN_IMPERSONATE"
+ - "TOKEN_INFORMATION_CLASS"
+ - "TOKEN_PRIVILEGES"
+ - "TOKEN_QUERY"
+ - "Metasploit"
+ - "Mimikatz"
condition: keywords
falsepositives:
- Penetration tests
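Review bot: This rule keeps matching on `Message|contains` while `powershell_malicious_commandlets.yml` in the same commit moves to `EventID: 4104` plus `ScriptBlockText|contains`, so two rules that share the same `definition` recommending Script Block Logging now target different fields; if keeping `Message` here was deliberate it deserves a word in the rule, otherwise `EventID: 4104` with `ScriptBlockText|contains:` would align them. The same applies to `powershell_prompt_credentials.yml`, which already selects `EventID: 4104` but still matches on `Message|contains`.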
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index f5601ce97..4513b1dd2 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -20,8 +20,8 @@ detection:
selection:
EventID: 4104
keyword:
- Message:
- - '*PromptForCredential*'
+ Message|contains:
+ - 'PromptForCredential'
condition: all of them
falsepositives:
- Unknown
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index dcd835dcf..ba269aca2 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -13,7 +13,7 @@ tags:
- attack.t1086 #an old one
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
-modified: 2020/08/24
+modified: 2020/12/01
logsource:
product: windows
service: powershell
@@ -21,12 +21,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*AAAAYInlM*'
- keyword2:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
- condition: selection and keyword1 and keyword2
+ ScriptBlockText|contains: 'AAAAYInlM'
+ selection2:
+ ScriptBlockText|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
+ condition: selection and selection2
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 42b151a2c..97833fc3e 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -6,21 +6,57 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
-author: Florian Roth (rule)
+author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
logsource:
product: windows
service: powershell
detection:
- keywords:
- Message:
- - '* -nop -w hidden -c * [Convert]::FromBase64String*'
- - '* -w hidden -noni -nop -c "iex(New-Object*'
- - '* -w hidden -ep bypass -Enc*'
- - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
- - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
- - '*iex(New-Object Net.WebClient).Download*'
- condition: keywords
+ convert_b64:
+ Message|contains|all:
+ - '-nop'
+ - ' -w '
+ - 'hidden'
+ - ' -c '
+ - '[Convert]::FromBase64String'
+ iex_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-noni'
+ - '-nop'
+ - ' -c '
+ - 'iex'
+ - 'New-Object'
+ enc_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-ep'
+ - 'bypass'
+ - '-Enc'
+ reg_selection:
+ Message|contains|all:
+ - 'powershell'
+ - 'reg'
+ - 'add'
+ - 'HKCU\software\microsoft\windows\currentversion\run'
+ webclient_selection:
+ Message|contains|all:
+ - 'bypass'
+ - '-noprofile'
+ - '-windowstyle'
+ - 'hidden'
+ - 'new-object'
+ - 'system.net.webclient'
+ - '.download'
+ iex_webclient:
+ Message|contains|all:
+ - 'iex'
+ - 'New-Object'
+ - 'Net.WebClient'
+ - '.Download'
+ condition: 1 of them
falsepositives:
- Penetration tests
level: high
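Review bot: Splitting the wildcard strings into `contains|all` token lists drops the ordering and adjacency the originals encoded, and some of the resulting tokens are too short to be selective: in `reg_selection`, `'reg'` and `'add'` match inside words such as `regsvr32` or `address`, and `'powershell'` is likely present in most messages of this logsource. Keeping the distinctive phrase as one token — `- 'reg add HKCU\software\microsoft\windows\currentversion\run'` (or at least `- 'reg add'`) — restores most of the original precision. `enc_selection`'s `'-ep'` and `'-Enc'` are similarly weak on their own; `' -ep '` with surrounding spaces, written the way `' -w '` and `' -c '` already are, would be more consistent.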
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 000000000..f0ca3127e
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -0,0 +1,24 @@
+title: PowerShell Deleted Mounted Share
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
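Review bot: The `description:` line repeats a word: `Detects when when a mounted share is removed.` should read `Detects when a mounted share is removed.` If the intent is also to catch share removal done through `net use … /delete` from a PowerShell script block, note that the selection only matches the two cmdlet names and would not fire on that form.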
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index 87e162bd4..9555ba0d5 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -4,6 +4,7 @@ status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
+modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
@@ -13,12 +14,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*Set-ItemProperty*'
- - '*New-Item*'
- keyword2:
- - '*CurrentVersion\Winlogon*'
- condition: selection and ( keyword1 and keyword2 )
+ ScriptBlockText|contains: 'CurrentVersion\Winlogon'
+ selection2:
+ ScriptBlockText|contains:
+ - 'Set-ItemProperty'
+ - 'New-Item'
+ condition: selection and selection2
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml
index 4a6f4f4bc..03a81c232 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution.yml
@@ -30,5 +30,5 @@ logsource:
detection:
# Process Access Call Trace
selection:
- CallTrace: '*cmlua.dll*'
+ CallTrace|contains: 'cmlua.dll*'
condition: selection
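Review bot: The new value `'cmlua.dll*'` keeps a trailing `*` even though the `contains` modifier already wraps the value in wildcards, so backends see `*cmlua.dll**`; every other wildcard-to-modifier conversion in this commit drops the `*` entirely. `CallTrace|contains: 'cmlua.dll'` is the intended form.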
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 6606314d4..615b10461 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -8,7 +8,7 @@ description: Detects the access to processes by other suspicious processes which
status: experimental
date: 2019/10/27
modified: 2020/08/24
-author: Perez Diego (@darkquassar), oscd.community
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
@@ -21,12 +21,19 @@ logsource:
category: process_access
product: windows
detection:
- selection1:
- CallTrace:
- - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- - "*UNKNOWN(*)|UNKNOWN(*)"
- selection2:
- CallTrace: "*UNKNOWN*"
+ selection1:
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '|UNKNOWN('
+ - ')'
+ selection2:
+ CallTrace|contains|all:
+ - "UNKNOWN("
+ - ")|UNKNOWN("
+ CallTrace|endswith: ")"
+ selection3:
+ CallTrace|contains: "UNKNOWN"
granted_access:
GrantedAccess:
- "0x1F0FFF"
@@ -37,7 +44,7 @@ detection:
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
- condition: selection1 OR (selection2 AND granted_access)
+ condition: (selection1 or selection2) or (selection3 and granted_access)
fields:
- ComputerName
- User
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index bbcf116ae..f779354d6 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -17,10 +17,10 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\windows\system32\svchost.exe'
+ TargetImage|endswith: '\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
- CallTrace:
- - '*unknown*'
+ CallTrace|contains:
+ - 'unknown'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
index 2b57d3b48..bbeede229 100644
--- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -3,7 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
date: 2020/09/09
-author: Bhabesh Raj
+author: Bhabesh Raj, Jonhnathan Ribeiro
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
tags:
@@ -15,8 +15,12 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\lsass.exe'
- CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '_ctypes.pyd+'
+ - 'python27.dll+'
GrantedAccess: "0x1FFFFF"
condition: selection
level: critical
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
new file mode 100644
index 000000000..703f86b32
--- /dev/null
+++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
@@ -0,0 +1,29 @@
+title: Load Undocumented Autoelevated COM Interface
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+status: experimental
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+references:
+ - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ CallTrace|contains: 'editionupgrademanagerobj.dll'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - SourceImage
+ - TargetImage
+ - CallTrace
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
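Review bot: The `description:` describes the COM interface rather than what the rule detects; something like `Detects process access whose call trace includes editionupgrademanagerobj.dll, the undocumented auto-elevated EditionUpgradeManager COM interface that standard executables do not use.` tells the analyst what fired and why it matters. The file also ends without a trailing newline, unlike the other process_access rules in this commit.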
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 778afd9bc..ea72d46cc 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -19,9 +19,9 @@ detection:
selection:
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1fffff'
- CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ CallTrace|contains:
+ - 'dbghelp.dll'
+ - 'dbgcore.dll'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
index 2224ad19f..55855b3bc 100755
--- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -16,13 +16,15 @@ logsource:
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
- TargetImage: '*\verclsid.exe'
+ TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
- CallTrace: '*|UNKNOWN(*VBE7.DLL*'
+ CallTrace|contains|all:
+ - '|UNKNOWN('
+ - 'VBE7.DLL'
combination2:
- SourceImage: '*\Microsoft Office\\*'
- CallTrace: '*|UNKNOWN*'
+ SourceImage|contains: '\Microsoft Office\'
+ CallTrace|contains: '|UNKNOWN'
condition: selection and 1 of combination*
falsepositives:
- unknown
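Review bot: `SourceImage|contains: '\Microsoft Office\'` ends in a single backslash; the original value wrote `\\*` so the backslash was explicitly escaped before the trailing wildcard, whereas with `contains` the backend appends the `*` itself directly after that backslash, which under Sigma's escaping rules may be rendered as a literal asterisk on some backends. `SourceImage|contains: '\Microsoft Office\\'` keeps the escaped backslash explicit and matches the original intent.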
diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml
index 7ec90b74e..7a27dc2f2 100644
--- a/rules/windows/process_creation/cmstp_execution.yml
+++ b/rules/windows/process_creation/cmstp_execution.yml
@@ -27,5 +27,5 @@ logsource:
detection:
# CMSTP Spawning Child Process
selection:
- ParentImage: '*\cmstp.exe'
+ ParentImage|endswith: '\cmstp.exe'
condition: selection
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 000000000..bbc19c20a
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|endswith:
+ - '.dll'
+ - '.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
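Review bot: `Commandline|endswith` in the selection uses a field spelling that differs from the `CommandLine` used in this rule's own `fields:` list and in process_creation rules generally, so the field is unlikely to be mapped by backends; `CommandLine|endswith:` fixes it. The same misspelling is in `process_creation_msdeploy.yml` (`Commandline|contains|all`). The `attack.execution` tag paired with `attack.t1218` also looks inconsistent — T1218 (Signed Binary Proxy Execution) is a defense-evasion technique in ATT&CK, so `attack.defense_evasion` is the tactic the technique tag implies; the same applies to the msdeploy rule. The file also ends without a trailing newline.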
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 000000000..cf35510fa
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -0,0 +1,34 @@
+title: Execute Files with Msdeploy.exe
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 000000000..399103d25
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -0,0 +1,44 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+status: experimental
+description: Detection of unusual child processes by different system processes
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+date: 2020/10/28
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
+author: 'Semanur Guneysu @semanurtg, oscd.community'
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ ParentImage|endswith:
+ - '\winlogon.exe'
+ - '\services.exe'
+ - '\lsass.exe'
+ - '\csrss.exe'
+ - '\smss.exe'
+ - '\wininit.exe'
+ - '\spoolsv.exe'
+ - '\searchindexer.exe'
+ selection2:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\cmd.exe'
+ selection3:
+ User: 'NT AUTHORITY\SYSTEM'
+ filter:
+ CommandLine|contains|all:
+ - ' route '
+ - ' ADD '
+ condition: selection1 and selection2 and selection3 and not filter
+fields:
+ - ParentImage
+ - Image
+ - User
+ - CommandLine
+falsepositives:
+ - unknown
+level: high
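Review bot: The `filter` exempts every SYSTEM shell from these parents whose command line contains both ` route ` and ` ADD `, but nothing in the rule says which benign activity that covers, and the same two substrings would also hide a hostile route change spawned from winlogon or services. Add a comment above `filter:` such as `# exempts <benign activity — TODO document> that runs 'route ADD' from these parents`, or narrow it to the parent that actually produces it. The `User: 'NT AUTHORITY\SYSTEM'` literal is presumably the English account name; confirm it against the log source on non-English hosts.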
diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
new file mode 100644
index 000000000..0f53941d2
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
@@ -0,0 +1,30 @@
+title: Accesschk Usage After Privilege Escalation
+id: c625d754-6a3d-4f65-9c9a-536aea960d37
+description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+tags:
+ - attack.discovery
+ - attack.t1069.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ product:
+ Product|endswith: 'AccessChk'
+ description:
+ Description|contains: 'Reports effective permissions'
+ condition: integrity_level and (product or description)
+fields:
+ - IntegrityLevel
+ - Product
+ - Description
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: high
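Review bot: The only gating condition is `IntegrityLevel: 'Medium'`, which is the non-elevated level, yet the title says "After Privilege Escalation"; if the intent is accesschk run from an already-elevated context, `High` or `System` would be expected, and if the intent is the pre-escalation enumeration shown in the referenced slide, the title and description should say so. Either way a one-line comment above `integrity_level:` stating which case is meant would prevent the next maintainer from "fixing" it. The description also has the typo `succesfull` (`successful`).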
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
new file mode 100644
index 000000000..73a21e295
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -0,0 +1,32 @@
+title: Always Install Elevated MSI Spawned Cmd And Powershell
+id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
+description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ image:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ parent_image:
+ ParentImage|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ ParentImage|endswith:
+ - 'tmp'
+ condition: image and parent_image
+fields:
+ - Image
+ - ParentImage
+falsepositives:
+ - Penetration test
+level: medium
\ No newline at end of file
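Review bot: The description says the Windows Installer service (msiexec.exe) spawned the shell, but `parent_image` matches a parent under `\Windows\Installer\` ending in `tmp`, i.e. an extracted MSI custom-action binary, not msiexec.exe; reword the description to `spawned from a \Windows\Installer\MSI*.tmp custom action` so it matches the logic. `ParentImage|endswith: 'tmp'` has no dot, so any parent whose name merely ends in the letters tmp qualifies; `'.tmp'` is the intended suffix. The sibling rule sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml has the same description wording and the same `'tmp'` suffix on `ParentOfParentImage`.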
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
new file mode 100644
index 000000000..cd2d7a6d6
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -0,0 +1,35 @@
+title: MSI Spawned Cmd and Powershell Spawned Processes
+id: 38cf8340-461b-4857-bf99-23a41f772b18
+description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ parent_image:
+ ParentImage|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ parent_of_parent_image:
+ ParentOfParentImage|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ ParentOfParentImage|endswith:
+ - 'tmp'
+ condition: parent_image and parent_of_parent_image
+fields:
+ - ParentImage
+ - ParentOfParentImage
+falsepositives:
+ - Penetration test
+level: high
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
new file mode 100644
index 000000000..30cb9b428
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -0,0 +1,37 @@
+title: Always Install Elevated Windows Installer
+id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
+description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ integrity_level:
+ IntegrityLevel: 'System'
+ user:
+ User: 'NT AUTHORITY\SYSTEM'
+ image_1:
+ Image|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ Image|endswith:
+ - 'tmp'
+ image_2:
+ Image|endswith:
+ - '\msiexec.exe'
+ condition: (image_1 and user) or (image_2 and user and integrity_level)
+fields:
+ - IntegrityLevel
+ - User
+ - Image
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: high
\ No newline at end of file
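Review bot: The `image_2 and user and integrity_level` branch matches any `\msiexec.exe` running as `NT AUTHORITY\SYSTEM` at System integrity; on a standard host that also describes the Windows Installer service process itself (`msiexec.exe /V`), which is started for routine installations, so this branch will presumably fire on normal installs rather than only on AlwaysInstallElevated abuse. Consider a filter for that branch such as `CommandLine|endswith: ' /V'`, or document the service process under `falsepositives`, after checking against baseline data. `image_1` additionally uses `Image|endswith: 'tmp'` without the dot.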
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index 2b158b3a3..365be7dcf 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -16,17 +16,17 @@ logsource:
product: windows
detection:
exec_selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
exec_exclusion1:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
exec_exclusion2:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
create_keywords_cli:
- CommandLine: '*UserInitMprLogonScript*'
+ CommandLine|contains: 'UserInitMprLogonScript'
condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
new file mode 100644
index 000000000..2feca4fc3
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
@@ -0,0 +1,26 @@
+title: Too Long PowerShell Commandlines
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
+description: Detects Too long PowerShell command lines
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ Powershell_selection:
+ - CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ - Description: 'Windows Powershell'
+ - Product: 'PowerShell Core 6'
+ Length_selection:
+ CommandLine|re: '.{1000,}'
+ condition: all of them
+falsepositives: Unknown
+level: medium
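Review bot: `falsepositives: Unknown` is a plain scalar, while every other rule in this diff writes it as a list (`- unknown`); tooling that iterates the list will see a string here. Write it as `falsepositives:` followed by `  - Unknown`. The same scalar form appears in win_CL_Invocation_LOLScript.yml and win_CL_Mutexverifiers_LOLScript.yml. Separately, `Description: 'Windows Powershell'` — Sysmon reports the product description as `Windows PowerShell` with a capital S, so on a case-sensitive backend this alternative never matches; confirm against a sample event.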
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
new file mode 100644
index 000000000..d7136f783
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
@@ -0,0 +1,24 @@
+title: Execution via CL_Invocation.ps1
+id: a0459f02-ac51-4c09-b511-b8c9203fc429
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
+ condition: selection
+falsepositives: Unknown
+level: high
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 000000000..984557a01
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,24 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 99465c8f-f102-4157-b11c-b0cddd53b79a
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
+ condition: selection
+falsepositives: Unknown
+level: high
diff --git a/rules/windows/process_creation/win_ad_find_discovery.yml b/rules/windows/process_creation/win_ad_find_discovery.yml
new file mode 100644
index 000000000..2e6f5b93f
--- /dev/null
+++ b/rules/windows/process_creation/win_ad_find_discovery.yml
@@ -0,0 +1,43 @@
+title: AdFind Usage Detection
+id: 9a132afa-654e-11eb-ae93-0242ac130002
+description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
+references:
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+ - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+date: 2021/02/02
+modified: 2021/02/02
+tags:
+ - attack.discovery
+ - attack.t1482
+ - attack.t1018
+level: high
+status: experimental
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'domainlist'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'adinfo'
+ - ' dclist '
+ - 'computer_pwdnotreqd'
+ - 'objectcategory='
+ - '-subnets -f'
+ - 'name="Domain Admins"'
+ - '-sc u:'
+ - 'domainncs'
+ - 'dompol'
+ - ' oudmp '
+ - 'subnetdmp'
+ - 'gpodmp'
+ - 'fspdmp'
+ - 'users_noexpire'
+ - 'computers_active'
+ condition: selection
+falsepositives:
+ - Admin activity
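Review bot: Several values in `selection` are not AdFind-specific — `'objectcategory='` is part of any LDAP filter and `'adinfo'`, `'dcmodes'` and `'dompol'` are short substrings — yet the rule is `level: high` with only `Admin activity` listed as a false positive. Either add the LDAP/AD administration tooling that builds the same filters under `falsepositives`, or split the selection so the generic values are paired with an `Image|endswith` on the AdFind binary name and only the AdFind-specific switches are matched on the command line alone.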
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index 0e60a088c..69a911e44 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -17,7 +17,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*-noni -ep bypass $*'
+ CommandLine|contains|all:
+ - '-noni'
+ - '-ep'
+ - 'bypass'
+ - '$'
condition: selection
falsepositives:
- unknown
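Review bot: `contains|all` drops the ordering and adjacency the removed wildcard pattern enforced: `-noni -ep bypass $` becomes four independent substrings, and `'$'` occurs in most PowerShell command lines, so the selection is now effectively `-noni`, `-ep` and `bypass` anywhere. A leading and trailing `*` is exactly what `contains` already means, so `CommandLine|contains: '-noni -ep bypass $'` keeps the original semantics in modifier form. The same order-losing rewrite appears in win_apt_bear_activity_gtr19 (`/S /E /C /Q /H`), win_apt_bluemashroom, win_apt_hurricane_panda (where `'admin'` also swallows the dropped `administrators`), win_apt_mustangpanda, win_apt_evilnum_jul20 and win_apt_greenbug_may20; each should be rechecked against the original sample command lines before merging.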
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index ec6dbff16..248e3d652 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -17,11 +17,20 @@ logsource:
product: windows
detection:
selection1:
- Image: '*\xcopy.exe'
- CommandLine: '* /S /E /C /Q /H \\*'
+ Image|endswith: '\xcopy.exe'
+ CommandLine|contains|all:
+ - '/S'
+ - '/E'
+ - '/C'
+ - '/Q'
+ - '/H'
+ - '\\'
selection2:
- Image: '*\adexplorer.exe'
- CommandLine: '* -snapshot "" c:\users\\*'
+ Image|endswith: '\adexplorer.exe'
+ CommandLine|contains|all:
+ - '-snapshot'
+ - '""'
+ - 'c:\users\'
condition: selection1 or selection2
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index ba271c720..dedb3b2d5 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -15,9 +15,12 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\regsvr32*\AppData\Local\\*'
- - '*\AppData\Local\\*,DllEntry*'
+ - CommandLine|contains|all:
+ - '\regsvr32'
+ - '\AppData\Local\'
+ - CommandLine|contains|all:
+ - '\AppData\Local\'
+ - ',DllEntry'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index 1662eac37..c167ff6ed 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -19,7 +19,7 @@ tags:
- attack.t1071.004
date: 2018/03/23
modified: 2020/08/26
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
detection:
condition: 1 of them
falsepositives:
@@ -47,18 +47,16 @@ detection:
- 'UpdatMachine'
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection_reg1:
- EventID: 13
- TargetObject:
- - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+ TargetObject|endswith:
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
EventType: 'SetValue'
selection_reg2:
- EventID: 13
- TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+ TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'
EventType: 'SetValue'
Details: 'DWORD (0x00000001)'
---
@@ -66,14 +64,19 @@ logsource:
category: process_creation
product: windows
detection:
+ selection_process0:
+ CommandLine|contains: '\Service.exe'
+ CommandLine|endswith:
+ - 'i'
+ - 'u'
selection_process1:
- CommandLine:
- - '*\Service.exe i'
- - '*\Service.exe u'
- - '*\microsoft\Taskbar\autoit3.exe'
- - 'C:\wsc.exe*'
+ - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe'
+ - CommandLine|startswith: 'C:\wsc.exe'
selection_process2:
- Image: '*\Windows\Temp\DB\\*.exe'
+ Image|contains: '\Windows\Temp\DB\'
+ Image|endswith: '.exe'
selection_process3:
- CommandLine: '*\nslookup.exe -q=TXT*'
- ParentImage: '*\Autoit*'
+ CommandLine|contains|all:
+ - '\nslookup.exe'
+ - '-q=TXT'
+ ParentImage|contains: '\Autoit'
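Review bot: `selection_process0` now matches any command line containing `\Service.exe` whose last character is `i` or `u`, whereas the removed patterns `*\Service.exe i` / `*\Service.exe u` required a separate one-letter argument. Keep the token boundary with `- ' i'` and `- ' u'` under `CommandLine|endswith`. The rest of this document (its `condition`) lies outside the hunk.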
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index f6cde4853..8c6538e18 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -15,8 +15,10 @@ logsource:
product: windows
detection:
selection:
- Image: '*\cscript.exe'
- CommandLine: '*.vbs /shell *'
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - '.vbs'
+ - '/shell'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml
index 4c1593865..78c99ce92 100755
--- a/rules/windows/process_creation/win_apt_dragonfly.yml
+++ b/rules/windows/process_creation/win_apt_dragonfly.yml
@@ -13,8 +13,8 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\crackmapexec.exe'
+ Image|endswith:
+ - '\crackmapexec.exe'
condition: selection
falsepositives:
- None
diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml
index e392bbd7c..3758f698d 100755
--- a/rules/windows/process_creation/win_apt_elise.yml
+++ b/rules/windows/process_creation/win_apt_elise.yml
@@ -20,9 +20,9 @@ logsource:
detection:
selection1:
Image: 'C:\Windows\SysWOW64\cmd.exe'
- CommandLine: '*\Windows\Caches\NavShExt.dll *'
+ CommandLine|contains: '\Windows\Caches\NavShExt.dll '
selection2:
- CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+ CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: 1 of them
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
index 06a42220d..aae0f52a5 100644
--- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -17,8 +17,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\sllauncher.exe'
- Image: '*\svchost.exe'
+ ParentImage|endswith: '\sllauncher.exe'
+ Image|endswith: '\svchost.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 4aa084419..55efdc512 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -22,13 +22,13 @@ logsource:
product: windows
detection:
selection_cutil:
- CommandLine:
- - '*/i:%APPDATA%\logs.txt scrobj.dll'
- Image:
- - '*\cutil.exe'
+ CommandLine|endswith:
+ - '/i:%APPDATA%\logs.txt scrobj.dll'
+ Image|endswith:
+ - '\cutil.exe'
selection_regsvr32:
- CommandLine:
- - '*/i:%APPDATA%\logs.txt scrobj.dll'
+ CommandLine|endswith:
+ - '/i:%APPDATA%\logs.txt scrobj.dll'
Description:
- Microsoft(C) Registerserver
-
\ No newline at end of file
+
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 6eedefb4a..78748faa4 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -18,10 +18,10 @@ logsource:
product: windows
detection:
selection1:
- Image: '*\rundll32.exe'
- CommandLine: '*,dll_u'
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: ',dll_u'
selection2:
- CommandLine: '* -export dll_u *'
+ CommandLine|contains: ' -export dll_u '
condition: 1 of them
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
index da8c4c04f..df63be5a5 100644
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -19,7 +19,8 @@ detection:
selection:
CommandLine|contains|all:
- 'regsvr32'
- - ' /s /i '
+ - '/s'
+ - '/i'
- '\AppData\Roaming\'
- '.ocx'
condition: selection
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index f56288f7f..ffae03271 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -23,7 +23,8 @@ logsource:
detection:
selection1:
CommandLine|contains|all:
- - 'bitsadmin /transfer'
+ - 'bitsadmin'
+ - '/transfer'
- 'CSIDL_APPDATA'
selection2:
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml
index 294a3484d..8f7f0eedd 100755
--- a/rules/windows/process_creation/win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml
@@ -15,9 +15,12 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* localgroup administrators admin /add'
- - '*\Win64.exe*'
+ - CommandLine|contains|all:
+ - 'localgroup'
+ - 'admin'
+ - '/add'
+ - CommandLine|contains:
+ - '\Win64.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index ca9d2189e..c1fb93db5 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -20,15 +20,15 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\\*'
+ - CommandLine|endswith: 'eprod.ldf'
+ - CommandLine|contains:
+ - '\ldifde.exe -f -n '
+ - '\7za.exe a 1.7z '
+ - '\aaaa\procdump64.exe'
+ - '\aaaa\netsess.exe'
+ - '\aaaa\7za.exe'
+ - 'copy .\1.7z \'
+ - 'copy \\client\c$\aaaa\'
selection2:
Image: C:\Users\Public\7za.exe
condition: selection1 or selection2
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index bf8fcd819..41edce51f 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -15,13 +15,13 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\msdtc.exe'
- - '*\gpvc.exe'
+ Image|endswith:
+ - '\msdtc.exe'
+ - '\gpvc.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 28fa66924..614745109 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -2,7 +2,7 @@ title: Mustang Panda Dropper
id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
status: experimental
description: Detects specific process parameters as used by Mustang Panda droppers
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/10/30
references:
- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
@@ -13,15 +13,18 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*Temp\wtask.exe /create*'
- - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- - '*/E:vbscript * C:\Users\\*.txt" /F'
- - '*/tn "Security Script *'
- - '*%windir:~-1,1%*'
+ - CommandLine|contains:
+ - 'Temp\wtask.exe /create'
+ - '%windir:~-3,1%%PUBLIC:~-9,1%'
+ - '/tn "Security Script '
+ - '%windir:~-1,1%'
+ - CommandLine|contains|all:
+ - '/E:vbscript'
+ - 'C:\Users\'
+ - '.txt'
+ - '/F'
selection2:
- Image:
- - '*Temp\winwsh.exe'
+ Image|endswith: 'Temp\winwsh.exe'
condition: 1 of them
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml
index 2588e6dd8..51589931e 100755
--- a/rules/windows/process_creation/win_apt_slingshot.yml
+++ b/rules/windows/process_creation/win_apt_slingshot.yml
@@ -25,7 +25,6 @@ detection:
CommandLine|contains:
- '/delete'
- '/change'
- selection2:
CommandLine|contains|all:
- '/TN'
- '\Microsoft\Windows\Defrag\ScheduledDefrag'
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 6daeed46b..ac8d9ae9b 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -1,9 +1,9 @@
title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
status: experimental
date: 2018/03/01
-modified: 2020/08/27
+modified: 2020/11/28
description: Detects Trojan loader acitivty as used by APT28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -22,11 +22,14 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - 'rundll32.exe %APPDATA%\\*.dat",*'
- - 'rundll32.exe %APPDATA%\\*.dll",#1'
- condition: selection
+ selection1:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '%APPDATA%\'
+ selection2:
+ - CommandLine|contains: '.dat",'
+ - CommandLine|endswith: '.dll",#1'
+ condition: selection1 and selection2
falsepositives:
- Unknown
level: critical
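Review bot: The removed patterns had no leading `*`, so they anchored at the start of the command line; `selection1` with `contains|all` on `rundll32.exe` and `%APPDATA%\` drops that anchor and matches the two fragments anywhere. `CommandLine|startswith: 'rundll32.exe %APPDATA%\'` keeps the original anchor in modifier form and collapses selection1 to a single key, leaving selection2 as written.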
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 9cfbe54c6..70dcfd75e 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -16,6 +16,6 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+ CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
condition: selection
level: high
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index b36bd2f40..e238b8785 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -22,7 +22,8 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*cyzfc.dat, PointFunctionCall'
+ CommandLine|contains: 'cyzfc.dat,'
+ CommandLine|endswith: 'PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
@@ -31,5 +32,5 @@ logsource:
detection:
selection2:
EventID: 11
- TargetFilename:
- - '*ds7002.lnk*'
\ No newline at end of file
+ TargetFilename|contains:
+ - 'ds7002.lnk'
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
index 20e369df9..fb055f88e 100644
--- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -9,7 +9,7 @@ tags:
- attack.t1574.002
- attack.t1073 # an old one
- attack.g0044
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2020/07/30
logsource:
category: process_creation
@@ -19,10 +19,12 @@ detection:
CommandLine|contains:
- 'setup0.exe -p'
selection2:
- CommandLine|endswith:
- - 'setup.exe -x:0'
- - 'setup.exe -x:1'
- - 'setup.exe -x:2'
+ CommandLine|contains|all:
+ - 'setup.exe'
+ CommandLine|endswith:
+ - '-x:0'
+ - '-x:1'
+ - '-x:2'
condition: 1 of them
falsepositives:
- Legitimate setups that use similar flags
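Review bot: `CommandLine|contains|all:` with the single value `'setup.exe'` is `contains` with an `all` that does nothing; write `CommandLine|contains: 'setup.exe'`. The removed lines already used `|endswith` with no wildcards, so the split additionally loosens the rule: any command line mentioning setup.exe and ending in `-x:0` now matches, where before the suffix `setup.exe -x:0` was required. If the spacing in the referenced samples is reliable, the previous single `endswith` list was the tighter form.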
diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml
index 20307a723..6ddaacd92 100644
--- a/rules/windows/process_creation/win_apt_wocao.yml
+++ b/rules/windows/process_creation/win_apt_wocao.yml
@@ -32,7 +32,7 @@ detection:
selection:
EventID: 4799
GroupName: 'Administrators'
- ProcessName: '*\checkadmin.exe'
+ ProcessName|endswith: '\checkadmin.exe'
condition: selection
---
logsource:
@@ -51,4 +51,4 @@ detection:
- 'type *keepass\KeePass.config.xml'
- 'iie.exe iie.txt'
- 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
- condition: selection
\ No newline at end of file
+ condition: selection
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index fc17af95c..515d541e7 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -1,7 +1,7 @@
title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
description: Detects a ZxShell start by the called and well-known function name
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2017/07/20
modified: 2020/08/26
references:
@@ -20,9 +20,11 @@ logsource:
product: windows
detection:
selection:
+ Image|endswith:
+ - '\rundll32.exe'
CommandLine|contains:
- - 'rundll32.exe *,zxFunction*'
- - 'rundll32.exe *,RemoteDiskXXXXX'
+ - 'zxFunction'
+ - 'RemoteDiskXXXXX'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index 9e403128b..ca50c3bc1 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -10,12 +10,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\attrib.exe'
- CommandLine: '* +h *'
+ Image|endswith: '\attrib.exe'
+ CommandLine|contains: ' +h '
ini:
- CommandLine: '*\desktop.ini *'
+ CommandLine|contains: '\desktop.ini '
intel:
- ParentImage: '*\cmd.exe'
+ ParentImage|endswith: '\cmd.exe'
CommandLine: +R +H +S +A \\*.cui
ParentCommandLine: C:\WINDOWS\system32\\*.bat
condition: selection and not (ini or intel)
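Review bot: The `intel` exclusion still carries the legacy wildcard strings `+R +H +S +A \\*.cui` and `C:\WINDOWS\system32\\*.bat` as unquoted plain scalars while `selection` and `ini` in the same hunk were converted to modifiers; the `\\*` sequences rely on the old escaping rules this commit is moving away from. Convert them in the same pass using the split already applied to `selection`: `|contains` for the switch string, `|endswith` for the `.cui` and `.bat` suffixes, and `|startswith` for the `C:\WINDOWS\system32\` prefix, each quoted.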
diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
new file mode 100644
index 000000000..4b9294d8c
--- /dev/null
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -0,0 +1,25 @@
+title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+id: a7c3d773-caef-227e-a7e7-c2f13c622329
+status: experimental
+description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
+author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
+date: 2020/10/23
+references:
+ - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
+ - https://www.cobaltstrike.com/help-opsec
+tags:
+ - attack.defense_evasion
+ - attack.t1085 # legacy
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\WerFault.exe'
+ - '\rundll32.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
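Review bot: `CommandLine|endswith: '\rundll32.exe'` / `'\WerFault.exe'` only catches an unquoted, argument-less command line; if the sacrificial process is started with a quoted image path the command line ends in `"` and the rule is silent. Adding the quoted variants closes that gap: `- '\rundll32.exe"'` and `- '\WerFault.exe"'` alongside the existing two entries. Anchoring the selection with `Image|endswith` for the same two binaries would additionally avoid matching unrelated processes whose last argument merely ends in one of these names. With those changes `falsepositives: Unlikely` is more defensible.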
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 87c001abf..a5422e5f6 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -24,19 +24,18 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - wmic * *format:\"http*
- - wmic * /format:'http
- - wmic * /format:http*
+ Image|endswith:
+ - '\wmic.exe'
+ CommandLine|contains|all:
+ - wmic
+ - format
+ - http
selection2:
Imphash:
- 1B1A3F43BF37B5BFE60751F2EE2F326E
- 37777A96245A3C74EB217308F3546F4C
- 9D87C9D67CE724033C0B40CC4CA1B206
- CommandLine:
- - '* *format:\"http*'
- - '* /format:''http'
- - '* /format:http*'
+ CommandLine|contains|all:
+ - 'format:'
+ - 'http'
condition: 1 of them
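Review bot: selection1 relaxes `/format:http` to the three bare substrings `wmic`, `format`, `http`, so any wmic invocation that mentions a URL and uses an unrelated `format` (e.g. `/format:list`) now fires, while selection2 still requires `format:`. Keeping the colon preserves all three original variants (`/format:http`, `/format:'http`, `format:\"http`) and is consistent with selection2: `- format:` in place of `- format`. Quoting the values (`'wmic'`, `'format:'`, `'http'`) would also match the style of the other rules touched in this commit.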
diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml
new file mode 100644
index 000000000..bb53e9173
--- /dev/null
+++ b/rules/windows/process_creation/win_class_exec_xwizard.yml
@@ -0,0 +1,22 @@
+title: Custom Class Execution via Xwizard
+id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
+status: experimental
+description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\xwizard.exe'
+ CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
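Review bot: The `|re` pattern uses unescaped `{` and `}` for the literal GUID braces; Python's `re` tolerates a `{` that does not form a valid quantifier, but stricter engines behind some backends (Java's, for example) reject a bare `{` as an illegal repetition. Escaping them makes the expression portable: `CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'`. The description could also state plainly that any GUID argument to xwizard.exe is flagged, since the regex does not distinguish the custom-class case from other GUID arguments.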
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index ca801d0e6..bc9d89c74 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\cmdkey.exe'
- CommandLine: '* /list *'
+ Image|endswith: '\cmdkey.exe'
+ CommandLine|contains: ' /list '
condition: selection
fields:
- CommandLine
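Review bot: `CommandLine|contains: ' /list '` requires a trailing space, so the most common form `cmdkey /list` with no further arguments does not match because the command line ends right after the switch. Dropping the trailing space, `CommandLine|contains: ' /list'`, covers both the bare form and `/list:targetname`. Since `Image|endswith: '\cmdkey.exe'` already anchors the rule, the looser match adds little false-positive risk.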
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 5a42c7f50..589a2a18d 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -16,9 +16,11 @@ logsource:
product: windows
detection:
selection:
- ParentCommandLine|contains: 'cmd*/c'
+ ParentCommandLine|contains|all:
+ - 'cmd'
+ - '/c'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- (not much) some benign Java tools may product false-positive commandlines for loading libraries
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 204190094..854f0f44e 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -14,24 +14,24 @@ tags:
- attack.t1546
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020/06/22
-modified: 2020/08/29
+modified: 2020/11/28
level: critical
logsource:
product: windows
category: process_creation
detection:
selection1:
- CommandLine: '*.cpl'
+ CommandLine|endswith: '.cpl'
filter:
- CommandLine:
- - '*\System32\\*'
- - '*%System%*'
+ CommandLine|contains:
+ - '\System32\'
+ - '%System%'
selection2:
- CommandLine:
- - '*reg add*'
+ Image|endswith: '\reg.exe'
+ CommandLine|contains: 'add'
selection3:
- CommandLine:
- - '*CurrentVersion\\Control Panel\\CPLs*'
+ CommandLine|contains:
+ - 'CurrentVersion\\Control Panel\\CPLs'
condition: (selection1 and not filter) or (selection2 and selection3)
falsepositives:
- Unknown
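Review bot: The `filter` exclusion matches `\System32\` or `%System%` anywhere in the command line, so a .cpl dropped under a user-writable directory whose path merely contains `System32` (for example `C:\Users\x\System32\evil.cpl`) is excluded from selection1. Anchoring the exclusion to the real system directories narrows that bypass: `CommandLine|contains: ['C:\Windows\System32\', 'C:\Windows\SysWOW64\', '%System%']` (written as a block list to match the file). Note also that `CommandLine|endswith: '.cpl'` will not match when the .cpl path is quoted or followed by arguments; adding `'.cpl"'` as a second value covers the quoted case.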
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index c21b53e8e..53977514b 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -18,7 +18,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*\rundll32.exe *,InstallArcherSvc'
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'InstallArcherSvc'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
index 1cd5cc9fb..478b80d63 100644
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection:
- - Image|endswith: '*\iodine.exe'
+ - Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
index 33472ac55..b941e2f99 100644
--- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
+++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
@@ -19,9 +19,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage|endswith: '*\powershell.exe'
- Image|endswith: '*\nslookup.exe'
- CommandLine|endswith: '*\nslookup.exe'
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\nslookup.exe'
+ CommandLine|endswith: '\nslookup.exe'
condition: selection | count(Image) by ParentImage > 100
fields:
- Image
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index c2a463b9d..0a4f43d3b 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\MicroScMgmt.exe'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|endswith: '\MicroScMgmt.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 1e17dad10..bdc45eabb 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -20,8 +20,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\FLTLDR.exe*'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|contains: '\FLTLDR.exe'
condition: selection
falsepositives:
- Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 02ea83404..a21fcfead 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -21,7 +21,7 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\EQNEDT32.EXE'
+ ParentImage|endswith: '\EQNEDT32.EXE'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 337b97c0d..03801e753 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -20,8 +20,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\csc.exe'
+ ParentImage|endswith: '\WINWORD.EXE'
+ Image|endswith: '\csc.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index 0186b46cb..a4593acf1 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
references:
- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/11/15
modified: 2020/08/29
tags:
@@ -19,15 +19,19 @@ logsource:
product: windows
detection:
selection:
- ParentCommandLine:
- - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
- - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
+ ParentCommandLine|contains|all:
+ - '\cmd.exe'
+ - '/c'
+ - 'C:\Windows\Setup\Scripts\'
+ ParentCommandLine|endswith:
+ - 'SetupComplete.cmd'
+ - 'PartnerSetupComplete.cmd'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\WinSxS\\*'
- - 'C:\Windows\Setup\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\Windows\Setup\'
condition: selection and not filter
falsepositives:
- Unknown
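Review bot: In `ParentCommandLine|endswith`, the entry `'PartnerSetupComplete.cmd'` is redundant because `'SetupComplete.cmd'` is a suffix of it, and the unanchored suffix also matches any `*SetupComplete.cmd`. Prefixing both with the path separator, `'\SetupComplete.cmd'` and `'\PartnerSetupComplete.cmd'`, keeps the two cases distinct and ties them to the `C:\Windows\Setup\Scripts\` entry in `contains|all`. `modified: 2020/08/29` in the preceding hunk was not bumped although the detection logic changed.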
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index 9cbd84fd5..c93f2113b 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -15,9 +15,9 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\consent.exe'
- Image: '*\iexplore.exe'
- CommandLine: '* http*'
+ ParentImage|endswith: '\consent.exe'
+ Image|endswith: '\iexplore.exe'
+ CommandLine|contains: ' http'
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
index c23014f1f..10aaacd2b 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -25,9 +25,9 @@ detection:
selection:
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
Image|endswith:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index c49df6bc1..a0ae78a12 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection_1:
- Image: '*\reg.exe'
+ Image|endswith: '\reg.exe'
CommandLine|contains:
- 'save'
- 'export'
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
index 26057c10f..6daa475f9 100644
--- a/rules/windows/process_creation/win_hack_koadic.yml
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -14,16 +14,19 @@ tags:
- attack.t1059.007
- attack.t1064 # an old one
date: 2020/01/12
-modified: 2020/09/01
-author: wagga
+modified: 2020/11/28
+author: wagga, Jonhnathan Ribeiro, oscd.community
logsource:
category: process_creation
product: windows
detection:
- selection1:
- CommandLine:
- - '*cmd.exe* /q /c chcp *'
- condition: selection1
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - '/q'
+ - '/c'
+ - 'chcp'
+ condition: selection
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 491c60ad3..4ce04049b 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -18,16 +18,19 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
+ CommandLine|contains:
+ - ' asreproast '
+ - ' dump /service:krbtgt '
+ - ' kerberoast '
+ - ' createnetonly /program:'
+ - ' ptt /ticket:'
+ - ' /impersonateuser:'
+ - ' renew /ticket:'
+ - ' asktgt /user:'
+ - ' harvest /interval:'
+ - ' s4u /user:'
+ - ' s4u /ticket:'
+ - ' hash /password:'
condition: selection
falsepositives:
- unlikely
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index e10dfac4e..b1e40cded 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -18,7 +18,7 @@ logsource:
category: process_creation
product: windows
detection:
- selection1:
+ selection1:
Image|contains: '\CreateMiniDump.exe'
selection2:
Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
@@ -30,5 +30,5 @@ logsource:
detection:
selection:
EventID: 11
- TargetFilename|contains: '*\lsass.dmp'
+ TargetFilename|endswith: '\lsass.dmp'
condition: 1 of them
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index 206d5ab97..e21047809 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -25,8 +25,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\Hwp.exe'
- Image: '*\gbb.exe'
+ ParentImage|endswith: '\Hwp.exe'
+ Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index ad6f147c2..a97030d7d 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -7,7 +7,7 @@ references:
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py
-author: Ecco
+author: Ecco, oscd.community, Jonhnathan Ribeiro
date: 2019/09/03
modified: 2020/09/01
logsource:
@@ -32,20 +32,27 @@ detection:
# parent is services.exe
# example:
# C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
- ParentImage:
- - '*\wmiprvse.exe' # wmiexec
- - '*\mmc.exe' # dcomexec MMC
- - '*\explorer.exe' # dcomexec ShellBrowserWindow
- - '*\services.exe' # smbexec
- CommandLine:
- - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*'
+ ParentImage|endswith:
+ - '\wmiprvse.exe' # wmiexec
+ - '\mmc.exe' # dcomexec MMC
+ - '\explorer.exe' # dcomexec ShellBrowserWindow
+ - '\services.exe' # smbexec
+ CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/Q'
+ - '/c'
+ - '\\\\127.0.0.1\'
+ - '&1'
selection_atexec:
- ParentCommandLine:
- - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
- - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
+ ParentCommandLine|contains:
+ - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
+ - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
# cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
- CommandLine:
- - 'cmd.exe /C *Windows\\Temp\\*&1'
+ CommandLine|contains|all:
+ - 'cmd.exe'
+ - '/C'
+ - 'Windows\Temp\'
+ - '&1'
condition: (1 of selection_*)
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
new file mode 100644
index 000000000..c560fbb4e
--- /dev/null
+++ b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
@@ -0,0 +1,29 @@
+title: Indirect Command Execution By Program Compatibility Wizard
+id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
+description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
+status: experimental
+author: A. Sungurov , oscd.community
+references:
+ - https://twitter.com/pabraeken/status/991335019833708544
+ - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\pcwrun.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - ParentCommandLine
+ - CommandLine
+falsepositives:
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+ - Legit usage of scripts
+level: low
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index b21725e19..166a4561b 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -9,21 +9,23 @@ tags:
- attack.privilege_escalation
- attack.t1546.008
- attack.t1015 # an old one
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/06
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
- - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
- - '*\CurrentVersion\Image File Execution Options\osk.exe*'
- - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
- - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
- - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
- - '*\CurrentVersion\Image File Execution Options\atbroker.exe*'
+ CommandLine|contains|all:
+ - '\CurrentVersion\Image File Execution Options\'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'magnify.exe'
+ - 'narrator.exe'
+ - 'displayswitch.exe'
+ - 'atbroker.exe'
condition: selection
falsepositives:
- Penetration Tests
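Review bot: `CommandLine|contains|all:` wraps a single value, so `|all` has no effect; plain `CommandLine|contains: '\CurrentVersion\Image File Execution Options\'` reads clearer and is what the other rules in this commit use for one value. The rule also does not require `Debugger` anywhere, so a harmless `reg query ...\Image File Execution Options\sethc.exe` fires at the same level as an actual debugger install; if that is intended, `falsepositives` should mention administrative queries, otherwise add `- 'Debugger'` to the `contains|all` list.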
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml
new file mode 100644
index 000000000..cc229f08e
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: b222df08-0e07-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
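Review bot: The `|re` pattern is case-sensitive — it has no `(?i)` prefix, unlike the COMPRESS and RUNDLL launcher rules added in the same commit — so `CMD /C ... CLIP` or a differently cased `Clipboard` is missed, and to my knowledge Invoke-Obfuscation randomizes token case in its launchers. Prefix the expression with `(?i)` and drop the redundant leading `.*`: `CommandLine|re: '(?i)cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'`. The `\s` after `::\(` requires exactly one whitespace character, which is brittle; `\s*` is safer if the generated launcher allows it. The file also lacks a trailing newline.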
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
new file mode 100644
index 000000000..dbdb4cbaa
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
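Review bot: The `|re` pattern is case-sensitive (no `(?i)`), unlike the sibling Invoke-Obfuscation rules added in this commit, so differently cased `CMD`, `PowerShell` or `NoExit` tokens are missed even though the tool randomizes case. Prefix with `(?i)` and drop the redundant leading `.*`: `CommandLine|re: '(?i)cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'`. Note the `noexit` alternative means any `cmd /c ... powershell -noexit ... "` line matches regardless of stdin use, which at `level: high` deserves a mention under `falsepositives`. The file also lacks a trailing newline.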
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
new file mode 100644
index 000000000..63ae15f8c
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 27aec9c9-dbb0-4939-8422-1742242471d0
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
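Review bot: The `|re` pattern is case-sensitive (no `(?i)`), unlike the sibling Invoke-Obfuscation rules added in this commit, so `CMD /C "SET ...` is missed even though the tool randomizes case. Prefix with `(?i)`, drop the redundant leading `.*`, and write `(?:\s|)` as `\s?`: `CommandLine|re: '(?i)cmd.{0,5}(?:\/c|\/r)\s?\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'`. The file also lacks a trailing newline.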
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
new file mode 100644
index 000000000..60a494a55
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 000000000..d8b91c93c
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 000000000..71f178496
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Stdin
+id: 9c14c9fa-1a63-4a64-8e57-d19280559490
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
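Review bot: The pattern `(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"` is very permissive for a `level: high` rule: it fires on any command line with two `set` statements chained by `&&`, one of which mentions `environment`, `invoke` or `$input`, which ordinary batch or CI wrappers can produce. The capture groups `(set)`, `(...)` are unused and can be literals or `(?:...)`, and the leading `.*` is redundant for an unanchored match. If the STDIN launcher specifically is the target, requiring `powershell` in the expression would tighten it; at minimum `falsepositives` should say more than `Unknown`.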
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 000000000..ce8d6bfc8
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use Clip
+id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 000000000..95f4633a1
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: ac20ae82-8758-4f38-958e-b44a3140ca88
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..169d86471
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 36c5146c-d127-4f85-8e21-01bf62355d5a
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
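Review bot: `date: 2019/10/08` looks like a typo for `2020/10/08` — the other rules in this batch that reference issue 1009 are all dated October 2020, and this one's reference is also missing the `#(Task N)` tag the siblings carry. The rule overlaps almost completely with `win_invoke_obfuscation_via_rundll.yml` added in the same commit (both key on `rundll32 ... shell32.dll ... shellexec_rundll`) yet they have different levels (high vs medium); consider merging them or documenting in the description what distinguishes the two.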
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
new file mode 100644
index 000000000..248c69830
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
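Review bot: The alternation at the end of the regex is unparenthesized, so `(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r` means "the whole left-hand expression" OR the bare `\/r` — any command line containing the two characters `/r` (a `/r` switch of any tool, a URL segment) matches at `level: high`. Group the alternatives: `CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*(?:\/c|\/r)'`. The leading `.*` is redundant for an unanchored match, and the file lacks a trailing newline.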
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 7fb6e101a..f3b83068d 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -16,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mshta.exe'
+ ParentImage|endswith: '\svchost.exe'
+ Image|endswith: '\mshta.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 574c7e182..6eea37379 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -6,7 +6,7 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2020/09/01
tags:
@@ -23,25 +23,31 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\AppData\Roaming\Oracle*\java*.exe *'
- - '*cscript.exe *Retrive*.vbs *'
+ - CommandLine|contains|all:
+ - '\AppData\Roaming\Oracle'
+ - '\java'
+ - '.exe '
+ - CommandLine|contains|all:
+ - 'cscript.exe'
+ - 'Retrive'
+ - '.vbs '
---
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 11
- TargetFilename:
- - '*\AppData\Roaming\Oracle\bin\java*.exe'
- - '*\Retrive*.vbs'
+ - TargetFilename|contains|all:
+ - '\AppData\Roaming\Oracle\bin\java'
+ - '.exe'
+ - TargetFilename|contains|all:
+ - '\Retrive'
+ - '.vbs'
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- Details: '%AppData%\Roaming\Oracle\bin\\*'
+ TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Details|startswith: '%AppData%\Roaming\Oracle\bin\\'
diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
index 9040595c6..7d90d5575 100644
--- a/rules/windows/process_creation/win_malware_dridex.yml
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects typical Dridex process patterns
references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/01/10
modified: 2020/09/01
tags:
@@ -19,13 +19,21 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
+ Image|endswith: '\svchost.exe'
+ CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\Desktop\'
selection2:
- ParentImage: '*\svchost.exe*'
- CommandLine:
- - '*whoami.exe /all'
- - '*net.exe view'
- condition: 1 of them
+ ParentImage|endswith: '\svchost.exe'
+ selection3:
+ Image|endswith: '\whoami.exe'
+ CommandLine|contains: 'all'
+ selection4:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'view'
+ condition: selection1 or selection2 and (selection3 or selection4)
falsepositives:
- Unlikely
level: critical
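Review bot: The new condition `selection1 or selection2 and (selection3 or selection4)` relies on `and` binding tighter than `or` (which it does in Sigma), but the intent, svchost-parented recon rather than any svchost parent, is easy to misread; write it explicitly as `condition: selection1 or (selection2 and (selection3 or selection4))`. Also `CommandLine|contains: 'all'` in selection3 is a bare substring; anchoring it as the switch, `CommandLine|contains: ' /all'`, keeps the original `whoami.exe /all` semantics without widening to any argument that contains those three letters.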
diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
index 722a2781c..e5e429be7 100644
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -13,7 +13,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* echo EEEE > *'
+ CommandLine|contains: ' echo EEEE > '
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
index de9119227..aa1db398b 100644
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -21,15 +21,15 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -e* PAA*'
- - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*' # $env:userprofile
- - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*' # $env:userprofile
- - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*' # $env:userprofile
- - '*IgAoACcAKgAnACkAOwAkA*' # "('*');$
- - '*IAKAAnACoAJwApADsAJA*' # "('*');$
- - '*iACgAJwAqACcAKQA7ACQA*' # "('*');$
- - '*JABGAGwAeAByAGgAYwBmAGQ*'
+ CommandLine|contains:
+ - ' -e* PAA'
+ - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
+ - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
+ - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
+ - 'IgAoACcAKgAnACkAOwAkA' # "('*');$
+ - 'IAKAAnACoAJwApADsAJA' # "('*');$
+ - 'iACgAJwAqACcAKQA7ACQA' # "('*');$
+ - 'JABGAGwAeAByAGgAYwBmAGQ'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index 6f5e41b32..d30851ea9 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
@@ -3,7 +3,7 @@ id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
modified: 2019/10/31
references:
@@ -19,14 +19,30 @@ detection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine:
- - 'C:\Windows\System32\\*.exe'
- - 'C:\Windows\SysWOW64\\*.exe'
- CommandLine:
- - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- - '* /c del "C:\Users\\*\Desktop\\*.exe'
- - '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
- condition: selection
+ ParentCommandLine|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ ParentCommandLine|endswith:
+ - '.exe'
+ selection2:
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\Desktop\'
+ - CommandLine|contains|all:
+ - '/C'
+ - 'type nul >'
+ - 'C:\Users\'
+ - '\Desktop\'
+ selection3:
+ CommandLine|endswith: '.exe'
+ condition: selection and selection2 and selection3
fields:
- CommandLine
- ParentCommandLine
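Review bot: In selection2 the tokens `'/c'` and `'del'` are matched independently, so the contiguous `/c del "` of the old pattern becomes "any command line with `/c` somewhere and the letters `del` somewhere", and `del` occurs inside many ordinary path components (`\Models\`, `Delete`, ...). Restoring adjacency keeps the detection as tight as before: replace the two tokens with `' /c del '` in the first two entries and `'/C'` + `'type nul >'` with `' /C type nul > '` in the third (Sigma matching is case-insensitive, so the `/c` vs `/C` difference is irrelevant). The `modified` date is still 2019/10/31 although the detection block was rewritten, unlike the other rules in this change that bumped it.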
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 6604463a2..4f0d44bf2 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -24,12 +24,14 @@ logsource:
product: windows
detection:
pipe_com:
- CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'
+ CommandLine|contains|all:
+ - '\AppData\Local\Temp\'
+ - '\\.\pipe\\'
rundll32_dash1:
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: '.dat,#1'
+ perfc_keyword|contains:
+ - '\perfc.dat'
condition: 1 of them
fields:
- CommandLine
@@ -37,3 +39,4 @@ fields:
falsepositives:
- Admin activity
level: critical
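Review bot: `perfc_keyword|contains:` applies a field modifier to what used to be a detection identifier; modifiers are only valid on field names, so depending on how this line is indented (the diff does not show it) it either defines a field literally named `perfc_keyword` inside `rundll32_dash1` (no such field exists, so that selection can no longer fire) or a keyword selection with a `|contains` suffix in its name that the condition does not interpret. Either way the `\perfc.dat` keyword search the original rule had is lost. Make it a proper selection on the field, `perfc_keyword:` / `  CommandLine|contains: '\perfc.dat'`, and keep `condition: 1 of them`.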
+
diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml
index 1481a3c14..5e6554068 100644
--- a/rules/windows/process_creation/win_malware_qbot.yml
+++ b/rules/windows/process_creation/win_malware_qbot.yml
@@ -18,10 +18,10 @@ logsource:
product: windows
detection:
selection1:
- ParentImage: '*\WinRAR.exe'
- Image: '*\wscript.exe'
+ ParentImage|endswith: '\WinRAR.exe'
+ Image|endswith: '\wscript.exe'
selection2:
- CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
+ CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
selection3:
CommandLine|contains|all:
- 'regsvr32.exe'
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index d7a8819d3..45961cad4 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -2,7 +2,7 @@ title: WScript or CScript Dropper
id: cea72823-df4d-4567-950c-0b579eaf0846
status: experimental
description: Detects wscript/cscript executions of scripts located in user directories
-author: Margaritis Dimitrios (idea), Florian Roth (rule)
+author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
date: 2019/01/16
modified: 2020/09/01
tags:
@@ -15,24 +15,23 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '* C:\Users\\*.jse *'
- - '* C:\Users\\*.vbe *'
- - '* C:\Users\\*.js *'
- - '* C:\Users\\*.vba *'
- - '* C:\Users\\*.vbs *'
- - '* C:\ProgramData\\*.jse *'
- - '* C:\ProgramData\\*.vbe *'
- - '* C:\ProgramData\\*.js *'
- - '* C:\ProgramData\\*.vba *'
- - '* C:\ProgramData\\*.vbs *'
+ selection1:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ CommandLine|contains:
+ - 'C:\Users\'
+ - 'C:\ProgramData\'
+ selection2:
+ CommandLine|contains:
+ - '.jse'
+ - '.vbe'
+ - '.js'
+ - '.vba'
+ - '.vbs'
falsepositive:
- ParentImage: '*\winzip*'
- condition: selection and not falsepositive
+ ParentImage|contains: '\winzip'
+ condition: selection1 and selection2 and not falsepositive
fields:
- CommandLine
- ParentCommandLine
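Review bot: selection2's `'.js'` is a bare substring that also matches `.json`, `.jsx` or any path segment beginning with `.js`, and `'.vba'`/`'.vbs'`/`'.vbe'` likewise match inside longer names, whereas the old patterns delimited the extension with a trailing space (`*.js *`). Keep that delimiter, e.g. `'.js '`, `'.jse '`, `'.vbe '`, `'.vba '`, `'.vbs '`, or pair the list with a parallel `CommandLine|endswith` entry for scripts invoked without further arguments. Since selection1 and selection2 are now independent, `C:\Users\` may also come from any other argument rather than the script path; that is inherent to `contains|all` and deserves a comment above selection1 such as `# path and extension are matched independently; both must be present`.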
diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
index 7610e73a2..fc271bf22 100644
--- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
+++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Rare System Admin Activity
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 262ee8eee..815de36f2 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects WannaCry ransomware activity
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2020/09/01
tags:
@@ -23,25 +23,38 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\@WanaDecryptor@*'
- - '*\WanaDecryptor*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe'
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
+ - Image|endswith:
+ - '\tasksche.exe'
+ - '\mssecsvc.exe'
+ - '\taskdl.exe'
+ - '\taskhsvc.exe'
+ - '\taskse.exe'
+ - '\111.exe'
+ - '\lhdfrgui.exe'
+ - '\diskpart.exe'
+ - '\linuxnew.exe'
+ - '\wannacry.exe'
+ - Image|contains: 'WanaDecryptor'
selection2:
- CommandLine:
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- - '*@Please_Read_Me@.txt*'
+ - CommandLine|contains|all:
+ - 'icacls'
+ - '/grant'
+ - 'Everyone:F'
+ - '/T'
+ - '/C'
+ - '/Q'
+ - CommandLine|contains|all:
+ - 'bcdedit'
+ - '/set'
+ - '{default}'
+ - 'recoveryenabled'
+ - 'no'
+ - CommandLine|contains|all:
+ - 'wbadmin'
+ - 'delete'
+ - 'catalog'
+ - '-quiet'
+ - CommandLine|contains: '@Please_Read_Me@.txt'
condition: 1 of them
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
new file mode 100644
index 000000000..3dcdeac85
--- /dev/null
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
@@ -0,0 +1,25 @@
+title: Suspicious Usage of the Manage-bde.wsf Script
+id: c363385c-f75d-4753-a108-c1a8e28bdbda
+description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
+ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ - https://twitter.com/bohops/status/980659399495741441
+ - https://twitter.com/JohnLaTwC/status/1223292479270600706
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+date: 2020/10/13
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|contains|all:
+ - 'cscript'
+ - 'manage-bde.wsf'
+ condition: selection
+falsepositives: Unknown
+level: medium
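Review bot: The field is spelled `Commandline` (lower-case l) while every other rule in this change and the Sigma field mappings use `CommandLine`; backend field mappings are keyed on the exact name, so this rule would be emitted against an unmapped field and silently never fire. Rename it to `CommandLine|contains|all:`. `falsepositives: Unknown` should also be a list like the other rules (`falsepositives:` / `  - Unknown`), and because `.wsf` scripts run under wscript.exe as well as cscript.exe, `Image|endswith: ['\cscript.exe', '\wscript.exe']` combined with `CommandLine|contains: 'manage-bde.wsf'` is a more complete gate than the `'cscript'` substring.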
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index 5fc53cdde..f99d8cfb9 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -18,7 +18,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* /INJECTRUNNING *'
+ CommandLine|contains: ' /INJECTRUNNING '
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index f5c4ef1a5..70641647f 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -16,18 +16,20 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\mmc.exe'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\reg.exe'
- - '*\regsvr32.exe'
- - '*\BITSADMIN*'
- condition: selection
+ ParentImage|endswith: '\mmc.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
fields:
- CommandLine
- Image
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index fca0d99b9..ad6835d1a 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -12,18 +12,20 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\mshta.exe'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\reg.exe'
- - '*\regsvr32.exe'
- - '*\BITSADMIN*'
- condition: selection
+ ParentImage|endswith: '\mshta.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index cc440dc01..9fe41f4c9 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*netsh*'
+ Image|endswith: '\netsh.exe'
selection2:
- CommandLine:
- - '*firewall add*'
+ CommandLine|contains|all:
+ - 'firewall'
+ - 'add'
condition: selection1 and selection2
falsepositives:
- Legitimate administration
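Review bot: Moving the `netsh` match from CommandLine to `Image|endswith: '\netsh.exe'` means a copied or renamed netsh binary, a routine evasion for LOLBin rules, no longer matches, whereas the old `*netsh*` substring still caught the literal token in the command line. Where the log source provides it, add the PE name as an alternative: `selection1:` / `  - Image|endswith: '\netsh.exe'` / `  - OriginalFileName: 'netsh.exe'`. The same trade-off applies to the other netsh rules rewritten in this change.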
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
index 601c36047..13f3ead73 100644
--- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
@@ -5,50 +5,56 @@ references:
- https://www.virusradar.com/en/Win32_Kasidet.AD/description
- https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
date: 2020/05/25
-modified: 2020/09/01
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.004
status: experimental
-author: Sander Wiebing
+author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
category: process_creation
product: windows
detection:
selection1:
+ Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- - 'netsh'
- - 'firewall add allowedprogram'
+ - 'firewall'
+ - 'add'
+ - 'allowedprogram'
selection2:
+ Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- - netsh
- - advfirewall firewall add rule
- - action=allow
- - program=
+ - 'advfirewall'
+ - 'firewall'
+ - 'add'
+ - 'rule'
+ - 'action=allow'
+ - 'program='
susp_image:
- CommandLine|contains:
- - '*%TEMP%*'
- - '*:\RECYCLER\\*'
- - '*C:\$Recycle.bin\\*'
- - '*:\SystemVolumeInformation\\*'
- - 'C:\\Windows\\Tasks\\*'
- - 'C:\\Windows\\debug\\*'
- - 'C:\\Windows\\fonts\\*'
- - 'C:\\Windows\\help\\*'
- - 'C:\\Windows\\drivers\\*'
- - 'C:\\Windows\\addins\\*'
- - 'C:\\Windows\\cursors\\*'
- - 'C:\\Windows\\system32\tasks\\*'
- - '*C:\Windows\Temp\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
+ - CommandLine|contains:
+ - '%TEMP%'
+ - ':\RECYCLER\'
+ - 'C:\$Recycle.bin\'
+ - ':\SystemVolumeInformation\'
+ - 'C:\Windows\Temp\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - 'C:\Users\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ - CommandLine|startswith:
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\debug\'
+ - 'C:\Windows\fonts\'
+ - 'C:\Windows\help\'
+ - 'C:\Windows\drivers\'
+ - 'C:\Windows\addins\'
+ - 'C:\Windows\cursors\'
+ - 'C:\Windows\system32\tasks\'
+ - '%Public%\'
condition: (selection1 or selection2) and susp_image
falsepositives:
- Legitimate administration
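Review bot: The second branch of `susp_image`, `CommandLine|startswith:`, can never be true: selection1/selection2 already require the image to be netsh.exe, whose command line begins with `netsh` or the netsh path, never with `C:\Windows\Tasks\` or `%Public%\`. The program path these nine entries are meant to catch appears after `program=`/`allowedprogram` inside the arguments, so they belong in the `CommandLine|contains` list and the `startswith` block should be dropped. The old rule had the same gap (those entries lacked a leading `*`), so this rewrite is the right moment to fix it rather than carry it over.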
diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml
index ad6128419..6790dee29 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd.yml
@@ -4,22 +4,32 @@ description: Detects netsh commands that configure a port forwarding
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
-modified: 2020/09/01
+modified: 2021/01/06
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
status: experimental
-author: Florian Roth
+author: Florian Roth, omkar72, oscd.community
logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - netsh interface portproxy add v4tov4 *
- condition: selection
+ selection1:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'interface'
+ - 'portproxy'
+ - 'add'
+ - 'v4tov4'
+ selection2:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'connectp'
+ - 'listena'
+ - 'c='
+ condition: selection1 or selection2
falsepositives:
- Legitimate administration
level: medium
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
index 02124e93f..91f2c0488 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
@@ -4,20 +4,25 @@ description: Detects netsh commands that configure a port forwarding of port 338
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
+modified: 2020/11/28
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
status: experimental
-author: Florian Roth
+author: Florian Roth, oscd.community
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - netsh i* p*=3389 c*
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'i'
+ - ' p'
+ - '=3389'
+ - ' c'
condition: selection
falsepositives:
- Legitimate administration
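Review bot: Decomposing `netsh i* p*=3389 c*` into independent `contains|all` tokens makes three of them nearly meaningless: `'i'` matches any command line containing the letter i, and `' p'` / `' c'` any word starting with p or c, so the rule effectively becomes "netsh.exe with `=3389` anywhere". Sigma values may still carry wildcards (this same change uses `' -e* PAA'` in win_malware_emotet.yml), so keep the ordering: `CommandLine|contains: 'i* p*=3389 c*'` under the `Image|endswith` line, which also preserves the abbreviated-switch tolerance the original relied on.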
diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
index b34ae86ee..952ac4683 100644
--- a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
+++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
@@ -4,9 +4,9 @@ status: experimental
description: Detect the harvesting of wifi credentials using netsh.exe
references:
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
-author: Andreas Hunkeler (@Karneades)
+author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020/04/20
-modified: 2020/09/01
+modified: 2020/11/28
tags:
- attack.discovery
- attack.credential_access
@@ -16,8 +16,13 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - 'netsh wlan s* p* k*=clear'
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'wlan'
+ - ' s'
+ - ' p'
+ - ' k'
+ - '=clear'
condition: selection
falsepositives:
- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
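Review bot: Splitting `netsh wlan s* p* k*=clear` into `' s'`, `' p'`, `' k'` loses the ordering that made the abbreviations meaningful; each of those matches any word starting with that letter, so the real gate is just netsh.exe with `wlan` and `=clear` somewhere. Since wildcards remain valid inside Sigma values, `CommandLine|contains: 'wlan s* p* k*=clear'` keeps the abbreviated-switch tolerance without the loose tokens. If the wider match is intentional, say so above the selection (`# deliberately loose: netsh accepts abbreviated switches in any spelling`) so the next reviewer does not tighten it back.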
diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml
new file mode 100644
index 000000000..b42648cc4
--- /dev/null
+++ b/rules/windows/process_creation/win_nltest_query.yml
@@ -0,0 +1,24 @@
+title: Nltest Credential Hash Theft
+id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+description: Detects nltest query commands which may leak credential hashes
+references:
+ - https://twitter.com/sysopfb/status/986799053668139009
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
+date: 2018/04/18
+modified: 2021/01/05
+tags:
+ - attack.credential_access
+ - attack.t1003
+status: experimental
+author: Craig Young, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\nltest.exe'
+ CommandLine|contains: '\query'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
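Review bot: `CommandLine|contains: '\query'` uses a backslash, but nltest switches are introduced with a forward slash (`nltest /server:<host> /query`, as in the LOLBAS entry referenced), so this string will not appear in the command lines the rule targets. Change it to `CommandLine|contains: '/query'`. For the "credential hash theft" case in the title the coercion relies on `/server:` pointing at an attacker-controlled host, so `CommandLine|contains|all:` with `'/server:'` and `'/query'` would match that scenario more precisely; a plain `/query` covers the broader discovery use at the cost of more noise.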
diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
new file mode 100644
index 000000000..8ff4bf024
--- /dev/null
+++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
@@ -0,0 +1,45 @@
+title: Non-privileged Usage of Reg or Powershell
+id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
+description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
+ CommandLine|contains:
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ registry_folder:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - 'Services'
+ registry_key:
+ CommandLine|contains:
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+fields:
+ - EventID
+ - IntegrityLevel
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
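Review bot: The new file has no trailing newline (`\ No newline at end of file`), which the other rule files in this change were fixed for, and the description misspells "non-priveleged" (should be `non-privileged`). On the logic, `IntegrityLevel: 'Medium'` is the only non-privileged level considered; a process started at `Low` integrity (browser- or sandbox-spawned) is equally unprivileged, so `IntegrityLevel: ['Low', 'Medium']` would cover it if that is the intent. The precedence in `(reg or powershell_1 and powershell_2)` is correct but worth making explicit as `(reg or (powershell_1 and powershell_2))`.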
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index a91b4bd97..e1f5ea7c3 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -17,36 +17,36 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- - '*\OUTLOOK.EXE'
- - '*\MSACCESS.EXE'
- - '*\EQNEDT32.EXE'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\scrcons.exe'
- - '*\schtasks.exe'
- - '*\regsvr32.exe'
- - '*\hh.exe'
- - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- - '*\mshta.exe'
- - '*\rundll32.exe'
- - '*\msiexec.exe'
- - '*\forfiles.exe'
- - '*\scriptrunner.exe'
- - '*\mftrace.exe'
- - '*\AppVLP.exe'
- - '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- - '*\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ - '\OUTLOOK.EXE'
+ - '\MSACCESS.EXE'
+ - '\EQNEDT32.EXE'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\scrcons.exe'
+ - '\schtasks.exe'
+ - '\regsvr32.exe'
+ - '\hh.exe'
+ - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\msiexec.exe'
+ - '\forfiles.exe'
+ - '\scriptrunner.exe'
+ - '\mftrace.exe'
+ - '\AppVLP.exe'
+ - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
+ - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index 637f34842..cf43685fc 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -11,24 +11,26 @@ tags:
- attack.t1204.002
- FIN7
- car.2013-05-002
-author: Jason Lynch
+author: Jason Lynch
date: 2019/04/02
-modified: 2021/03/13
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- # - '*\OUTLOOK.EXE' too many FPs
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ # - '\OUTLOOK.EXE' too many FPs
+ Image|startswith: 'C:\users\'
+ Image|endswith: '.exe'
filter:
Image|endswith: '\Teams.exe'
- condition: selection
+ condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
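Review bot: `Image|startswith: 'C:\users\'` hard-codes the system drive, so a profile directory on another volume or a non-default `%SystemDrive%` silently falls outside the rule. `Image|contains: ':\users\'` expresses the same intent without that assumption and is cheap. The `filter` is now correctly wired into the condition; a short comment on it (`# per-user Teams install, observed as a legitimate Office child`) would keep it from being treated as dead code again, which is presumably how it was left unused before.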
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 557ac9154..73522132f 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -7,6 +7,7 @@ references:
- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth
date: 2017/06/12
+modified: 2020/11/28
tags:
- attack.s0013
- attack.defense_evasion
@@ -17,75 +18,88 @@ logsource:
product: windows
detection:
selection_cammute:
- Image: '*\CamMute.exe'
+ Image|endswith: '\CamMute.exe'
filter_cammute:
- Image: '*\Lenovo\Communication Utility\\*'
+ Image|contains:
+ - '\Lenovo\Communication Utility\'
+ - '\Lenovo\Communications Utility\'
selection_chrome_frame:
- Image: '*\chrome_frame_helper.exe'
+ Image|endswith: '\chrome_frame_helper.exe'
filter_chrome_frame:
- Image: '*\Google\Chrome\application\\*'
+ Image|contains: '\Google\Chrome\application\'
selection_devemu:
- Image: '*\dvcemumanager.exe'
+ Image|endswith: '\dvcemumanager.exe'
filter_devemu:
- Image: '*\Microsoft Device Emulator\\*'
+ Image|contains: '\Microsoft Device Emulator\'
selection_gadget:
- Image: '*\Gadget.exe'
+ Image|endswith: '\Gadget.exe'
filter_gadget:
- Image: '*\Windows Media Player\\*'
+ Image|contains: '\Windows Media Player\'
selection_hcc:
- Image: '*\hcc.exe'
+ Image|endswith: '\hcc.exe'
filter_hcc:
- Image: '*\HTML Help Workshop\\*'
+ Image|contains: '\HTML Help Workshop\'
selection_hkcmd:
- Image: '*\hkcmd.exe'
+ Image|endswith: '\hkcmd.exe'
filter_hkcmd:
- Image:
- - '*\System32\\*'
- - '*\SysNative\\*'
- - '*\SysWowo64\\*'
+ Image|contains:
+ - '\System32\'
+ - '\SysNative\'
+ - '\SysWowo64\'
selection_mc:
- Image: '*\Mc.exe'
+ Image|endswith: '\Mc.exe'
filter_mc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
selection_msmpeng:
- Image: '*\MsMpEng.exe'
+ Image|endswith: '\MsMpEng.exe'
filter_msmpeng:
- Image:
- - '*\Microsoft Security Client\\*'
- - '*\Windows Defender\\*'
- - '*\AntiMalware\\*'
+ Image|contains:
+ - '\Microsoft Security Client\'
+ - '\Windows Defender\'
+ - '\AntiMalware\'
selection_msseces:
- Image: '*\msseces.exe'
+ Image|endswith: '\msseces.exe'
filter_msseces:
- Image:
- - '*\Microsoft Security Center\\*'
- - '*\Microsoft Security Client\\*'
- - '*\Microsoft Security Essentials\\*'
+ Image|contains:
+ - '\Microsoft Security Center\'
+ - '\Microsoft Security Client\'
+ - '\Microsoft Security Essentials\'
selection_oinfo:
- Image: '*\OInfoP11.exe'
+ Image|endswith: '\OInfoP11.exe'
filter_oinfo:
- Image: '*\Common Files\Microsoft Shared\\*'
+ Image|contains: '\Common Files\Microsoft Shared\'
selection_oleview:
- Image: '*\OleView.exe'
+ Image|endswith: '\OleView.exe'
filter_oleview:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
+ - '\Windows Resource Kit\'
selection_rc:
- Image: '*\rc.exe'
+ Image|endswith: '\rc.exe'
filter_rc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
- - '*\Microsoft.NET\\*'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
+ Image|contains:
+ - '\Microsoft Visual Studio'
+ - '\Microsoft SDK'
+ - '\Windows Kit'
+ - '\Windows Resource Kit\'
+ - '\Microsoft.NET\'
+ condition: ( selection_cammute and not filter_cammute ) or
+ ( selection_chrome_frame and not filter_chrome_frame ) or
+ ( selection_devemu and not filter_devemu ) or
+ ( selection_gadget and not filter_gadget ) or
+ ( selection_hcc and not filter_hcc ) or
+ ( selection_hkcmd and not filter_hkcmd ) or
+ ( selection_mc and not filter_mc ) or
+ ( selection_msmpeng and not filter_msmpeng ) or
+ ( selection_msseces and not filter_msseces ) or
+ ( selection_oinfo and not filter_oinfo ) or
+ ( selection_oleview and not filter_oleview ) or
+ ( selection_rc and not filter_rc )
fields:
- CommandLine
- ParentCommandLine
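Review bot: `filter_hkcmd` still carries the typo `'\SysWowo64\'` (carried over from the old `*\SysWowo64\\*`), so a legitimate `C:\Windows\SysWOW64\hkcmd.exe` is never filtered out and raises on every start; it should read `'\SysWOW64\'`. Since this rewrite touches every line of the filter, it is the natural place to fix it. The multi-line plain-scalar `condition` folds to a single line under YAML and is fine, but a `>-` block scalar would make that intent explicit to linters.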
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 3d1100239..23f128415 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '*System.Management.Automation.AmsiUtils*'
+ CommandLine|contains:
+ - 'System.Management.Automation.AmsiUtils'
selection2:
- CommandLine:
- - '*amsiInitFailed*'
+ CommandLine|contains:
+ - 'amsiInitFailed'
condition: selection1 and selection2
falsepositives:
- Potential Admin Activity
diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
index 3ae30acca..48b87eab2 100644
--- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml
+++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
@@ -15,11 +15,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*AAAAYInlM*'
+ CommandLine|contains: 'AAAAYInlM'
selection2:
- CommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
+ CommandLine|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
condition: selection1 and selection2
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
new file mode 100644
index 000000000..c606d74da
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
@@ -0,0 +1,26 @@
+title: Powershell Used To Disable Windows Defender AV Security Monitoring
+id: a7ee1722-c3c5-aeff-3212-c777e4733217
+status: experimental
+description: Detects attackers attempting to disable Windows Defender using Powershell
+author: 'ok @securonix invrep-de, oscd.community'
+date: 2020/10/12
+references:
+ - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
+ - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # legacy
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - '-DisableBehaviorMonitoring $true'
+ - '-DisableRuntimeMonitoring $true'
+ condition: selection
+falsepositives:
+ - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
+level: high
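Review bot: `-DisableRuntimeMonitoring` in the second `CommandLine|contains` entry does not appear to be a documented `Set-MpPreference` parameter, so that entry may never match; if `-DisableRealtimeMonitoring` was meant, the rule currently misses the most common form of the behaviour its title describes — please confirm against the cmdlet reference. Adding `- '-DisableRealtimeMonitoring $true'` as a third entry (or replacing the second) closes that gap. Sigma's `contains` is case-insensitive, so `$True`/`$TRUE` are already covered and no extra entries are needed for case.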
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 41dc3294d..4478fccdf 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -16,15 +16,15 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\rundll32.exe'
+ Image|endswith:
+ - '\rundll32.exe'
selection2:
- Description:
- - '*Windows-Hostprozess (Rundll32)*'
+ Description|contains:
+ - 'Windows-Hostprozess (Rundll32)'
selection3:
- CommandLine:
- - '*Default.GetString*'
- - '*FromBase64String*'
+ CommandLine|contains:
+ - 'Default.GetString'
+ - 'FromBase64String'
condition: (selection1 or selection2) and selection3
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index e142a17d2..3db56ae97 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -2,7 +2,7 @@ title: PowerShell Download from URL
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects a Powershell process that contains download commands in its command line string
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
tags:
- attack.t1086 # an old one
@@ -13,12 +13,14 @@ logsource:
product: windows
detection:
selection:
- Image: '*\powershell.exe'
- CommandLine:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- - '*new-object net.webclient).downloadstring(*'
- - '*new-object net.webclient).downloadfile(*'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'new-object'
+ - 'net.webclient).'
+ - 'download'
+ CommandLine|contains:
+ - 'string('
+ - 'file('
condition: selection
fields:
- CommandLine
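Review bot: The rewritten `selection` loosens the original match: `'download'` in the `contains|all` list and `'string('`/`'file('` in the separate `contains` list are evaluated independently, so a command line with `.downloaddata(` plus an unrelated `string(` elsewhere now fires where the original `downloadstring(`/`downloadfile(` patterns did not. If that widening is intended it belongs in the description; otherwise keeping `'downloadstring('` and `'downloadfile('` as the OR list preserves the old precision. The detection logic also changes here, in win_powershell_amsi_bypass, win_powershell_b64_shellcode, win_powershell_dll_execution, win_powersploit_empire_schtasks and the win_renamed_* rules, yet none of them bumps `modified:` the way win_proc_wrong_parent (`modified: 2020/11/28`) and win_susp_certutil_command do. Adding a `modified:` line after `date:` in each keeps the rule metadata consistent.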
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index 4509852b1..4f722ef26 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -12,15 +12,24 @@ logsource:
product: windows
category: process_creation
detection:
- selection:
- ParentImage:
- - '*\powershell.exe'
- CommandLine:
- - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*'
- - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*'
- condition: selection
+ selection1:
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ selection2:
+ CommandLine|contains:
+ - 'ONLOGON'
+ - 'DAILY'
+ - 'ONIDLE'
+ - 'Updater'
+ CommandLine|contains|all:
+ - '/TN'
+ - 'Updater'
+ - '/TR'
+ - 'powershell'
+ condition: selection1 and selection2
tags:
- attack.execution
- attack.persistence
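Review bot: In `selection2` the `- 'Updater'` entry in the `CommandLine|contains` list makes that clause a no-op, because the sibling `CommandLine|contains|all` list already requires `'Updater'`; any command line that satisfies the second list satisfies the first, so the schedule-type constraint (`ONLOGON`/`DAILY`/`ONIDLE`) carried by the original `/SC *...*` patterns is lost. If the intent was to keep that constraint, drop `- 'Updater'` from the first list; if the intent was to alert on any `Updater` task regardless of schedule, remove the first list entirely so the condition says what it means.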
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index 19bb61cdc..f58e6cea4 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -9,7 +9,7 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
-modified: 2020/03/15
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1036 # an old one
@@ -20,26 +20,29 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- - '*\taskhost.exe'
- - '*\lsm.exe'
- - '*\lsass.exe'
- - '*\services.exe'
- - '*\lsaiso.exe'
- - '*\csrss.exe'
- - '*\wininit.exe'
- - '*\winlogon.exe'
- filter:
- ParentImage:
- - '*\System32\\*'
- - '*\SysWOW64\\*'
- - '*\SavService.exe'
- - '*\Windows Defender\\*\MsMpEng.exe'
- - '*\Microsoft Security Client\\*\MsMpEng.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\taskhost.exe'
+ - '\lsm.exe'
+ - '\lsass.exe'
+ - '\services.exe'
+ - '\lsaiso.exe'
+ - '\csrss.exe'
+ - '\wininit.exe'
+ - '\winlogon.exe'
+ filter1:
+ - ParentImage|endswith: '\SavService.exe'
+ - ParentImage|contains:
+ - '\System32\'
+ - '\SysWOW64\'
+ filter2:
+ ParentImage|contains:
+ - '\Windows Defender\'
+ - '\Microsoft Security Client\'
+ ParentImage|endswith: '\MsMpEng.exe'
filter_null:
ParentImage: null
- condition: selection and not filter and not filter_null
+ condition: selection and not filter1 and not filter2 and not filter_null
falsepositives:
- Some security products seem to spawn these
level: low
diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
index 96051f6f0..4cbadca4c 100644
--- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
+++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
@@ -19,13 +19,13 @@ logsource:
product: windows
detection:
selection1:
- Image:
- - '*\bitsadmin.exe'
- CommandLine:
- - '* /transfer *'
+ Image|endswith:
+ - '\bitsadmin.exe'
+ CommandLine|contains:
+ - ' /transfer '
selection2:
- CommandLine:
- - '*copy bitsadmin.exe*'
+ CommandLine|contains:
+ - 'copy bitsadmin.exe'
condition: selection1 or selection2
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml
new file mode 100644
index 000000000..fef616b20
--- /dev/null
+++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml
@@ -0,0 +1,30 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+ use_rasautou:
+ Image|endswith: '\rasautou.exe'
+ remaned_rasautou:
+ OriginalFileName: 'rasdlui.exe'
+ special_keys:
+ CommandLine|contains|all:
+ - '-d'
+ - '-p'
+ condition: (use_rasautou or remaned_rasautou) and special_keys
+level: medium
+falsepositives:
+ - Unlikely
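Review bot: The selection name `remaned_rasautou` (and its use in `condition`) is a typo for `renamed_rasautou`; it works, but the identifier shows up in converted queries and later edits, so `renamed_rasautou:` and `condition: (use_rasautou or renamed_rasautou) and special_keys` are worth fixing now. Separately, the `special_keys` tokens `'-d'` and `'-p'` are two-character substrings and match any argument containing them (`-dll`, `-phonebook`, ...); the other rules in this series anchor short switches with surrounding spaces (`' /E '`, `' /i '`), so `' -d '` and `' -p '` would be consistent and quieter, provided the LOLBAS reference confirms the option and its value are space-separated. The description would also read better as `Detects Rasautou.exe loading an arbitrary DLL specified with the -d option and executing the export specified with -p.`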
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
new file mode 100644
index 000000000..472265a7c
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Critical Registry Keys To a File
+id: 82880171-b475-4201-b811-e9c826cd5eaa
+status: experimental
+description: Detects the export of a crital Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ selection_2:
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ selection_3:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and selection_2 and selection_3
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+level: high
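Review bot: `attack.t1012` (Query Registry) is a Discovery technique, but the tactic tag here is `attack.exfiltration`; the pair does not belong together, and the same combination is repeated in win_regedit_export_keys. Either change the tactic to `attack.discovery` to match T1012, or keep `attack.exfiltration` and pick a technique under that tactic — please check against the ATT&CK matrix. Two spelling fixes in the new text: `description: Detects the export of a critical Registry key to a file.` and `- Dumping hives for legitimate purpose i.e. backup or forensic investigation`.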
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
new file mode 100644
index 000000000..e3454faf4
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Registry Key To a File
+id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
+status: experimental
+description: Detects the export of the target Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ filter_1: # filters to avoid intersection with critical keys rule
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ filter_2:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and not (filter_1 and filter_2)
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate export of keys
+level: low
diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
new file mode 100644
index 000000000..176da7f72
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
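Review bot: The `filter_2` regex `':[^ \\]'` suppresses any command line in which a colon is followed by something other than a space or backslash, not only ADS paths: a `key:value` argument or a `://` in a URL also silences the alert, so the exclusion is wider than the comment `# to avoid intersection with ADS rule` suggests. A narrower pattern that requires the colon to be attached to a file name would reduce that, but I would verify it against real command lines before changing it. The same expression is the positive selector in win_regedit_import_keys_ads (`selection_2`), the exclusion in win_regini and the selector in win_regini_ads; whatever form is chosen must change in all four so each pair stays complementary.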
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
new file mode 100644
index 000000000..2d347763a
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
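Review bot: The description reads `a alternate datastream`; `description: Detects the import of an alternate data stream to the registry with regedit.exe.` fixes the article and the spelling. win_regini_ads, added in the same commit, already writes `alternate data stream`, so this also aligns the two.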
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
new file mode 100644
index 000000000..51ab7d7f9
--- /dev/null
+++ b/rules/windows/process_creation/win_regini.yml
@@ -0,0 +1,28 @@
+title: Modifies the Registry From a File
+id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
+status: experimental
+description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/08
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ filter:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter
+fieds:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate modification of keys
+level: low
\ No newline at end of file
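Review bot: `fieds:` is a typo for `fields:`; unknown top-level keys are presumably ignored by sigmac and the rule tests, so the `ParentImage`/`CommandLine` field list does nothing until the key is spelled `fields:`. The same typo is in win_regini_ads. Both new files also end without a trailing newline (`\ No newline at end of file`), unlike every other rule in the series — worth fixing in the same pass.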
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
new file mode 100644
index 000000000..f6a238593
--- /dev/null
+++ b/rules/windows/process_creation/win_regini_ads.yml
@@ -0,0 +1,27 @@
+title: Modifies the Registry From a ADS
+id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
+status: experimental
+description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ CommandLine|re: ':[^ \\]'
+ condition: selection
+fieds:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
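Review bot: The title reads `From a ADS`; `title: Modifies the Registry From an ADS` fixes the article. The `fieds:` key and the missing final newline are shared with win_regini and are noted there.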
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index 9e4d26755..ec8c67dc1 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -33,20 +33,20 @@ detection:
- "cmstp.exe"
- "msiexec.exe"
filter:
- Image:
- - '*\powershell.exe'
- - '*\powershell_ise.exe'
- - '*\psexec.exe'
- - '*\psexec64.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\wmic.exe'
- - '*\certutil.exe'
- - '*\rundll32.exe'
- - '*\cmstp.exe'
- - '*\msiexec.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\psexec.exe'
+ - '\psexec64.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\certutil.exe'
+ - '\rundll32.exe'
+ - '\cmstp.exe'
+ - '\msiexec.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index 04c1cbb3a..b062debd0 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -22,8 +22,8 @@ logsource:
product: windows
detection:
selection1:
- Product:
- - '*PAExec*'
+ Product|contains:
+ - 'PAExec'
selection2:
Imphash:
- 11D40A7B7876288F919AB819CC2D9802
@@ -31,5 +31,5 @@ detection:
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
filter1:
- Image: '*paexec*'
+ Image|contains: 'paexec'
condition: (selection1 and selection2) and not filter1
diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
index 0b42596ed..84ff273fd 100644
--- a/rules/windows/process_creation/win_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -20,9 +20,9 @@ detection:
Description: 'Windows PowerShell'
Company: 'Microsoft Corporation'
filter:
- Image:
- - '*\powershell.exe'
- - '*\powershell_ise.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
condition: selection and not filter
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
index fbcb1d6e5..6a8fe0a84 100644
--- a/rules/windows/process_creation/win_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -18,9 +18,9 @@ detection:
selection:
OriginalFileName: 'procdump'
filter:
- Image:
- - '*\procdump.exe'
- - '*\procdump64.exe'
+ Image|endswith:
+ - '\procdump.exe'
+ - '\procdump64.exe'
condition: selection and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 4a1ab2244..d599d6e0e 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -20,9 +20,9 @@ detection:
Description: 'Execute processes remotely'
Product: 'Sysinternals PsExec'
filter:
- Image:
- - '*\PsExec.exe'
- - '*\PsExec64.exe'
+ Image|endswith:
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
condition: selection and not filter
falsepositives:
- Software that illegaly integrates PsExec in a renamed form
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
new file mode 100644
index 000000000..e8bda9dfc
--- /dev/null
+++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
@@ -0,0 +1,25 @@
+title: Run PowerShell Script from Redirected Input Stream
+id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
+status: experimental
+description: Detects PowerShell script execution via input stream redirect
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml
+ - https://twitter.com/Moriarty_Meng/status/984380793383370752
+author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
+date: 2020/10/17
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_started:
+ Image|endswith: '\powershell.exe'
+ redirect_to_input_stream:
+ CommandLine|re: '\s-\s*<'
+ condition: powershell_started and redirect_to_input_stream
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 3abe5ff23..66b939845 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -11,17 +11,20 @@ tags:
- attack.t1138 # an old one
author: Markus Neis
date: 2019/01/16
-modified: 2020/09/06
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\sdbinst.exe'
- CommandLine:
- - '*.sdb*'
- condition: selection
+ Image|endswith:
+ - '\sdbinst.exe'
+ CommandLine|contains:
+ - '.sdb'
+ filter:
+ - CommandLine|contains:
+ - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
+ condition: selection and not filter
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 326513aee..0463c67c6 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -19,22 +19,22 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\mshta.exe'
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\mshta.exe'
+ - '\powershell.exe'
# - '*\cmd.exe' # too many false positives
- - '*\rundll32.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\wmiprvse.exe'
- Image:
- - '*\schtasks.exe'
- - '*\nslookup.exe'
- - '*\certutil.exe'
- - '*\bitsadmin.exe'
- - '*\mshta.exe'
+ - '\rundll32.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\wmiprvse.exe'
+ Image|endswith:
+ - '\schtasks.exe'
+ - '\nslookup.exe'
+ - '\certutil.exe'
+ - '\bitsadmin.exe'
+ - '\mshta.exe'
falsepositives:
- CurrentDirectory: '*\ccmcache\\*'
+ CurrentDirectory|contains: '\ccmcache\'
condition: selection and not falsepositives
fields:
- CommandLine
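Review bot: The commented-out entry `# - '*\cmd.exe' # too many false positives` inside `ParentImage|endswith` still carries the old wildcard form; under `|endswith` the leading `*` is redundant and, depending on the backend, may be emitted as a double wildcard or treated literally, so re-enabling the line as-is would not behave like its neighbours. Update the comment to `# - '\cmd.exe' # too many false positives` so the dormant entry tracks the new syntax. On naming, the filter selection is called `falsepositives`, the same word as the rule's top-level `falsepositives` metadata key; a name such as `filter_ccmcache` would make the condition easier to read.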
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 16cf006fd..c71eae33f 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -15,11 +15,13 @@ logsource:
product: windows
detection:
selection_image:
- Image: '*\setspn.exe'
+ Image|endswith: '\setspn.exe'
selection_desc:
- Description: '*Query or reset the computer* SPN attribute*'
+ Description|contains|all:
+ - 'Query or reset the computer'
+ - 'SPN attribute'
cmd:
- CommandLine: '*-q*'
+ CommandLine|contains: '-q'
condition: (selection_image or selection_desc) and cmd
falsepositives:
- Administrator Activity
diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml
new file mode 100644
index 000000000..5244e22ff
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml
@@ -0,0 +1,28 @@
+title: DLL Execution Via Register-cimprovider.exe
+id: a2910908-e86f-4687-aeba-76a5f996e652
+status: experimental
+description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+references:
+ - https://twitter.com/PhilipTsukerman/status/992021361106268161
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
+tags:
+ - attack.defense_evasion
+ - attack.t1574
+author: Ivan Dyachkov, Yulia Fomina, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image|endswith: '\register-cimprovider.exe'
+ CommandLine|contains|all:
+ - '-path'
+ - 'dll'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
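Review bot: `definition:` has `msut` for `must`: `definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must include command line in process creation events'`. The author is given as `Yulia Fomina` here but `Julia Fomina` in win_rasautou_dll_execution, added in the same commit; if this is one person the two spellings should agree.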
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 503e79145..eca94458b 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -5,23 +5,28 @@ description: Detects the execution of a AdFind for Active Directory enumeration
references:
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
-author: FPT.EagleEye Team
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+author: FPT.EagleEye Team, omkar72, oscd.community
date: 2020/09/26
+modified: 2020/10/11
tags:
- attack.discovery
- - attack.t1016
- attack.t1018
+ - attack.t1087.002
- attack.t1482
- #- attack.t1069.002
- #- attack.t1087.002
+ - attack.t1069.002
logsource:
product: windows
service: process_creation
detection:
selection:
- ProcessCommandLine|contains: 'objectcategory'
- Image:
- - '*\adfind.exe'
+ CommandLine|contains:
+ - 'objectcategory'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'dclist'
+ - 'computers_pwdnotreqd'
+ Image|endswith: '\adfind.exe'
condition: selection
falsepositives:
- Administrative activity
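Review bot: `logsource` uses `service: process_creation` (the context line kept by this hunk) where every other rule in this diff, including the new ones, uses `category: process_creation`; as far as I know the backend configurations map process-creation events on the category, so this rule is unlikely to convert to the intended log source. Change it to `category: process_creation` while the rule is being touched; the rest of the hunk (new `CommandLine|contains` terms, `Image|endswith`) looks fine.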
diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml
new file mode 100644
index 000000000..ac9584df3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_atbroker.yml
@@ -0,0 +1,53 @@
+title: Suspicious Atbroker Execution
+id: f24bcaea-0cd1-11eb-adc1-0242ac120002
+description: Atbroker executing non-deafualt Assistive Technology applications
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+status: experimental
+author: Mateusz Wydra, oscd.community
+date: 2020/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - Image|endswith: 'AtBroker.exe'
+ selection2:
+ - CommandLine|contains: 'start'
+ filter:
+ - CommandLine|contains:
+ - animations
+ - audiodescription
+ - caretbrowsing
+ - caretwidth
+ - colorfiltering
+ - cursorscheme
+ - filterkeys
+ - focusborderheight
+ - focusborderwidth
+ - highcontrast
+ - keyboardcues
+ - keyboardpref
+ - magnifierpane
+ - messageduration
+ - minimumhitradius
+ - mousekeys
+ - Narrator
+ - osk
+ - overlappedcontent
+ - showsounds
+ - soundsentry
+ - stickykeys
+ - togglekeys
+ - windowarranging
+ - windowtracking
+ - windowtrackingtimeout
+ - windowtrackingzorder
+ condition: selection1 and selection2 and not filter
+falsepositives:
+ - Legitimate, non-default assistive technology applications execution
+level: high
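Review bot: `Image|endswith: 'AtBroker.exe'` lacks the leading backslash every other rule in this series uses (`'\regedit.exe'`, `'\rasautou.exe'`), so any image whose name merely ends in `AtBroker.exe` matches; `- Image|endswith: '\AtBroker.exe'` keeps it to the binary itself. The description has `non-deafualt`: `description: Atbroker executing non-default Assistive Technology applications`. The filter list is a case-insensitive `contains`, so `Narrator`'s capital N is harmless but inconsistent with the other lowercase entries.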
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index a852aa98f..f092c4c1d 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -17,10 +17,10 @@ logsource:
product: windows
detection:
selection:
- Image: '*\bcdedit.exe'
- CommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
+ Image|endswith: '\bcdedit.exe'
+ CommandLine|contains:
+ - 'delete'
+ - 'deletevalue'
+ - 'import'
condition: selection
level: medium
diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml
index 01bc71137..b0e6ec94b 100644
--- a/rules/windows/process_creation/win_susp_calc.yml
+++ b/rules/windows/process_creation/win_susp_calc.yml
@@ -14,11 +14,11 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: '*\calc.exe *'
+ CommandLine|contains: '\calc.exe '
selection2:
- Image: '*\calc.exe'
+ Image|endswith: '\calc.exe'
filter2:
- Image: '*\Windows\Sys*'
+ Image|contains: '\Windows\Sys'
condition: selection1 or ( selection2 and not filter2 )
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 03d13f669..8137eafe6 100644
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious Microsoft certutil execution with sub commands
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
date: 2019/01/16
-modified: 2020/09/05
+modified: 2020/11/28
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
@@ -18,23 +18,19 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- CommandLine:
- - '* -decode *'
- - '* /decode *'
- - '* -decodehex *'
- - '* /decodehex *'
- - '* -urlcache *'
- - '* /urlcache *'
- - '* -verifyctl *'
- - '* /verifyctl *'
- - '* -encode *'
- - '* /encode *'
- - '*certutil* -URL*'
- - '*certutil* /URL*'
- - '*certutil* -ping*'
- - '*certutil* /ping*'
- condition: selection
+ parameters:
+ CommandLine|contains:
+ - 'decode '
+ - 'decodehex '
+ - 'urlcache '
+ - 'verifyctl '
+ - 'encode '
+ certutil:
+ Image|endswith: '\certutil.exe'
+ CommandLine|contains:
+ - 'URL'
+ - 'ping'
+ condition: parameters or certutil
fields:
- CommandLine
- ParentCommandLine
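Review bot: The new `parameters` selection drops both the `-`/`/` switch prefix and the leading space, so `'decode '`, `'encode '` and `'urlcache '` now match those words anywhere in any process's command line (the selection has no `Image` constraint and the condition is `parameters or certutil`), a much wider net than the original `'* -decode *'` family; the original kept either prefix precisely so that renamed certutil copies were still caught without matching ordinary text. Restoring the prefixed forms, as below, keeps that coverage without the noise. In the `certutil` selection, `'ping'` is likewise a bare substring and fires on any certutil invocation whose arguments contain it (a path containing `mapping`, for instance); `' -ping'`/`' /ping'` would be the analogous tightening.
```yaml
    parameters:
        CommandLine|contains:
            - '-decode '
            - '/decode '
            - '-decodehex '
            - '/decodehex '
            - '-urlcache '
            - '/urlcache '
            - '-verifyctl '
            - '/verifyctl '
            - '-encode '
            - '/encode '
    # … unchanged: certutil selection and condition …
```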
@@ -49,7 +45,7 @@ tags:
- attack.g0045
- attack.g0049
- attack.g0075
- - attack.g0096
+ - attack.g0096
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml
index b0d187ed0..3ab6f3319 100644
--- a/rules/windows/process_creation/win_susp_certutil_encode.yml
+++ b/rules/windows/process_creation/win_susp_certutil_encode.yml
@@ -5,9 +5,9 @@ description: Detects suspicious a certutil command that used to encode files, wh
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/02/24
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1027
@@ -16,11 +16,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - certutil -f -encode *
- - certutil.exe -f -encode *
- - certutil -encode -f *
- - certutil.exe -encode -f *
+ Image|endswith: '\certutil.exe'
+ CommandLine|contains|all:
+ - '-f'
+ - '-encode'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index 019d2fcf8..d0efa1072 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -19,10 +19,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine|contains:
# - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries)
- - '*h^t^t^p*'
- - '*h"t"t"p*'
+ - 'h^t^t^p'
+ - 'h"t"t"p'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index ddbf7dd1a..93c3f436f 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -5,9 +5,9 @@ description: Detects a suspicious command line execution that includes an URL an
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
-modified: 2020/09/05
+modified: 2020/11/20
tags:
- attack.execution
- attack.t1059.003
@@ -19,9 +19,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - cmd.exe /c *http://*%AppData%
- - cmd.exe /c *https://*%AppData%
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'http' # captures both http and https
+ - '://'
+ - '%AppData%'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml
index 6b68d66dc..09f0a7870 100644
--- a/rules/windows/process_creation/win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/win_susp_codepage_switch.yml
@@ -2,8 +2,9 @@ title: Suspicious Code Page Switch
id: c7942406-33dd-4377-a564-0f62db0593a3
status: experimental
description: Detects a code page switch in command line or batch scripts to a rare language
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/10/14
+modified: 2020/11/28
references:
- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
- https://twitter.com/cglyer/status/1183756892952248325
@@ -12,13 +13,14 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - 'chcp* 936' # Chinese
- # - 'chcp* 1256' # Arabic
- - 'chcp* 1258' # Vietnamese
- # - 'chcp* 855' # Russian
- # - 'chcp* 866' # Russian
- # - 'chcp* 864' # Arabic
+ Image|endswith: '\chcp.com'
+ CommandLine|endswith:
+ - ' 936' # Chinese
+ # - ' 1256' # Arabic
+ - ' 1258' # Vietnamese
+ # - ' 855' # Russian
+ # - ' 866' # Russian
+ # - ' 864' # Arabic
condition: selection
fields:
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
index 8810516ab..1f1037f95 100644
--- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml
@@ -8,7 +8,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
date: 2018/08/22
-modified: 2018/12/11
+modified: 2020/11/28
tags:
- attack.discovery
- attack.t1087
@@ -19,24 +19,25 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ - CommandLine:
- tasklist
- net time
- systeminfo
- whoami
- nbtstat
- net start
- - '*\net1 start'
- qprocess
- nslookup
- hostname.exe
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - netstat -an
+ - 'netstat -an'
+ - CommandLine|endswith:
+ - '\net1 start'
+ - '\net1 user /domain'
+ - '\net1 group /domain'
+ - '\net1 group "domain admins" /domain'
+ - '\net1 group "Exchange Trusted Subsystem" /domain'
+ - '\net1 accounts /domain'
+ - '\net1 user net localgroup administrators'
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index e42122458..32655a9b0 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -22,15 +22,15 @@ detection:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
- CommandLine:
- - '* -p*'
- - '* -ta*'
- - '* -tb*'
- - '* -sdel*'
- - '* -dw*'
- - '* -hp*'
+ CommandLine|contains:
+ - ' -p'
+ - ' -ta'
+ - ' -tb'
+ - ' -sdel'
+ - ' -dw'
+ - ' -hp'
falsepositive:
- ParentImage: 'C:\Program*'
+ ParentImage|startswith: 'C:\Program'
condition: selection and not falsepositive
falsepositives:
- unknown
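Review bot: `ParentImage|startswith: 'C:\Program'` in the `falsepositive` filter also suppresses any parent under `C:\ProgramData\`, a commonly user-writable location, and it hard-codes the system drive; the removed `'C:\Program*'` had the same reach, but since the line is being rewritten it is worth tightening to the two program directories, e.g. `ParentImage|contains:` with the values `'\Program Files\'` and `'\Program Files (x86)\'` as a block list. The enclosing `selection` mapping (the `Image` key above `'7z*.exe'`) starts outside the hunk.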
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index 56832c754..2879adff8 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -13,13 +13,14 @@ logsource:
product: windows
detection:
rundll_image:
- Image: '*\rundll32.exe'
+ Image|endswith: '\rundll32.exe'
rundll_ofn:
OriginalFileName: 'RUNDLL32.EXE'
selection:
- CommandLine:
- - '*comsvcs*MiniDump*full*'
- - '*comsvcs*MiniDumpW*full*'
+ CommandLine|contains|all:
+ - 'comsvcs'
+ - 'MiniDump' #Matches MiniDump and MinidumpW
+ - 'full'
condition: (rundll_image or rundll_ofn) and selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 7d8927d85..726bb7ce1 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -16,10 +16,10 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\System32\control.exe'
- CommandLine: '*\rundll32.exe *'
+ ParentImage|endswith: '\System32\control.exe'
+ Image|endswith: '\rundll32.exe '
filter:
- CommandLine: '*Shell32.dll*'
+ CommandLine|contains: 'Shell32.dll'
condition: selection and not filter
fields:
- CommandLine
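Review bot: `Image|endswith: '\rundll32.exe '` carries a trailing space inside the quotes, so no image path can ever satisfy the selection and the rule stops firing entirely. The space is a leftover from the removed `CommandLine: '*\rundll32.exe *'` pattern; the line should read `Image|endswith: '\rundll32.exe'`. Because the match also moved from CommandLine to Image, the rule no longer looks at what control.exe passed on the command line; if that is intended, the description should say the rule keys on the child image.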
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 53841c573..7041aa9dc 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -1,28 +1,44 @@
title: Copy from Admin Share
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: experimental
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+description: Detects a suspicious copy command to or from an Admin share
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
-author: Florian Roth
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
date: 2019/12/30
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.lateral_movement
+ - attack.collection
+ - attack.exfiltration
+ - attack.t1039
+ - attack.t1105 # an old one
+ - attack.t1048
- attack.t1021.002
- - attack.command_and_control
- - attack.t1105
- - attack.s0106
- - attack.t1077 # an old one
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
+ Image|endswith:
+ - '\robocopy.exe'
+ - '\xcopy.exe'
+ selection2:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: 'copy'
+ selection3:
+ Image|contains: '\powershell'
CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
- condition: selection
+ - 'copy-item'
+ - 'copy'
+ - 'cpi '
+ - ' cp '
+ selection4:
+ CommandLine|contains|all:
+ - '\\\\'
+ - '$'
+ condition: (selection1 or selection2 or selection3) and selection4
fields:
- CommandLine
- ParentCommandLine
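Review bot: the `# an old one` comment now sits on `attack.t1105`, a current technique id; it belonged to the removed `attack.t1077` line and should be dropped or moved. `selection4` only requires `'\\\\'` and `'$'` somewhere on the command line, and a PowerShell invocation (`selection3`) almost always contains a `$` variable, so any PowerShell or cmd copy touching a UNC path will match whether or not an admin share is involved; the description should mention this widening, or the share token should be anchored more tightly (for example `'$\'` / `'$ '` variants) after checking against sample data. In `selection3`, `'copy-item'` is subsumed by `'copy'` under `contains` and can be removed.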
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 48de314d0..5a3535453 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -16,8 +16,10 @@ tags:
detection:
selection:
CommandLine|contains:
- - ' /c copy *\System32\'
- - 'xcopy*\System32\'
+ - ' /c copy'
+ - 'xcopy'
+ CommandLine|contains|all:
+ - '\System32\'
condition: selection
fields:
- CommandLine
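Review bot: `CommandLine|contains|all:` with the single value `'\System32\'` behaves exactly like `CommandLine|contains:`; the `|all` form seems to be used only so the key differs from the `CommandLine|contains:` key already in the mapping. That is a non-obvious workaround and deserves a comment on the line, e.g. `# |all keeps this a distinct key from CommandLine|contains above`. Note that the old `' /c copy *\System32\'` required `\System32\` to follow `copy`; the rewrite matches the two tokens anywhere, which the description should reflect.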
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index d2440ff5c..0c323f1e7 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -4,7 +4,7 @@ description: Detects suspicious command lines used in Covenant luanchers
status: experimental
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2020/06/04
tags:
- attack.execution
@@ -17,12 +17,19 @@ logsource:
product: windows
detection:
selection:
+ CommandLine|contains|all:
+ - '-Sta'
+ - '-Nop'
+ - '-Window'
+ - 'Hidden'
+ CommandLine|contains:
+ - '-Command'
+ - '-EncodedCommand'
+ selection2:
CommandLine|contains:
- - ' -Sta -Nop -Window Hidden -Command '
- - ' -Sta -Nop -Window Hidden -EncodedCommand '
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
- condition: selection
+ condition: selection or selection2
level: high
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index b72016d49..9a5f1afb3 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -1,6 +1,6 @@
title: CrackMapExec Command Execution
id: 058f4380-962d-40a5-afce-50207d36d7e2
-status: experimental
+status: stable
description: Detect various execution methods of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
@@ -8,7 +8,7 @@ tags:
- attack.execution
- attack.t1047
- attack.t1053
- - attack.t1059.003
+ - attack.t1059.003
- attack.t1059.001
- attack.s0106
- attack.t1086 # an old one
@@ -19,17 +19,18 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine|endswith:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
+ - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
+ - 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- - '*cmd.exe /C * > *\\Temp\\* 2>&1'
+ - 'cmd.exe /C * > *\\Temp\\* 2>&1'
+ CommandLine|contains:
# cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
- - '*powershell.exe -noni -nop -w 1 -enc *'
+ - 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
fields:
- ComputerName
diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml
index 0d0c867a2..28f543963 100644
--- a/rules/windows/process_creation/win_susp_csc.yml
+++ b/rules/windows/process_creation/win_susp_csc.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1094924091256176641
author: Florian Roth
date: 2019/02/11
-modified: 2020/09/05
+modified: 2020/11/28
tags:
- attack.execution
- attack.t1059.005
@@ -20,11 +20,11 @@ logsource:
product: windows
detection:
selection:
- Image: '*\csc.exe*'
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\mshta.exe'
+ Image|endswith: '\csc.exe'
+ ParentImage|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index f6ba760be..ceff85403 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -19,19 +19,18 @@ logsource:
product: windows
detection:
selection:
- Image: '*\csc.exe'
- CommandLine:
- - '*\AppData\\*'
- - '*\Windows\Temp\\*'
- filter1:
- ParentImage:
- - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
- - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
- filter2:
- ParentCommandLine|contains:
+ Image|endswith: '\csc.exe'
+ CommandLine|contains:
+ - '\AppData\'
+ - '\Windows\Temp\'
+ filter:
+ - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - ParentImage|endswith:
+ - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
+ - ParentCommandLine|contains:
- '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
- condition: selection and not filter1 and not filter2
+ condition: selection and not filter
falsepositives:
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://twitter.com/gabriele_pippi/status/1206907900268072962
diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml
new file mode 100644
index 000000000..6599c02b5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_csi.yml
@@ -0,0 +1,37 @@
+title: Suspicious Csi.exe Usage
+id: 40b95d31-1afc-469e-8d34-9a3a667d058e
+description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/17
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml
+ - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+ - https://twitter.com/Z3Jpa29z/status/1317545798981324801
+tags:
+ - attack.execution
+ - attack.t1072
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ basic:
+ - Image|endswith: '\csi.exe'
+ - Image|endswith: '\rcsi.exe'
+ renamed:
+ - OriginalFilename: 'csi.exe'
+ - OriginalFilename: 'rcsi.exe'
+ selection:
+ Company: 'Microsoft Corporation'
+ condition: (basic or renamed) and selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate usage by software developers
+level: medium
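Review bot: the `renamed` selection uses the field `OriginalFilename`, whereas the other rules in this change use the Sysmon field name `OriginalFileName` (win_susp_comsvcs_procdump.yml, win_susp_ftp.yml); unless a field mapping normalizes the case, this branch never matches and renamed copies are not caught at all. Change both entries to `- OriginalFileName: 'csi.exe'` and `- OriginalFileName: 'rcsi.exe'`. The description also has a typo, `Micosoft`, and uses curly quotes around Roslyn.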
diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml
index 57092fbb0..94584f795 100644
--- a/rules/windows/process_creation/win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml
@@ -18,7 +18,9 @@ logsource:
detection:
condition: selection
selection:
- CommandLine|contains: 'curl* start '
+ CommandLine|contains|all:
+ - 'curl'
+ - ' start '
falsepositives:
- Administrative scripts (installers)
fields:
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 2737be5c0..810f8be98 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection_1:
- Image|endswith: '*\reg.exe'
+ Image|endswith: '\reg.exe'
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_2:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml
new file mode 100644
index 000000000..6c57237ed
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_diskshadow.yml
@@ -0,0 +1,27 @@
+title: Execution via Diskshadow.exe
+id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
+status: experimental
+description: Detects using Diskshadow.exe to execute arbitrary code in text file
+references:
+ - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+tags:
+ - attack.execution
+ - attack.t1218
+author: Ivan Dyachkov, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image|endswith: '\diskshadow.exe'
+ CommandLine|contains:
+ - '/s'
+ - '-s'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts.
+level: high
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 3c06ded41..0bd70927f 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -15,18 +15,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*.doc.exe'
- - '*.docx.exe'
- - '*.xls.exe'
- - '*.xlsx.exe'
- - '*.ppt.exe'
- - '*.pptx.exe'
- - '*.rtf.exe'
- - '*.pdf.exe'
- - '*.txt.exe'
- - '* .exe'
- - '*______.exe'
+ Image|endswith:
+ - '.doc.exe'
+ - '.docx.exe'
+ - '.xls.exe'
+ - '.xlsx.exe'
+ - '.ppt.exe'
+ - '.pptx.exe'
+ - '.rtf.exe'
+ - '.pdf.exe'
+ - '.txt.exe'
+ - ' .exe'
+ - '______.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml
deleted file mode 100644
index f42c4c82d..000000000
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Executables Started in Suspicious Folder
-id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254
-status: experimental
-description: Detects process starts of binaries from a suspicious folder
-author: Florian Roth
-date: 2017/10/14
-modified: 2019/02/21
-references:
- - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
-tags:
- - attack.defense_evasion
- - attack.t1036
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - C:\PerfLogs\\*
- - C:\$Recycle.bin\\*
- - C:\Intel\Logs\\*
- - C:\Users\Default\\*
- - C:\Users\Public\\*
- - C:\Users\NetworkService\\*
- - C:\Windows\Fonts\\*
- - C:\Windows\Debug\\*
- - C:\Windows\Media\\*
- - C:\Windows\Help\\*
- - C:\Windows\addins\\*
- - C:\Windows\repair\\*
- - C:\Windows\security\\*
- - '*\RSA\MachineKeys\\*'
- - C:\Windows\system32\config\systemprofile\\*
- - C:\Windows\Tasks\\*
- - C:\Windows\System32\Tasks\\*
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml
index 69c3fa09e..ed571e472 100644
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@@ -1,9 +1,15 @@
-title: Execution in Non-Executable Folder
+title: Execution from Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious execution from an uncommon folder
author: Florian Roth
date: 2019/01/16
+modified: 2021/03/31
+references:
+ - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
+ - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+ - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+ - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
tags:
- attack.defense_evasion
- attack.t1036
@@ -12,16 +18,27 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\All Users\\*'
- - '*\Users\Default\\*'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\config\systemprofile\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
+ - Image|contains:
+ - '\$Recycle.bin\'
+ - '\config\systemprofile\'
+ - '\Intel\Logs\'
+ - '\RSA\MachineKeys\'
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\NetworkService\'
+ - '\Users\Public\'
+ - '\Windows\addins\'
+ - '\Windows\debug\'
+ - '\Windows\Fonts\'
+ - '\Windows\Help\'
+ - '\Windows\IME\'
+ - '\Windows\Media\'
+ - '\Windows\repair\'
+ - '\Windows\security\'
+ - '\Windows\system32\config\systemprofile\'
+ - '\Windows\System32\Tasks\'
+ - '\Windows\Tasks\'
+ - Image|startswith: 'C:\Perflogs\'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index bdc9cf05f..f1ab6a6e3 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -13,17 +13,17 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\wwwroot\\*'
- - '*\wmpub\\*'
- - '*\htdocs\\*'
+ Image|contains:
+ - '\wwwroot\'
+ - '\wmpub\'
+ - '\htdocs\'
filter:
- Image:
- - '*bin\\*'
- - '*\Tools\\*'
- - '*\SMSComponent\\*'
- ParentImage:
- - '*\services.exe'
+ Image|contains:
+ - 'bin\'
+ - '\Tools\'
+ - '\SMSComponent\'
+ ParentImage|endswith:
+ - '\services.exe'
condition: selection and not filter
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml
new file mode 100644
index 000000000..6d6d85388
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_explorer.yml
@@ -0,0 +1,26 @@
+title: Proxy Execution Via Explorer.exe
+id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
+description: Attackers can use explorer.exe for evading defense mechanisms
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://twitter.com/CyberRaiju/status/1273597319322058752
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - \explorer.exe
+ ParentImage|endswith:
+ - \cmd.exe
+ CommandLine|contains:
+ - explorer.exe
+ condition: selection
+falsepositives:
+ - Legitimate explorer.exe run from cmd.exe
+level: low
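Review bot: the values `\explorer.exe`, `\cmd.exe` and `explorer.exe` are unquoted plain scalars, while every other rule in this change quotes its backslash-containing values (for example `Image|endswith: '\csi.exe'`); quote them for consistency and to guard against later edits introducing YAML-significant characters: `- '\explorer.exe'`, `- '\cmd.exe'`, `- 'explorer.exe'`. `CommandLine|contains: explorer.exe` looks redundant with `Image|endswith: \explorer.exe`, since a command line typically begins with the image name, so as written the rule appears to fire on every cmd.exe → explorer.exe spawn; if a specific explorer.exe argument form is the target, matching on that argument would make the rule meaningful and the description should name it.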
diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
index 81b8fed82..f63de2b82 100644
--- a/rules/windows/process_creation/win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -27,7 +27,7 @@ detection:
Description: '\?'
Company: '\?'
folder:
- Image: '*\Downloads\\*'
+ Image|contains: '\Downloads\\'
condition: (selection1 or selection2 or selection3) and folder
fields:
- CommandLine
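Review bot: `Image|contains: '\Downloads\\'` keeps the doubled trailing backslash from the removed `'*\Downloads\\*'`, where it was needed to stop the backslash from escaping the `*`; with no wildcard left, the other rewritten rules use a single one (e.g. `CommandLine|contains: '\AppData\'` in win_susp_csc_folder.yml). Use `Image|contains: '\Downloads\'` for consistency. The enclosing `detection` mapping starts above the hunk.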
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
new file mode 100644
index 000000000..63ffa1398
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -0,0 +1,27 @@
+title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+id: eee00933-a761-4cd0-be70-c42fe91731e7
+status: experimental
+description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\GfxDownloadWrapper.exe'
+ cmd_known_url:
+ CommandLine|contains: 'gameplayapi.intel.com'
+ same_parent:
+ ParentImage|endswith: '\GfxDownloadWrapper.exe'
+ condition: image_path and not cmd_known_url and not same_parent
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
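Review bot: `cmd_known_url` is a substring allowlist, so any GfxDownloadWrapper.exe command line that contains `gameplayapi.intel.com` anywhere is excluded, not only one whose URL argument points at that host; the exclusion is weaker than the description's "non standard URL" suggests. Document this with a comment such as `# substring allowlist: excludes any command line mentioning the host, not just the URL argument`, or tighten to the URL prefix form if the argument layout is stable. `tags` is placed after `level`, unlike the other rules in this change, which put it before `logsource`; consider moving it for consistency.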
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
new file mode 100644
index 000000000..1a5a58037
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_findstr.yml
@@ -0,0 +1,32 @@
+title: Abusing Findstr for Defense Evasion
+id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selectionFindstr:
+ CommandLine|contains:
+ - findstr
+ selection_V_L:
+ CommandLine|contains|all:
+ - /V
+ - /L
+ selection_S_I:
+ CommandLine|contains|all:
+ - /S
+ - /I
+ condition: selectionFindstr and (selection_V_L or selection_S_I)
+falsepositives:
+ - Administrative findstr usage
+level: medium
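Review bot: `findstr`, `/V`, `/L`, `/S` and `/I` are unquoted plain scalars and the selection names mix `selectionFindstr` (camelCase) with `selection_V_L` / `selection_S_I` (snake_case); the other rules in this change quote their values and use snake_case identifiers (e.g. `selection_1` in win_susp_direct_asep_reg_keys_modification.yml). Quote the values (`- 'findstr'`, `- '/V'`, …) and rename to `selection_findstr`, updating the `condition` line accordingly. `CommandLine|contains: findstr` also matches the string inside any other program's arguments; if the binary itself is the target, `Image|endswith: '\findstr.exe'` would be the tighter anchor.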
diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml
index fd192eac2..2c9f39874 100644
--- a/rules/windows/process_creation/win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
@@ -17,8 +17,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\findstr.exe'
- CommandLine: '*.lnk'
+ Image|endswith: '\findstr.exe'
+ CommandLine|endswith: '.lnk'
condition: selection
fields:
- Image
diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml
index 0290955b0..87fd5ff30 100644
--- a/rules/windows/process_creation/win_susp_finger_usage.yml
+++ b/rules/windows/process_creation/win_susp_finger_usage.yml
@@ -1,11 +1,12 @@
title: Finger.exe Suspicious Invocation
id: af491bca-e752-4b44-9c86-df5680533dbc
description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
-author: Florian Roth
+author: Florian Roth, omkar72, oscd.community
date: 2021/02/24
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
+ - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
tags:
- attack.command_and_control
- attack.t1105
diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml
new file mode 100644
index 000000000..7572cf22b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ftp.yml
@@ -0,0 +1,32 @@
+title: Suspicious ftp.exe
+id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
+status: experimental
+description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ ftp_path:
+ Image|endswith: 'ftp.exe'
+ ftp_metadata:
+ OriginalFileName|contains: 'ftp.exe'
+ cmd_with_script_modifier:
+ CommandLine|contains: '-s:'
+ parent_path:
+ ParentImage|endswith: 'ftp.exe'
+ condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path
+fields:
+ - CommandLine
+ - ParentImage
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
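Review bot: `Image|endswith: 'ftp.exe'`, `ParentImage|endswith: 'ftp.exe'` and `OriginalFileName|contains: 'ftp.exe'` have no leading path separator, so they also match any binary whose name merely ends in `ftp.exe` (e.g. `tftp.exe`, `sftp.exe`), and the `parent_path` branch alone fires the rule for every child of such a process. Every other rule in this change anchors on the separator; change to `Image|endswith: '\ftp.exe'`, `ParentImage|endswith: '\ftp.exe'` and `OriginalFileName: 'ftp.exe'`. The `(ftp_metadata and not ftp_path)` branch is presumably the renamed-binary case the description mentions; a comment on the `condition` line naming the four branches would help readers.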
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index 19acad192..a6d7d8e3f 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -16,13 +16,13 @@ logsource:
product: windows
detection:
selection:
- Image: '*\GUP.exe'
+ Image|endswith: '\GUP.exe'
filter:
Image|endswith:
- - ':\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
- - ':\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
- - ':\Program Files\Notepad++\updater\GUP.exe'
- - ':\Program Files (x86)\Notepad++\updater\GUP.exe'
+ - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
+ - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
+ - '\Program Files\Notepad++\updater\GUP.exe'
+ - '\Program Files (x86)\Notepad++\updater\GUP.exe'
condition: selection and not filter
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 28305f82e..269e18518 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -6,6 +6,7 @@ references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
date: 2012/12/11
+modified: 2020/11/28
tags:
- attack.persistence
- attack.t1505.003
@@ -15,8 +16,11 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\APPCMD.EXE install module /name:*'
+ Image|endswith: '\appcmd.exe'
+ CommandLine|contains|all:
+ - 'install'
+ - 'module'
+ - '/name:'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
new file mode 100644
index 000000000..e609f086e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
@@ -0,0 +1,25 @@
+title: Mounted Share Deleted
+id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\net.exe'
+ Image|endswith: '\net1.exe'
+ CommandLine|contains|all:
+ - 'share'
+ - '/delete'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: low
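Review bot: the description reads `Detects when when a mounted share is removed`, a doubled word; fix to `Detects when a mounted share is removed`. The selection requires both `ParentImage|endswith: '\net.exe'` and `Image|endswith: '\net1.exe'`, so a `net1 share ... /delete` invocation without a net.exe parent is not covered; that may be deliberate, but the intent should be stated in a comment on the `ParentImage` line.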
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
index 099b8fbd8..a22a717cd 100644
--- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
@@ -15,12 +15,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\msiexec.exe'
+ Image|endswith: '\msiexec.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\WinSxS\\*'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
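Review bot: The `filter` now hard-codes the drive letter in `Image|startswith: 'C:\Windows\System32\'` (and the two sibling entries), so on a host whose system drive is not `C:` every legitimate msiexec start escapes the filter and alerts. If the intent is "the system msiexec binaries", `Image|contains: ':\Windows\System32\'` (and likewise for `SysWOW64` and `WinSxS`) keeps the exclusion drive-agnostic, as the `Image|contains: ':\RECYCLER\'` entries elsewhere in this commit already do.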
diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
index 594d5ce32..3fbb4ca63 100644
--- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
@@ -11,14 +11,15 @@ tags:
- attack.t1105
author: Florian Roth
date: 2018/02/09
-modified: 2020/08/30
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '* msiexec*://*'
+ CommandLine|contains|all:
+ - ' msiexec'
+ - '://'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index a4c3a7711..5773c4244 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -9,7 +9,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019/01/16
-modified: 2020/08/30
+modified: 2020/11/28
tags:
- attack.discovery
- attack.t1049
@@ -29,19 +29,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\net.exe'
- - '*\net1.exe'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
cmdline:
- CommandLine:
- - '* group*'
- - '* localgroup*'
- - '* user*'
- - '* view*'
- - '* share'
- - '* accounts*'
- - '* use*'
- - '* stop *'
+ CommandLine|contains:
+ - ' group'
+ - ' localgroup'
+ - ' user'
+ - ' view'
+ - ' share'
+ - ' accounts'
+ - ' stop '
condition: selection and cmdline
fields:
- ComputerName
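Review bot: The rewritten `cmdline` list drops the `net use` coverage: the old value `'* use*'` has no counterpart, and `' user'` does not match `net use \\host\share`. Unless the removal is intentional (the commit message does not say so), add `- ' use'` back to `CommandLine|contains`. The remaining conversions preserve the original substrings, with `' share'` deliberately widened from a suffix match to a substring match.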
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index 979a09213..45e867f75 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -6,17 +6,18 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019/01/16
+modified: 2020/11/28
tags:
- attack.credential_access
- attack.t1003.003
- - attack.t1003 # an old one
+ - attack.t1003 # an old one
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine: '*\ntdsutil*'
+ Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
-level: high
+level: medium
diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml
index c45220166..4401ff162 100644
--- a/rules/windows/process_creation/win_susp_outlook.yml
+++ b/rules/windows/process_creation/win_susp_outlook.yml
@@ -11,15 +11,19 @@ tags:
- attack.t1202
author: Markus Neis
date: 2018/12/27
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
clientMailRules:
- CommandLine: '*EnableUnsafeClientMailRules*'
+ CommandLine|contains: 'EnableUnsafeClientMailRules'
outlookExec:
- ParentImage: '*\outlook.exe'
- CommandLine: \\\\*\\*.exe
+ ParentImage|endswith: '\outlook.exe'
+ CommandLine|contains|all:
+ - '\\\\'
+ - '\\'
+ - '.exe'
condition: clientMailRules or outlookExec
falsepositives:
- unknown
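Review bot: In `outlookExec`, the `'\\'` entry under `CommandLine|contains|all` is redundant: per Sigma escaping it is a single plain backslash, and any command line that already contains the two-backslash UNC prefix `'\\\\'` necessarily contains it, so the "another backslash later" part of the old `\\\\*\\*.exe` pattern is lost rather than preserved. Either remove the `'\\'` line or express the intended structure explicitly, e.g. `CommandLine|contains: '\\\\'` plus `CommandLine|endswith: '.exe'`, as the rule allows.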
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index 25e0f2d62..f0f708474 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -13,7 +13,7 @@ logsource:
product: windows
detection:
selection:
- Image: '*\Temporary Internet Files\Content.Outlook\\*'
+ Image|contains: '\Temporary Internet Files\Content.Outlook\\'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
new file mode 100644
index 000000000..a3f3ddd23
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
@@ -0,0 +1,27 @@
+title: Code Execution via Pcwutl.dll
+id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
+description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+status: experimental
+references:
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md
+ - https://twitter.com/harr0ey/status/989617817849876488
+author: Julia Fomina, oscd.community
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.execution # an old one
+ - attack.t1218 # an old one
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains|all:
+ - 'pcwutl'
+ - 'LaunchApplication'
+ condition: selection
+level: medium
+falsepositives:
+ - Use of Program Compatibility Troubleshooter Helper
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
new file mode 100644
index 000000000..a549111f6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pester.yml
@@ -0,0 +1,35 @@
+title: Execute Code with Pester.bat
+id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+status: experimental
+references:
+ - https://twitter.com/Oddvarmoe/status/993383596244258816
+author: Julia Fomina, oscd.community
+date: 2020/10/08
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_module:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'Pester'
+ - 'Get-Help'
+ cmd_execution:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'pester'
+ - ';'
+ get_help:
+ CommandLine|contains:
+ - 'help'
+ - '?'
+ condition: powershell_module or (cmd_execution and get_help)
+level: medium
+falsepositives:
+ - Legitimate use of Pester for writing tests for Powershell scripts and modules
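Review bot: `'?'` in `get_help` is a Sigma single-character wildcard, not a literal question mark, so `CommandLine|contains: '?'` matches every non-empty command line and `cmd_execution and get_help` collapses to `cmd_execution`. Escape it as `- '\?'` to match a literal `?`. The description also has a typo, `Modulte` for `Module`.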
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
index 91c49cbef..9d9cf2862 100644
--- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth
date: 2018/03/23
-modified: 2020/10/16
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1140
@@ -16,11 +16,8 @@ logsource:
product: windows
detection:
selection:
- CommandLine|contains:
- - '\ping.exe 0x'
- - '\ping 0x'
- Image|contains:
- - 'ping.exe'
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: '0x'
condition: selection
fields:
- ParentCommandLine
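Review bot: `CommandLine|contains: '0x'` drops the token boundary the old values `'\ping.exe 0x'` and `'\ping 0x'` had, so any ping command line with `0x` inside a hostname or other argument now matches. `CommandLine|contains: ' 0x'` keeps the leading space and the original precision while still pairing with the new `Image|endswith: '\ping.exe'`.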
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index de818f0f2..f54f9fc6d 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -12,9 +12,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
- - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
+ CommandLine|contains:
+ - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'
+ - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index a384047e8..760907af5 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -4,9 +4,9 @@ description: Detects suspicious powershell process starts with base64 encoded co
status: experimental
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018/09/03
-modified: 2020/10/20
+modified: 2021/03/02
tags:
- attack.execution
- attack.t1059.001
@@ -16,32 +16,30 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -en JAB*'
- - '* -enc JAB*'
- - '* -enc* JAB*'
- - '* -w hidden -e* JAB*'
- - '* BA^J e-'
- - '* -e SUVYI*'
- - '* -e aWV4I*'
- - '* -e SQBFAFgA*'
- - '* -e aQBlAHgA*'
- - '* -enc SUVYI*'
- - '* -enc aWV4I*'
- - '* -enc SQBFAFgA*'
- - '* -enc aQBlAHgA*'
- - '* -e* IAA*'
- - '* -e* IAB*'
- - '* -e* UwB*'
- - '* -e* cwB*'
- - '*.exe -ENCOD *'
+ CommandLine|contains: ' -e' # covers -en and -enc
+ selection2:
+ CommandLine|contains: ' JAB'
+ selection3:
+ CommandLine|contains|all:
+ - ' -w'
+ - ' hidden '
+ selection4:
+ CommandLine|contains:
+ - ' BA^J'
+ - ' SUVYI'
+ - ' SQBFAFgA'
+ - ' aQBlAHgA'
+ - ' aWV4I'
+ - ' IAA'
+ - ' IAB'
+ - ' UwB'
+ - ' cwB'
+ selection5:
+ CommandLine|contains:
+ - '.exe -ENCOD '
falsepositive1:
- CommandLine: '* -ExecutionPolicy remotesigned *'
- condition: selection and not falsepositive1
+ CommandLine|contains|all:
+ - ' -ExecutionPolicy'
+ - 'remotesigned '
+ condition: ((selection and selection2) or (selection and selection2 and selection3) or (selection and selection4) or selection5) and not falsepositive1
level: high
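Review bot: In the new `condition`, the clause `(selection and selection2 and selection3)` is subsumed by `(selection and selection2)` that precedes it, so `selection3` never influences the result and some Sigma tooling will flag it as an unused selection. Either remove `selection3` and simplify to `condition: ((selection and (selection2 or selection4)) or selection5) and not falsepositive1`, or, if `selection3` was meant to add something, make it a separate disjunct. Also note that `' -e'` in `selection` also matches `-ExecutionPolicy`, so on its own it contributes little; the `' JAB'`/`selection4` terms carry the detection.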
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index d004c1e13..68771de9d 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -15,58 +15,58 @@ logsource:
product: windows
detection:
encoded:
- Image: '*\powershell.exe'
- CommandLine: '* hidden *'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains: ' hidden '
selection:
- CommandLine:
- - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
- - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
- - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
- - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
- - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
- - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
- - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
- - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
- - '*JGNodW5rX3Npem*'
- - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
- - '*RjaHVua19zaXpl*'
- - '*Y2h1bmtfc2l6Z*'
- - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
- - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
- - '*lPLkNvbXByZXNzaW9u*'
- - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
- - '*SU8uQ29tcHJlc3Npb2*'
- - '*Ty5Db21wcmVzc2lvb*'
- - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
- - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
- - '*lPLk1lbW9yeVN0cmVhb*'
- - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
- - '*SU8uTWVtb3J5U3RyZWFt*'
- - '*Ty5NZW1vcnlTdHJlYW*'
- - '*4ARwBlAHQAQwBoAHUAbgBrA*'
- - '*5HZXRDaHVua*'
- - '*AEcAZQB0AEMAaAB1AG4Aaw*'
- - '*LgBHAGUAdABDAGgAdQBuAGsA*'
- - '*LkdldENodW5r*'
- - '*R2V0Q2h1bm*'
- - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
- - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
- - '*RIUkVBRF9JTkZPNj*'
- - '*SFJFQURfSU5GTzY0*'
- - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
- - '*VEhSRUFEX0lORk82N*'
- - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
- - '*cmVhdGVSZW1vdGVUaHJlYW*'
- - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
- - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
- - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
- - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
- - '*0AZQBtAG0AbwB2AGUA*'
- - '*1lbW1vdm*'
- - '*AGUAbQBtAG8AdgBlA*'
- - '*bQBlAG0AbQBvAHYAZQ*'
- - '*bWVtbW92Z*'
- - '*ZW1tb3Zl*'
+ CommandLine|contains:
+ - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
+ - 'aXRzYWRtaW4gL3RyYW5zZmVy'
+ - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
+ - 'JpdHNhZG1pbiAvdHJhbnNmZX'
+ - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
+ - 'Yml0c2FkbWluIC90cmFuc2Zlc'
+ - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
+ - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
+ - 'JGNodW5rX3Npem'
+ - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
+ - 'RjaHVua19zaXpl'
+ - 'Y2h1bmtfc2l6Z'
+ - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
+ - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
+ - 'lPLkNvbXByZXNzaW9u'
+ - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
+ - 'SU8uQ29tcHJlc3Npb2'
+ - 'Ty5Db21wcmVzc2lvb'
+ - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
+ - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
+ - 'lPLk1lbW9yeVN0cmVhb'
+ - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
+ - 'SU8uTWVtb3J5U3RyZWFt'
+ - 'Ty5NZW1vcnlTdHJlYW'
+ - '4ARwBlAHQAQwBoAHUAbgBrA'
+ - '5HZXRDaHVua'
+ - 'AEcAZQB0AEMAaAB1AG4Aaw'
+ - 'LgBHAGUAdABDAGgAdQBuAGsA'
+ - 'LkdldENodW5r'
+ - 'R2V0Q2h1bm'
+ - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
+ - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
+ - 'RIUkVBRF9JTkZPNj'
+ - 'SFJFQURfSU5GTzY0'
+ - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
+ - 'VEhSRUFEX0lORk82N'
+ - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
+ - 'cmVhdGVSZW1vdGVUaHJlYW'
+ - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
+ - 'NyZWF0ZVJlbW90ZVRocmVhZ'
+ - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
+ - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
+ - '0AZQBtAG0AbwB2AGUA'
+ - '1lbW1vdm'
+ - 'AGUAbQBtAG8AdgBlA'
+ - 'bQBlAG0AbQBvAHYAZQ'
+ - 'bWVtbW92Z'
+ - 'ZW1tb3Zl'
condition: encoded and selection
falsepositives:
- Penetration tests
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 7ddebda00..d135cc636 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -4,6 +4,7 @@ status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
author: Florian Roth
date: 2019/01/16
+modified: 2020/11/28
references:
- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
tags:
@@ -15,13 +16,12 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- Image:
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ Image|endswith: '\powershell.exe'
falsepositive:
- CurrentDirectory: '*\Health Service State\\*'
+ CurrentDirectory|contains: '\Health Service State\'
condition: selection and not falsepositive
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
new file mode 100644
index 000000000..bc3ddc59e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -0,0 +1,34 @@
+title: Abusing Print Executable
+id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
+description: Attackers can use print.exe for remote file copy
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|startswith:
+ - print
+ selection2:
+ CommandLine|contains:
+ - /D
+ exeCondition:
+ CommandLine|contains:
+ - .exe
+ cmdExclude:
+ CommandLine|contains:
+ - print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
+falsepositives:
+ - Unknown
+level: medium
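Review bot: `cmdExclude` excludes every command line containing `print.exe`, so an invocation spelled `print.exe /D:... x.exe` matches `selection1` but is never alerted; the exclusion appears to exist only so that `.exe` in `exeCondition` does not match the tool's own name. `CommandLine|endswith: '.exe'` for `exeCondition` would avoid the self-match without excluding that spelling. `CommandLine|startswith: print` also fails for quoted or full-path invocations, so the rule fires only when the binary is invoked by bare name. The unquoted values (`\print.exe`, `print`, `/D`, `.exe`) are valid YAML but inconsistent with the quoted style of the sibling rules in this commit.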
diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml
index 30676b8de..299ed2930 100644
--- a/rules/windows/process_creation/win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml
@@ -19,14 +19,13 @@ logsource:
product: windows
detection:
selection1:
- CommandLine:
- - '* -ma *'
+ CommandLine|contains: ' -ma '
selection2:
- CommandLine:
- - '* lsass*'
+ CommandLine|contains: ' lsass'
selection3:
- CommandLine:
- - '* -ma ls*'
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' ls'
condition: ( selection1 and selection2 ) or selection3
falsepositives:
- Unlikely, because no one should dump an lsass process memory
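Review bot: `selection3` no longer means what the old `'* -ma ls*'` meant: `CommandLine|contains|all` of `' -ma '` and `' ls'` matches any `-ma` dump whose command line has any other token starting with `ls`, with no adjacency. The original semantics are exactly `CommandLine|contains: ' -ma ls'`, which also subsumes `selection1 and selection2` for the lsass case; keeping the single substring avoids the broadening.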
diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
deleted file mode 100644
index fef504ffc..000000000
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious Program Location Process Starts
-id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
-status: experimental
-description: Detects programs running in suspicious files system locations
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-tags:
- - attack.defense_evasion
- - attack.t1036
-author: Florian Roth
-date: 2019/01/15
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
- - '*\Windows\debug\\*'
- condition: selection
-falsepositives:
- - unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b110943c1..bf9c48a62 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,17 +8,22 @@ references:
tags:
- attack.execution
- attack.t1059.001
- - attack.t1086 # an old one
-author: Florian Roth
+ - attack.t1086 # an old one
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2019/01/09
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '* /c powershell*\AppData\Local\\*'
- - '* /c powershell*\AppData\Roaming\\*'
+ CommandLine|contains|all:
+ - '/c'
+ - 'powershell'
+ - '\AppData\'
+ CommandLine|contains:
+ - 'Local\'
+ - 'Roaming\'
condition: selection
falsepositives:
- Administrative scripts
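Review bot: The split into `'\AppData\'` plus a separate `'Local\'` / `'Roaming\'` list loses the adjacency the old patterns `*\AppData\Local\\*` and `*\AppData\Roaming\\*` required, so `Local\` or `Roaming\` anywhere else in the command line now satisfies the rule. Put the full paths in the second list instead: `- '\AppData\Local\'` and `- '\AppData\Roaming\'`, and drop `'\AppData\'` from the `contains|all` list. `'/c'` on its own also matches options such as `/create`; `' /c '` keeps the original token boundaries.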
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index b4e4cc09b..8f8353422 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -2,9 +2,9 @@ title: Regsvr32 Anomaly
id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2019/01/16
-modified: 2020/08/28
+modified: 2020/11/28
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
tags:
@@ -14,31 +14,33 @@ tags:
- attack.t1117 # an old one
- car.2019-04-002
- car.2019-04-003
-
logsource:
category: process_creation
product: windows
detection:
selection1:
- Image: '*\regsvr32.exe'
- CommandLine: '*\Temp\\*'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: '\Temp\'
selection2:
- Image: '*\regsvr32.exe'
- ParentImage: '*\powershell.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\powershell.exe'
selection3:
- Image: '*\regsvr32.exe'
- ParentImage: '*\cmd.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\cmd.exe'
selection4:
- Image: '*\regsvr32.exe'
- CommandLine:
- - '*/i:http* scrobj.dll'
- - '*/i:ftp* scrobj.dll'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains|all:
+ - '/i:'
+ CommandLine|contains:
+ - 'http'
+ - 'ftp'
+ CommandLine|endswith: 'scrobj.dll'
selection5:
- Image: '*\wscript.exe'
- ParentImage: '*\regsvr32.exe'
+ Image|endswith: '\wscript.exe'
+ ParentImage|endswith: '\regsvr32.exe'
selection6:
- Image: '*\EXCEL.EXE'
- CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
+ Image|endswith: '\EXCEL.EXE'
+ CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
condition: 1 of them
fields:
- CommandLine
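Review bot: In `selection4`, splitting `/i:http`/`/i:ftp` into `CommandLine|contains|all: ['/i:']` and `CommandLine|contains: ['http', 'ftp']` loses the adjacency the old values had, so `/i:` plus `http` anywhere in the command line matches; `contains|all` with a single value is also just `contains`. Collapse the two keys into `CommandLine|contains:` with `- '/i:http'` and `- '/i:ftp'`, which preserves the original semantics in fewer lines. The rest of the hunk converts wildcards to modifiers faithfully.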
diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml
new file mode 100644
index 000000000..f8656ab4e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rpcping.yml
@@ -0,0 +1,41 @@
+title: Capture Credentials with Rpcping.exe
+id: 93671f99-04eb-4ab4-a161-70d446a84003
+description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
+ - https://twitter.com/vysecurity/status/974806438316072960
+ - https://twitter.com/vysecurity/status/873181705024266241
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ use_rpcping:
+ Image|endswith: '\rpcping.exe'
+ remote_server:
+ CommandLine|contains:
+ - '-s'
+ - '/s'
+ ntlm_auth:
+ - CommandLine|contains|all:
+ - '-u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '/u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '-t'
+ - 'ncacn_np'
+ - CommandLine|contains|all:
+ - '/t'
+ - 'ncacn_np'
+ condition: use_rpcping and remote_server and ntlm_auth
+level: medium
+falsepositives:
+ - Unlikely
diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index c00c297d4..2119c1e0e 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -4,8 +4,9 @@ description: Detects suspicious process run from unusual locations
status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
+modified: 2020/11/28
tags:
- attack.defense_evasion
- attack.t1036
@@ -15,18 +16,18 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*:\RECYCLER\\*'
- - '*:\SystemVolumeInformation\\*'
- - 'C:\\Windows\\Tasks\\*'
- - 'C:\\Windows\\debug\\*'
- - 'C:\\Windows\\fonts\\*'
- - 'C:\\Windows\\help\\*'
- - 'C:\\Windows\\drivers\\*'
- - 'C:\\Windows\\addins\\*'
- - 'C:\\Windows\\cursors\\*'
- - 'C:\\Windows\\system32\tasks\\*'
-
+ - Image|contains:
+ - ':\RECYCLER\'
+ - ':\SystemVolumeInformation\'
+ - Image|startswith:
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\debug\'
+ - 'C:\Windows\fonts\'
+ - 'C:\Windows\help\'
+ - 'C:\Windows\drivers\'
+ - 'C:\Windows\addins\'
+ - 'C:\Windows\cursors\'
+ - 'C:\Windows\system32\tasks\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
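Review bot: The new `selection` mixes a drive-agnostic `Image|contains: ':\RECYCLER\'` list with a hard-coded `Image|startswith: 'C:\Windows\Tasks\'` list, so processes started from the same Windows directories on a host whose system drive is not `C:` are not detected. Using `Image|contains: ':\Windows\Tasks\'` (and likewise for the other seven entries) makes both lists consistent and removes the dependency on the drive letter.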
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 5e810d444..f04faf4d7 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -11,27 +11,67 @@ tags:
- attack.execution # an old one
- attack.t1218.011
- attack.t1085 # an old one
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '*\rundll32.exe* url.dll,*OpenURL *'
- - '*\rundll32.exe* url.dll,*OpenURLA *'
- - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
- - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
- - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
- - '*\rundll32.exe javascript:*'
- - '* url.dll,*OpenURL *'
- - '* url.dll,*OpenURLA *'
- - '* url.dll,*FileProtocolHandler *'
- - '* zipfldr.dll,*RouteTheCall *'
- - '* Shell32.dll,*Control_RunDLL *'
- - '* javascript:*'
- - '*.RegisterXLL*'
+ - CommandLine|contains:
+ - 'javascript:'
+ - '.RegisterXLL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURLA'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'FileProtocolHandler'
+ - CommandLine|contains|all:
+ - 'zipfldr.dll'
+ - 'RouteTheCall'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'Control_RunDLL'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'ShellExec_RunDLL'
+ - CommandLine|contains|all:
+ - 'mshtml.dll'
+ - 'PrintHTML'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieframe.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'shdocvw.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'syssetup.dll'
+ - SetupInfObjectInstallAction'
+ - CommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ - CommandLine|contains|all:
+ - 'pcwutl.dll'
+ - 'LaunchApplication'
+ - CommandLine|contains|all:
+ - 'dfshim.dll'
+ - 'ShOpenVerbApplication'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
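Review bot: The `syssetup.dll` entry is missing its opening quote: `- SetupInfObjectInstallAction'` parses as the plain scalar `SetupInfObjectInstallAction'` with a trailing apostrophe, so that pair can never match a real command line. Change it to `- 'SetupInfObjectInstallAction'`. Separately, the old patterns anchored most combinations to `\rundll32.exe*`; the new `selection` has no `Image` or `rundll32` constraint, so any process whose command line contains e.g. `url.dll` and `OpenURL` now matches — if that widening is intended, the description should say so.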
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 3e0116596..2a850916d 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -1,7 +1,7 @@
title: Suspicious Call by Ordinal
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-status: experimental
+status: stable
references:
- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
- https://github.com/Neo23x0/DLLRunner
@@ -13,12 +13,15 @@ tags:
- attack.t1085 # an old one
author: Florian Roth
date: 2019/10/22
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine: '*\rundll32.exe *,#*'
+ CommandLine|contains|all:
+ - '\rundll32.exe'
+ - ',#'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
new file mode 100644
index 000000000..f1f6dafe9
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -0,0 +1,35 @@
+title: Suspicious Rundll32 Setupapi.dll Activity
+id: 285b85b1-a555-4095-8652-a8a4106af63f
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
+ This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+ InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+ - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+level: medium
diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml
new file mode 100644
index 000000000..f36b66f6f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runonce_execution.yml
@@ -0,0 +1,29 @@
+title: Run Once Task Execution as Configured in Registry
+id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
+description: This rule detects the execution of Run Once task as configured in the registry
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_name:
+ Image|endswith:
+ - '\runonce.exe'
+ process_description:
+ Description:
+ - 'Run Once Wrapper'
+ command_line:
+ CommandLine|contains:
+ - ' /AlternateShellStartup'
+ condition: (process_name or process_description) and command_line
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml
new file mode 100644
index 000000000..3bea7fb7e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
@@ -0,0 +1,27 @@
+title: Suspicious Runscripthelper.exe
+id: eca49c87-8a75-4f13-9c73-a5a29e845f03
+status: experimental
+description: Detects execution of powershell scripts via Runscripthelper.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\Runscripthelper.exe'
+ cmd:
+ CommandLine|contains: 'surfacecheck'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 491f18dd0..1647d2f54 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -9,8 +9,8 @@ logsource:
product: windows
detection:
selection:
- Image: '*\schtasks.exe'
- CommandLine: '* /create *'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains: ' /create '
filter:
User: NT AUTHORITY\SYSTEM
condition: selection and not filter
diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
new file mode 100644
index 000000000..82f5e0f35
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
@@ -0,0 +1,33 @@
+title: Suspicious Service DACL Modification
+id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable
+author: Jonhnathan Ribeiro, oscd.community
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+ - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+tags:
+ - attack.persistence
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\sc.exe'
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'D;;'
+ sids:
+ CommandLine|contains:
+ - ';;;IU'
+ - ';;;SU'
+ - ';;;BA'
+ - ';;;SY'
+ - ';;;WD'
+ condition: selection and sids
+falsepositives:
+ - Unknown
+level: high
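Review bot: The `'D;;'` substring in `selection` and the `;;;IU`/`;;;SU`/`;;;BA`/`;;;SY`/`;;;WD` substrings in `sids` are matched independently over the whole command line, so the rule does not actually tie the deny ACE to one of the listed trustees; an SDDL string with a deny entry for some other SID and an allow entry for `SY` or `BA` fires just the same. If that breadth is intended, a comment on `sids` should record it, e.g. `# matched independently of the D;; entry: any sdset SDDL naming these trustees next to a deny ACE fires`; otherwise the deny ACE and its trustee have to be matched as one expression. Also `Image|endswith:` wraps a single value in a list, whereas the other new rules in this commit write it as a scalar.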
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 000000000..41b2a3c2e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,28 @@
+title: Dumping Process via Sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+level: medium
+
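Review bot: The second `CommandLine|contains` entry `'0x01100:40'` is redundant: it begins with `0x0110`, so any command line matching it already matches the first entry, and the list collapses to `CommandLine|contains: '0x0110'`. If the two entries were meant to distinguish two dump modes, `contains` cannot express that and the intent should be stated in a comment instead. The hunk also adds a trailing empty line at the end of the file.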
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index b07788187..f64de8c5d 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -9,9 +9,9 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
-author: Karneades / Markus Neis
+author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2019/11/12
-modified: 2020/08/28
+modified: 2020/11/28
falsepositives:
- 1Clipboard
- Beaker Browser
@@ -51,10 +51,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
- CommandLine:
- - '*--processStart*.exe*'
- - '*--processStartAndWait*.exe*'
- - '*--createShortcut*.exe*'
+ Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+ CommandLine|contains:
+ - '--processStart'
+ - '--processStartAndWait'
+ - '--createShortcut'
+ CommandLine|contains|all:
+ - '.exe'
condition: selection
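Review bot: The new `CommandLine|contains|all: - '.exe'` check in `selection` is effectively a no-op: the command line of a process whose image ends in `update.exe` typically starts with that image path, so `.exe` is always present, whereas the old patterns `*--processStart*.exe*` required `.exe` after the switch. `contains|all` with a single value is also just `contains`. If the intent is to require an executable argument after the switch, the rule needs a form that keeps that ordering; otherwise the block should be dropped and the relaxed intent noted in a comment on `CommandLine|contains`.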
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 717a7bea2..39c9ae4cf 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -14,14 +14,14 @@ logsource:
product: windows
detection:
selection:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
filter:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- - '*\Mrt.exe'
- - '*\rpcnet.exe'
- - '*\svchost.exe'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\MsMpEng.exe'
+ - '\Mrt.exe'
+ - '\rpcnet.exe'
+ - '\svchost.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index 68c4260f4..dea91d765 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -15,9 +15,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
- - '*\sysprep.exe *\AppData\\*'
- - sysprep.exe *\AppData\\*
+ Image|endswith:
+ - '\sysprep.exe'
+ CommandLine|contains:
+ - '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
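Review bot: The rewrite broadens the match: the old patterns required `\AppData\` in the argument after `sysprep.exe `, while `CommandLine|contains: '\AppData\'` also fires when the only `\AppData\` is in the image path itself, i.e. sysprep.exe started from a user profile. That is arguably desirable for this rule, but it is a behaviour change the hunk does not record; a comment such as `# also fires when sysprep.exe itself runs from a profile directory` on the `CommandLine|contains` line would do. The single-value list under `Image|endswith:` can be a scalar as in the other hunks.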
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 3c8c2be83..f6ac9d331 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -5,9 +5,9 @@ description: Detects Access to Domain Group Policies stored in SYSVOL
references:
- https://adsecurity.org/?p=2288
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
+author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018/04/09
-modified: 2020/08/28
+modified: 2020/11/28
tags:
- attack.credential_access
- attack.t1552.006
@@ -17,7 +17,9 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*\SYSVOL\\*\policies\\*'
+ CommandLine|contains|all:
+ - '\SYSVOL\'
+ - '\policies\'
condition: selection
falsepositives:
- administrative activity
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 4b515c7f8..4ac61fed9 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -13,7 +13,7 @@ logsource:
detection:
selection:
User: NT AUTHORITY\SYSTEM
- Image: '*\taskmgr.exe'
+ Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
index 70d852123..f58197239 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@@ -12,12 +12,12 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\taskmgr.exe'
+ ParentImage|endswith: '\taskmgr.exe'
filter:
- Image:
- - '*\resmon.exe'
- - '*\mmc.exe'
- - '*\taskmgr.exe'
+ Image|endswith:
+ - '\resmon.exe'
+ - '\mmc.exe'
+ - '\taskmgr.exe'
condition: selection and not filter
fields:
- Image
diff --git a/rules/windows/process_creation/win_susp_tracker_execution.yml b/rules/windows/process_creation/win_susp_tracker_execution.yml
new file mode 100644
index 000000000..08ef303cc
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tracker_execution.yml
@@ -0,0 +1,31 @@
+title: DLL Injection with Tracker.exe
+id: 148431ce-4b70-403d-8525-fcc2993f29ea
+description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_name:
+ Image|endswith:
+ - '\tracker.exe'
+ process_description:
+ Description:
+ - 'Tracker'
+ commandline_param1:
+ CommandLine|contains:
+ - ' /d '
+ commandline_param2:
+ CommandLine|contains:
+ - ' /c '
+ condition: (process_name or process_description) and commandline_param1 and commandline_param2
+falsepositives:
+ - Unknown
+level: medium
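Review bot: `commandline_param1` and `commandline_param2` each hold one `CommandLine|contains` value and are always AND-ed in the condition, so they can be a single selection, `cmdline:` / `CommandLine|contains|all:` / `- ' /d '` / `- ' /c '`, with `condition: (process_name or process_description) and cmdline`, the way the sqlps and winrm_execution hunks already use `contains|all`. The same applies to `cmd_s`/`cmd_c` in the verclsid hunk. The single-value list under `Image|endswith:` can likewise be a scalar.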
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index 6691257e4..b11145b61 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
User: NT AUTHORITY\SYSTEM
- Image: '*\tscon.exe'
+ Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index 927cbef62..15b5dfc31 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -19,7 +19,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '* /dest:rdp-tcp:*'
+ CommandLine|contains: ' /dest:rdp-tcp:'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
new file mode 100644
index 000000000..28b3928a0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
@@ -0,0 +1,31 @@
+title: Detection of PowerShell Execution via Sqlps.exe
+id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
+ - https://twitter.com/bryon_/status/975835709587075072
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqlps.exe'
+ selection2:
+ ParentImage|endswith: '\sqlps.exe'
+ selection3:
+ OriginalFileName: '\sqlps.exe'
+ reduction:
+ ParentImage|endswith: '\sqlagent.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
+level: medium
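Review bot: `condition: selection1 or selection2 or selection3 and not reduction` does not apply the reduction to the whole rule: `and` binds tighter than `or`, so it reads as `selection1 or selection2 or (selection3 and not reduction)`, and a sqlps.exe spawned by sqlagent.exe (the case `falsepositives` calls legitimate) still fires via selection1. It should be `condition: (selection1 or selection2 or selection3) and not reduction`. Separately, `OriginalFileName: '\sqlps.exe'` carries a leading backslash, but OriginalFileName holds the bare file name from the PE version resource (compare `OriginalFileName: 'whoami.exe'` in the win_susp_whoami hunk), so selection3 can never match and should be `OriginalFileName: 'sqlps.exe'`. The sqltoolsps hunk has both defects and the te hunk has the OriginalFileName one.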
diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
new file mode 100644
index 000000000..0e74bea2b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
@@ -0,0 +1,31 @@
+title: SQL Client Tools PowerShell Session Detection
+id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.communitly'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqltoolsps.exe'
+ selection2:
+ ParentImage|endswith: '\sqltoolsps.exe'
+ selection3:
+ OriginalFileName: '\sqltoolsps.exe'
+ reduction:
+ ParentImage|endswith: '\smss.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+level: medium
+
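Review bot: `reduction: ParentImage|endswith: '\smss.exe'` and the matching `falsepositives` sentence name the Session Manager (`smss.exe`), which is not a process expected to launch SQL tooling; given the description refers to SQL Server Management Studio, this looks like a transposition of `ssms.exe` and should be checked against the reference before merge, since as written the reduction will likely never apply. The author field also has a typo, `oscd.communitly` for `oscd.community`.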
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
new file mode 100644
index 000000000..d74b74b0b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
@@ -0,0 +1,27 @@
+title: Malicious Windows Script Components File Execution by TAEF Detection
+id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
+status: experimental
+description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+ - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
+tags:
+ - attack.t1218
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\te.exe'
+ selection2:
+ ParentImage|endswith: '\te.exe'
+ selection3:
+ OriginalFileName: '\te.exe'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+ - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+level: low
+
diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
new file mode 100644
index 000000000..529aff91d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
@@ -0,0 +1,28 @@
+title: Malicious PE Execution by Microsoft Visual Studio Debugger
+id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
+status: experimental
+description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
+references:
+ - https://twitter.com/pabraeken/status/990758590020452353
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml
+ - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+date: 2020/10/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vsjitdebugger.exe'
+ reduction1:
+ ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
+ reduction2:
+ ChildImage|endswith: '\devenv.exe'
+ condition: selection and not (reduction1 or reduction2)
+falsepositives:
+ - the process spawned by vsjitdebugger.exe is uncommon.
+level: medium
+
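Review bot: `reduction1` and `reduction2` filter on `ChildImage`, a field no other process_creation rule in this commit uses; the spawned process is `Image`, as the `ParentImage`/`Image` pair in the taskmgr_parent hunk shows. Unless the consuming field mapping defines `ChildImage`, both reductions never match and `not (reduction1 or reduction2)` is dead, so the lines should read `Image|endswith: '\vsimmersiveactivatehelper*.exe'` and `Image|endswith: '\devenv.exe'`. The first value relies on `*` staying a wildcard inside an `endswith` value, which deserves a short comment.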
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
index c07a989c6..de93c141c 100644
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -11,11 +11,11 @@ logsource:
product: windows
detection:
selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
filter1:
- CommandLine: '*\\netlogon\\*'
+ CommandLine|contains: '\\netlogon\\'
filter2:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
condition: selection and not filter1 and not filter2
fields:
- CommandLine
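Review bot: `CommandLine|contains: '\\netlogon\\'` keeps the doubled backslashes from the old wildcard pattern, where `\\*` was needed to keep the backslash apart from the `*`; with `contains` there is no adjacent wildcard, and the other hunks in this commit write the same shape as `'\AppData\'`, `'\SYSVOL\'` and `'\policies\'`. For consistency this should be `CommandLine|contains: '\netlogon\'`, which denotes the same literal under Sigma escaping. If the doubled form is deliberate for a particular backend, a comment should say why.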
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
new file mode 100644
index 000000000..024b51499
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -0,0 +1,31 @@
+title: Suspicious VBoxDrvInst.exe Parameters
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
+ For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+ - https://twitter.com/pabraeken/status/993497996179492864
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine|contains|all:
+ - 'driver'
+ - 'executeinf'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index 1d3ec9ced..5fab95fae 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -16,11 +16,12 @@ logsource:
product: windows
detection:
selection:
- Image: '*\whoami.exe'
+ Image|endswith: '\whoami.exe'
selection2:
OriginalFileName: 'whoami.exe'
condition: selection or selection2
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
-level: high
+ - Monitoring activity
+level: medium
diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
new file mode 100644
index 000000000..5ed592814
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
@@ -0,0 +1,47 @@
+action: global
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+status: experimental
+references:
+ - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+level: medium
+falsepositives:
+ - Unlikely
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ contains_format_pretty_arg:
+ CommandLine|contains:
+ - 'format:pretty'
+ - 'format:"pretty"'
+ - 'format:"text"'
+ - 'format:text'
+ image_from_system_folder:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ contains_winrm:
+ CommandLine|contains: 'winrm'
+ condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ system_files:
+ TargetFilename|endswith:
+ - 'WsmPty.xsl'
+ - 'WsmTxt.xsl'
+ in_system_folder:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: system_files and not in_system_folder
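Review bot: `image_from_system_folder` and `in_system_folder` hard-code the `C:\Windows\` prefix, so on a host whose system drive is not `C:` a winrm.vbs run from the genuine System32 cscript.exe, and every legitimate write of WsmPty.xsl, would become a false positive. Either the assumption should be documented on both lists (`# assumes the system root is C:\Windows`) or the match expressed without the drive letter, e.g. `Image|contains: '\Windows\System32\'`. The settingsynchost hunk's `system_utility` carries the same assumption.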
diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml
new file mode 100644
index 000000000..2ecb2b39e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_execution.yml
@@ -0,0 +1,27 @@
+title: Remote Code Execute via Winrm.vbs
+id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
+description: Detects an attempt to execude code or create service on remote host via winrm.vbs.
+status: experimental
+references:
+ - https://twitter.com/bohops/status/994405551751815170
+ - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+author: Julia Fomina, oscd.community
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - 'winrm'
+ - 'invoke Create wmicimv2/Win32_'
+ - '-r:http'
+ condition: selection
+level: medium
+falsepositives:
+ - Legitimate use for administartive purposes. Unlikely
+
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 3c33aca3b..6c53498dc 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -6,21 +6,32 @@ references:
- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth, juju4
+author: Michael Haag, Florian Roth, juju4, oscd.community
date: 2019/01/16
+modified: 2020/11/28
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/NODE:*process call create *'
- - '* path AntiVirusProduct get *'
- - '* path FirewallProduct get *'
- - '* shadowcopy delete *'
- condition: selection
+ Image|endswith: '\wmic.exe'
+ selection2:
+ CommandLine|contains|all:
+ - '/NODE:'
+ - 'process'
+ - 'call'
+ - 'create '
+ recon_part1:
+ CommandLine|contains: ' path '
+ recon_part2:
+ CommandLine|contains:
+ - 'AntiVirus'
+ - 'Firewall'
+ CommandLine|contains|all:
+ - 'Product'
+ - ' get '
+ condition: selection and selection2 or
+ selection and recon_part1 and recon_part2
fields:
- CommandLine
- ParentCommandLine
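Review bot: The rewritten detection drops the old `'* shadowcopy delete *'` case: `selection2` covers `/NODE: ... process call create` and `recon_part1`/`recon_part2` cover the AntiVirusProduct/FirewallProduct queries, but nothing in the new block matches `wmic shadowcopy delete`, so that coverage is lost unless it moved to another rule in this commit. It should be restored as its own selection, e.g. `shadowcopy:` / `CommandLine|contains|all: [' shadowcopy ', ' delete ']`, OR-ed into the condition, or the removal stated in the commit message. Also `condition:` is split over two physical lines as a multi-line plain scalar; it parses, but it is fragile and should be one line, `condition: selection and (selection2 or (recon_part1 and recon_part2))`.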
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
new file mode 100644
index 000000000..71c561a9b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+author: 'oscd.community, Zach Stanford @svch0st'
+date: 2020/10/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wsl.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --exec '
+ condition: selection
+falsepositives:
+ - Automation and orchestration scripts may use this method execute scripts etc
+level: medium
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
new file mode 100644
index 000000000..203fefb92
--- /dev/null
+++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
@@ -0,0 +1,30 @@
+action: global
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+detection:
+ condition: selection
+falsepositives:
+ - App-V clients
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\SyncAppvPublishingServer.exe'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ Message|contains: 'SyncAppvPublishingServer.exe'
\ No newline at end of file
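Review bot: The new file is added without a trailing newline (`\ No newline at end of file` after `Message|contains: 'SyncAppvPublishingServer.exe'`), while the termserv_proc_spawn hunk in this same commit adds the missing newline to another rule; the last line should end with one. The powershell document also matches any message merely containing the binary name, which a comment should acknowledge, e.g. `# broad: any PowerShell log line naming the binary`.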
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 41475ce25..da03e08cd 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
- https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss
+author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
date: 2017/11/27
modified: 2021/03/02
tags:
@@ -15,40 +15,40 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\explorer.exe'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '*\SystemRoot\System32\\*'
- - 'C:\avast! sandbox*'
+ - Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\avast! sandbox'
+ - Image|contains: '\SystemRoot\System32\'
+ - Image: 'C:\Windows\explorer.exe'
condition: selection and not filter
fields:
- ComputerName
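Review bot: The rebuilt `filter` keeps both `'C:\Windows\System32\'` and `'C:\Windows\system32\'`, and likewise the `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` pairs; Sigma string matching is case-insensitive, so each pair is one entry and the duplicates only add noise. Since the commit rewrites the whole list anyway, it should keep one of each. If a backend that matches case-sensitively is the reason for keeping them, a comment on the list should say so.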
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index 0e4767335..f49573a1d 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -18,10 +18,12 @@ logsource:
category: process_creation
detection:
selection:
- ParentCommandLine: '*\svchost.exe*termsvcs'
+ ParentCommandLine|contains|all:
+ - '\svchost.exe'
+ - 'termsvcs'
filter:
- Image: '*\rdpclip.exe'
+ Image|endswith: '\rdpclip.exe'
condition: selection and not filter
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
new file mode 100644
index 000000000..aa3b63073
--- /dev/null
+++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
@@ -0,0 +1,33 @@
+title: Using SettingSyncHost.exe as LOLBin
+description: Detects using SettingSyncHost.exe to run hijacked binary
+id: b2ddd389-f676-4ac4-845a-e00781a48e5f
+status: experimental
+references:
+ - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1574.008
+author: Anton Kutepov, oscd.community
+date: 2020/02/05
+modified: 2020/10/10
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ system_utility:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ parent_is_settingsynchost:
+ ParentCommandLine|contains|all:
+ - 'cmd.exe /c'
+ - 'RoamDiag.cmd'
+ - '-outputpath'
+ condition: not system_utility and parent_is_settingsynchost
+fields:
+ - TargetFilename
+ - Image
+falsepositives:
+ - unknown
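Review bot: `fields:` lists `TargetFilename`, which is a file_event field (see the file_event document in the winrm_AWL_bypass hunk), not a process_creation one, so it will never be populated for this rule; `CommandLine` and `ParentCommandLine` are the fields that would help triage here. The `falsepositives` entry `unknown` also differs in casing from the `Unknown` the other new rules use.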
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
new file mode 100644
index 000000000..99c649aec
--- /dev/null
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -0,0 +1,29 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml
new file mode 100644
index 000000000..3682987bf
--- /dev/null
+++ b/rules/windows/process_creation/win_visual_basic_compiler.yml
@@ -0,0 +1,22 @@
+title: Visual Basic Command Line Compiler Usage
+id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
+status: experimental
+description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vbc.exe'
+ Image|endswith: '\cvtres.exe'
+ condition: selection
+falsepositives:
+ - Utilization of this tool should not be seen in enterprise environment
+level: high
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 654135a43..06b658f96 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -9,10 +9,10 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*transport=dt_socket,address=*'
+ CommandLine|contains: 'transport=dt_socket,address='
exclusion:
- - CommandLine: '*address=127.0.0.1*'
- - CommandLine: '*address=localhost*'
+ - CommandLine|contains: 'address=127.0.0.1'
+ - CommandLine|contains: 'address=localhost'
condition: selection and not exclusion
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index a5d273e44..09d432656 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -1,12 +1,12 @@
title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
date: 2017/01/01
-modified: 2021/01/11
+modified: 2021/03/02
tags:
- attack.persistence
- attack.t1505.003
@@ -19,36 +19,51 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- ParentImage:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
- CommandLine:
- - '*whoami*'
- - '*net user *'
- - '*net use *'
- - '*net group *'
- - '*quser*'
- - '*ping -n *'
- - '*systeminfo'
- - '*&cd&echo*'
- - '*cd /d*' # https://www.computerhope.com/cdhlp.htm
- - '*ipconfig*'
- - '*pathping*'
- - '*tracert*'
- - '*netstat*'
- - '*schtasks*'
- - '*vssadmin*'
- - '*wevtutil*'
- - '*tasklist*'
- - '*wmic /node:*'
- - '*Test-NetConnection*'
- - '*dir \*' # remote dir: dir \\C$:\windows\temp\*.exe
- condition: selection
+ parent_is_web_server_process:
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ net_utility:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains:
+ - ' user '
+ - ' use '
+ - ' group '
+ ping_utility:
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: ' -n '
+ change_dir:
+ CommandLine|contains:
+ - '&cd&echo' # china chopper web shell
+ - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
+ wmic_utility:
+ Image|endswith: '\wmic.exe'
+ CommandLine|contains: ' /node:'
+ misc_discovery_binaries:
+ Image|endswith:
+ - '\whoami.exe'
+ - '\systeminfo.exe'
+ - '\quser.exe'
+ - '\ipconfig.exe'
+ - '\pathping.exe'
+ - '\tracert.exe'
+ - '\netstat.exe'
+ - '\schtasks.exe'
+ - '\vssadmin.exe'
+ - '\wevtutil.exe'
+ - '\tasklist.exe'
+ misc_discovery_commands:
+ CommandLine|contains:
+ - ' Test-NetConnection '
+ - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe
+ condition: parent_is_web_server_process and (net_utility or ping_utility or change_dir or wmic_utility or misc_discovery_binaries or misc_discovery_commands)
fields:
- CommandLine
- ParentCommandLine
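Review bot: The rewritten `net_utility`, `ping_utility`, `wmic_utility` and `misc_discovery_binaries` groups now match on `Image` while `parent_is_web_server_process` still requires the web server as direct parent, so the common web-shell pattern `w3wp.exe -> cmd.exe /c whoami` no longer fires: whoami.exe's parent is cmd.exe, and the cmd.exe event only carries the keyword in its CommandLine, which these groups no longer inspect (the old `CommandLine: '*whoami*'` entries did). Either keep a `CommandLine|contains` variant next to each Image-based group, as the sibling win_webshell_recon_detection rule in this commit does, or state in the description that only direct spawns are covered. Separately, `' Test-NetConnection '` is padded on both sides, so `-c "Test-NetConnection …"` no longer matches where `*Test-NetConnection*` did; `'Test-NetConnection'` keeps the old coverage. The single-line `condition` would read better folded across continuation lines, as the ASEP rule in this commit does.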
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index a6004cc22..5c9663ce7 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -16,21 +16,23 @@ logsource:
product: windows
detection:
selection:
- ParentImage|contains:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ selection2:
Image|endswith:
- - '*\cmd.exe'
+ - '\cmd.exe'
CommandLine|contains:
- - '*perl --help*'
- - '*python --help*'
- - '*wget --help*'
- - '*perl -h*'
- condition: selection
+ - 'perl --help'
+ - 'python --help'
+ - 'wget --help'
+ - 'perl -h'
+ condition: selection and selection2
fields:
- Image
- CommandLine
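Review bot: `selection2` is an opaque name for the Image/CommandLine half of the match, while win_webshell_detection in the same commit names its groups descriptively (`parent_is_web_server_process`, `net_utility`); renaming it, e.g. `cmd_help_keywords:` with `condition: selection and cmd_help_keywords`, makes the condition self-explaining. `Image|endswith:` holding a single `'\cmd.exe'` item could be a plain scalar, as the other rules here write single values.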
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index c65a8a9bf..197567f6a 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -10,19 +10,19 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- - '*\tomcat.exe'
- - '*\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\tomcat.exe'
+ - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
condition: selection
fields:
- CommandLine
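Review bot: `ParentImage|endswith: '\tomcat.exe'` only matches a binary literally named tomcat.exe, whereas the two other web-shell rules touched in this commit (win_webshell_detection, win_webshell_recon_detection) use `ParentImage|contains: '\tomcat'` so that versioned service binaries such as tomcat9.exe are covered too. The old `*\tomcat.exe` had the same limitation, but since the selection is being reworked this is the moment to align it: split the list into an `endswith` group and a `ParentImage|contains: '\tomcat'` group, keeping `selection` as a list of two maps so they are ORed.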
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 93db4c7d2..282891345 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -13,7 +13,11 @@ logsource:
detection:
selection:
Image|endswith: '\schtasks.exe'
- CommandLine: '*/change*/TN*/RU*/RP*'
+ CommandLine|contains|all:
+ - '/change'
+ - '/TN'
+ - '/RU'
+ - '/RP'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
new file mode 100644
index 000000000..cae14f604
--- /dev/null
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -0,0 +1,25 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: experimental
+description: Detects Winword.exe loading of custmom dll via /l cmd switch
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
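Review bot: `CommandLine|contains: '/l'` is a two-character substring that matches far more than the `/l` switch — any winword command line containing a URL, `/log`, `/launch` or a similar argument hits it, and because Sigma string matching is case-insensitive in most backends `/L` does as well. Anchoring the token, e.g. `CommandLine|contains: ' /l '` (or `' /l'` if the DLL path may follow without a space — check the referenced LOLBAS entry), keeps the intent while cutting the noise. The description also has a typo: `custmom` → `custom`.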
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index ef2451168..4e8ce30d6 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -1,7 +1,7 @@
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: experimental
-description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
+description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
author: Florian Roth
date: 2019/10/11
references:
@@ -16,7 +16,7 @@ tags:
- attack.t1084 # an old one
detection:
selection:
- ParentImage: '*\EdgeTransport.exe'
+ ParentImage|endswith: '\EdgeTransport.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index b083acfbf..dcd52ef39 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -19,10 +19,10 @@ logsource:
product: windows
detection:
selection:
- ParentImage:
- - '*\wmiprvse.exe'
- Image:
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\wmiprvse.exe'
+ Image|endswith:
+ - '\powershell.exe'
filter_null1:
CommandLine: 'null'
filter_null2: # some backends need the null value in a seperate expression
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index bf99d9eb3..042df7de0 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -20,13 +20,18 @@ detection:
- LogonId:
- '0x3e7' # LUID 999 for SYSTEM
- 'null' # too many false positives
+ - SubjectLogonId:
+ - '0x3e7' # LUID 999 for SYSTEM
+ - 'null' # too many false positives
- User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
- Image|endswith:
- '\WmiPrvSE.exe'
- '\WerFault.exe'
- filter_null: # some backends need the null value in a seperate expression
+ filter_null1: # some backends need the null value in a seperate expression
LogonId: null
- condition: selection and not filter and not filter_null
+ filter_null2: # some backends need the null value in a seperate expression
+ SubjectLogonId: null
+ condition: selection and not filter and not filter_null1 and not filter_null2
falsepositives:
- Unknown
level: high
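Review bot: The comment copied onto the new `filter_null2` line repeats the `seperate` typo from `filter_null1`; since both lines are being touched, `# some backends need the null value in a separate expression` is a cheap fix for both. The `filter` list that the new `SubjectLogonId` item joins begins above the hunk, so how it alternates with the `LogonId` and `User` items cannot be verified here, though the new entry mirrors the existing `LogonId` one.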
diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml
index 496138fde..9347f2b35 100644
--- a/rules/windows/process_creation/win_workflow_compiler.yml
+++ b/rules/windows/process_creation/win_workflow_compiler.yml
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- Image: '*\Microsoft.Workflow.Compiler.exe'
+ Image|endswith: '\Microsoft.Workflow.Compiler.exe'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
index 916d4773d..243d2d7ec 100755
--- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
@@ -7,7 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1112
-author: megan201296
+author: megan201296, Jonhnathan Ribeiro
date: 2019/04/14
modified: 2020/09/06
logsource:
@@ -17,21 +17,26 @@ detection:
selection:
TargetObject:
- 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ TargetObject|endswith:
# covers HKU\* and HKLM..
- - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
+ - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
+ - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
+ - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
+ - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
+ - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ selection2:
+ TargetObject|startswith:
+ - 'HKU\'
+ TargetObject|contains:
# HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*'
+ - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
# HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*'
+ - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\'
# HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*'
- condition: selection
+ - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
+ - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ condition: selection or selection2
falsepositives:
- Unknown
level: critical
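Review bot: In `selection`, the existing exact `TargetObject:` value (`HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model`) and the new `TargetObject|endswith:` list sit in the same map, and Sigma ANDs the keys of a map, so the selection requires one event to satisfy both — which no TargetObject can — leaving the HKCR value dead and the six `\SOFTWARE\App\AppX…` paths unmatched as well. `selection2` is fine, since `startswith: 'HKU\'` and its `contains` list are meant to combine. Make `selection` a list of two maps, which Sigma ORs: `selection:` / `- TargetObject: 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'` / `- TargetObject|endswith:` with the six values indented under the second item, and the `condition: selection or selection2` then works as written.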
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 80f4a8237..a8bb54d79 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -1,38 +1,213 @@
title: Autorun Keys Modification
id: 17f878b8-9968-4578-b814-c4217fc5768c
-description: Detects modification of autostart extensibility point (ASEP) in registry
+description: Detects modification of autostart extensibility point (ASEP) in registry.
status: experimental
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
tags:
- attack.persistence
- - attack.t1060 # an old one
- attack.t1547.001
-date: 2019/10/21
-modified: 2020/09/06
-author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+ - attack.t1060 # an old one
+date: 2019/10/25
+modified: 2020/11/04
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community
logsource:
category: registry_event
product: windows
+level: medium
detection:
- selection:
+ main_selection:
TargetObject|contains:
- - '\software\Microsoft\Windows\CurrentVersion\Run'
- - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
- - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- - '\software\Microsoft\Windows\CurrentVersion\RunServices'
- - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
- - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU
- - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU
- - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU
- - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
- condition: selection
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
+ - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
+ - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
+ - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
+ - '\SYSTEM\Setup\CmdLine'
+ - '\Software\Microsoft\Ctf\LangBarAddin'
+ - '\Software\Microsoft\Command Processor\Autorun'
+ - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
+ - '\SOFTWARE\Classes\Protocols\Handler'
+ - '\SOFTWARE\Classes\Protocols\Filter'
+ - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
+ - '\Environment\UserInitMprLogonScript'
+ - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
+ - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
+ - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
+ - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
+ - '\Control Panel\Desktop\Scrnsave.exe'
+ session_manager_base:
+ TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
+ session_manager:
+ TargetObject|contains:
+ - '\SetupExecute'
+ - '\S0InitialCommand'
+ - '\KnownDlls'
+ - '\Execute'
+ - '\BootExecute'
+ - '\AppCertDlls'
+ current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
+ current_version:
+ TargetObject|contains:
+ - '\ShellServiceObjectDelayLoad'
+ - '\Run'
+ - '\Policies\System\Shell'
+ - '\Policies\Explorer\Run'
+ - '\Group Policy\Scripts\Startup'
+ - '\Group Policy\Scripts\Shutdown'
+ - '\Group Policy\Scripts\Logon'
+ - '\Group Policy\Scripts\Logoff'
+ - '\Explorer\ShellServiceObjects'
+ - '\Explorer\ShellIconOverlayIdentifiers'
+ - '\Explorer\ShellExecuteHooks'
+ - '\Explorer\SharedTaskScheduler'
+ - '\Explorer\Browser Helper Objects'
+ - '\Authentication\PLAP Providers'
+ - '\Authentication\Credential Providers'
+ - '\Authentication\Credential Provider Filters'
+ nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+ nt_current_version:
+ TargetObject|contains:
+ - '\Winlogon\VmApplet'
+ - '\Winlogon\Userinit'
+ - '\Winlogon\Taskman'
+ - '\Winlogon\Shell'
+ - '\Winlogon\GpExtensions'
+ - '\Winlogon\AppSetup'
+ - '\Winlogon\AlternateShells\AvailableShells'
+ - '\Windows\IconServiceLib'
+ - '\Windows\Appinit_Dlls'
+ - '\Image File Execution Options'
+ - '\Font Drivers'
+ - '\Drivers32'
+ - '\Windows\Run'
+ - '\Windows\Load'
+ wow_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
+ wow_current_version:
+ TargetObject|contains:
+ - '\ShellServiceObjectDelayLoad'
+ - '\Run'
+ - '\Explorer\ShellServiceObjects'
+ - '\Explorer\ShellIconOverlayIdentifiers'
+ - '\Explorer\ShellExecuteHooks'
+ - '\Explorer\SharedTaskScheduler'
+ - '\Explorer\Browser Helper Objects'
+ wow_nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
+ wow_nt_current_version:
+ TargetObject|contains:
+ - '\Windows\Appinit_Dlls'
+ - '\Image File Execution Options'
+ - '\Drivers32'
+ wow_office:
+ TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office'
+ office:
+ TargetObject|contains: '\Software\Microsoft\Office'
+ wow_office_details:
+ TargetObject|contains:
+ - '\Word\Addins'
+ - '\PowerPoint\Addins'
+ - '\Outlook\Addins'
+ - '\Onenote\Addins'
+ - '\Excel\Addins'
+ - '\Access\Addins'
+ - 'test\Special\Perf'
+ wow_ie:
+ TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer'
+ ie:
+ TargetObject|contains: '\Software\Microsoft\Internet Explorer'
+ wow_ie_details:
+ TargetObject|contains:
+ - '\Toolbar'
+ - '\Extensions'
+ - '\Explorer Bars'
+ wow_classes_base:
+ TargetObject|contains: '\Software\Wow6432Node\Classes'
+ wow_classes:
+ TargetObject|contains:
+ - '\Folder\ShellEx\ExtShellFolderViews'
+ - '\Folder\ShellEx\DragDropHandlers'
+ - '\Folder\ShellEx\ColumnHandlers'
+ - '\Directory\Shellex\DragDropHandlers'
+ - '\Directory\Shellex\CopyHookHandlers'
+ - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
+ - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
+ - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
+ - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
+ - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
+ - '\ShellEx\PropertySheetHandlers'
+ - '\ShellEx\ContextMenuHandlers'
+ classes_base:
+ TargetObject|contains: '\Software\Classes'
+ classes:
+ TargetObject|contains:
+ - '\Folder\ShellEx\ExtShellFolderViews'
+ - '\Folder\ShellEx\DragDropHandlers'
+ - '\Folder\Shellex\ColumnHandlers'
+ - '\Filter'
+ - '\Exefile\Shell\Open\Command\(Default)'
+ - '\Directory\Shellex\DragDropHandlers'
+ - '\Directory\Shellex\CopyHookHandlers'
+ - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
+ - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
+ - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
+ - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
+ - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
+ - '\.exe'
+ - '\.cmd'
+ - '\ShellEx\PropertySheetHandlers'
+ - '\ShellEx\ContextMenuHandlers'
+ scripts_base:
+ TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
+ scripts:
+ TargetObject|contains:
+ - '\Startup'
+ - '\Shutdown'
+ - '\Logon'
+ - '\Logoff'
+ winsock_parameters_base:
+ TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
+ winsock_parameters:
+ TargetObject|contains:
+ - '\Protocol_Catalog9\Catalog_Entries'
+ - '\NameSpace_Catalog5\Catalog_Entries'
+ system_control_base:
+ TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
+ system_control:
+ TargetObject|contains:
+ - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
+ - '\Terminal Server\Wds\rdpwd\StartupPrograms'
+ - '\SecurityProviders\SecurityProviders'
+ - '\SafeBoot\AlternateShell'
+ - '\Print\Providers'
+ - '\Print\Monitors'
+ - '\NetworkProvider\Order'
+ - '\Lsa\Notification Packages'
+ - '\Lsa\Authentication Packages'
+ - '\BootVerificationProgram\ImagePath'
+ condition: main_selection OR
+ session_manager_base AND session_manager OR
+ current_version_base AND current_version OR
+ nt_current_version_base AND nt_current_version OR
+ wow_current_version_base AND wow_current_version OR
+ wow_nt_current_version_base AND wow_nt_current_version OR
+ (wow_office OR office) AND wow_office_details OR
+ (wow_ie OR ie) AND wow_ie_details OR
+ wow_classes_base AND wow_classes OR
+ classes_base AND classes OR
+ scripts_base AND scripts OR
+ winsock_parameters_base AND winsock_parameters OR
+ system_control_base AND system_control
+fields:
+ - SecurityID
+ - ObjectName
+ - OldValueType
+ - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
-level: medium
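Review bot: `'\Run'` under `current_version` and `wow_current_version` is a substring match, so together with the `…\CurrentVersion` base it also fires on `…\CurrentVersion\Explorer\RunMRU` (the Run-dialog history written on ordinary user activity) and any other key containing `\Run`; listing the autorun keys explicitly (`'\Run\'`, `'\RunOnce'`, …) or adding a `\Explorer\RunMRU` exclusion would keep the autorun coverage without that noise. The `condition` chains thirteen alternatives of the form `base AND detail` with bare `OR` and no parentheses; sigmatools gives `and` the higher precedence so it presumably parses as intended, but parenthesising each pair makes that explicit. `'test\Special\Perf'` under `wow_office_details` reads like a typo without context — a comment such as `# 'Office test\Special\Perf' — Office startup persistence key, matched together with the Office base` would help the next reader. The new `fields` (`SecurityID`, `ObjectName`, `OldValueType`, `NewValueType`) look like Security-log registry-audit names rather than Sysmon registry-event fields; confirm they exist for the `registry_event` logsource the rule targets.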
diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
new file mode 100644
index 000000000..d20032bda
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
@@ -0,0 +1,29 @@
+title: UAC Bypass Via Wsreset
+id: 6ea3bf32-9680-422d-9f50-e90716b12a66
+status: experimental
+description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
+references:
+ - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith:
+ - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
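Review bot: The new file lacks a trailing newline (`\ No newline at end of file`), which this same commit fixes in several existing rules (sysmon_hack_wce_reg, sysmon_reg_office_security, sysmon_logon_scripts_userinitmprlogonscript_reg); add one here too. The description reads awkwardly — `Detects the unfixed Windows 10 UAC bypass via WSReset.exe (Windows Store), which runs a binary referenced from a registry key writable at low privilege.` says the same more clearly — and `- unknown` under `falsepositives` should be `- Unknown` to match the other rules in the commit.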
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
index 81302dfea..10c7f0b17 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -25,11 +25,6 @@ logsource:
category: registry_event
product: windows
detection:
- # Registry Object Add
- selection1:
- TargetObject: '*\cmmgr32.exe*'
- EventType: 'CreateKey'
- # Registry Object Value Set
- selection2:
- TargetObject: '*\cmmgr32.exe*'
- condition: 1 of them
+ selection:
+ TargetObject|contains: '\cmmgr32.exe'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index c2cff4812..d8b7daf7c 100755
--- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -19,10 +19,9 @@ logsource:
product: windows
detection:
selection:
-
- TargetObject:
- - '*\Services\DHCPServer\Parameters\CalloutDlls'
- - '*\Services\DHCPServer\Parameters\CalloutEnabled'
+ TargetObject|endswith:
+ - '\Services\DHCPServer\Parameters\CalloutDlls'
+ - '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
index 59849ff88..fd7d5d2c1 100755
--- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
@@ -30,7 +30,7 @@ logsource:
category: registry_event
detection:
dnsregmod:
- TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
+ TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: 1 of them
---
logsource:
@@ -38,5 +38,8 @@ logsource:
product: windows
detection:
dnsadmin:
- CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
- condition: 1 of them
\ No newline at end of file
+ Image|endswith: '\dnscmd.exe'
+ CommandLine|contains|all:
+ - '/config'
+ - '/serverlevelplugindll'
+ condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 647282408..e3f50de16 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -15,9 +15,9 @@ logsource:
category: registry_event
product: windows
detection:
- selection:
+ selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- - 'Another service that uses a single -s command line switch'
-level: critical
\ No newline at end of file
+ - Unknown
+level: critical
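Review bot: Replacing the specific false positive `'Another service that uses a single -s command line switch'` with `Unknown` drops documented tuning context; if that note no longer applies now that the match is on `TargetObject|contains`, say so in the commit, otherwise keep it. `TargetObject|contains: Services\WCESERVICE\Start` is the only unquoted value in this batch; `'Services\WCESERVICE\Start'` would match the neighbouring rules.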
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
index 069aaa501..e9ee2839a 100644
--- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -17,9 +17,9 @@ logsource:
product: windows
detection:
create_keywords_reg:
- TargetObject: '*UserInitMprLogonScript*'
+ TargetObject|contains: 'UserInitMprLogonScript'
condition: create_keywords_reg
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
new file mode 100644
index 000000000..8dd2cc28f
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
@@ -0,0 +1,27 @@
+title: Path To Screensaver Binary Modified
+id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
+status: experimental
+description: Detects value modification of registry key containing path to binary used as screensaver.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
+ - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.002
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/11
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
+ filter:
+ Image|endswith:
+ - '\rundll32.exe'
+ - '\explorer.exe'
+ condition: selection and not filter
+level: medium
+falsepositives:
+ - 'Legitimate modification of screensaver.'
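Review bot: The `filter` excludes `rundll32.exe` and `explorer.exe` as writers of `SCRNSAVE.EXE` without saying why; presumably these are the legitimate Control Panel / personalization paths, but rundll32.exe is also a common host for code the rule would want to see, so the exclusion is a tuning choice that deserves a comment such as `# legitimate changes via Control Panel (rundll32 desk.cpl) and Explorer personalization`. Sysmon registry events expose only `Image`, not the command line, so the rundll32 exception cannot be narrowed by `desk.cpl` there; noting that limitation in `falsepositives` would help a tuner.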
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 0007bb601..820a65f60 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -17,13 +17,13 @@ logsource:
product: windows
detection:
selection:
- - TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- # key rename
- NewName:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ NewName|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
condition: selection
fields:
- EventID
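Review bot: The `# key rename` comment that explained why `NewName` is matched alongside `TargetObject` was removed with the old lines and not restored on the new `NewName|endswith:` line; re-add it, e.g. `NewName|endswith:  # key rename (RenameKey events)`. `selection` being a list of two maps means the two are ORed, which is the intent.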
diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml
new file mode 100644
index 000000000..a26556cb7
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml
@@ -0,0 +1,24 @@
+title: PowerShell as a Service in Registry
+id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
+description: Detects that a powershell code is written to the registry as a service.
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Services\'
+ TargetObject|endswith: '\ImagePath'
+ Details|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: selection
+falsepositives: Unknown
+level: high
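Review bot: `falsepositives: Unknown` is a plain scalar where every other rule in this commit uses a list (`falsepositives:` / `  - Unknown`); the repository's rule tests likely check that shape, so this should be the list form. `Details|contains: 'powershell'` also matches any legitimately installed service whose ImagePath is a PowerShell host path, so a `falsepositives` entry naming that case would be more useful than Unknown.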
diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index 425c550b6..4a9041570 100755
--- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
@@ -11,10 +11,10 @@ logsource:
product: windows
detection:
selection_reg:
- TargetObject:
- - '*\services\TermService\Parameters\ServiceDll*'
- - '*\Control\Terminal Server\fSingleSessionPerUser*'
- - '*\Control\Terminal Server\fDenyTSConnections*'
+ TargetObject|contains:
+ - '\services\TermService\Parameters\ServiceDll'
+ - '\Control\Terminal Server\fSingleSessionPerUser'
+ - '\Control\Terminal Server\fDenyTSConnections'
condition: selection_reg
tags:
- attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
index 8e538be85..fb3975c6a 100644
--- a/rules/windows/registry_event/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
@@ -16,9 +16,9 @@ logsource:
detection:
sec_settings:
TargetObject|endswith:
- - '*\Security\Trusted Documents\TrustRecords'
- - '*\Security\AccessVBOM'
- - '*\Security\VBAWarnings'
+ - '\Security\Trusted Documents\TrustRecords'
+ - '\Security\AccessVBOM'
+ - '\Security\VBAWarnings'
EventType:
- SetValue
- DeleteValue
@@ -26,4 +26,4 @@ detection:
condition: sec_settings
falsepositives:
- Valid Macros and/or internal documents
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 3cb36716a..2ede1d708 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -16,7 +16,10 @@ logsource:
detection:
selection:
EventType: 'CreateKey' # don't want DeleteKey events
- TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\TreatAs'
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
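Review bot: The `contains|all` rewrite drops the anchoring the old `HKU\\*_Classes\CLSID\\*\TreatAs` pattern had: `HKU\` was a prefix and `\TreatAs` a suffix, whereas now both may occur anywhere in the path. `TargetObject|startswith: 'HKU\'` / `TargetObject|contains: '_Classes\CLSID\'` / `TargetObject|endswith: '\TreatAs'` in one map keeps the original semantics with the same modifiers the rest of the commit uses. The same applies to the `\InProcServer32\(Default)` selection in sysmon_registry_persistence_search_order.yml below, where additionally the `Details|contains` filter for `%%systemroot%%\system32\` and `%%systemroot%%\SysWow64\` was previously a prefix match (no leading `*`), so `Details|startswith` would keep that exclusion anchored.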
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index ed0c58392..8e31caf6f 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -4,9 +4,9 @@ status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), oscd.community
date: 2020/04/14
-modified: 2020/09/06
+modified: 2020/11/28
tags:
- attack.persistence
- attack.t1038 # an old one
@@ -16,14 +16,23 @@ logsource:
product: windows
detection:
selection: # Detect new COM servers in the user hive
- TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\InProcServer32\(Default)'
filter:
- Details: # Exclude privileged directories and observed FPs
- - '%%systemroot%%\system32\\*'
- - '%%systemroot%%\SysWow64\\*'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll'
- - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll'
+ - Details|contains: # Exclude privileged directories and observed FPs
+ - '%%systemroot%%\system32\'
+ - '%%systemroot%%\SysWow64\'
+ - Details|contains|all:
+ - '\AppData\Local\Microsoft\OneDrive\'
+ - '\FileCoAuthLib64.dll'
+ - Details|contains|all:
+ - '\AppData\Local\Microsoft\OneDrive\'
+ - '\FileSyncShell64.dll'
+ - Details|contains|all:
+ - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
+ - '\Microsoft.Teams.AddinLoader.dll'
condition: selection and not filter
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
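Review bot: The filter's `Details|contains` entries for `'%%systemroot%%\system32\'` and `'%%systemroot%%\SysWow64\'` widen the exclusion: the removed patterns had no leading wildcard and therefore only matched values that begin with that path, while `contains` now suppresses any event whose Details has the substring anywhere. Because this is an exclusion, a wider match means fewer alerts rather than more, so I would keep the original anchor with `Details|startswith:` for those two values. The three `Details|contains|all` blocks reproduce the original `*...*` patterns faithfully and are fine as written.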
diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml
new file mode 100644
index 000000000..aff6c60e7
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml
@@ -0,0 +1,24 @@
+title: Run Once Task Configuration in Registry
+id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
+description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/11/15
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ EventType: 'SetValue'
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'
+ TargetObject|endswith: '\StubPath'
+ condition: selection
+falsepositives:
+ - Legitimate modification of the registry key by legitimate program
+level: medium
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 06e822d14..667c8448a 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -12,9 +12,9 @@ tags:
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
-author: Florian Roth, @twjackomo
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
-modified: 2020/09/06
+modified: 2020/11/28
falsepositives:
- Unlikely
level: critical
@@ -23,14 +23,14 @@ logsource:
category: registry_event
product: windows
detection:
- selection_registry:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
+ selection_registry:
+ TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
condition: 1 of them
---
@@ -39,13 +39,13 @@ logsource:
product: windows
detection:
selection_process:
- ParentImage:
- - '*\winlogon.exe'
- CommandLine:
- - '*cmd.exe sethc.exe *'
- - '*cmd.exe utilman.exe *'
- - '*cmd.exe osk.exe *'
- - '*cmd.exe Magnify.exe *'
- - '*cmd.exe Narrator.exe *'
- - '*cmd.exe DisplaySwitch.exe *'
+ ParentImage|endswith: '\winlogon.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'Magnify.exe'
+ - 'Narrator.exe'
+ - 'DisplaySwitch.exe'
condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
new file mode 100644
index 000000000..9f36c3763
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -0,0 +1,25 @@
+title: Atbroker Registry Change
+id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
+author: Mateusz Wydra, oscd.community
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
+date: 2020/10/13
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ creation:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
+ persistance:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
+ condition: creation or persistance
+falsepositives:
+ - Creation of non-default, legitimate AT.
+level: High
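Review bot: `level: High` on the last line is capitalised while every other rule in this commit uses lowercase `level: high`; tooling that compares the level as a string (the Elasticsearch rule backend reads it straight into `severity`) will not treat it as the same value. The rule also has no `status:` field, unlike the other new rules here which carry `status: experimental`. Minor: `Assisitive` and `persistance` in the description are typos, and `persistance` is also the name of the second selection and appears in the condition, so correcting it means changing both places together.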
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 963cbfc92..fcc8c3b45 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -1,4 +1,4 @@
-title: Suspicious RUN Key from Download
+title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: experimental
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
@@ -16,11 +16,11 @@ logsource:
product: windows
detection:
selection:
- Image:
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ Image|contains:
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
condition: selection
falsepositives:
- Software installers downloaded and used by users
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index e7ff37013..d17f68a15 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -13,9 +13,9 @@ logsource:
product: windows
detection:
selection:
- TargetObject:
- - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
+ TargetObject|contains:
+ - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
+ - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
condition: selection
tags:
- attack.execution
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 0729a3207..f8ffaeb6f 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -14,8 +14,9 @@ logsource:
product: windows
detection:
selection_1:
- TargetObject|contains:
- - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ TargetObject|contains|all:
+ - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+ - '\NonPackaged'
selection_2:
TargetObject|contains:
- microphone
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 8a84eff4c..2c6ae5ca2 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
date: 2018/07/18
modified: 2020/09/06
references:
@@ -12,16 +12,18 @@ logsource:
product: windows
detection:
selection:
- TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- Details:
- - 'C:\Windows\Temp\\*'
- - 'C:\ProgramData\\*'
- - '*\AppData\\*'
- - 'C:\$Recycle.bin\\*'
- - 'C:\Temp\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- condition: selection
+ TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ selection2:
+ - Details|startswith:
+ - 'C:\Windows\Temp\'
+ - 'C:\ProgramData\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - Details|contains:
+ - '\AppData\'
+ condition: selection and selection2
tags:
- attack.persistence
- attack.t1060 # an old one
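Review bot: `modified: 2020/09/06` (visible in the previous hunk of this file) was not bumped even though this hunk rewrites the detection — the single `selection` becomes `selection` plus `selection2` with a new condition — while the other rules in this commit whose detection was reworked set `modified: 2020/11/28`. The same applies to sysmon_win_reg_persistence.yml further down, whose `modified` also stays at 2020/09/06 after its detection was split into `selection_reg1 and selection_reg2`.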
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index 309d978d8..af430e49a 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -16,20 +16,22 @@ logsource:
product: windows
detection:
selection:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
- Details:
- - '*C:\Windows\Temp\\*'
- - '*C:\$Recycle.bin\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - 'wscript*'
- - 'cscript*'
- condition: selection
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
+ selection2:
+ - Details|contains:
+ - 'C:\Windows\Temp\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - 'C:\Users\Desktop\'
+ - Details|startswith:
+ - '%Public%\'
+ - 'wscript'
+ - 'cscript'
+ condition: selection and selection2
fields:
- Image
falsepositives:
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index 2d302e4f3..00e4022e6 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -19,14 +19,14 @@ detection:
- 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
- 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
selection_2:
- Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ Image|endswith:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
selection_3:
Details|contains:
- - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+ - '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
condition: selection_1 and not selection_2 and not selection_3
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index 125d927da..0cd426a5b 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -14,9 +14,9 @@ logsource:
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
- TargetObject:
- - '*\Keyboard Layout\Preload\\*'
- - '*\Keyboard Layout\Substitutes\\*'
+ TargetObject|contains:
+ - '\Keyboard Layout\Preload\'
+ - '\Keyboard Layout\Substitutes\'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 056d98d40..717e6b93a 100755
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -17,7 +17,7 @@ logsource:
category: registry_event
detection:
selection1:
- TargetObject: '*\EulaAccepted'
+ TargetObject|endswith: '\EulaAccepted'
condition: 1 of them
---
logsource:
@@ -25,5 +25,5 @@ logsource:
product: windows
detection:
selection2:
- CommandLine: '* -accepteula*'
- condition: 1 of them
\ No newline at end of file
+ CommandLine|contains: ' -accepteula'
+ condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index f566bc863..065779e19 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -24,7 +24,8 @@ logsource:
category: registry_event
detection:
methregistry:
- TargetObject: 'HKU\\*\mscfile\shell\open\command'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '\mscfile\shell\open\command'
condition: methregistry
---
logsource:
@@ -32,9 +33,9 @@ logsource:
product: windows
detection:
methprocess:
- ParentImage: '*\eventvwr.exe'
+ ParentImage|endswith: '\eventvwr.exe'
filterprocess:
- Image: '*\mmc.exe'
+ Image|endswith: '\mmc.exe'
condition: methprocess and not filterprocess
fields:
- CommandLine
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 79063257e..5a91724f2 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -13,7 +13,8 @@ logsource:
detection:
selection:
# usrclass.dat is mounted on HKU\USERSID_Classes\...
- TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
new file mode 100644
index 000000000..63a654317
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
@@ -0,0 +1,24 @@
+title: Execution DLL of Choice Using WAB.EXE
+id: fc014922-5def-4da9-a0fc-28c973f41bfb
+description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
+ - https://twitter.com/Hexacorn/status/991447379864932352
+ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+date: 2020/10/13
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
+ filter:
+ Details: '%CommonProgramFiles%\System\wab32.dll'
+ condition: selection and not filter
+falsepositives: Unknown
+level: high
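Review bot: `falsepositives: Unknown` is a plain scalar, whereas every other rule on this page writes the field as a list (`falsepositives:` followed by an indented `- Unknown`); consumers that iterate the field will get a string instead of a sequence. I would switch it to the list form. sysmon_accessing_winapi_in_powershell_credentials_dumping.yml in this same commit has the identical scalar `falsepositives: Unknown`.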
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 25f5ef43a..dea029f4f 100755
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -5,18 +5,26 @@ references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
modified: 2020/09/06
-author: Karneades
+author: Karneades, Jonhnathan Ribeiro
logsource:
category: registry_event
product: windows
detection:
selection_reg1:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
EventType: SetValue
- condition: selection_reg1
+ selection_reg2:
+ - TargetObject|contains|all:
+ - '\Image File Execution Options\'
+ - '\GlobalFlag'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\ReportingMode'
+ - TargetObject|contains|all:
+ - 'SilentProcessExit\'
+ - '\MonitorProcess'
+ condition: selection_reg1 and selection_reg2
tags:
- attack.privilege_escalation
- attack.persistence
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
new file mode 100644
index 000000000..67963ff93
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
@@ -0,0 +1,30 @@
+title: Registry Persistence Mechanism via Windows Telemetry
+id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+description: Detects persistence method using windows telemetry
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+author: Lednyov Alexey, oscd.community
+tags:
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ category: registry_event
+ product: windows
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+ - '\Command'
+ Details|contains: '.exe'
+ EventType: 'SetValue'
+ filter:
+ Details|contains:
+ - '\system32\CompatTelRunner.exe'
+ - '\system32\DeviceCensus.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: critical
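Review bot: The `definition` string says the subkey is under "the HKLU hives", but HKLU is not a registry hive name (the hives are HKLM, HKU, HKCU and so on); the wording appears to be copied from the keyboard-layout rule's definition, which has the same typo. As far as I recall the TelemetryController key described in the referenced TrustedSec write-up lives under the machine hive, so `... subkey of the HKLM hive` is probably what is meant — confirm against the reference before changing it. `Details|contains: '.exe'` is broad on its own, but the `filter` on the two default binaries keeps the rule workable.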
diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
new file mode 100644
index 000000000..96e861348
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
@@ -0,0 +1,24 @@
+title: Accessing WinAPI in PowerShell for Credentials Dumping
+id: 3f07b9d1-2082-4c56-9277-613a621983cc
+description: Detects Accessing to lsass.exe by Powershell
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tag:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 8
+ - 10
+ SourceImage|endswith: '\powershell.exe'
+ TargetImage|endswith: '\lsass.exe'
+ condition: selection
+falsepositives: Unknown
+level: high
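Review bot: The metadata key on the `tag:` line should be `tags:`; every other rule uses `tags:`, and anything that reads tags (for example the MITRE tactic/technique mapping in the Elasticsearch rule backend touched later in this commit) will see this rule as untagged. Also `falsepositives: Unknown` is a scalar rather than the list form used elsewhere. The description `Detects Accessing to lsass.exe by Powershell` reads awkwardly; `Detects PowerShell accessing lsass.exe` says the same thing.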
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
index 9b8b5ec95..45ab4e3a0 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -14,13 +14,13 @@ logsource:
detection:
selection:
EventID: 8
- SourceImage:
- - '*\System32\cscript.exe'
- - '*\System32\wscript.exe'
- - '*\System32\mshta.exe'
- - '*\winword.exe'
- - '*\excel.exe'
- TargetImage: '*\SysWOW64\\*'
+ SourceImage|endswith:
+ - '\System32\cscript.exe'
+ - '\System32\wscript.exe'
+ - '\System32\mshta.exe'
+ - '\winword.exe'
+ - '\excel.exe'
+ TargetImage|contains: '\SysWOW64\'
StartModule: null
condition: selection
tags:
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index a8d8db9b7..b26ae3c35 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -6,6 +6,7 @@ references:
status: stable
author: Thomas Patzke
date: 2017/02/19
+modified: 2021/04/01
logsource:
product: windows
service: sysmon
@@ -21,5 +22,5 @@ tags:
- attack.s0005
- attack.t1003.001
falsepositives:
- - unknown
+ - Antivirus products
level: high
diff --git a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml
new file mode 100644
index 000000000..8ac9f2e3a
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml
@@ -0,0 +1,29 @@
+title: PsExec Pipes Artifacts
+id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+status: experimental
+description: Detecting use PsExec via Pipe Creation/Access to pipes
+author: Nikita Nazarov, oscd.community
+date: 2020/05/10
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+logsource:
+ product: windows
+ service: sysmon
+ definition: 'Note that you have to configure logging for PipeEvents in Symson config'
+detection:
+ selection:
+ EventID:
+ - 17
+ - 18
+ PipeName|startswith:
+ - 'psexec'
+ - 'paexec'
+ - 'remcom'
+ - 'csexec'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
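Review bot: `PipeName|startswith: 'psexec'` is unlikely to ever match a real event: Sysmon records pipe names with a leading backslash (e.g. `\PSEXESVC`), so a `startswith` value without the `\` cannot fire, and as far as I know the PsExec service pipe is named PSEXESVC, which does not begin with `psexec` either. `PipeName|contains:` with these values (and `psexesvc` added), or `startswith` values prefixed with `\`, would behave as the title intends — confirm against the referenced slides. Minor: `Symson` in the `definition` string is a typo for `Sysmon`.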
diff --git a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml
new file mode 100644
index 000000000..bfd3bb138
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml
@@ -0,0 +1,25 @@
+title: Exports Registry Key To an Alternate Data Stream
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+status: experimental
+description: Exports the target Registry key and hides it in the specified alternate data stream.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 15
+ Image|endswith: '\regedit.exe'
+ condition: selection
+fields:
+ - TargetFilename
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index c5d046bfc..c7671d870 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -12,8 +12,8 @@ logsource:
detection:
selection:
EventID: 8
- SourceImage: '*\powershell.exe'
- TargetImage: '*\rundll32.exe'
+ SourceImage|endswith: '\powershell.exe'
+ TargetImage|endswith: '\rundll32.exe'
condition: selection
tags:
- attack.defense_evasion
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index e1f150b77..cf33afa51 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -2,7 +2,7 @@ title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: experimental
description: Detects suspicious scripting in WMI Event Consumers
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro
references:
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
@@ -17,18 +17,23 @@ logsource:
detection:
selection:
EventID: 20
- Destination:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- - '*new-object net.webclient).downloadstring(*'
- - '*new-object net.webclient).downloadfile(*'
- - '* iex(*'
- - '*WScript.shell*'
- - '* -nop *'
- - '* -noprofile *'
- - '* -decode *'
- - '* -enc *'
- condition: selection
+ selection_destination:
+ - Destination|contains|all:
+ - 'new-object'
+ - 'net.webclient'
+ - '.downloadstring'
+ - Destination|contains|all:
+ - 'new-object'
+ - 'net.webclient'
+ - '.downloadfile'
+ - Destination|contains:
+ - ' iex('
+ - 'WScript.shell'
+ - ' -nop '
+ - ' -noprofile '
+ - ' -decode '
+ - ' -enc '
+ condition: selection and selection_destination
fields:
- CommandLine
- ParentCommandLine
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index a70d4d1a2..7e91eb360 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -84,7 +84,7 @@ fieldmappings:
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
- CommandLine: process.args
+ CommandLine: process.command_line
ComputerName: winlog.ComputerName
CurrentDirectory: process.working_directory
Description: winlog.event_data.Description
@@ -125,13 +125,14 @@ fieldmappings:
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
- ParentCommandLine: process.parent.args
+ ParentCommandLine: process.parent.command_line
ParentProcessName: process.parent.name
ParentImage: process.parent.executable
Path: winlog.event_data.Path
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
+ Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 8f88f05cb..34fef1fdd 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -117,6 +117,7 @@ fieldmappings:
PipeName: event_data.PipeName
ProcessCommandLine: event_data.ProcessCommandLine
ProcessName: event_data.ProcessName
+ Product: event_data.Product
Properties: event_data.Properties
SecurityID: event_data.SecurityID
ServiceFileName: event_data.ServiceFileName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 74e991b7d..9bb3c5559 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -121,6 +121,7 @@ fieldmappings:
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
+ Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
SAMAccountName: winlog.event_data.SamAccountName
diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt
deleted file mode 100644
index 3665b6ee4..000000000
--- a/tools/requirements-devel.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-coverage~=5.0
-yamllint~=1.21
-elasticsearch~=7.6
-elasticsearch-async~=6.2
-setuptools
-wheel
-pytest~=5.4
-colorama
-stix2
-attackcti
\ No newline at end of file
diff --git a/tools/requirements.txt b/tools/requirements.txt
deleted file mode 100644
index 3debba0b4..000000000
--- a/tools/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-pyyaml>=4.2b1
-requests~=2.23
-urllib3~=1.25
-progressbar2~=3.47
-pymisp~=2.4.123
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 1ef7e175a..e9901e06d 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -114,6 +114,8 @@ class BaseBackend:
def generate(self, sigmaparser):
"""Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
+ if len(sigmaparser.condparsed) > 1:
+ raise NotImplementedError("Base backend doesn't support multiple conditions")
for parsed in sigmaparser.condparsed:
query = self.generateQuery(parsed)
before = self.generateBefore(parsed)
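Review bot: The new guard makes every backend that inherits `generate` raise for rules whose `condition` is a list, whereas the loop right after it previously emitted one query per parsed condition; this is a behaviour change for all those backends, not only the base class, so the message `Base backend doesn't support multiple conditions` will be misleading when it surfaces from a subclass. If the restriction is only needed by backends that keep per-rule state (such as the Elasticsearch rule backend changed in this commit), I would move the check into those backends' `generate`, or at least include `type(self).__name__` in the message. `generate` continues past the end of the hunk.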
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index b901be0da..e7bf3ec21 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -25,7 +25,7 @@ from distutils.util import strtobool
import sigma
import yaml
from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier
-from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
+from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser
from sigma.config.mapping import ConditionalFieldMapping
from .base import BaseBackend, SingleTextQueryBackend
@@ -1220,6 +1220,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
super().__init__(*args, **kwargs)
self.tactics = self._load_mitre_file("tactics")
self.techniques = self._load_mitre_file("techniques")
+ self.rule_type = "query"
+ self.rule_threshold = {}
def _load_mitre_file(self, mitre_type):
try:
@@ -1246,6 +1248,20 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
rule = self.create_rule(configs, index)
return rule
+ def generateAggregation(self, agg):
+ if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
+ if agg.cond_op not in [">", ">="]:
+ raise NotImplementedError("Threshold rules can only handle > and >= operators")
+ if agg.aggfield:
+ raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield)
+ self.rule_type = "threshold"
+ self.rule_threshold = {
+ "field": agg.groupfield if agg.groupfield else [],
+ "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1
+ }
+ return ""
+ raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans)
+
def create_threat_description(self, tactics_list, techniques_list):
threat_list = list()
for tactic in tactics_list:
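Review bot: `self.rule_type` and `self.rule_threshold` are set here but never reset, so once a rule with a COUNT aggregation has been converted, every later rule handled by the same backend instance is emitted with `"type": "threshold"` and the stale threshold block (see the `create_rule` hunk below) — unless the tool constructs a fresh backend per rule, which I cannot confirm from this diff. Resetting both before each rule's aggregation is processed, e.g. `self.rule_type = "query"` and `self.rule_threshold = {}`, would make the output independent of rule order. Also `"field"` is a single string when `agg.groupfield` is set but a list when it is not; `[agg.groupfield] if agg.groupfield else []` keeps the type stable if the target schema accepts a list, and `int(agg.condition)` will raise `ValueError` for a non-integer threshold rather than a `NotImplementedError` like the other unsupported cases.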
@@ -1351,10 +1367,12 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
"severity": configs.get("level", "medium"),
"tags": new_tags,
"to": "now",
- "type": "query",
+ "type": self.rule_type,
"threat": threat,
"version": 1
}
+ if self.rule_type == "threshold":
+ rule.update({"threshold": self.rule_threshold})
if references:
rule.update({"references": references})
return json.dumps(rule)
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 854dec74c..4ae813633 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -23,11 +23,16 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
# A few helper functions for cases where field mapping cannot be done
# as easily one by one, or can be done more efficiently.
-def _windowsEventLogFieldName(fieldName):
+def _windowsEventLogArtifactFieldName(fieldName):
if 'EventID' == fieldName:
return 'Event/System/EventID'
return 'Event/EventData/%s' % (fieldName,)
+def _windowsEventLogEDRFieldName(fieldName):
+ if 'EventID' == fieldName:
+ return 'event/EVENT/System/EventID'
+ return 'event/EVENT/EventData/%s' % (fieldName,)
+
def _mapProcessCreationOperations(node):
# Here we fix some common pitfalls found in rules
# in a consistent fashion (already processed to D&R rule).
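Review bot: The two helpers differ only in the path prefix and nothing says which LimaCharlie data path each one addresses, which matters because picking the wrong one silently yields a rule that never matches. Add a one-line comment above each, e.g. `# Field path for Windows Event Log records delivered as EDR sensor events (used by the 'edr' mapping table).` above `_windowsEventLogEDRFieldName` and `# Field path for Windows Event Log records collected as artifacts (used by the 'artifact' mapping table).` above `_windowsEventLogArtifactFieldName`.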
@@ -65,132 +70,160 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [
'postOpMapper',
])
_allFieldMappings = {
- "windows/process_creation/": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is windows",
- },
- fieldMappings = {
- "CommandLine": "event/COMMAND_LINE",
- "Image": "event/FILE_PATH",
- "ParentImage": "event/PARENT/FILE_PATH",
- "ParentCommandLine": "event/PARENT/COMMAND_LINE",
- "User": "event/USER_NAME",
- "OriginalFileName": "event/ORIGINAL_FILE_NAME",
- # Custom field names coming from somewhere unknown.
- "NewProcessName": "event/FILE_PATH",
- "ProcessCommandLine": "event/COMMAND_LINE",
- # Another one-off command line.
- "Command": "event/COMMAND_LINE",
- },
- isAllStringValues = False,
- keywordField = "event/COMMAND_LINE",
- postOpMapper = _mapProcessCreationOperations
- ),
- "windows//": SigmaLCConfig(
- topLevelParams = {
- "target": "log",
- "log type": "wel",
- },
- preConditions = None,
- fieldMappings = _windowsEventLogFieldName,
- isAllStringValues = True,
- keywordField = None,
- postOpMapper = None
- ),
- "windows_defender//": SigmaLCConfig(
- topLevelParams = {
- "target": "log",
- "log type": "wel",
- },
- preConditions = None,
- fieldMappings = _windowsEventLogFieldName,
- isAllStringValues = True,
- keywordField = None,
- postOpMapper = None
- ),
- "dns//": SigmaLCConfig(
- topLevelParams = {
- "event": "DNS_REQUEST",
- },
- preConditions = None,
- fieldMappings = {
- "query": "event/DOMAIN_NAME",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
- "linux//": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is linux",
- },
- fieldMappings = {
- "exe": "event/FILE_PATH",
- "type": None,
- },
- isAllStringValues = False,
- keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
- ),
- "unix//": SigmaLCConfig(
- topLevelParams = {
- "events": [
- "NEW_PROCESS",
- "EXISTING_PROCESS",
- ]
- },
- preConditions = {
- "op": "is linux",
- },
- fieldMappings = {
- "exe": "event/FILE_PATH",
- "type": None,
- },
- isAllStringValues = False,
- keywordField = 'event/COMMAND_LINE',
- postOpMapper = None
- ),
- "netflow//": SigmaLCConfig(
- topLevelParams = {
- "event": "NETWORK_CONNECTIONS",
- },
- preConditions = None,
- fieldMappings = {
- "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT",
- "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
- "/proxy/": SigmaLCConfig(
- topLevelParams = {
- "event": "HTTP_REQUEST",
- },
- preConditions = None,
- fieldMappings = {
- "c-uri|contains": "event/URL",
- "c-uri": "event/URL",
- "URL": "event/URL",
- "cs-uri-query": "event/URL",
- "cs-uri-stem": "event/URL",
- },
- isAllStringValues = False,
- keywordField = None,
- postOpMapper = None
- ),
+ 'edr': {
+ "windows//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "WEL",
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = _windowsEventLogEDRFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ "windows_defender//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "WEL",
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = _windowsEventLogEDRFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ "windows/process_creation/": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is windows",
+ },
+ fieldMappings = {
+ "CommandLine": "event/COMMAND_LINE",
+ "Image": "event/FILE_PATH",
+ "ParentImage": "event/PARENT/FILE_PATH",
+ "ParentCommandLine": "event/PARENT/COMMAND_LINE",
+ "User": "event/USER_NAME",
+ "OriginalFileName": "event/ORIGINAL_FILE_NAME",
+ # Custom field names coming from somewhere unknown.
+ "NewProcessName": "event/FILE_PATH",
+ "ProcessCommandLine": "event/COMMAND_LINE",
+ # Another one-off command line.
+ "Command": "event/COMMAND_LINE",
+ },
+ isAllStringValues = False,
+ keywordField = "event/COMMAND_LINE",
+ postOpMapper = _mapProcessCreationOperations
+ ),
+ "dns//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "DNS_REQUEST",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "query": "event/DOMAIN_NAME",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ "linux//": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is linux",
+ },
+ fieldMappings = {
+ "exe": "event/FILE_PATH",
+ "type": None,
+ },
+ isAllStringValues = False,
+ keywordField = 'event/COMMAND_LINE',
+ postOpMapper = None
+ ),
+ "unix//": SigmaLCConfig(
+ topLevelParams = {
+ "events": [
+ "NEW_PROCESS",
+ "EXISTING_PROCESS",
+ ]
+ },
+ preConditions = {
+ "op": "is linux",
+ },
+ fieldMappings = {
+ "exe": "event/FILE_PATH",
+ "type": None,
+ },
+ isAllStringValues = False,
+ keywordField = 'event/COMMAND_LINE',
+ postOpMapper = None
+ ),
+ "netflow//": SigmaLCConfig(
+ topLevelParams = {
+ "event": "NETWORK_CONNECTIONS",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT",
+ "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ "/proxy/": SigmaLCConfig(
+ topLevelParams = {
+ "event": "HTTP_REQUEST",
+ },
+ preConditions = None,
+ fieldMappings = {
+ "c-uri|contains": "event/URL",
+ "c-uri": "event/URL",
+ "URL": "event/URL",
+ "cs-uri-query": "event/URL",
+ "cs-uri-stem": "event/URL",
+ },
+ isAllStringValues = False,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ },
+ "artifact": {
+ "windows//": SigmaLCConfig(
+ topLevelParams = {
+ "target": "log",
+ "log type": "wel",
+ },
+ preConditions = None,
+ fieldMappings = _windowsEventLogArtifactFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ "windows_defender//": SigmaLCConfig(
+ topLevelParams = {
+ "target": "log",
+ "log type": "wel",
+ },
+ preConditions = None,
+ fieldMappings = _windowsEventLogArtifactFieldName,
+ isAllStringValues = True,
+ keywordField = None,
+ postOpMapper = None
+ ),
+ }
}
class LimaCharlieBackend(BaseBackend):
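Review bot: The new top-level keys are quoted inconsistently (`'edr'` at L17868, `"artifact"` at L17998) while the rest of the table uses double quotes; use `"edr"` for consistency. The `windows//` and `windows_defender//` entries within each target are byte-identical `SigmaLCConfig(...)` literals, so a single named config per target (e.g. `_edrWelConfig = SigmaLCConfig(...)` referenced twice) would make it obvious that both log sources are meant to map the same way and keep them from drifting apart in later edits.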
@@ -200,6 +233,15 @@ class LimaCharlieBackend(BaseBackend):
config_required = False
default_config = ["limacharlie"]
+ options = (
+ (
+ "lc_target",
+ "edr",
+ "Generate LimaCharlie D&R rules for the following target, one of: edr, artifact.",
+ None,
+ ),
+ )
+
def generate(self, sigmaparser):
# Take the log source information and figure out which set of mappings to use.
ruleConfig = sigmaparser.parsedyaml
@@ -230,7 +272,7 @@ class LimaCharlieBackend(BaseBackend):
# See if we have a definition for the source combination.
mappingKey = "%s/%s/%s" % (product, category, service)
- topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None, None]))
+ topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None]))
if mappings is None:
raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service))
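Review bot: `_allFieldMappings.get(self.lc_target, {})` turns a mistyped `lc_target` into the misleading "Log source ... not supported by backend." error, because the lookup silently falls through to an empty table. Validate the option before the lookup: `if self.lc_target not in _allFieldMappings:` / `raise NotImplementedError("Unknown lc_target %r, expected one of: %s" % (self.lc_target, ", ".join(sorted(_allFieldMappings))))`. It would also help to name the target in the existing error, since the `artifact` table only carries two Windows sources and a user converting a `dns//` rule with `lc_target=artifact` gets no hint of why it fails. The enclosing `generate` method starts outside this hunk.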
diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index 348227bb1..9a2a6387f 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -19,8 +19,6 @@ from functools import wraps
from .base import SingleTextQueryBackend
from .exceptions import NotSupportedError
from ..parser.modifiers.base import SigmaTypeModifier
-from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier
-from ..parser.modifiers.type import SigmaRegularExpressionModifier
def wrapper(method):
@@ -42,10 +40,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
active = True
config_required = False
- # \ -> \\
- # \* -> \*
- # \\* -> \\*
- reEscape = re.compile('("|(?', val)
val = re.sub('\\*', '.*', val)
val = re.sub('\\?', '.', val)
- else: # value possibly only starts and/or ends with *, use prefix/postfix match
+ else:
+ # value possibly only starts and/or ends with *, use prefix/postfix match
if val.endswith("*") and val.startswith("*"):
op = "contains"
val = self.cleanValue(val[1:-1])
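Review bot: The regex branch rewrites `*` to `.*` and `?` to `.` but, as far as this hunk shows, nothing escapes the other regex metacharacters in the Sigma value first, so a literal value such as `1.0` or `a+b` becomes a broader pattern than the rule author intended; if the escaping happens in lines that this rendering has collapsed at L18063 (several diff lines appear merged there), a comment on that line such as `# escape regex metacharacters before translating Sigma wildcards` would make the order of operations explicit. The class-level `reEscape` removed in this hunk is what the new `cleanValue` at L18083 relies on, so whatever value the base class now supplies for it should be stated in a comment. The enclosing method starts and ends outside this hunk.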
@@ -215,6 +215,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
return "%s \"%s\"" % (op, val)
+ def porttype_mapping(self, val):
+ return "%s \"%s\"" % ("==", val)
+
def logontype_mapping(self, src):
"""Value mapping for logon events to reduced ATP LogonType set"""
logontype_mapping = {
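Review bot: `porttype_mapping` needs a docstring like the neighbouring `logontype_mapping` has, and `"%s \"%s\"" % ("==", val)` is needlessly indirect for a fixed operator: `return '== "%s"' % val`. The method also quotes the port as a string literal; if the target column in the ATP schema is numeric, a string comparison is at best a type mismatch the query language may reject, so verify against the schema and document the intended column type in the docstring, e.g. `"""Value mapping for port fields: exact match; port is compared as a string (see schema)."""`.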
@@ -299,6 +302,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
return "%s" % generated
return generated
+ def cleanValue(self, val):
+ if self.reEscape:
+ val = self.reEscape.sub(self.escapeSubst, val)
+ return val
def mapEventId(self, event_id):
if self.product == "windows":
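Review bot: `cleanValue` reads `self.reEscape` and `self.escapeSubst`, neither of which this class defines any more (the hunk at L18057 removes `reEscape`), so its effect now depends entirely on what `SingleTextQueryBackend` sets; if that is a falsy default, the method passes values through untouched and a `"` inside a Sigma value breaks out of the quoted expressions built at L18073 and L18075, producing an invalid or wider-than-intended query. Either keep an explicit `reEscape`/`escapeSubst` in this class or add a docstring stating the inherited contract, e.g. `"""Apply the backend's reEscape/escapeSubst (inherited from SingleTextQueryBackend) to a raw Sigma value before it is quoted."""`. A blank line is also missing between `return val` and `def mapEventId`, unlike the other methods in this file.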
diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c..62506337b 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
- notNullExpression = "%s exists"
+ nullExpression = "%s is null"
+ notNullExpression = "%s is not null"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py
index 25aed08d0..c8898ec67 100644
--- a/tools/sigma/backends/netwitness.py
+++ b/tools/sigma/backends/netwitness.py
@@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
+ nullExpression = "%s !exists"
notNullExpression = "%s exists"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True