From a2b309404b46f3dfe2e6147e697d44a654722e87 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 27 Feb 2019 17:52:20 +0300 Subject: [PATCH 0001/1335] Create win_rdp_session_hijacking.yml Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. This can be done remotely or locally and with active or disconnected sessions. It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. --- .../builtin/win_rdp_session_hijacking.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml new file mode 100644 index 000000000..0ea0829cc --- /dev/null +++ b/rules/windows/builtin/win_rdp_session_hijacking.yml @@ -0,0 +1,23 @@ +title: RDP Session Hijacking detected +description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. +references: + - http://blog.gentilkiwi.com/securite/vol-de-session-rdp + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html +date: 2019/02/27 +modified: 2019/02/27 +tags: + - attack.lateral_movement +status: experimental +author: vburov +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + NewProcessName: "*\tscon.exe" + SecurityID: "System" + condition: selection +falsepositives: + - Unknown +level: high From 7efc704ccf4aa7663490b1ab26b1fe9c298d2054 Mon Sep 17 00:00:00 2001 
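Review bot: `NewProcessName: "*\tscon.exe"` is double-quoted, so YAML decodes `\t` as a tab character and the pattern becomes `*<TAB>scon.exe`, which can never match a real path; write it single-quoted, `NewProcessName: '*\tscon.exe'`, as the other rules in this series do. `SecurityID: "System"` presumably targets the subject account of the 4688 event, whose XML fields are SubjectUserSid/SubjectUserName — confirm the field name against the config mapping this rule is meant to be compiled with. The rule also carries no `id`, unlike the later rules in this series. tscon.exe is also used by legitimate administrators, so `falsepositives: Unknown` could be replaced with that known case.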
From: Vasiliy Burov Date: Wed, 27 Feb 2019 17:58:23 +0300 Subject: [PATCH 0002/1335] Update win_rdp_session_hijacking.yml --- rules/windows/builtin/win_rdp_session_hijacking.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml index 0ea0829cc..f50381960 100644 --- a/rules/windows/builtin/win_rdp_session_hijacking.yml +++ b/rules/windows/builtin/win_rdp_session_hijacking.yml @@ -12,6 +12,7 @@ author: vburov logsource: product: windows service: security +definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688 From 1fc4a97dedd82fc37991a5ffe3673a618d2bc496 Mon Sep 17 00:00:00 2001 From: Abhijit Khinvasara Date: Fri, 2 Oct 2020 17:18:06 -0700 Subject: [PATCH 0003/1335] Update target list in readme page --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 68f2285ab..62ca0e7e8 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule ```bash usage: sigmac [-h] [--recurse] [--filter FILTER] - [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}] + [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}] [--target-list] [--config CONFIG] [--output OUTPUT] [--backend-option BACKEND_OPTION] [--defer-abort] [--ignore-backend-errors] [--verbose] [--debug] 
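Review bot: The added `definition:` line appears at column 0 in the hunk, between `service: security` and `detection:`, which makes it a top-level key rather than part of `logsource`; Sigma expects it nested under `logsource` (compare win_remote_schtask.yml later in this series), so indent it: `  definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`. The surrounding rule continues outside the hunk.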
@@ -209,6 +209,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window * [LimaCharlie](https://limacharlie.io) * [ee-outliers](https://github.com/NVISO-BE/ee-outliers) * [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html) +* [LOGIQ](https://www.logiq.ai) Current work-in-progress * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels) From 00cf61cc5b368ebb7f0af4e121cbdfe8ad57a58a Mon Sep 17 00:00:00 2001 From: Furkan CALISKAN Date: Sun, 4 Oct 2020 23:47:16 +0300 Subject: [PATCH 0004/1335] Added explorer.exe LOLbin, OSCD --- .../process_creation/win_susp_explorer.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_explorer.yml diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml new file mode 100644 index 000000000..fca5c70d5 --- /dev/null +++ b/rules/windows/process_creation/win_susp_explorer.yml @@ -0,0 +1,32 @@ +title: Proxy execution via explorer.exe +id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e +description: Attackers can use explorer.exe for evading defense mechanisms +author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' +status: experimental +date: 10/02/2020 +references: + - https://twitter.com/bohops/status/1276356245541335048 + - https://twitter.com/CyberRaiju/status/1273597319322058752 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - \explorer.exe + CommandLine|contains: + - /root + selection2: + Image|endswith: + - \explorer.exe + ParentImage|endswith: + - \cmd.exe + CommandLine|contains: + - explorer.exe + condition: selection1 or selection2 +falsepositives: + - Unknown +level: medium From bc947fefc1eb285098a5a4166bbeadb4a029958b Mon Sep 17 00:00:00 2001 
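Review bot: `date: 10/02/2020` in win_susp_explorer.yml does not follow the YYYY/MM/DD form every other rule in this series uses (e.g. `date: 2020/10/05`) and is ambiguous between February and October; presumably `date: 2020/10/02` or `2020/10/04` was meant. selection2 (explorer.exe spawned by cmd.exe with `explorer.exe` anywhere on the command line) is very broad for a `medium` rule — the later commit adds "Legitimate explorer.exe run from cmd.exe" as a false positive, which suggests narrowing it, e.g. to the `/root,` or `/select,` forms documented in the referenced tweets. `attack.t1218` is a system-binary-proxy-execution parent technique; if a sub-technique applies, tag it too.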
From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 13:36:40 +1100 Subject: [PATCH 0005/1335] Create win_susp_wsl_lolbin.yml --- .../process_creation/win_susp_wsl_lolbin.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_wsl_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml new file mode 100644 index 000000000..da196a739 --- /dev/null +++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml @@ -0,0 +1,27 @@ +title: WSL Execution +id: dec44ca7-61ad-493c-bfd7-8819c5faa09b +status: experimental +description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +author: Zach Stanford '@svch0st' +date: 2020/10/05 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\wsl.exe' + CommandLine|contains: + - ' -e ' + - ' --exec ' + condition: selection +falsepositives: + - Automation and orchestration scripts may use this method execute scripts etc +level: medium From 03b350ff0b7274735a41c1244d119813010ae1dd Mon Sep 17 00:00:00 2001 From: JPMinty Date: Mon, 5 Oct 2020 13:15:48 +1030 Subject: [PATCH 0006/1335] Create win_remote_schtask.yml --- rules/windows/builtin/win_remote_schtask.yml | 36 ++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/windows/builtin/win_remote_schtask.yml diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml new file mode 100644 index 000000000..40b923741 --- /dev/null +++ b/rules/windows/builtin/win_remote_schtask.yml 
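Review bot: The false-positive entry in win_susp_wsl_lolbin.yml reads "may use this method execute scripts etc" and is missing a word; `  - Automation and orchestration scripts may use this method to execute scripts`. The `' -e '`/`' --exec '` substrings require surrounding spaces, which is fine for the LOLBAS invocation but will miss a command line where the switch is the last token or is followed by a quote — acceptable, but worth stating in the description so readers know the coverage is deliberate.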
@@ -0,0 +1,36 @@ +title: Remote Schtasks Creation +id: cf349c4b-99af-40fa-a051-823aa2307a84 +status: experimental +description: Detects remote execution via scheduled task creation or update on the destination host +author: Jai Minton +date: 2020/10/05 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.persistence + - attack.execution + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).' +detection: + selection1: + EventID: 4624 + Logon_Type: 3 + selection2: + EventID: + - 4698 + - 4702 + filter1: + Source_Network_Address: + - '::1' + - '127.0.0.1' + filter2: + Source_Network_Address: '-' + timeframe: 30d + condition: (selection1 and not filter1) or selection2 and not filter2 +falsepositives: + - Unknown +level: medium From 79d9cbe2c70b08d53f036c96e8d006e13fc50293 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Mon, 5 Oct 2020 13:23:00 +1030 Subject: [PATCH 0007/1335] Create win_remote_service.yml --- rules/windows/builtin/win_remote_service.yml | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_remote_service.yml diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml new file mode 100644 index 000000000..73db09935 --- /dev/null +++ b/rules/windows/builtin/win_remote_service.yml 
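Review bot: The `condition` fires on every non-loopback network logon: `(selection1 and not filter1)` is satisfied by any 4624 with `Logon_Type: 3` whose source is not ::1/127.0.0.1, independently of any task creation, because `timeframe: 30d` has no effect unless the condition contains an aggregation or a `near` expression. Likewise `selection2 and not filter2` matches every 4698/4702, since those events carry no `Source_Network_Address` and the filter therefore never excludes anything. If a correlation is intended it needs the `selection2 | near selection1` form (backend support is limited); otherwise drop selection1 and keep the rule as a plain 4698/4702 detection. The same construction is used in win_remote_service.yml (patches 0007 and 0011). The field names `Logon_Type` and `Source_Network_Address` look like rendered SIEM names rather than the event-XML names `LogonType`/`IpAddress` the windows-security rules normally use — confirm against the field mapping.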
@@ -0,0 +1,33 @@ +title: Remote Service Creation +id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 +status: experimental +description: Detects remote execution via service creation on the destination host +author: Jai Minton +date: 2020/10/05 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.persistence + - attack.execution + - attack.t1543.003 +logsource: + product: windows + service: security, system +detection: + selection1: + EventID: 4624 + Logon_Type: 3 + selection2: + EventID: + - 4697 + - 7045 + filter1: + Source_Network_Address: + - '::1' + - '127.0.0.1' + timeframe: 30d + condition: (selection1 and not filter1) or selection2 +falsepositives: + - Unknown +level: medium From ad5b128d0d559ffdbdca9680f27d74364ed275ef Mon Sep 17 00:00:00 2001 From: JPMinty Date: Mon, 5 Oct 2020 13:26:12 +1030 Subject: [PATCH 0008/1335] Delete win_remote_service.yml --- rules/windows/builtin/win_remote_service.yml | 33 -------------------- 1 file changed, 33 deletions(-) delete mode 100644 rules/windows/builtin/win_remote_service.yml diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml deleted file mode 100644 index 73db09935..000000000 --- a/rules/windows/builtin/win_remote_service.yml +++ /dev/null 
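Review bot: `service: security, system` is a single comma-separated string, not two log sources; a Sigma logsource takes one service, so this value will not map to either channel in a backend config. Since 4697 is written to the Security log and 7045 to the System log, split the rule into two documents (a YAML multi-document with a shared `action: global` section, or two files), each with its own `service:`. Patch 0011 re-creates this file unchanged and inherits the same problem, together with the always-true `selection1` branch already noted on win_remote_schtask.yml.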
@@ -1,33 +0,0 @@ -title: Remote Service Creation -id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 -status: experimental -description: Detects remote execution via service creation on the destination host -author: Jai Minton -date: 2020/10/05 -references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -tags: - - attack.lateral_movement - - attack.persistence - - attack.execution - - attack.t1543.003 -logsource: - product: windows - service: security, system -detection: - selection1: - EventID: 4624 - Logon_Type: 3 - selection2: - EventID: - - 4697 - - 7045 - filter1: - Source_Network_Address: - - '::1' - - '127.0.0.1' - timeframe: 30d - condition: (selection1 and not filter1) or selection2 -falsepositives: - - Unknown -level: medium From c675be41e2802b72681725005bdeb9d04460ed83 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 13:57:50 +1100 Subject: [PATCH 0009/1335] Create win_net_use_admin_share.yml --- .../win_net_use_admin_share.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/process_creation/win_net_use_admin_share.yml diff --git a/rules/windows/process_creation/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml new file mode 100644 index 000000000..2493c2fad --- /dev/null +++ b/rules/windows/process_creation/win_net_use_admin_share.yml 
@@ -0,0 +1,26 @@ +title: Mounted Windows Admin Shares with net.exe +id: 3abd6094-7027-475f-9630-8ab9be7b9725 +status: experimental +description: Detects when an admin share is mounted using net.exe +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' +date: 2020/10/05 +tags: + - attack.lateral_movement + - attack.T1021.002 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - ' use ' + - '\\\\*\*$*' + condition: selection +falsepositives: + - Administrators +level: medium From 3516819bf819cd01f010ccaa47592f9115e71925 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 14:00:36 +1100 Subject: [PATCH 0010/1335] Delete win_net_use_admin_share.yml --- .../win_net_use_admin_share.yml | 26 ------------------- 1 file changed, 26 deletions(-) delete mode 100644 rules/windows/process_creation/win_net_use_admin_share.yml diff --git a/rules/windows/process_creation/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml deleted file mode 100644 index 2493c2fad..000000000 --- a/rules/windows/process_creation/win_net_use_admin_share.yml +++ /dev/null 
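Review bot: The tag `attack.T1021.002` should be lowercase, `attack.t1021.002`, which is the form the Sigma tag convention and the other rules in this series use. The pattern `'\\\\*\*$*'` also deserves a second look: under Sigma's escaping rules `\*` denotes a literal asterisk, so as written the value requires a literal `*` before `$` rather than a backslash followed by a wildcard; if the intent is `\\<host>\<share>$`, the portable spelling is `'\\\\*\\*$*'`. The same pattern reappears as selection5 in patch 0013 and in the re-created rule in patch 0016, which also keeps the uppercase tag.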
@@ -1,26 +0,0 @@ -title: Mounted Windows Admin Shares with net.exe -id: 3abd6094-7027-475f-9630-8ab9be7b9725 -status: experimental -description: Detects when an admin share is mounted using net.exe -references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' -date: 2020/10/05 -tags: - - attack.lateral_movement - - attack.T1021.002 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\net.exe' - - '\net1.exe' - CommandLine|contains|all: - - ' use ' - - '\\\\*\*$*' - condition: selection -falsepositives: - - Administrators -level: medium From 99e52a6f7a4a60ccf28f0195f3af9e48695b0f67 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Mon, 5 Oct 2020 13:37:55 +1030 Subject: [PATCH 0011/1335] Create win_remote_service.yml --- rules/windows/builtin/win_remote_service.yml | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_remote_service.yml diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml new file mode 100644 index 000000000..73db09935 --- /dev/null +++ b/rules/windows/builtin/win_remote_service.yml 
@@ -0,0 +1,33 @@ +title: Remote Service Creation +id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 +status: experimental +description: Detects remote execution via service creation on the destination host +author: Jai Minton +date: 2020/10/05 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.persistence + - attack.execution + - attack.t1543.003 +logsource: + product: windows + service: security, system +detection: + selection1: + EventID: 4624 + Logon_Type: 3 + selection2: + EventID: + - 4697 + - 7045 + filter1: + Source_Network_Address: + - '::1' + - '127.0.0.1' + timeframe: 30d + condition: (selection1 and not filter1) or selection2 +falsepositives: + - Unknown +level: medium From 6fc476b2a283f0faaf286ff1077017bbd5face84 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Mon, 5 Oct 2020 13:40:57 +1030 Subject: [PATCH 0012/1335] Delete win_remote_schtask.yml --- rules/windows/builtin/win_remote_schtask.yml | 36 -------------------- 1 file changed, 36 deletions(-) delete mode 100644 rules/windows/builtin/win_remote_schtask.yml diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml deleted file mode 100644 index 40b923741..000000000 --- a/rules/windows/builtin/win_remote_schtask.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -title: Remote Schtasks Creation -id: cf349c4b-99af-40fa-a051-823aa2307a84 -status: experimental -description: Detects remote execution via scheduled task creation or update on the destination host -author: Jai Minton -date: 2020/10/05 -references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -tags: - - attack.lateral_movement - - attack.persistence - - attack.execution - - attack.t1053.005 -logsource: - product: windows - service: security - definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).' -detection: - selection1: - EventID: 4624 - Logon_Type: 3 - selection2: - EventID: - - 4698 - - 4702 - filter1: - Source_Network_Address: - - '::1' - - '127.0.0.1' - filter2: - Source_Network_Address: '-' - timeframe: 30d - condition: (selection1 and not filter1) or selection2 and not filter2 -falsepositives: - - Unknown -level: medium From 641f3031bde6bbb8aa88e62d80debdfd0190566f Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 14:27:39 +1100 Subject: [PATCH 0013/1335] Update win_susp_copy_lateral_movement.yml --- .../win_susp_copy_lateral_movement.yml | 43 +++++++++++++------ 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 53841c573..77d4ab783 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml 
@@ -1,31 +1,48 @@ title: Copy from Admin Share id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: experimental -description: Detects a suspicious copy command from a remote C$ or ADMIN$ share +description: Detects a suspicious copy command to or from an Admin share references: - https://twitter.com/SBousseaden/status/1211636381086339073 -author: Florian Roth + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Florian Roth, Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st' date: 2019/12/30 -modified: 2020/09/05 +modified: 2020/10/05 tags: - attack.lateral_movement - - attack.t1021.002 - - attack.command_and_control - - attack.t1105 - - attack.s0106 - - attack.t1077 # an old one + - attack.collection + - attack.exfiltration + - attack.t1039 + - attack.t1105 # an old one + - attack.t1048 logsource: category: process_creation product: windows detection: - selection: + selection1: + Image|endswith: + - '\robocopy.exe' + - '\xcopy.exe' + selection2: + Image|endswith: + - '\cmd.exe' CommandLine|contains: - - 'copy *\c$' - - 'copy *\ADMIN$' - condition: selection + - 'copy' + selection4: + Image|contains: + - '\powershell' + CommandLine|contains: + - 'copy-item' + - 'copy' + - 'cpi ' + - ' cp ' + selection5: + CommandLine|contains: + - '\\\\*\*$*' + condition: (selection1 or selection2 or selection3 or selection4) and selection5 fields: - CommandLine - ParentCommandLine falsepositives: - Administrative scripts -level: high +level: medium From dd2ab4082de05978844da406a726f654402b5338 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 14:33:00 +1100 Subject: [PATCH 0014/1335] Update win_susp_copy_lateral_movement.yml --- .../windows/process_creation/win_susp_copy_lateral_movement.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
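Review bot: `condition: (selection1 or selection2 or selection3 or selection4) and selection5` references `selection3`, which is not defined in the new `detection` block (selection1, 2, 4 and 5 are), so the rule will not parse; either number the selections consecutively or drop it: `condition: (selection1 or selection2 or selection4) and selection5`. In selection4 the value `'copy'` already subsumes `'copy-item'`, so one of them is redundant. The `# an old one` comment now sits on `attack.t1105`, a current technique, rather than on the deprecated tag it originally annotated.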
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 77d4ab783..45ce9c7c2 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml @@ -45,4 +45,4 @@ fields: - ParentCommandLine falsepositives: - Administrative scripts -level: medium +level: High From 60bd6a369263918c2e3eaa441e9d84d5bdf6988d Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 14:35:20 +1100 Subject: [PATCH 0015/1335] Update win_susp_copy_lateral_movement.yml --- .../windows/process_creation/win_susp_copy_lateral_movement.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 45ce9c7c2..e3dac9ae0 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml @@ -15,6 +15,7 @@ tags: - attack.t1039 - attack.t1105 # an old one - attack.t1048 + - attack.t1021.002 logsource: category: process_creation product: windows From c82d5ac08e6ef5a839b9d5a60dbc5052ab775a67 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 14:43:45 +1100 Subject: [PATCH 0016/1335] Create win_net_use_admin_share.yml --- .../builtin/win_net_use_admin_share.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/builtin/win_net_use_admin_share.yml diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml new file mode 100644 index 000000000..2493c2fad --- /dev/null +++ b/rules/windows/builtin/win_net_use_admin_share.yml 
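Review bot: `level: High` uses a capitalised value; Sigma's level field is lowercase (`low`, `medium`, `high`, `critical`) and every other rule in this series writes it that way, so this will be flagged by the rule tests — `level: high`. The rule body is outside the hunk.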
@@ -0,0 +1,26 @@ +title: Mounted Windows Admin Shares with net.exe +id: 3abd6094-7027-475f-9630-8ab9be7b9725 +status: experimental +description: Detects when an admin share is mounted using net.exe +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' +date: 2020/10/05 +tags: + - attack.lateral_movement + - attack.T1021.002 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - ' use ' + - '\\\\*\*$*' + condition: selection +falsepositives: + - Administrators +level: medium From c34cde7938f725d2f650ad0be4628358c506f6be Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:17:39 +1100 Subject: [PATCH 0017/1335] Create win_susp_logon_explicit_credentials.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml (source="WinEventLog:Security" (EventCode="4648" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\winrs.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost")) --- .../win_susp_logon_explicit_credentials.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/builtin/win_susp_logon_explicit_credentials.yml diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml new file mode 100644 index 000000000..dc71394f1 --- /dev/null +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml 
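Review bot: This file is created under rules/windows/builtin/ although its logsource is `category: process_creation`; the earlier copy (patch 0009) and its sibling rules live under rules/windows/process_creation/, and builtin holds the Security/System event-log rules, so the placement looks unintended. The uppercase tag and the `'\\\\*\*$*'` escaping noted on patch 0009 are carried over unchanged.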
@@ -0,0 +1,31 @@ +title: Suspicous Logon with Explicit Credentials +id: 941e5c45-cda7-4864-8cea-bbb7458d194a +status: experimental +description: Detects the attack technique pass the hash which is used to move laterally inside the network +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st' +date: 2020/10/05 +tags: +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4648 + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\winrs.exe' + - '\wmic.exe' + - '\net.exe' + - '\net1.exe' + - '\reg.exe' + - '\winrs.exe' + filter: + Target_Server_Name: 'localhost' + condition: selection and not filter +falsepositives: +level: medium From 0249d330f5e4fc4d13746fd3215073fa34b000cb Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:23:23 +1100 Subject: [PATCH 0018/1335] Update win_susp_logon_explicit_credentials.yml --- .../builtin/win_susp_logon_explicit_credentials.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index dc71394f1..7ae1a49d7 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml 
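Review bot: `tags:`, `definition:` and `falsepositives:` are left with no value, which YAML reads as null; `tags` and `falsepositives` are expected to be lists, and an empty `definition` under logsource adds nothing, so either fill them or drop the keys (e.g. `tags:` with `  - attack.lateral_movement` and `  - attack.t1550.002`, given the description's pass-the-hash framing). `'\winrs.exe'` is listed twice in `Image|endswith`. Patch 0018 adds a false positive but leaves `tags` and `definition` empty, so the problem persists.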
@@ -1,10 +1,10 @@ -title: Suspicous Logon with Explicit Credentials +title: Suspicous Remote Logon with Explicit Credentials id: 941e5c45-cda7-4864-8cea-bbb7458d194a status: experimental -description: Detects the attack technique pass the hash which is used to move laterally inside the network +description: Detects suspicious processes logging on with explicit credentials references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st' +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' date: 2020/10/05 tags: logsource: @@ -28,4 +28,5 @@ detection: Target_Server_Name: 'localhost' condition: selection and not filter falsepositives: + - Administrators that use the RunAS command or scheduled tasks level: medium From a02f4840e5248c8c48e1d729ea25069caf839d43 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:31:30 +1100 Subject: [PATCH 0019/1335] Update win_susp_logon_explicit_credentials.yml --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 7ae1a49d7..1c5db8579 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -23,7 +23,6 @@ detection: - '\net.exe' - '\net1.exe' - '\reg.exe' - - '\winrs.exe' filter: Target_Server_Name: 'localhost' condition: selection and not filter From 85962665fd958ced1641248c982114c5b109f105 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?= Date: Mon, 5 Oct 2020 10:49:54 +0300 Subject: [PATCH 0020/1335] Update win_susp_explorer.yml --- rules/windows/process_creation/win_susp_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
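Review bot: The rewritten title keeps the misspelling "Suspicous" from the original line; `title: Suspicious Remote Logon with Explicit Credentials`. The new description, "Detects suspicious processes logging on with explicit credentials", drops the pass-the-hash wording but the rule is still untagged, so a reader cannot tell which technique it is meant to cover.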
diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml index fca5c70d5..580a339af 100644 --- a/rules/windows/process_creation/win_susp_explorer.yml +++ b/rules/windows/process_creation/win_susp_explorer.yml @@ -1,4 +1,4 @@ -title: Proxy execution via explorer.exe +title: Proxy Execution Via Explorer.exe id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e description: Attackers can use explorer.exe for evading defense mechanisms author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' From ffc768e2621608c337b1e41c8ba0a806fc7fc14e Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Mon, 5 Oct 2020 11:30:24 +0300 Subject: [PATCH 0021/1335] Create win_susp_pcwutl.yml --- .../process_creation/win_susp_pcwutl.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_pcwutl.yml diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml new file mode 100644 index 000000000..c3e62534e --- /dev/null +++ b/rules/windows/process_creation/win_susp_pcwutl.yml @@ -0,0 +1,27 @@ +title: Code execution via Pcwutl.dll +id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05 +description: Detects launch of executable by calling the LaunchApplication function pcwutl.dll. +status: experimental +references: + - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md + - https://twitter.com/harr0ey/status/989617817849876488 +author: Julia Fomina +date: 2020/10/2505 +tags: + - attack.defense_evasion + - attack.t1218.011 + - attack.execution # an old one + - attack.t1218 # an old one +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\rundll32.exe' + CommandLine|contains|all: + - 'pcwutl' + - 'LaunchApplication' + condition: selection +level: medium +falsepositives: + - Use of Program Compatibility Troubleshooter Helper 
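Review bot: `date: 2020/10/2505` in win_susp_pcwutl.yml is not a valid date; the commit is from 5 Oct 2020, so presumably `date: 2020/10/05`. `attack.execution # an old one` is a tactic, not a deprecated technique id, so the comment is misleading there. Putting `level` before `falsepositives` is unusual in this repository; the other rules end with `falsepositives` then `level`.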
From 577daa378a67c0adb7c0e9589a22226d98f77972 Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Mon, 5 Oct 2020 12:22:50 +0300 Subject: [PATCH 0022/1335] Create win_susp_pester.yml --- .../process_creation/win_susp_pester.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_pester.yml diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml new file mode 100644 index 000000000..6e58751c5 --- /dev/null +++ b/rules/windows/process_creation/win_susp_pester.yml @@ -0,0 +1,32 @@ +title: Execute code using Pester +id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e +description: Detects code execution via Pester.bat (Pester Powershell Modulte) +status: experimental +references: + - https://lolbas-project.github.io/lolbas/Scripts/pester/ + - https://twitter.com/Oddvarmoe/status/993383596244258816 +author: Julia Fomina, oscd.community +date: 2020/10/05 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + category: process_creation + product: windows +detection: + selection_1: + Image|endswith: '\poweshell.exe' + CommandLine|contains|all: + - 'Pester' + - 'Get-Help*;' + selection_2: + Image|endswith: '\cmd.exe' + CommandLine: '*Pester.bat*;*' + CommandLine:|contains: + - '/help' + - '/?' + - '-?' + condition: selection_1 or selection_2 +level: medium +falsepositives: + - Legitimate use of Pester for writing tests for Powershell scripts and modules From 39f955d24de6fb5945ce77d2e8094fe99cc71184 Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Mon, 5 Oct 2020 13:14:35 +0300 Subject: [PATCH 0023/1335] Revert "Create win_susp_pester.yml" This reverts commit 577daa378a67c0adb7c0e9589a22226d98f77972. --- .../process_creation/win_susp_pester.yml | 32 ------------------- 1 file changed, 32 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_pester.yml 
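Review bot: `Image|endswith: '\poweshell.exe'` is misspelled (missing the r), so selection_1 can never match. selection_2 also has a malformed key, `CommandLine:|contains:` (the colon belongs after the modifier), and already defines `CommandLine: '*Pester.bat*;*'` in the same map, so the two constraints need to be combined into one field expression. The description's "Modulte" should read "Module". Patch 0023 reverts this file, so these points apply if the rule is resubmitted.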
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml deleted file mode 100644 index 6e58751c5..000000000 --- a/rules/windows/process_creation/win_susp_pester.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: Execute code using Pester -id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e -description: Detects code execution via Pester.bat (Pester Powershell Modulte) -status: experimental -references: - - https://lolbas-project.github.io/lolbas/Scripts/pester/ - - https://twitter.com/Oddvarmoe/status/993383596244258816 -author: Julia Fomina, oscd.community -date: 2020/10/05 -tags: - - attack.defense_evasion - - attack.t1216 -logsource: - category: process_creation - product: windows -detection: - selection_1: - Image|endswith: '\poweshell.exe' - CommandLine|contains|all: - - 'Pester' - - 'Get-Help*;' - selection_2: - Image|endswith: '\cmd.exe' - CommandLine: '*Pester.bat*;*' - CommandLine:|contains: - - '/help' - - '/?' - - '-?' - condition: selection_1 or selection_2 -level: medium -falsepositives: - - Legitimate use of Pester for writing tests for Powershell scripts and modules From b147fc3296389d16bd7addfc0d66c9b89349ce1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?= Date: Mon, 5 Oct 2020 13:22:43 +0300 Subject: [PATCH 0024/1335] Update win_susp_explorer.yml Added known-fp --- rules/windows/process_creation/win_susp_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml index 580a339af..8d5442865 100644 --- a/rules/windows/process_creation/win_susp_explorer.yml +++ b/rules/windows/process_creation/win_susp_explorer.yml @@ -28,5 +28,5 @@ detection: - explorer.exe condition: selection1 or selection2 falsepositives: - - Unknown + - Legitimate explorer.exe run from cmd.exe level: medium From 815aa3c719f25c46e0023f6b4089c1ce763dfbaa Mon Sep 17 00:00:00 2001 
From: Yuliya Fomina Date: Mon, 5 Oct 2020 14:00:21 +0300 Subject: [PATCH 0025/1335] Edited win_susp_pcwutl --- rules/windows/process_creation/win_susp_pcwutl.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml index c3e62534e..02484a40a 100644 --- a/rules/windows/process_creation/win_susp_pcwutl.yml +++ b/rules/windows/process_creation/win_susp_pcwutl.yml @@ -18,9 +18,7 @@ logsource: detection: selection: Image|endswith: '\rundll32.exe' - CommandLine|contains|all: - - 'pcwutl' - - 'LaunchApplication' + CommandLine|contains: 'pcwutl*LaunchApplication' condition: selection level: medium falsepositives: From 53f0261a622be8df5848b48d7d53b8b988cf23d5 Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Mon, 5 Oct 2020 10:39:21 -0400 Subject: [PATCH 0026/1335] Add Stored Credentials in Fake Files rule --- ...ess_fake_files_with_stored_credentials.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml diff --git a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml b/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml new file mode 100644 index 000000000..ab2533ba9 --- /dev/null +++ b/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml 
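Review bot: Replacing `CommandLine|contains|all` with `CommandLine|contains: 'pcwutl*LaunchApplication'` embeds a wildcard inside a contains value; that is allowed, but it ties the match to argument order and depends on each backend translating an inner `*`, whereas the removed form was order-independent and portable. If the ordering is the point (the LOLBAS invocation always names pcwutl before LaunchApplication), a one-line comment stating that would justify the change. The rest of the rule is outside the hunk.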
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+ - attack.credential_access
+ - attack.t1555
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ AccessList|contains: '%%4416'
+ ObjectName|endswith:
+ - '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml'
+ - '\Panther\Unattend.xml'
+ condition: selection
+fields:
+ - EventID
+ - AccessList
+ - ObjectName
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From f455146a292358e05817008a6c1821826ab6b12f Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Mon, 5 Oct 2020 18:08:20 +0300
Subject: [PATCH 0027/1335] Detecting use PsExec via Pipe Creation/Access to pipes RULE (#29 #30)
---
 .../sysmon/sysmon_psexec_pipes_artifacts.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml
diff --git a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml
new file mode 100644
index 000000000..a81fea6ca
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml
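Review bot: Event 4663 is only produced for objects that carry a matching SACL with the Object Access > File System audit subcategory enabled, so this rule stays silent unless the decoy files have been explicitly audited; that prerequisite belongs in the rule, e.g. `definition: 'Requires Audit Object Access > File System and a read SACL on the planted decoy files'` under `logsource`. The `ObjectName|endswith` values also match a genuine `Groups.xml` in a Group Policy cache and a real `\Panther\Unattend.xml`, so an analyst needs to know these paths are meant to be decoys, and `level: high` next to `falsepositives: Unknown` is hard to justify without that context. The description `Search for accessing of fake files with stored credentials` reads better as `Detects read access to decoy files that appear to contain stored credentials`.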
@@ -0,0 +1,29 @@
+title: PsExec Pipes Artifacts
+id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+status: experimental
+description: Detecting use PsExec via Pipe Creation/Access to pipes
+author: Nikita Nazarov
+date: 2020/05/10
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+logsource:
+ product: windows
+ service: sysmon
+ definition: 'Note that you have to configure logging for PipeEvents in Symson config'
+detection:
+ selection:
+ EventID:
+ - 17
+ - 18
+ PipeName:
+ - 'psexec*'
+ - 'paexec*'
+ - 'remcom*'
+ - 'csexec*'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
From 364ef1e61f7d0ed4e76169c84f1438413d6d498f Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 5 Oct 2020 22:30:09 +0530
Subject: [PATCH 0028/1335] [OSCD] Security Eventlog Cleared
Adding new changes to main
---
 rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index cc61bdf10..a24e9d470 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -12,6 +12,7 @@ detection:
 EventID:
 - 517
 - 1102
+ - 104
 condition: selection
 falsepositives:
 - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
From 1e7a47440f3d014ba2e57ddecca89376545400fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Mon, 5 Oct 2020 20:21:20 +0300
Subject: [PATCH 0029/1335] Install Root Certificate
---
 rules/linux/lnx_install_root_certificate | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/linux/lnx_install_root_certificate
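Review bot: The `PipeName` values `'psexec*'`, `'paexec*'`, `'remcom*'` and `'csexec*'` are anchored at the start of the field, but Sysmon records pipe names with a leading backslash (for example `\PSEXESVC`), so as written these would most likely never match; `PipeName|startswith: '\psexec'` or `PipeName|contains: 'psexec'` (one entry per tool) avoids the anchoring problem. `date: 2020/05/10` reads as 10 May in the repository's YYYY/MM/DD format while the commit is dated 5 October, so day and month appear swapped. `Symson` in the `definition` string is a typo for `Sysmon`.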
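Review bot: Event ID 104 ("The System log file was cleared", Microsoft-Windows-Eventlog provider) is written to the System channel, not the Security channel, so if this rule's `logsource` (outside the hunk) is `service: security` as the file name suggests, the new `- 104` entry will never fire; 1102 and the legacy 517 are the Security-channel events. If System-log clearing is wanted, it needs its own rule or a second document with `service: system` under an `action: global` header. The rule's `logsource`, `title` and `level` are all outside the hunk.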
diff --git a/rules/linux/lnx_install_root_certificate b/rules/linux/lnx_install_root_certificate
new file mode 100644
index 000000000..e63877953
--- /dev/null
+++ b/rules/linux/lnx_install_root_certificate
@@ -0,0 +1,20 @@
+title: Install Root Certificate
+id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+description: Detects setting proxy
+references:
+ - https://attack.mitre.org/techniques/T1553/004/
+author: Ömer Günal
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+level: low
+logsource:
+ product: linux
+detection:
+ keyword:
+ - 'mv * /usr/local/share/ca-certificates'
+ keyword2:
+ - '*update-ca-certificates*'
+ condition: keyword and keyword2
+falsepositives:
+ - Legitimate administration activities
From 0e7eb32f62417b3df23a7d1e033826c7b857a85f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Mon, 5 Oct 2020 20:22:43 +0300
Subject: [PATCH 0030/1335] update description
---
 rules/linux/lnx_install_root_certificate | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_install_root_certificate b/rules/linux/lnx_install_root_certificate
index e63877953..528c78828 100644
--- a/rules/linux/lnx_install_root_certificate
+++ b/rules/linux/lnx_install_root_certificate
@@ -1,6 +1,6 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
-description: Detects setting proxy
+description: Detects installed new certificate
 references:
 - https://attack.mitre.org/techniques/T1553/004/
 author: Ömer Günal
From 4d655138b245f245a352bdccb5af0995b220fcd6 Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Mon, 5 Oct 2020 23:03:05 +0300
Subject: [PATCH 0031/1335] Added findstr lolbin
---
 .../process_creation/win_susp_findstr.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_findstr.yml
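Review bot: `condition: keyword and keyword2` requires one log event to contain both `mv * /usr/local/share/ca-certificates` and `update-ca-certificates`, but these are two separate commands that would normally be recorded as separate events (auditd, shell history, syslog), so the rule effectively never matches; `condition: keyword or keyword2` expresses the intent, and `level: low` already accounts for the extra noise. The `mv` keyword also misses `cp` into the same directory, and the technique tag `attack.t1553.004` that the ATT&CK reference points to is missing from `tags`. `logsource` has only `product: linux` with no `service` or `category`, so it is unclear which log the keywords are meant to be searched in; a `definition` line would help whoever deploys it.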
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
new file mode 100644
index 000000000..88c3784d6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_findstr.yml
@@ -0,0 +1,36 @@
+title: Abusing Findstr for Defense Evasion
+id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
+author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
+status: test
+date: 10/05/2020
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selectionFindstr:
+ CommandLine|contains:
+ - findstr
+ selectionV:
+ CommandLine|contains:
+ - /V
+ selectionL:
+ CommandLine|contains:
+ - /L
+ selectionS:
+ CommandLine|contains:
+ - /S
+ selectionI:
+ CommandLine|contains:
+ - /I
+ condition: (selectionFindstr and selectionV and selectionL) or (selectionFindstr and selectionS and selectionI)
+falsepositives:
+ - Administrative findstr usage
+level: medium
From ea6d60c58f82cf1244de4e0d90fa4d47ca954f60 Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Mon, 5 Oct 2020 23:26:57 +0300
Subject: [PATCH 0032/1335] Added print lolbin
---
 .../process_creation/win_susp_print.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_print.yml
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
new file mode 100644
index 000000000..c15c0c434
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_print.yml
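Review bot: `selectionFindstr` matches the substring `findstr` anywhere in `CommandLine` with no `Image` constraint, so any process whose arguments merely mention findstr (a `cmd /c ... | findstr` pipeline from a service, a script echoing the word) is a candidate, and the switch selections `/V`, `/L`, `/S`, `/I` are two-character substrings that collide with unrelated flags such as `/LOG`, `/SILENT` or `/INSTALL` on the same line. Anchoring on `Image|endswith: '\findstr.exe'` and keeping `CommandLine` only for the switches would tighten this considerably; the same gap remains in the reworked selections of PATCH 0042's hunk to this file. The description `evade defense mechanism` should be `evade defense mechanisms`.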
@@ -0,0 +1,28 @@
+title: Abusing Print Executable
+id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
+description: Attackers can use print.exe for remote file copy
+author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
+status: experimental
+date: 10/05/2020
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|contains:
+ - .exe
+ selection2:
+ CommandLine|contains:
+ - /D
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: medium
From 5b31b8755d0ddcd5448c770f92394970049136a0 Mon Sep 17 00:00:00 2001
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com>
Date: Tue, 6 Oct 2020 08:55:01 +0300
Subject: [PATCH 0033/1335] Update win_susp_pcwutl.yml
---
 rules/windows/process_creation/win_susp_pcwutl.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
index 02484a40a..86a5fcc26 100644
--- a/rules/windows/process_creation/win_susp_pcwutl.yml
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
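Review bot: `CommandLine|contains: - .exe` under `selection1` is satisfied by the process's own `print.exe` token in most recorded command lines, so `selection1` degrades to "print.exe was run" and `selection2`'s `/D` is the only real discriminator; the `.exe` check needs to be scoped to the file argument rather than the whole line. The `description` says the binary is used for remote file copy, which ATT&CK files under Ingress Tool Transfer (T1105) as far as I recall, yet `tags` carries only `attack.t1218`; adding `attack.t1105` keeps the mapping consistent with the description. `date: 10/05/2020` does not follow the repository's `YYYY/MM/DD` convention used by the neighbouring rules.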
@@ -1,12 +1,12 @@
-title: Code execution via Pcwutl.dll
+title: Code Execution via Pcwutl.dll
 id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
-description: Detects launch of executable by calling the LaunchApplication function pcwutl.dll.
+description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
 status: experimental
 references:
 - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md
 - https://twitter.com/harr0ey/status/989617817849876488
-author: Julia Fomina
-date: 2020/10/2505
+author: Julia Fomina, oscd.community
+date: 2020/10/05
 tags:
 - attack.defense_evasion
 - attack.t1218.011
From 759268108fe899fc20a119ee6f2bd69b9325d268 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Tue, 6 Oct 2020 09:04:36 +0300
Subject: [PATCH 0034/1335] rename filename
---
 ..._install_root_certificate => lnx_install_root_certificate.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/linux/{lnx_install_root_certificate => lnx_install_root_certificate.yml} (100%)
diff --git a/rules/linux/lnx_install_root_certificate b/rules/linux/lnx_install_root_certificate.yml
similarity index 100%
rename from rules/linux/lnx_install_root_certificate
rename to rules/linux/lnx_install_root_certificate.yml
From 6ae36993d9d410a992bf0e972bd8a92068b52b72 Mon Sep 17 00:00:00 2001
From: grikos
Date: Tue, 6 Oct 2020 10:18:34 +0300
Subject: [PATCH 0035/1335] Create win_susp_vboxdrvInst.yml
---
 .../process_creation/win_susp_vboxdrvInst.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_vboxdrvInst.yml
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
new file mode 100644
index 000000000..4f568f193
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -0,0 +1,28 @@
+title: Set registry key-value via INF file call through VBoxDrvInst.exe
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect run VBoxDrvInst.exe whith parameters allowing registry modify via INF file
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+tags:
+ - attack.defense_evasion
+ - attack.T1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine:
+ - 'driver*executeinf'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
\ No newline at end of file
From cd4ce37e28d1ea7e6e02dfcd5fcacf275cb4d087 Mon Sep 17 00:00:00 2001
From: grikos
Date: Tue, 6 Oct 2020 10:18:34 +0300
Subject: [PATCH 0036/1335] Create win_susp_vboxdrvInst.yml
---
 .../process_creation/win_susp_vboxdrvInst.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_vboxdrvInst.yml
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
new file mode 100644
index 000000000..4f568f193
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
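Review bot: `CommandLine: - 'driver*executeinf'` is a plain value, which Sigma matches against the whole field, so the command line would have to begin with `driver`; a recorded command line begins with the image path or name, so this pattern only matches if a backend adds implicit leading and trailing wildcards, which the specification does not do. `CommandLine|contains|all:` with `driver` and `executeinf` (or the value `'*driver*executeinf*'`) matches the `driver executeinf` invocation the rule targets regardless of the path prefix. `whith` in `description` is a typo for `with`, and the identical hunk in PATCH 0036 (same file, same blob id) carries the same issues.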
@@ -0,0 +1,28 @@
+title: Set registry key-value via INF file call through VBoxDrvInst.exe
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect run VBoxDrvInst.exe whith parameters allowing registry modify via INF file
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+tags:
+ - attack.defense_evasion
+ - attack.T1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine:
+ - 'driver*executeinf'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
\ No newline at end of file
From 6c89ad17a71b278eec0982e755aad8c11df2b48e Mon Sep 17 00:00:00 2001
From: grikos
Date: Tue, 6 Oct 2020 10:25:06 +0300
Subject: [PATCH 0037/1335] newline at the end of file
---
 rules/windows/process_creation/win_susp_vboxdrvInst.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
index 4f568f193..2b2b4b7e8 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -25,4 +25,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
-level: medium
\ No newline at end of file
+level: medium
From 2638e2a80eeccba997e5721648429d75d3d3573d Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Tue, 6 Oct 2020 10:35:12 +0300
Subject: [PATCH 0038/1335] newline at the end of file
---
 rules/windows/process_creation/win_susp_vboxdrvInst.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
index 4f568f193..2b2b4b7e8 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -25,4 +25,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
-level: medium
\ No newline at end of file
+level: medium
From b93e64cd96ee6a57ca1cdeb0a2ddaa6b0b5008b1 Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Tue, 6 Oct 2020 11:59:20 +0300
Subject: [PATCH 0039/1335] Update title according with the guideline
---
 rules/windows/process_creation/win_susp_vboxdrvInst.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
index 2b2b4b7e8..5b3351b67 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -1,4 +1,4 @@
-title: Set registry key-value via INF file call through VBoxDrvInst.exe
+title: Registry Modify via VBoxDrvInst.exe
 id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
 description: Detect run VBoxDrvInst.exe whith parameters allowing registry modify via INF file
 status: experimental
From 79503c63dd2379f39a4b0d865ffdb512745224d6 Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Tue, 6 Oct 2020 12:22:19 +0300
Subject: [PATCH 0040/1335] fixed typo in att&ck mapping tag
---
 rules/windows/process_creation/win_susp_vboxdrvInst.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
index 5b3351b67..4093b1484 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
 tags:
 - attack.defense_evasion
- - attack.T1112
+ - attack.t1112
 logsource:
 category: process_creation
 product: windows
From 52edc13d1553366b277a35e15d0e23e2db611803 Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Tue, 6 Oct 2020 19:10:33 +0300
Subject: [PATCH 0041/1335] Fixed dates
---
 rules/windows/process_creation/win_susp_explorer.yml | 2 +-
 rules/windows/process_creation/win_susp_findstr.yml | 2 +-
 rules/windows/process_creation/win_susp_print.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml
index 8d5442865..cfda75064 100644
--- a/rules/windows/process_creation/win_susp_explorer.yml
+++ b/rules/windows/process_creation/win_susp_explorer.yml
@@ -3,7 +3,7 @@ id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
 description: Attackers can use explorer.exe for evading defense mechanisms
 author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
 status: experimental
-date: 10/02/2020
+date: 2020/10/05
 references:
 - https://twitter.com/bohops/status/1276356245541335048
 - https://twitter.com/CyberRaiju/status/1273597319322058752
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
index 88c3784d6..bbf116f53 100644
--- a/rules/windows/process_creation/win_susp_findstr.yml
+++ b/rules/windows/process_creation/win_susp_findstr.yml
@@ -3,7 +3,7 @@ id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
 author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
 status: test
-date: 10/05/2020
+date: 2020/10/05
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
index c15c0c434..6f9260015 100644
--- a/rules/windows/process_creation/win_susp_print.yml
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -3,7 +3,7 @@ id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
 description: Attackers can use print.exe for remote file copy
 author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
 status: experimental
-date: 10/05/2020
+date: 2020/10/05
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
 - https://twitter.com/Oddvarmoe/status/985518877076541440
From a5ceba93a972fa815a17f37c5d0dee72efb4317d Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Tue, 6 Oct 2020 19:15:30 +0300
Subject: [PATCH 0042/1335] Fixed conditions
---
 .../windows/process_creation/win_susp_findstr.yml | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
index bbf116f53..6bfa56331 100644
--- a/rules/windows/process_creation/win_susp_findstr.yml
+++ b/rules/windows/process_creation/win_susp_findstr.yml
@@ -18,19 +18,15 @@ detection:
 selectionFindstr:
 CommandLine|contains:
 - findstr
- selectionV:
- CommandLine|contains:
+ selection_V_L:
+ CommandLine|contains|all:
 - /V
- selectionL:
- CommandLine|contains:
 - /L
- selectionS:
- CommandLine|contains:
+ selection_S_I:
+ CommandLine|contains|all:
 - /S
- selectionI:
- CommandLine|contains:
 - /I
- condition: (selectionFindstr and selectionV and selectionL) or (selectionFindstr and selectionS and selectionI)
+ condition: selectionFindstr and (selection_V_L or selection_S_I)
 falsepositives:
 - Administrative findstr usage
 level: medium
From 0023a22ead5b3f3df5e41482d03de2d50a937efe Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Tue, 6 Oct 2020 19:20:19 +0300
Subject: [PATCH 0043/1335] Added FP conditions and fileshare part for cmdline
---
 rules/windows/process_creation/win_susp_print.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
index 6f9260015..5459ccb4c 100644
--- a/rules/windows/process_creation/win_susp_print.yml
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -17,12 +17,13 @@ detection:
 selection1:
 Image|endswith:
 - \print.exe
- CommandLine|contains:
+ CommandLine|contains|all:
 - .exe
+ - \\
 selection2:
 CommandLine|contains:
 - /D
 condition: selection1 and selection2
 falsepositives:
- - Unknown
+ - Legitimate printer actions from a fileshare for an exe file
 level: medium
From 60b3450fa83fd2c8ea81477bed23a58d5803b513 Mon Sep 17 00:00:00 2001
From: ensar-pcs <53811649+ensar-pcs@users.noreply.github.com>
Date: Tue, 6 Oct 2020 19:22:16 +0300
Subject: [PATCH 0044/1335] [OSCD] win_syncappvpublishingserver_exe.yml added
---
 .../win_syncappvpublishingserver_exe.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
new file mode 100644
index 000000000..d1e5e4769
--- /dev/null
+++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
@@ -0,0 +1,30 @@
+action: global
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+detection:
+ condition: 1 of them
+falsepositives:
+ - App-V clients
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith: '\SyncAppvPublishingServer.exe'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection2:
+ Message|contains: 'SyncAppvPublishingServer.exe'
\ No newline at end of file
From bbb9fed3e643c8f74f956c368eacb66ff9d8d5ee Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Tue, 6 Oct 2020 19:51:55 +0300
Subject: [PATCH 0045/1335] Fixed for FP issues
---
 rules/windows/process_creation/win_susp_print.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
index 5459ccb4c..e1dd41b54 100644
--- a/rules/windows/process_creation/win_susp_print.yml
+++ b/rules/windows/process_creation/win_susp_print.yml
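Review bot: `selection1` fires on every execution of `SyncAppvPublishingServer.exe` with no `CommandLine` constraint, so on hosts with App-V clients (the one entry already under `falsepositives`) each routine publishing sync alerts at `level: medium`; the bypass the referenced LOLBAS entry describes passes script text as the binary's argument, so a `CommandLine` condition on that argument shape is what separates abuse from the normal sync. `selection2` likewise matches any PowerShell-channel message containing the name with no `EventID`, which will include benign module and provider logging. The rule has no `status` field, which the other rules in this series carry, and `which usually utilized by adversaries` in the description should read `which is usually utilized by adversaries`.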
@@ -17,13 +17,18 @@ detection:
 selection1:
 Image|endswith:
 - \print.exe
- CommandLine|contains|all:
- - .exe
- - \\
+ CommandLine|startswith:
+ - print
 selection2:
 CommandLine|contains:
 - /D
- condition: selection1 and selection2
+ exeCondition:
+ CommandLine|contains:
+ - .exe
+ cmdExclude:
+ CommandLine|contains:
+ - print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
 falsepositives:
- - Legitimate printer actions from a fileshare for an exe file
+ - Unknown
 level: medium
From 6e02e6ac193d0eab96c3afc7c0995019368c20d9 Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Tue, 6 Oct 2020 19:52:31 +0300
Subject: [PATCH 0046/1335] Change title and update description
---
 rules/windows/process_creation/win_susp_vboxdrvInst.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
index 4093b1484..a7157354a 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -1,11 +1,13 @@
-title: Registry Modify via VBoxDrvInst.exe
+title: Suspicious VBoxDrvInst.exe Parameters
 id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
-description: Detect run VBoxDrvInst.exe whith parameters allowing registry modify via INF file
+description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
+ For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
 status: experimental
 author: Konstantin Grishchenko, oscd.community
 date: 2020/10/06
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+ - https://twitter.com/pabraeken/status/993497996179492864
 tags:
 - attack.defense_evasion
 - attack.t1112
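Review bot: `CommandLine|startswith: - print` together with `not cmdExclude` (`print.exe`) means the rule now only matches invocations typed exactly as `print ...`; any command line recorded with the full image token — `print.exe /D:...` or `"C:\Windows\System32\print.exe" ...` — is dropped by one of the two, so the exclusion meant to stop `.exe` matching the binary's own name also discards real invocations. If the intent is a `.exe` file in the arguments, express that relative to the `/D:` flag instead of excluding the image name, which makes `exeCondition` and `cmdExclude` unnecessary; the `detection:` key that encloses these selections starts above the hunk.
```yaml
detection:
  selection:
    Image|endswith: '\print.exe'
  exe_after_dest_flag:
    # '.exe' must appear after the /D: argument, so the binary's own
    # 'print.exe' token (which precedes it) no longer satisfies the check
    CommandLine|re: '(?i)/d:.*\.exe'
  condition: selection and exe_after_dest_flag
# … unchanged: falsepositives, level …
```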
From c90d99c0f9f949e0f72e0b6f6a2386a52ee9fcbb Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Tue, 6 Oct 2020 19:57:57 +0300
Subject: [PATCH 0047/1335] Accessing WinAPI in PowerShell
---
 .../powershell_accessing_win_api.yml | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_accessing_win_api.yml
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml
new file mode 100644
index 000000000..8ffa3338c
--- /dev/null
+++ b/rules/windows/powershell/powershell_accessing_win_api.yml
@@ -0,0 +1,71 @@
+title: Accessing WinAPI in PowerShell
+id: 03d83090-8cba-44a0-b02f-0b756a050306
+status: experimental
+description: Detecting use WinAPI Functions in PowerShell
+author: Nikita Nazarov
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1106
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID:
+ - 4104
+ Message|contains::
+ - 'WaitForSingleObject'
+ - 'QueueUserApc'
+ - 'RtlCreateUserThread'
+ - 'OpenProcess'
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'WriteProcessMemory'
+ - 'CreateUserThread'
+ - 'CloseHanlde'
+ - 'GetDelegateForFunctionPointer'
+ - 'CreateThread'
+ - 'memcpy'
+ - 'LoadLibrary'
+ - 'GetModuleHandle'
+ - 'GetProcAdress'
+ - 'VirtualProtect'
+ - 'FreeLibrary'
+ - 'ReadProcessMemory'
+ - 'CreateRemoteThread'
+ - 'AdjustTokenPrivileges'
+ - 'WriteByte'
+ - 'WriteInt32'
+ - 'OpenThreadToken'
+ - 'PtrToString'
+ - 'FreeHGlobal'
+ - 'ZeroFreeGlobalAllocUnicode'
+ - 'OpenProcessToken'
+ - 'GetTokenInformation'
+ - 'SetThreadToken'
+ - 'ImpersonateLoggedOnUser'
+ - 'RevertToSelf'
+ - 'GetLogonSessionData'
+ - 'CreateProcessWithToken'
+ - 'DuplicateRokenEx'
+ - 'OpenWindowStation'
+ - 'OpenDesktop'
+ - 'MiniDumpWrireDump'
+ - 'AddSecurityPackage'
+ - 'EnumerateSecurityPackages'
+ - 'GetProcessHandle'
+ - 'DangerousGetHandle'
+ - 'Kernel32'
+ - 'Advapi32'
+ - 'Msvcrt'
+ - 'ntdll'
+ - 'User32'
+ - 'Secur32'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 4c5d6923286934b73a9190c8fa084f2c2195025e Mon Sep 17 00:00:00 2001
From: ensar-pcs <53811649+ensar-pcs@users.noreply.github.com>
Date: Tue, 6 Oct 2020 20:30:56 +0300
Subject: [PATCH 0048/1335] [OSCD] sysmon_tttracer_mod_load.yml added
---
 .../image_load/sysmon_tttracer_mod_load.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/windows/image_load/sysmon_tttracer_mod_load.yml
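Review bot: `Message|contains::` on its `+` line has a doubled colon, so YAML yields the key `Message|contains:` and the Sigma parser is handed an unknown modifier named `contains:`; the rule will fail to convert rather than match loosely, and the line should be `Message|contains:`. Several list entries are misspelled and can never match the real identifiers: `CloseHanlde` (CloseHandle), `GetProcAdress` (GetProcAddress), `DuplicateRokenEx` (DuplicateTokenEx) and `MiniDumpWrireDump` (MiniDumpWriteDump). Bare module names such as `Kernel32`, `ntdll`, `User32` and helpers like `memcpy` or `PtrToString` appear in a large share of legitimate script blocks, so a single-hit `contains` at `level: high` with `falsepositives: Unknown` will be noisy; a second selection requiring a combination, or moving the broad names out, would help. `logsource` should also carry a `definition` stating that Script Block Logging (event 4104) must be enabled, and `Detecting use WinAPI Functions` reads better as `Detects use of WinAPI functions`.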
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 000000000..69308aacf
--- /dev/null
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,38 @@
+action: global
+title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+detection:
+ condition: 1 of them
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection1:
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection2:
+ ParentImage|endswith:
+ - '\tttracer.exe'
\ No newline at end of file
From 944a11074990894cdd065eb4e0ab81a9636e96bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ensar=20=C5=9Eamil?=
Date: Tue, 6 Oct 2020 20:42:32 +0300
Subject: [PATCH 0049/1335] Delete sysmon_tttracer_mod_load.yml
---
 .../image_load/sysmon_tttracer_mod_load.yml | 38 -------------------
 1 file changed, 38 deletions(-)
 delete mode 100644 rules/windows/image_load/sysmon_tttracer_mod_load.yml
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
deleted file mode 100644
index 69308aacf..000000000
--- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml
+++ /dev/null
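Review bot: The `process_creation` document matches only `ParentImage|endswith: '\tttracer.exe'`, i.e. a child the tracer launches, while the start of `tttracer.exe` itself is not covered; when the tool attaches to an already running process there may be no child event at all, so adding `Image|endswith: '\tttracer.exe'` as a second alternative in that document would cover the dump scenario the description names. The three `ImageLoaded` DLLs are also loaded by legitimate debugging sessions, which the single `falsepositives` entry acknowledges, so `level: high` is generous for the image_load half. The file is deleted again in PATCH 0049's hunk, so these points apply wherever it is re-added.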
@@ -1,38 +0,0 @@
-action: global
-title: Time Travel Debugging Utility Usage
-id: e76c8240-d68f-4773-8880-5c6f63595aaf
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- - https://twitter.com/mattifestation/status/1196390321783025666
- - https://twitter.com/oulusoyum/status/1191329746069655553
-author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
-date: 2020/10/06
-tags:
- - attack.defense_evasion
- - attack.credential_access
- - attack.t1218
- - attack.t1003.001
-detection:
- condition: 1 of them
-falsepositives:
- - Legitimate usage by software developers/testers
-level: high
----
-logsource:
- product: windows
- category: image_load
-detection:
- selection1:
- ImageLoaded|endswith:
- - '\ttdrecord.dll'
- - '\ttdwriter.dll'
- - '\ttdloader.dll'
----
-logsource:
- product: windows
- category: process_creation
-detection:
- selection2:
- ParentImage|endswith:
- - '\tttracer.exe'
\ No newline at end of file
From 0ad9fc61de3b60e8adfc90a0a1709ab15eef304f Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Tue, 6 Oct 2020 20:52:18 +0300
Subject: [PATCH 0050/1335] Detecting Code injection with PowerShell in another process
---
 .../powershell/powershell_code_injection.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_code_injection.yml
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
new file mode 100644
index 000000000..aa90fe428
--- /dev/null
+++ b/rules/windows/powershell/powershell_code_injection.yml
@@ -0,0 +1,24 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+status: experimental
+description: Detecting Code injection with PowerShell in another process
+author: Nikita Nazarov
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: sysmon
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+detection:
+ selection:
+ EventID:
+ - 8
+ SourceImage: '*\powershell.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 7b39e761929b806476800ee0971a747b6825d227 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Tue, 6 Oct 2020 23:48:25 +0300
Subject: [PATCH 0051/1335] Create at_command.yml
---
rules/linux/at_command.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/linux/at_command.yml
diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml
new file mode 100644
index 000000000..1d0da032b
--- /dev/null
+++ b/rules/linux/at_command.yml
@@ -0,0 +1,27 @@
+title: Scheduled Task/Job: At
+id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
+status: stable
+description: Detects the use of at/atd
+author: Ömer Günal
+date: 2020/10/06
+references:
+ - https://attack.mitre.org/techniques/T1053/001/
+logsource:
+ product: linux
+detection:
+ keywords:
+ - at|contains:
+ - '* at *'
+ - atd|contains:
+ - '* atd *'
+ - enumeration|contains:
+ - 'which atd'
+ - 'which at'
+ - 'systemctl status atd'
+ - 'service atd status '
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
From b0b72de94d03475f7cbf33ab9d0f9a0158402f1b Mon Sep 17 00:00:00 2001
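Review bot: `SourceImage: '*\powershell.exe'` relies on a leading wildcard inside a plain value, the style PATCH 0062 replaces elsewhere in this series, and it also misses `pwsh.exe` and `powershell_ise.exe`; write it as `SourceImage|endswith:` with a list of `'\powershell.exe'`, `'\powershell_ise.exe'` and `'\pwsh.exe'`. The `definition` string misspells `Sysmon` as `Symson`. Sysmon Event ID 8 is CreateRemoteThread, which the definition already requires to be enabled, so the note is right in substance once the typo is fixed.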
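Review bot: The keyword `'* at *'` is a substring match on ` at ` with anything on either side, and with `logsource: product: linux` and no category it is applied to arbitrary log text, so almost any line containing the word "at" (timestamps, English messages) will fire and bury the real `at` invocations. Restrict the rule to a command-execution log source (an auditd/execve category) or anchor the value to the binary, e.g. `- '/usr/bin/at '`; the same applies to `'* atd *'`. `status: stable` is also unusual for a rule that has never been run; the other new rules in this series use `status: experimental`. The trailing space in `'service atd status '` looks accidental.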
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Tue, 6 Oct 2020 23:52:06 +0300
Subject: [PATCH 0052/1335] Create lnx_process_discovery.yml
---
rules/linux/lnx_process_discovery.yml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 rules/linux/lnx_process_discovery.yml
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
new file mode 100644
index 000000000..d9cb82b79
--- /dev/null
+++ b/rules/linux/lnx_process_discovery.yml
@@ -0,0 +1,21 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal
+date: 2020/10/06
+references:
+ - https://attack.mitre.org/techniques/T1057/
+logsource:
+ product: linux
+detection:
+ keywords:
+ - commands|contains:
+ - 'ps *'
+ - 'top'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
From 8ea054ff0bc972b1183b3bbbf31c41ff010b356a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 7 Oct 2020 00:07:30 +0300
Subject: [PATCH 0053/1335] Update at_command.yml
---
rules/linux/at_command.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml
index 1d0da032b..e2043af6b 100644
--- a/rules/linux/at_command.yml
+++ b/rules/linux/at_command.yml
@@ -1,4 +1,4 @@
-title: Scheduled Task/Job: At
+title: Scheduled Task/Job At
 id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
 status: stable
 description: Detects the use of at/atd
From ee2c79745f73a4a701491afd6547b7c0c4c1cf76 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:12:51 +1100
Subject: [PATCH 0054/1335] Update win_susp_wsl_lolbin.yml
---
rules/windows/process_creation/win_susp_wsl_lolbin.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
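Review bot: `'top'` and `'ps *'` under `commands|contains` are bare substring matches, so `top` fires on `stop`, `desktop` or `laptop` and `ps ` on `https ` or `dumps `, which on an unrestricted `product: linux` logsource turns the rule into noise. Anchor the values to the executable, e.g. `- '/bin/ps '` and `- '/bin/top'`, or limit the logsource to an execve/auditd category where the field is a command line. `status: stable` should be `experimental` until the rule has been validated, as the other new rules in this series do.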
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
index da196a739..71c561a9b 100644
--- a/rules/windows/process_creation/win_susp_wsl_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -9,7 +9,7 @@ tags:
 - attack.defense_evasion
 - attack.t1218
 - attack.t1202
-author: Zach Stanford '@svch0st'
+author: 'oscd.community, Zach Stanford @svch0st'
 date: 2020/10/05
 logsource:
 category: process_creation
From 3d048ceba05e70f78c68eee8468c4defa8901823 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:18:09 +1100
Subject: [PATCH 0055/1335] Update win_susp_copy_lateral_movement.yml
---
.../win_susp_copy_lateral_movement.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index e3dac9ae0..3b0611bcf 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -5,7 +5,7 @@ description: Detects a suspicious copy command to or from an Admin share
 references:
 - https://twitter.com/SBousseaden/status/1211636381086339073
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: Florian Roth, Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st'
+author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
 date: 2019/12/30
 modified: 2020/10/05
 tags:
@@ -29,7 +29,7 @@ detection:
 - '\cmd.exe'
 CommandLine|contains:
 - 'copy'
- selection4:
+ selection3:
 Image|contains:
 - '\powershell'
 CommandLine|contains:
@@ -37,13 +37,13 @@ detection:
 - 'copy'
 - 'cpi '
 - ' cp '
- selection5:
+ selection4:
 CommandLine|contains:
 - '\\\\*\*$*'
- condition: (selection1 or selection2 or selection3 or selection4) and selection5
+ condition: (selection1 or selection2 or selection3) and selection4
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - Administrative scripts
-level: High
+level: high
From 9d9f0bc37350d71b8d2e0f05bc396c87936c00aa Mon Sep 17 00:00:00 2001
From: grikos
Date: Wed, 7 Oct 2020 00:18:41 +0300
Subject: [PATCH 0056/1335] Create win_susp_rundll32_setupapi_installhinfsection.yml
---
...p_rundll32_setupapi_installhinfsection.yml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
new file mode 100644
index 000000000..6bd4d6cb6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
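Review bot: The renumbered `selection4`, which the new `condition` now requires unconditionally, still carries `CommandLine|contains: - '\\\\*\*$*'`; under Sigma's value escaping `\\` is a literal backslash and `\*` a literal asterisk, so this pattern appears to demand a literal `*` before `$` and would not match a `\\host\share$` path at all. If the intent is two backslashes, host, backslash, share name, `$`, the value should read `'\\\\*\\*$*'` — confirm how the backend in use handles the escape before changing it. The `level: High` → `high` fix is correct; the enclosing `detection:` block starts before this hunk.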
@@ -0,0 +1,32 @@
+title: Suspicious Rundll32 Setupapi.dll Activity
+id: 285b85b1-a555-4095-8652-a8a4106af63f
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
+ This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine:
+ - 'setupapi.dll*InstallHinfSection'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+level: medium
\ No newline at end of file
From ca0f2146abb1bf1caee1ef273a536c28015bda38 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:23:31 +1100
Subject: [PATCH 0057/1335] Update win_net_use_admin_share.yml
---
rules/windows/builtin/win_net_use_admin_share.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml
index 2493c2fad..6bf752976 100644
--- a/rules/windows/builtin/win_net_use_admin_share.yml
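Review bot: `ParentCommandLine: - 'setupapi.dll*InstallHinfSection'` puts an in-value wildcard on an exact-match field, the construction PATCH 0062 replaces elsewhere in this series; write it as `ParentCommandLine|contains|all:` with `- 'setupapi.dll'` and `- 'InstallHinfSection'` so the match does not depend on backend wildcard handling. The description's continuation line at a single space of indent is valid YAML but reads like a separate key; a `|` block scalar or one line would be clearer, and `provide` should be `provides`. The same file is created again unchanged in PATCH 0059.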
+++ b/rules/windows/builtin/win_net_use_admin_share.yml
@@ -4,11 +4,11 @@ status: experimental
 description: Detects when an admin share is mounted using net.exe
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
 date: 2020/10/05
 tags:
 - attack.lateral_movement
- - attack.T1021.002
+ - attack.t1021.002
 logsource:
 category: process_creation
 product: windows
From e68e212d23c43bf5a7af5395cccfefb4ce470a72 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:26:43 +1100
Subject: [PATCH 0058/1335] Update win_susp_logon_explicit_credentials.yml
---
rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
index 1c5db8579..df8fbcf8a 100644
--- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious processes logging on with explicit credentials
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
+author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
 date: 2020/10/05
 tags:
 logsource:
From a5478950c7534c7f8c20b3f047d3e64b316c95ea Mon Sep 17 00:00:00 2001
From: grikos
Date: Wed, 7 Oct 2020 00:34:00 +0300
Subject: [PATCH 0059/1335] Create win_susp_rundll32_setupapi_installhinfsection.yml
---
...p_rundll32_setupapi_installhinfsection.yml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
new file mode 100644
index 000000000..1cdf86dc9
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -0,0 +1,32 @@
+title: Suspicious Rundll32 Setupapi.dll Activity
+id: 285b85b1-a555-4095-8652-a8a4106af63f
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
+ This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine:
+ - 'setupapi.dll*InstallHinfSection'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+level: medium
From 49119e162fe60614cd07dac8c0d1d39e7fa8789a Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Wed, 7 Oct 2020 01:04:59 +0300
Subject: [PATCH 0060/1335] Delete win_susp_rundll32_setupapi_installhinfsection.yml
---
...p_rundll32_setupapi_installhinfsection.yml | 32 -------------------
1 file changed, 32 deletions(-)
delete mode 100644 rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
deleted file mode 100644
index 6bd4d6cb6..000000000
--- a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious Rundll32 Setupapi.dll Activity
-id: 285b85b1-a555-4095-8652-a8a4106af63f
-description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
- This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
-status: experimental
-author: Konstantin Grishchenko, oscd.community
-date: 2020/10/07
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
- - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
- - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
-tags:
- - attack.defense_evasion
- - attack.t1218.011
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\runonce.exe'
- ParentImage|endswith: '\rundll32.exe'
- ParentCommandLine:
- - 'setupapi.dll*InstallHinfSection'
- condition: selection
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
-level: medium
\ No newline at end of file
From dbb76b5856ef0b4d1b6ba94cf104fcec1fe1e4c6 Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Tue, 6 Oct 2020 22:01:18 -0400
Subject: [PATCH 0061/1335] Add Usage of reg or Powershell by Non-privileged Users rule
---
.../builtin/win_non_priv_reg_or_ps.yml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 rules/windows/builtin/win_non_priv_reg_or_ps.yml
diff --git a/rules/windows/builtin/win_non_priv_reg_or_ps.yml b/rules/windows/builtin/win_non_priv_reg_or_ps.yml
new file mode 100644
index 000000000..48abc2c73
--- /dev/null
+++ b/rules/windows/builtin/win_non_priv_reg_or_ps.yml
@@ -0,0 +1,46 @@
+title: Usage of reg or Powershell by Non-privileged Users
+id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
+description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 1
+ IntegrityLevel: Medium
+ commandline_1:
+ CommandLine|contains|all:
+ - reg
+ - add
+ commandline_2:
+ CommandLine|contains|all:
+ - powershell
+ CommandLine|contains:
+ - set-itemproperty
+ - " sp "
+ - new-itemproperty
+ commandline_3:
+ CommandLine|contains|all:
+ - ControlSet
+ - Services
+ commandline_4:
+ CommandLine|contains:
+ - ImagePath
+ - FailureCommand
+ - ServiceDLL
+ condition: selection and (commandline_1 or commandline_2) and commandline_3 and commandline_4
+fields:
+ - EventID
+ - IntegrityLevel
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 5d01f71f623ed2045dca668e823c94e4bce9d5c7 Mon Sep 17 00:00:00 2001
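Review bot: `logsource: product: windows / service: security` does not fit the selection: `EventID: 1` together with `IntegrityLevel` are Sysmon process-creation fields, whereas the Security channel's process-creation event is 4688 with a different field layout, so on a Security-log pipeline this rule is unlikely ever to match. Use `logsource: category: process_creation` with `product: windows` and drop the hard-coded `EventID`, as the other process_creation rules in this series do; the file path under `builtin/` should move accordingly. `non-priveleged` in the description should be `non-privileged`, and the file ends without a trailing newline.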
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:43:22 +0300
Subject: [PATCH 0062/1335] CommandLine|contains -> CommandLine|contains|all: Replaced wildcard expression with list of values
---
rules/windows/process_creation/win_susp_pcwutl.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
index 86a5fcc26..a3f3ddd23 100644
--- a/rules/windows/process_creation/win_susp_pcwutl.yml
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
@@ -18,7 +18,9 @@ logsource:
 detection:
 selection:
 Image|endswith: '\rundll32.exe'
- CommandLine|contains: 'pcwutl*LaunchApplication'
+ CommandLine|contains|all:
+ - 'pcwutl'
+ - 'LaunchApplication'
 condition: selection
 level: medium
 falsepositives:
From 986c80e593c2e8bc8ff85d6ad039651e9c06fb88 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 7 Oct 2020 08:20:26 +0200
Subject: [PATCH 0063/1335] Added oscd branch to CI
---
.github/workflows/sigma-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index ee0c317a5..8703e1bfd 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -8,7 +8,7 @@ on:
 branches:
 - "*"
 pull_request:
- branches: [ master ]
+ branches: [ master, oscd ]
 jobs:
 test-sigma:
From d7acbb369ed8f37f9b6728d28d8848dad3619ab4 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:22:09 +1100
Subject: [PATCH 0064/1335] Created powershell_suspicious_mounted_share_deletion.yml
---
...hell_suspicious_mounted_share_deletion.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 000000000..aa341c167
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -0,0 +1,24 @@
+title: Mounted Share was Deleted using PowerShell
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
\ No newline at end of file
From c878d55ac0fd97d7f7fedebc3e15e4ad85326405 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 7 Oct 2020 16:59:18 +1030
Subject: [PATCH 0065/1335] Add oscd.community author
---
rules/windows/builtin/win_remote_schtask.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml
index 40b923741..aa7b54cc1 100644
--- a/rules/windows/builtin/win_remote_schtask.yml
+++ b/rules/windows/builtin/win_remote_schtask.yml
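Review bot: `Remove-SmbShare` and `Remove-FileShare` un-share a folder on the local host rather than disconnect a mounted share, so the title and description ("a mounted share is removed") describe a different action than the selection detects; either retitle the rule to share removal or, if T1070.005's connection removal is the goal, look at `Remove-SmbMapping` instead — confirm against the referenced atomic test. The description also repeats `when when`, and the file lacks a trailing newline. The identical text is re-created in PATCH 0071, and the process_creation sibling in PATCH 0067 carries the same duplicated word.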
@@ -2,7 +2,7 @@ title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
 status: experimental
 description: Detects remote execution via scheduled task creation or update on the destination host
-author: Jai Minton
+author: Jai Minton, oscd.community
 date: 2020/10/05
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
From 5c2ef0dd354f9cf4052995c2d757bdd4c5f74ce7 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:33:12 +1100
Subject: [PATCH 0066/1335] Update powershell_suspicious_mounted_share_deletion.yml
---
.../powershell/powershell_suspicious_mounted_share_deletion.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
index aa341c167..ff9ec1efd 100644
--- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Administrators or Power users may remove their shares via cmd line
-level: medium
\ No newline at end of file
+level: medium
From dabc092ab9c20d9eac2a3455b18d33f849473ad9 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:34:48 +1100
Subject: [PATCH 0067/1335] Create win_susp_mounted_share_deletion.yml
---
.../win_susp_mounted_share_deletion.yml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_mounted_share_deletion.yml
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
new file mode 100644
index 000000000..b5e70f9ad
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
@@ -0,0 +1,25 @@
+title: Mounted Share was Deleted
+id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains:
+ - '/delete'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
From 3dafef411f656fe62bb5a82df2af770d9287765c Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:42:25 +1100
Subject: [PATCH 0070/1335] Delete powershell_suspicious_mounted_share_deletion.yml
---
...hell_suspicious_mounted_share_deletion.yml | 24 ------------------
1 file changed, 24 deletions(-)
delete mode 100644 rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
deleted file mode 100644
index ff9ec1efd..000000000
--- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
+++ /dev/null
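Review bot: `CommandLine|contains: - '/delete'` on `net.exe`/`net1.exe` also matches `net user … /delete`, `net localgroup … /delete` and `net share … /delete`, none of which is a mounted-share disconnect, so the rule is broader than its title and description. Pair the switch with the subcommand, e.g. `CommandLine|contains|all:` with `- ' use '` and `- '/delete'`, and note in a comment that net.exe accepts abbreviated switches such as `/d` — confirm which forms the rule should cover. `when when` in the description is a typo.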
@@ -1,24 +0,0 @@
-title: Mounted Share was Deleted using PowerShell
-id: 66a4d409-451b-4151-94f4-a55d559c49b0
-status: experimental
-description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
-author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
-date: 2020/10/08
-tags:
- - attack.defense_evasion
- - attack.t1070.005
-logsource:
- product: windows
- service: powershell
-detection:
- selection:
- EventID: 4104
- ScriptBlockText|contains:
- - 'Remove-SmbShare'
- - 'Remove-FileShare'
- condition: selection
-falsepositives:
- - Administrators or Power users may remove their shares via cmd line
-level: medium
From a7442328ebe1a9ff4c4fa77a076ec0e7e7aed0a8 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:44:05 +1100
Subject: [PATCH 0071/1335] Create powershell_suspicious_mounted_share_deletion.yml
---
...hell_suspicious_mounted_share_deletion.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 000000000..7b73322ca
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -0,0 +1,24 @@
+title: Mounted Share was Deleted using PowerShell
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
From c879378e351fb4830cb7b45e0f19f31310c6da96 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:46:13 +1100
Subject: [PATCH 0072/1335] Update win_susp_mounted_share_deletion.yml
---
.../process_creation/win_susp_mounted_share_deletion.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
index b5e70f9ad..5e360079b 100644
--- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
+++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
@@ -1,4 +1,4 @@
-title: Mounted Share was Deleted
+title: Mounted Share Deleted
 id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
 status: experimental
 description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
From 0fe1850bf4f7e0d520950e9eaca8329628e519cb Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 17:54:48 +1100
Subject: [PATCH 0073/1335] Update powershell_suspicious_mounted_share_deletion.yml
---
.../powershell/powershell_suspicious_mounted_share_deletion.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
index 7b73322ca..f0ca3127e 100644
--- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
@@ -1,4 +1,4 @@
-title: Mounted Share was Deleted using PowerShell
+title: PowerShell Deleted Mounted Share
 id: 66a4d409-451b-4151-94f4-a55d559c49b0
 status: experimental
 description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
From bf43344858b1d6a3ed8c46821a7ac8c6595e369b Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 7 Oct 2020 17:25:34 +1030
Subject: [PATCH 0074/1335] Refactor for multiple log sources
---
rules/windows/builtin/win_remote_service.yml | 21 +++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
index 73db09935..85d2566cc 100644
--- a/rules/windows/builtin/win_remote_service.yml
+++ b/rules/windows/builtin/win_remote_service.yml
@@ -1,8 +1,9 @@
+action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
 status: experimental
 description: Detects remote execution via service creation on the destination host
-author: Jai Minton
+author: Jai Minton, oscd.community
 date: 2020/10/05
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
@@ -18,10 +19,6 @@ detection:
 selection1:
 EventID: 4624
 Logon_Type: 3
- selection2:
- EventID:
- - 4697
- - 7045
 filter1:
 Source_Network_Address:
 - '::1'
@@ -31,3 +28,17 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
From 391af43708eb5e8ec3f9289050d0c7eb84dd0367 Mon Sep 17 00:00:00 2001
From: grikos <51186173+grikos@users.noreply.github.com>
Date: Wed, 7 Oct 2020 10:32:51 +0300
Subject: [PATCH 0075/1335] Update description & references
---
.../win_susp_rundll32_setupapi_installhinfsection.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
index 1cdf86dc9..8dff05140 100644
--- a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -2,6 +2,7 @@ title: Suspicious Rundll32 Setupapi.dll Activity
 id: 285b85b1-a555-4095-8652-a8a4106af63f
 description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
 This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+ InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
 status: experimental
 author: Konstantin Grishchenko, oscd.community
 date: 2020/10/07
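Review bot: The second YAML document added in the `@@ -31,3 +28,17 @@` hunk is indented by one space (` logsource:`, ` detection:`) while the third is at column 0; both parse, but the mismatch is easy to misread as nesting and the two documents should be aligned. More importantly, the `condition` that ties `selection1` to `selection2` lies outside this hunk: if it still ANDs the 4624 logon with the 4697/7045 service event, every generated query requires a single event to carry two EventIDs and can never match — confirm the condition, and if so the rule needs a per-logsource condition or a correlation rather than a single-event expression. The file also ends without a trailing newline.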
@@ -9,6 +10,7 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
 - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
 - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+ - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
 tags:
 - attack.defense_evasion
 - attack.t1218.011
@@ -28,5 +30,5 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
 level: medium
From 4045c68ae4269bc24ea60b19ec2385b765815c27 Mon Sep 17 00:00:00 2001
From: esebese
Date: Wed, 7 Oct 2020 11:17:21 +0300
Subject: [PATCH 0076/1335] [OSCD] sysmon_tttracer_mod_load.yml added
---
.../image_load/sysmon_tttracer_mod_load.yml | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 rules/windows/image_load/sysmon_tttracer_mod_load.yml
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 000000000..69308aacf
--- /dev/null
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,38 @@
+action: global
+title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+detection:
+ condition: 1 of them
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection1:
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection2:
+ ParentImage|endswith:
+ - '\tttracer.exe'
\ No newline at end of file
From ab8e9ed8e7e8e41b7a3fed7cae05ea2e6a3c925f Mon Sep 17 00:00:00 2001
From: Yuliya Fomina
Date: Wed, 7 Oct 2020 12:07:20 +0300
Subject: [PATCH 0077/1335] Create win_susp_winrm_AWL_bypass
---
.../win_susp_winrm_AWL_bypass.yml | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
new file mode 100644
index 000000000..18abf1bab
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
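Review bot: The process_creation document keys only on `ParentImage|endswith: '\tttracer.exe'`, so a launch of tttracer.exe itself that spawns no child (for example attaching to an already running process, which the description mentions for lsass.exe) is only seen if the image_load half fires. Since the global condition is `1 of them`, a third selection in that document, `selection3:` / `Image|endswith: '\tttracer.exe'`, would cover the direct launch without changing the other two. The global document also lacks the `status:` field that the other rules in this series carry, and the file ends without a trailing newline.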
@@ -0,0 +1,31 @@
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+status: experimental
+references:
+ - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - 'format:pretty'
+ - 'format:"pretty"'
+ - 'format:"text"'
+ - 'format:text'
+ filter:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ selection_2:
+ CommandLine|contains: 'winrm'
+ condition: selection_2 and selection_1 and not filter
+level: medium
+falsepositives:
+ - Unlikely
From b6451fcc38e3eda166727a0e3b283e51813a1a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Wed, 7 Oct 2020 12:17:29 +0300
Subject: [PATCH 0078/1335] [OSCD] Accessing WinAPI in PowerShell. Credentials dumping Rule added
---
...api_in_powershell_credentials_dumping.yaml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml
diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml
new file mode 100644
index 000000000..4fc6a7135
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml
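Review bot: The `filter` selection hard-codes the `C:` drive in `Image|startswith`, so on a host whose system volume is not `C:` every legitimate `cscript.exe winrm.vbs ... -format:pretty` run from the real System32 escapes the exclusion and alerts; the same two paths are kept by the rewrite of this rule in the `@@ -9,23 +10,38 @@` hunk further down (the `image_from_system_folder` selection). If the drive letter cannot be assumed, an anchored regular expression such as `Image|re: '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\'` keeps the intent of excluding the genuine system copy without pinning the letter; otherwise the assumption is worth a line in `falsepositives`. The rest of the logic — `winrm` plus a `format:` argument from an image outside the system folders — reads correctly for the referenced technique.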
@@ -0,0 +1,24 @@
+title: Accessing WinAPI in PowerShell. Credentials Dumping
+id: 3f07b9d1-2082-4c56-9277-613a621983cc
+description: Detects Accessing to lsass.exe by Powershell
+status: experimental
+author: Natalia Shornikova
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tag:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 8
+ - 10
+ SourceImage: '*\powershell.exe'
+ TargetImage: '*\lsass.exe'
+ condition: selection
+falsepositives: Unknown
+level: high
\ No newline at end of file
From 729e1f6f7f4e4abf37cf36987939d5062d8ca1fb Mon Sep 17 00:00:00 2001
From: Yuliya Fomina
Date: Wed, 7 Oct 2020 12:20:37 +0300
Subject: [PATCH 0079/1335] =?UTF-8?q?=D0=A1reate=20win=5Fsusp=5Fwinrm=5Fex?= =?UTF-8?q?ecution?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../win_susp_winrm_execution.yml | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_winrm_execution.yml
diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml
new file mode 100644
index 000000000..7ec2eb9ca
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_execution.yml
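Review bot: The metadata key is written `tag:` where Sigma expects `tags:`, so the ATT&CK tags will not be picked up by tooling that reads them; change the line to `tags:`. The `id: 3f07b9d1-2082-4c56-9277-613a621983cc` is reused verbatim by three other new rules in this series (the long-command-line, service-installation and PowerShell-without-powershell.exe rules in the hunks at `@@ -0,0 +1,28 @@`, `@@ -0,0 +1,36 @@` and `@@ -0,0 +1,34 @@`), and rule identifiers must be unique per rule, so each needs its own UUID. `falsepositives: Unknown` is a scalar where the rest of the repository uses a list (`falsepositives:` / `  - Unknown`). The later rename commit in this series only fixes the file extension and none of these.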
@@ -0,0 +1,26 @@
+title: Remore Code Execute via Winrm.vbs
+id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
+description: Detects an attempt to execude code or create service on remote host via winrm.vbs.
+status: experimental
+references:
+ - https://twitter.com/bohops/status/994405551751815170
+ - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+author: Julia Fomina, oscd.community
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - 'winrm'
+ - 'invoke Create wmicimv2/Win32_'
+ - '-r:http'
+ condition: selection
+level: medium
+falsepositives:
+ - Legitimate use for administartive purposes. Unlikely
\ No newline at end of file
From 911bc514afe72cc960ce1e92c0af41fff61ed8ad Mon Sep 17 00:00:00 2001
From: nsaddler
Date: Wed, 7 Oct 2020 12:26:30 +0300
Subject: [PATCH 0080/1335] Rename sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml to sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
---
...smon_accessing_winapi_in_powershell_credentials_dumping.yml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename rules/windows/sysmon/{sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml => sysmon_accessing_winapi_in_powershell_credentials_dumping.yml} (98%)
diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
similarity index 98%
rename from rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml
rename to rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
index 4fc6a7135..539827197 100644
--- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yaml
+++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
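Review bot: The user-facing metadata of this rule carries three typos that will surface in every alert title: `title: Remore Code Execute via Winrm.vbs` should read `title: Remote Code Execution via Winrm.vbs`, the description's `execude` should be `execute`, and the false-positive entry's `administartive` should be `administrative`. The follow-up commit to this file in the series only appends a blank line and leaves the wording as is. The detection itself (`cscript.exe` with `winrm`, `invoke Create wmicimv2/Win32_` and `-r:http` all present) matches the referenced technique.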
@@ -21,4 +21,4 @@ detection: TargetImage: '*\lsass.exe' condition: selection falsepositives: Unknown -level: high \ No newline at end of file +level: high From da578a8bb0719263b412bda5ea15cbd88ef4bf4c Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Wed, 7 Oct 2020 12:30:57 +0300 Subject: [PATCH 0081/1335] Update win_susp_winrm_execution.yml --- rules/windows/process_creation/win_susp_winrm_execution.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml index 7ec2eb9ca..218390dee 100644 --- a/rules/windows/process_creation/win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/win_susp_winrm_execution.yml @@ -23,4 +23,5 @@ detection: condition: selection level: medium falsepositives: - - Legitimate use for administartive purposes. Unlikely \ No newline at end of file + - Legitimate use for administartive purposes. Unlikely + From 7d8445fe1202d20a73679f7c8c8bfaa766f1fd90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Wed, 7 Oct 2020 13:42:05 +0300 Subject: [PATCH 0082/1335] [OSCD] Too Long Powershell CommandLine Rule added --- .../sysmon_long_powershell_commandline.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_long_powershell_commandline.yml diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml new file mode 100644 index 000000000..4b8671401 --- /dev/null +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml 
@@ -0,0 +1,28 @@ +title: Too Long PowerShell Commandlines +id: 3f07b9d1-2082-4c56-9277-613a621983cc +description: Detects Too long PowerShell command lines +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1059.001 +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Powershell_selection: + - CommandLine: + - '*powershell*' + - '*pwsh*' + - Description: 'Windows Powershell' + - Product: 'PowerShell Core 6' + Length_selection|re: + CommandLine: '(.){1000,}' + condition: all of them +falsepositives: Unknown +level: medium \ No newline at end of file From e01e26be1cea819fab42d351e823733d38651351 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Wed, 7 Oct 2020 13:55:17 +0300 Subject: [PATCH 0083/1335] Update sysmon_long_powershell_commandline.yml --- .../process_creation/sysmon_long_powershell_commandline.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index 4b8671401..be01255c0 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -10,8 +10,8 @@ status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 logsource: - product: windows - service: sysmon + product: windows + category: process_creation detection: selection: EventID: 1 @@ -25,4 +25,4 @@ detection: CommandLine: '(.){1000,}' condition: all of them falsepositives: Unknown -level: medium \ No newline at end of file +level: medium From df21dab585fbb12c3820f5b0aab4023d5cef2f7a Mon Sep 17 00:00:00 2001 
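Review bot: `Length_selection|re:` attaches the `re` modifier to the selection name instead of the field, which is not a Sigma construct — backends will treat `Length_selection|re` as an opaque identifier and the regex is never applied to `CommandLine`; write it as `Length_selection:` / `  CommandLine|re: '.{1000,}'`. The `id` is the same UUID used by three other new rules in this series and must be unique. `falsepositives: Unknown` should be a list like the surrounding rules. The logsource/EventID mismatch is already addressed by the follow-up hunks on this line, so I am not repeating it.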
From: nsaddler Date: Wed, 7 Oct 2020 14:00:41 +0300 Subject: [PATCH 0084/1335] Update sysmon_long_powershell_commandline.yml --- .../process_creation/sysmon_long_powershell_commandline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index be01255c0..ce3034848 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -10,8 +10,8 @@ status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 logsource: - product: windows category: process_creation + product: windows detection: selection: EventID: 1 From 59610517a02214115e3c8e82a74308bef71f0d26 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Wed, 7 Oct 2020 14:10:26 +0300 Subject: [PATCH 0085/1335] Update sysmon_long_powershell_commandline.yml --- .../process_creation/sysmon_long_powershell_commandline.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index ce3034848..bd4a58ee9 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -13,8 +13,6 @@ logsource: category: process_creation product: windows detection: - selection: - EventID: 1 Powershell_selection: - CommandLine: - '*powershell*' From dc856f24e0d69f40ffc53360ae93d05746a0ccf1 Mon Sep 17 00:00:00 2001 
From: Ryan Plas Date: Wed, 7 Oct 2020 07:18:12 -0400 Subject: [PATCH 0086/1335] Move rule to sysmon folder and update selection names --- .../sysmon_non_priv_reg_or_ps.yml} | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) rename rules/windows/{builtin/win_non_priv_reg_or_ps.yml => sysmon/sysmon_non_priv_reg_or_ps.yml} (85%) diff --git a/rules/windows/builtin/win_non_priv_reg_or_ps.yml b/rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml similarity index 85% rename from rules/windows/builtin/win_non_priv_reg_or_ps.yml rename to rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml index 48abc2c73..afeaf2e7d 100644 --- a/rules/windows/builtin/win_non_priv_reg_or_ps.yml +++ b/rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml @@ -13,30 +13,30 @@ logsource: product: windows service: security detection: - selection: + process_creation: EventID: 1 IntegrityLevel: Medium - commandline_1: + reg: CommandLine|contains|all: - reg - add - commandline_2: + powershell: CommandLine|contains|all: - powershell CommandLine|contains: - set-itemproperty - " sp " - new-itemproperty - commandline_3: + registry_folder: CommandLine|contains|all: - ControlSet - Services - commandline_4: + registry_key: CommandLine|contains: - ImagePath - FailureCommand - ServiceDLL - condition: selection and (commandline_1 or commandline_2) and commandline_3 and commandline_4 + condition: process_creation and (reg or powershell) and registry_folder and registry_key fields: - EventID - IntegrityLevel From 7c9c21cda0c2e9ffdfa2cff4335cff8af5c18a16 Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Wed, 7 Oct 2020 14:43:25 +0300 Subject: [PATCH 0087/1335] Update sysmon_psexec_pipes_artifacts.yml --- .../windows/sysmon/sysmon_psexec_pipes_artifacts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml index a81fea6ca..8ac9f2e3a 100644 --- a/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/sysmon/sysmon_psexec_pipes_artifacts.yml @@ -2,7 +2,7 @@ title: PsExec Pipes Artifacts id: 9e77ed63-2ecf-4c7b-b09d-640834882028 status: experimental description: Detecting use PsExec via Pipe Creation/Access to pipes -author: Nikita Nazarov +author: Nikita Nazarov, oscd.community date: 2020/05/10 references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view @@ -18,11 +18,11 @@ detection: EventID: - 17 - 18 - PipeName: - - 'psexec*' - - 'paexec*' - - 'remcom*' - - 'csexec*' + PipeName|startswith: + - 'psexec' + - 'paexec' + - 'remcom' + - 'csexec' condition: selection falsepositives: - Legitimate Administrator activity From bfa3635cd23318d809fb83f340acfcc6ca162e2e Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Wed, 7 Oct 2020 14:47:29 +0300 Subject: [PATCH 0088/1335] Update powershell_accessing_win_api.yml --- rules/windows/powershell/powershell_accessing_win_api.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index 8ffa3338c..862bbd69b 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell id: 03d83090-8cba-44a0-b02f-0b756a050306 status: experimental description: Detecting use WinAPI Functions in PowerShell -author: Nikita Nazarov +author: Nikita Nazarov, oscd.community date: 2020/10/06 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse 
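Review bot: `PipeName|startswith: 'psexec'` in the `@@ -18,11 +18,11 @@` hunk assumes the field value begins with the pipe's name, but Sysmon's pipe events (17/18) appear to record `PipeName` with its leading backslash (e.g. `\PSEXESVC`), in which case none of the four values can ever match at position zero; the previous `'psexec*'` form had the same gap, so this is not a regression but it is worth fixing while touching the lines. `PipeName|contains:` with the same four values, or keeping `startswith` with a leading `\` on each value, would match regardless of how the backend handles the prefix. Matching is case-insensitive in Sigma, so the lower-case values are fine.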
@@ -17,7 +17,7 @@ detection: selection: EventID: - 4104 - Message|contains:: + Message|contains: - 'WaitForSingleObject' - 'QueueUserApc' - 'RtlCreateUserThread' From d3f0ddd2b19cd23cbf522d3a17e6f1874e172014 Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Wed, 7 Oct 2020 14:50:00 +0300 Subject: [PATCH 0089/1335] Update powershell_code_injection.yml --- rules/windows/powershell/powershell_code_injection.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml index aa90fe428..47d220c50 100644 --- a/rules/windows/powershell/powershell_code_injection.yml +++ b/rules/windows/powershell/powershell_code_injection.yml @@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell. Code Injection. id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 status: experimental description: Detecting Code injection with PowerShell in another process -author: Nikita Nazarov +author: Nikita Nazarov, oscd.community date: 2020/10/06 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse @@ -17,7 +17,7 @@ detection: selection: EventID: - 8 - SourceImage: '*\powershell.exe' + SourceImage|endswith: '\powershell.exe' condition: selection falsepositives: - Unknown From 9df66082390ecef0c35ee3c9048b9321211b0eb1 Mon Sep 17 00:00:00 2001 From: grikos <51186173+grikos@users.noreply.github.com> Date: Wed, 7 Oct 2020 14:54:13 +0300 Subject: [PATCH 0090/1335] Remove asterisk from condition Change ParentCommandLine: - 'setupapi.dll*InstallHinfSection' to ParentCommandLine|contains|all: - 'setupapi.dll' - 'InstallHinfSection' because some LM/SIEM systems don't process '*' as Splunk or Elasticsearch --- .../win_susp_rundll32_setupapi_installhinfsection.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
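Review bot: In the `powershell_code_injection.yml` hunk (`@@ -17,7 +17,7 @@`) the new `SourceImage|endswith: '\powershell.exe'` only names the Windows PowerShell host, so the same CreateRemoteThread activity from `pwsh.exe` or `powershell_ise.exe` is not covered; a list, `SourceImage|endswith:` / `  - '\powershell.exe'` / `  - '\pwsh.exe'`, keeps the rule's intent without widening it. The rule's logsource and the rest of the detection are outside the hunk, so I could not check whether the field names line up with the declared source.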
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml index 8dff05140..f1f6dafe9 100644 --- a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml +++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml @@ -21,8 +21,9 @@ detection: selection: Image|endswith: '\runonce.exe' ParentImage|endswith: '\rundll32.exe' - ParentCommandLine: - - 'setupapi.dll*InstallHinfSection' + ParentCommandLine|contains|all: + - 'setupapi.dll' + - 'InstallHinfSection' condition: selection fields: - ComputerName From 18da272de498ac280d7f4ca782a2bdba9719f270 Mon Sep 17 00:00:00 2001 From: esebese Date: Wed, 7 Oct 2020 15:04:12 +0300 Subject: [PATCH 0091/1335] [OSCD] win_visual_basic_compiler.yml added --- .../win_visual_basic_compiler.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_visual_basic_compiler.yml diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml new file mode 100644 index 000000000..1dffa5c87 --- /dev/null +++ b/rules/windows/process_creation/win_visual_basic_compiler.yml 
@@ -0,0 +1,22 @@
+title: Visual Basic Command Line Compiler Usage
+id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
+status: experimental
+description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '*\vbc.exe'
+ Image|endswith: '*\cvtres.exe'
+ condition: selection
+falsepositives:
+ - Utilization of this tool should not be seen in enterprise environment
+level: high
From f0f419df78c81c84ff7a9afbaea3da25228f8113 Mon Sep 17 00:00:00 2001
From: Yuliya Fomina
Date: Wed, 7 Oct 2020 15:19:45 +0300
Subject: [PATCH 0092/1335] Create win_susp_pester.yml
---
.../process_creation/win_susp_pester.yml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_pester.yml
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
new file mode 100644
index 000000000..2b9c1fd0d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_pester.yml
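Review bot: Both selection values combine the `endswith` modifier with a leading wildcard (`'*\vbc.exe'`, `'*\cvtres.exe'`); the modifier already implies the prefix, and backends that escape literal characters inside modifier values may emit the `*` verbatim and never match. The other rules in this series write the plain suffix, so these should be `ParentImage|endswith: '\vbc.exe'` and `Image|endswith: '\cvtres.exe'`. The description also claims "successful code compilation", while the logic only observes cvtres.exe being spawned by vbc.exe, which does not establish success — "Detects code compilation via ..." would be accurate.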
@@ -0,0 +1,32 @@
+title: Execute Code with Pester.bat
+id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+status: experimental
+references:
+ - https://twitter.com/Oddvarmoe/status/993383596244258816
+author: Julia Fomina, oscd.community
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_powershell:
+ Image|endswith: '\poweshell.exe'
+ CommandLine|contains|all:
+ - 'Pester'
+ - 'Get-Help*;'
+ selection_cmd:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: 'Pester.bat*;'
+ selection_cmd_help:
+ CommandLine|contains:
+ - '/help'
+ - '/?'
+ - '-?'
+ condition: selection_powershell or (selection_cmd and selection_cnd_help)
+level: medium
+falsepositives:
+ - Legitimate use of Pester for writing tests for Powershell scripts and modules
From 4bddfaac86a9987b43ee5a6123e0e15040b37bb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Wed, 7 Oct 2020 16:18:38 +0300
Subject: [PATCH 0093/1335] [OSCD] Powershell Script Installed as a Service Rule added
---
...powershell_script_installed_as_service.yml | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 rules/windows/builtin/win_powershell_script_installed_as_service.yml
diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
new file mode 100644
index 000000000..e300b5b9d
--- /dev/null
+++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
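Review bot: Two defects make this rule non-functional: `Image|endswith: '\poweshell.exe'` is missing the `r` in powershell, so `selection_powershell` can never match, and the condition references `selection_cnd_help`, which does not exist (the selection is named `selection_cmd_help`), so the rule fails to compile. The fixes are `Image|endswith: '\powershell.exe'` and `condition: selection_powershell or (selection_cmd and selection_cmd_help)`. The description's "Modulte" should be "Module". Mixing `|contains` with an inline `*` in `'Get-Help*;'` and `'Pester.bat*;'` relies on backend wildcard handling inside a modifier value; if the intent is only that both fragments occur, two plain `contains|all` values are more portable.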
@@ -0,0 +1,36 @@
+title: PowerShell Scripts Installed as Services
+id: 3f07b9d1-2082-4c56-9277-613a621983cc
+description: Detects powershell script installed as a Service
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tag:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+detection:
+ selection:
+ EventID: 1
+ ParentImage|endswith: '\services.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ selection2:
+ EventID:
+ - 7045
+ - 4697
+ ServiceFileName|contains:
+ - 'powershell'
+ - 'pwsh'
+ selection3:
+ EventID: 13
+ TargetObject: '*\Services\*\ImagePath'
+ Details|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: selection or selection2 or selection3
+falsepositives: Unknown
+level: high
\ No newline at end of file
From f66eedbb7421de92b2a42f5d4379198176589634 Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Wed, 7 Oct 2020 16:52:19 +0300
Subject: [PATCH 0094/1335] Create sysmon_abusing_debug_privilege.yml
---
.../sysmon/sysmon_abusing_debug_privilege.yml | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_abusing_debug_privilege.yml
diff --git a/rules/windows/sysmon/sysmon_abusing_debug_privilege.yml b/rules/windows/sysmon/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 000000000..9a21b0977
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_abusing_debug_privilege.yml
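Review bot: The single `logsource: product: windows` has no `service` or `category`, yet the three selections need four different sources — Sysmon process creation (EventID 1), the System log (7045), the Security log (4697) and Sysmon registry events (13) — so no backend mapping can route this rule to the right index and the Sysmon/Security event IDs collide. The same series already shows the fix for this shape in the tttracer rule: an `action: global` header document with the shared metadata and `condition: 1 of them`, followed by one document per logsource carrying its own selection. Independently, `tag:` should be `tags:`, `falsepositives: Unknown` should be a list, and the `id` is shared with three other new rules in this series and must be unique.
```yaml
action: global
# … unchanged: title, id, description, status, author, date, references, tags, falsepositives, level …
detection:
  condition: 1 of them
---
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\services.exe'
    CommandLine|contains:
      - 'powershell'
      - 'pwsh'
---
logsource:
  product: windows
  service: system
detection:
  selection2:
    EventID: 7045
    ServiceFileName|contains:
      - 'powershell'
      - 'pwsh'
# … further documents of the same shape: service: security with EventID 4697 and
#    ServiceFileName, and category: registry_event with the TargetObject/Details selection …
```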
@@ -0,0 +1,44 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+status: experimental
+description: Detection of unusual child processes by different system processes
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+date: 2020/10/07
+tags:
+ - attack.privilege_escalation
+author: 'oscd.community, Semanur Guneysu @semanurtg'
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage:
+ - '*\winlogon.exe'
+ - '*\services.ex'
+ - '*\lsass.exe'
+ - '*\csrss.exe'
+ - '*\smss.exe'
+ - '*\wininit.exe'
+ - '*\spoolsv.exe'
+ - '*\searchindexer.exe'
+ filter1:
+ Image:
+ - '*\powershell.exe'
+ - '*\cmd.exe'
+ filter2:
+ User: 'NT AUTHORITY\\SYSTEM'
+ filter3:
+ CommandLine:
+ - ' *route* '
+ - ' *ADD* '
+ condition: selection and filter1 and filter2 and filter3
+fields:
+ - ParentImage
+ - Image
+ - User
+ - CommandLine
+falsepositives:
+ - unknown
+level: high
From 6e8d9b9be2b522d3ae803bcdb4b435095fd0413d Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Wed, 7 Oct 2020 17:11:38 +0300
Subject: [PATCH 0095/1335] Migrated to the process_creation category.
---
.../sysmon_abusing_debug_privilege.yml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename rules/windows/{sysmon => process_creation}/sysmon_abusing_debug_privilege.yml (100%)
diff --git a/rules/windows/sysmon/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_abusing_debug_privilege.yml
rename to rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
From 8d09b5569977b26e419912bb101adf186f2008dd Mon Sep 17 00:00:00 2001
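Review bot: `'*\services.ex'` in the `ParentImage` list is missing the final `e`, so children of services.exe — one of the main parents the rule is about — are never matched; the later commits to this file in the series (category change, EventID removal) leave the typo in place. `filter3` values `' *route* '` and `' *ADD* '` are plain (non-`contains`) matches anchored by a leading and trailing space, and since a command line almost never starts with a space the selection is effectively never true; because the condition ANDs it in (`selection and filter1 and filter2 and filter3`), the whole rule is suppressed. If the intent is the whitespace-delimited words, `CommandLine|contains:` with `' route '` and `' ADD '` expresses it; naming ANDed selections `filter*` is also misleading, since elsewhere in the repository that prefix marks exclusions applied with `not`.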
From: Semanur Guneysu Date: Wed, 7 Oct 2020 17:25:32 +0300 Subject: [PATCH 0096/1335] Added category field --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 9a21b0977..e017dcd8e 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -11,6 +11,7 @@ author: 'oscd.community, Semanur Guneysu @semanurtg' logsource: product: windows service: sysmon + category: process_creation detection: selection: EventID: 1 From 173df7ff3bc497567fe8f3d60edf5e91388304e6 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Wed, 7 Oct 2020 17:31:28 +0300 Subject: [PATCH 0097/1335] Update sysmon_abusing_debug_privilege.yml --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index e017dcd8e..892226f30 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -10,7 +10,6 @@ tags: author: 'oscd.community, Semanur Guneysu @semanurtg' logsource: product: windows - service: sysmon category: process_creation detection: selection: From df51044c909d84a569964ca08b00e9ede3393b66 Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Wed, 7 Oct 2020 17:35:14 +0300 Subject: [PATCH 0098/1335] Rule collection implemented --- .../win_susp_winrm_AWL_bypass.yml | 30 ++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml index 18abf1bab..5ed592814 100644 
--- a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml +++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml @@ -1,3 +1,4 @@ +action: global title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl id: 074e0ded-6ced-4ebd-8b4d-53f55908119d description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) @@ -9,23 +10,38 @@ date: 2020/10/06 tags: - attack.defense_evasion - attack.t1216 +level: medium +falsepositives: + - Unlikely +--- logsource: category: process_creation product: windows detection: - selection_1: + contains_format_pretty_arg: CommandLine|contains: - 'format:pretty' - 'format:"pretty"' - 'format:"text"' - 'format:text' - filter: + image_from_system_folder: Image|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - selection_2: + contains_winrm: CommandLine|contains: 'winrm' - condition: selection_2 and selection_1 and not filter -level: medium -falsepositives: - - Unlikely + condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder) +--- +logsource: + product: windows + category: file_event +detection: + system_files: + TargetFilename|endswith: + - 'WsmPty.xsl' + - 'WsmTxt.xsl' + in_system_folder: + TargetFilename|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: system_files and not in_system_folder From 2d30379ab228c8a51e8915106ccd27d290a0cd99 Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Wed, 7 Oct 2020 10:47:40 -0400 Subject: [PATCH 0099/1335] Move to process_creation category --- .../win_non_priv_reg_or_ps.yml} | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) rename rules/windows/{sysmon/sysmon_non_priv_reg_or_ps.yml => process_creation/win_non_priv_reg_or_ps.yml} (83%) 
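Review bot: The new file_event document (`@@ -9,23 +10,38 @@`) alerts on any `WsmPty.xsl`/`WsmTxt.xsl` written outside `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, but Windows servicing appears to keep copies of system components under `C:\Windows\WinSxS\`, so cumulative updates or feature installs would likely trip `system_files and not in_system_folder` on every host; if that holds, adding `- 'C:\Windows\WinSxS\'` to `in_system_folder` (or noting it under `falsepositives`, which currently says "Unlikely") is needed before this goes beyond experimental. The drive-letter assumption in both `startswith` filters is raised on the original version of this rule earlier in the series and applies here unchanged.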
diff --git a/rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml similarity index 83% rename from rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml rename to rules/windows/process_creation/win_non_priv_reg_or_ps.yml index afeaf2e7d..9416dcd66 100644 --- a/rules/windows/sysmon/sysmon_non_priv_reg_or_ps.yml +++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml @@ -1,4 +1,4 @@ -title: Usage of reg or Powershell by Non-privileged Users +title: Non-privileged Usage of reg or Powershell id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry status: experimental @@ -10,11 +10,10 @@ tags: - attack.defense_evasion - attack.t1112 logsource: + category: process_creation product: windows - service: security detection: - process_creation: - EventID: 1 + integrity_level: IntegrityLevel: Medium reg: CommandLine|contains|all: @@ -36,7 +35,7 @@ detection: - ImagePath - FailureCommand - ServiceDLL - condition: process_creation and (reg or powershell) and registry_folder and registry_key + condition: integrity_level and (reg or powershell) and registry_folder and registry_key fields: - EventID - IntegrityLevel From 7b64ab552f94de507753860b6ff0268d4a656321 Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Wed, 7 Oct 2020 10:51:55 -0400 Subject: [PATCH 0100/1335] Capitalize Title --- rules/windows/process_creation/win_non_priv_reg_or_ps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml index 9416dcd66..49c647148 100644 --- a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml +++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml 
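Review bot: After the `@@ -10,11 +10,10 @@` hunk drops `EventID: 1` from the detection, the `fields:` list in the `@@ -36,7 +35,7 @@` hunk still leads with `- EventID`, which is now a leftover of the Sysmon-specific version; harmless, but worth removing so the output fields match what the rule actually keys on. The description context still reads "non-priveleged" — "non-privileged" — and since the title is being reworded in the same and the following commit it would be a good moment to fix it.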
@@ -1,4 +1,4 @@ -title: Non-privileged Usage of reg or Powershell +title: Non-privileged Usage of Reg or Powershell id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry status: experimental From 8696b3ba180e067a8133f40ccbb1f32250562fb5 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Wed, 7 Oct 2020 19:32:05 +0300 Subject: [PATCH 0101/1335] Update sysmon_abusing_debug_privilege.yml --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 892226f30..baba128c6 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -13,7 +13,6 @@ logsource: category: process_creation detection: selection: - EventID: 1 ParentImage: - '*\winlogon.exe' - '*\services.ex' From ece635b987c57c28a6f5d61eea27b384fbf84912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Wed, 7 Oct 2020 19:52:08 +0300 Subject: [PATCH 0102/1335] [OSCD] Powershell without powershell.exe Rule Added --- ...smon_powershell_without_powershell_exe.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml diff --git a/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml b/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml new file mode 100644 index 000000000..7bf41e22e --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml 
@@ -0,0 +1,34 @@ +title: PowerShell without PowerShell.exe +id: 3f07b9d1-2082-4c56-9277-613a621983cc +description: Detects loading Powershell packet by non-Powershell process +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tag: + - attack.defense_evasion +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + ImageLoaded|endswith: + - '\System.Management.Automation.dll' + - '\System.Management.Automation.ni.dll' + filter: + SourceImage|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' + - '\sqlps.exe' + - '\sdiagnhost.exe' + - '\wsmprovhost.exe' + - '\winrshost.exe' + - '\mscorsvw.exe' + - '\syncappvpublishingserver.exe' + - '\runscripthelper.exe' + - '\ServerManager.exe' + condition: selection and not filter +falsepositives: Legitimate Software +level: medium From 1c413bcf6d25cf68d55cc08c926e0eec1b5ebf13 Mon Sep 17 00:00:00 2001 From: Furkan CALISKAN Date: Wed, 7 Oct 2020 20:45:34 +0300 Subject: [PATCH 0103/1335] Fixed status --- rules/windows/process_creation/win_susp_findstr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml index 6bfa56331..00b5e1813 100644 --- a/rules/windows/process_creation/win_susp_findstr.yml +++ b/rules/windows/process_creation/win_susp_findstr.yml @@ -2,7 +2,7 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' -status: test +status: experimental date: 2020/10/05 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml From b568e14b035f4f9e5351b997fc7a83450f3f778e Mon Sep 17 00:00:00 2001 
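Review bot: The metadata key is written as `tag:` while the Sigma schema and every other rule in this series use `tags:`, so the ATT&CK tag will be dropped by the rule tests and converters; rename it to `tags:`. `falsepositives: Legitimate Software` is a scalar where the schema expects a list (`falsepositives:` followed by `  - Legitimate Software`). The sibling rules added in this batch use `category: image_load` rather than `service: sysmon` plus `EventID: 7`; the generic category lets backends map the event without hard-coding Sysmon.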
From: uchakin <50711155+400notOK@users.noreply.github.com> Date: Wed, 7 Oct 2020 22:06:16 +0300 Subject: [PATCH 0104/1335] Add 3 rules --- .../image_load/sysmon_uac_bypass_via_dism.yml | 28 +++++++++++++++++ ...ndocumented_autoelevated_com_interface.yml | 29 ++++++++++++++++++ .../sysmon_bypass_via_wsreset.yml | 30 +++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 rules/windows/image_load/sysmon_uac_bypass_via_dism.yml create mode 100644 rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml create mode 100644 rules/windows/registry_event/sysmon_bypass_via_wsreset.yml diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml new file mode 100644 index 000000000..267be4008 --- /dev/null +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -0,0 +1,28 @@ +title: UAC bypass with fake dll +id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03 +status: experimental +description: Attempts to load dismcore.dll after dropping it. +references: + - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility +tags: + - attack.persistence + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - attack.t1574.002 +author: oscd.community, Dmitry Uchakin +date: 2020/10/06 +logsource: + category: image_load + product: windows +detection: + selection: + Image: + - '\dism.exe' + ImageLoaded: + - '\dismcore.dll' + condition: selection +falsepositives: + - Pentests + - Actions of a legitimate telnet client +level: high \ No newline at end of file diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml new file mode 100644 index 000000000..72af4ad88 --- /dev/null +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml 
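Review bot: `Image: - '\dism.exe'` and `ImageLoaded: - '\dismcore.dll'` are exact-match values with no wildcard or modifier, so they can never equal a full path such as `C:\Windows\System32\Dism.exe` and the rule will not fire; use `Image|endswith: '\dism.exe'` and `ImageLoaded|endswith: '\dismcore.dll'`. Because dism.exe legitimately loads its own dismcore.dll from the Windows directory, the description ("after dropping it") implies a filter excluding that location is needed to justify `level: high` — confirm the legitimate path before adding it. The false-positive entry "Actions of a legitimate telnet client" does not appear to relate to this rule.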
@@ -0,0 +1,29 @@ +title: load undocumented autoelevated com interface +id: fb3722e4-1a06-46b6-b772-253e2e7db933 +status: experimental +description: COM interface (EditionUpgradeManager) that is not used by standard executables. +references: + - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ + - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +author: oscd.community, Dmitry Uchakin +date: 2020/10/07 +logsource: + category: process_access + product: windows +detection: + selection: + CallTrace: '*editionupgrademanagerobj.dll*' + condition: selection +fields: + - ComputerName + - User + - SourceImage + - TargetImage + - CallTrace +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml new file mode 100644 index 000000000..1038b255f --- /dev/null +++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml 
@@ -0,0 +1,30 @@ +title: UAC bypass via wsreset +id: 6ea3bf32-9680-422d-9f50-e90716b12a66 +status: experimental +description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. +references: + - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset + +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +author: oscd.community, Dmitry Uchakin +date: 2020/10/07 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: + - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + condition: selection +fields: + - ComputerName + - Image + - EventType + - TargetObject +falsepositives: + - unknown +level: high \ No newline at end of file From 7b29e3a35f910a01648e6d54c89461d28ea042bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:20:17 +0300 Subject: [PATCH 0105/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 528c78828..f4e5f724b 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml 
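Review bot: `TargetObject|endswith: '\...\Shell\open\command'` only matches an event whose TargetObject ends at the key; if `registry_event` maps to Sysmon 12/13, a value write (Event 13) appends the value name (`...\command\(Default)`, `...\command\DelegateExecute`), which is exactly what the referenced TrickBot bypass writes, so the rule would miss the interesting event and catch only key creation. Use `TargetObject|contains: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'` instead. The description's "binary file contained in a low-privilege registry" would be clearer as "a command stored under an HKCU key the low-privilege user can write".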
@@ -3,18 +3,20 @@ id: 78a80655-a51e-4669-bc6b-e9d206a462ee description: Detects installed new certificate references: - https://attack.mitre.org/techniques/T1553/004/ -author: Ömer Günal +author: Ömer Günal, oscd.community date: 2020/10/05 tags: - attack.defense_evasion + - attack.t1553.004 level: low logsource: product: linux detection: - keyword: - - 'mv * /usr/local/share/ca-certificates' - keyword2: - - '*update-ca-certificates*' - condition: keyword and keyword2 + keywords: + - keys|contains|all: + - 'mv ' + - '/usr/local/share/ca-certificates' + - 'update-ca-certificates' + condition: keywords falsepositives: - Legitimate administration activities From bdabb144837af2e6f9687370f8e8b6fa739bccae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:22:31 +0300 Subject: [PATCH 0106/1335] Update at_command.yml --- rules/linux/at_command.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml index e2043af6b..2693a0272 100644 --- a/rules/linux/at_command.yml +++ b/rules/linux/at_command.yml @@ -2,7 +2,7 @@ title: Scheduled Task/Job At id: d2d642d7-b393-43fe-bae4-e81ed5915c4b status: stable description: Detects the use of at/atd -author: Ömer Günal +author: Ömer Günal, oscd.community date: 2020/10/06 references: - https://attack.mitre.org/techniques/T1053/001/ @@ -10,10 +10,10 @@ logsource: product: linux detection: keywords: - - at|contains: - - '* at *' - - atd|contains: - - '* atd *' + - keys|contains: + - ' at ' + - keys2|contains: + - ' atd ' - enumeration|contains: - 'which atd' - 'which at' @@ -25,3 +25,4 @@ falsepositives: level: low tags: - attack.persistence + - attack.t1053.001 From d328f9250360ed8e2100553b5ec1bfb72ebd9c02 Mon Sep 17 00:00:00 2001 
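Review bot: The new `keys|contains|all` requires `mv `, `/usr/local/share/ca-certificates` and `update-ca-certificates` to appear in the same log event; with auditd or shell-history sources each command is normally its own event, so a rule that needs the copy and the refresh on one line will rarely, if ever, fire (the previous `keyword and keyword2` had the same weakness). Consider two OR'ed selections — `mv`/`cp` together with the ca-certificates path, and `update-ca-certificates` on its own — and accept the low level as the noise budget. RHEL-family hosts use `/etc/pki/ca-trust/source/anchors` and `update-ca-trust`, which this rule does not cover.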
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:23:48 +0300 Subject: [PATCH 0107/1335] Update at_command.yml --- rules/linux/at_command.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml index 2693a0272..3f0316c56 100644 --- a/rules/linux/at_command.yml +++ b/rules/linux/at_command.yml @@ -9,17 +9,15 @@ references: logsource: product: linux detection: - keywords: - - keys|contains: + selection: + CommandLine|contains: - ' at ' - - keys2|contains: - ' atd ' - - enumeration|contains: - 'which atd' - 'which at' - 'systemctl status atd' - 'service atd status ' - condition: keywords + condition: selection falsepositives: - Legitimate administration activities level: low From d44ef84b553ba4240cc51eb8990c95a7c00a0e43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:26:02 +0300 Subject: [PATCH 0108/1335] Update lnx_process_discovery.yml --- rules/linux/lnx_process_discovery.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index d9cb82b79..850c97dae 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -2,7 +2,7 @@ title: Process Discovery id: 4e2f5868-08d4-413d-899f-dc2f1508627b status: stable description: Detects process discovery commands -author: Ömer Günal +author: Ömer Günal, oscd.community date: 2020/10/06 references: - https://attack.mitre.org/techniques/T1057/ @@ -11,7 +11,7 @@ logsource: detection: keywords: - commands|contains: - - 'ps *' + - 'ps ' - 'top' condition: keywords falsepositives: @@ -19,3 +19,4 @@ falsepositives: level: low tags: - attack.discovery + - attack.t1057 From 18821d2255a1aa1b9afae3216795c54444c165cd Mon Sep 17 00:00:00 2001 
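Review bot: `CommandLine|contains: ' at '` and `' atd '` match any command line containing those words (`echo look at this`), which makes the `status: stable` / `level: low` combination a noisy one; anchoring on the binary, e.g. `Image|endswith: - '/at' - '/atd'` where the source provides Image, or `CommandLine|startswith: 'at '`, would be tighter. `CommandLine` under `product: linux` with no category or service also gives a backend no field mapping to apply; the other Linux rules in this series use keyword matching, so this one may need `category: process_creation` — confirm the repository's Linux config defines it.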
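Review bot: The `'top'` entry in the `commands|contains` list is a bare substring and will match `systemctl stop`, `/Desktop/`, `laptop` and similar in command lines that have nothing to do with process discovery, and the new `'ps '` matches `https `, `apps ` and `.ps `; paired with `status: stable` this will produce a steady stream of low-value hits. Prefer the common invocation forms (`'ps aux'`, `'ps -'`, `'top -'`) or a start-of-command anchor where the source allows, and keep a new rule at `status: experimental` until it has been run against real data.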
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:27:06 +0300 Subject: [PATCH 0109/1335] Create lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/linux/lnx_clear_logs.yml diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml new file mode 100644 index 000000000..d914293bb --- /dev/null +++ b/rules/linux/lnx_clear_logs.yml @@ -0,0 +1,24 @@ +title: Clear Linux Logs +id: 80915f59-9b56-4616-9de0-fd0dea6c12fe +status: stable +description: Detects clear logs +author: Ömer Günal, oscd.community +date: 2020/10/07 +references: + - https://attack.mitre.org/techniques/T1070/002/ +logsource: + product: linux +detection: + keywords: + - Commands|contains: + - 'rm * /var/log*' + - 'shred -u /var/log*' + - 'echo * > /var/log*' + - 'rmdir * /var/log*' + condition: keywords +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1070.002 From a73dbd0a5daed1fbdaa26b6dc6baff0a99ccf413 Mon Sep 17 00:00:00 2001 From: uchakin <50711155+400notOK@users.noreply.github.com> Date: Wed, 7 Oct 2020 22:27:48 +0300 Subject: [PATCH 0110/1335] Fix titles --- rules/windows/image_load/sysmon_uac_bypass_via_dism.yml | 2 +- .../sysmon_load_undocumented_autoelevated_com_interface.yml | 2 +- rules/windows/registry_event/sysmon_bypass_via_wsreset.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml index 267be4008..08c909af2 100644 --- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -1,4 +1,4 @@ -title: UAC bypass with fake dll +title: UAC Bypass With Fake DLL id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03 status: experimental description: Attempts to load dismcore.dll after dropping it. 
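Review bot: `'rm * /var/log*'` under `Commands|contains` expands to `rm `, anything, then a space followed by `/var/log`, so a plain `rm /var/log/auth.log` does not match because nothing sits between `rm ` and `/var/log`; only flagged forms such as `rm -rf /var/log/...` are caught, and `'rmdir * /var/log*'` has the same gap. Writing them as `'rm */var/log'` and `'rmdir */var/log'` covers both, since `*` also matches the empty string. Other common clearing idioms — `> /var/log/...`, `truncate -s 0 /var/log/...`, `cat /dev/null > /var/log/...` — are not covered, and a freshly written rule would normally start as `status: experimental` rather than `stable`.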
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 72af4ad88..6ecb4f6f1 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -1,4 +1,4 @@ -title: load undocumented autoelevated com interface +title: Load Undocumented Autoelevated COM Interface id: fb3722e4-1a06-46b6-b772-253e2e7db933 status: experimental description: COM interface (EditionUpgradeManager) that is not used by standard executables. diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml index 1038b255f..8ac1fdd55 100644 --- a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml +++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml @@ -1,4 +1,4 @@ -title: UAC bypass via wsreset +title: UAC Bypass Via Wsreset id: 6ea3bf32-9680-422d-9f50-e90716b12a66 status: experimental description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. From f00e79d12312f40fed3d65d91dc9552b0db65652 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 7 Oct 2020 22:28:37 +0300 Subject: [PATCH 0111/1335] Create lnx_file_deletion.yml --- rules/linux/lnx_file_deletion.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/lnx_file_deletion.yml diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml new file mode 100644 index 000000000..9ab0804dd --- /dev/null +++ b/rules/linux/lnx_file_deletion.yml 
@@ -0,0 +1,26 @@ +title: File Deletion +id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 +status: stable +description: Detects file deletion commands +author: Ömer Günal, oscd.community +date: 2020/10/07 +references: + - https://attack.mitre.org/techniques/T1070/004/ +logsource: + product: linux +detection: + keywords: + - Commands|contains: + - 'rm ' + - 'shred -u' + - 'rmdir' + - 'unlink' + - 'busybox rm -f *' + - 'find * -delete' + condition: keywords +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.defense_evasion + - attack.t1070.004 From aea3c13d01d37ece4e599ae61f30f2fa2b06c642 Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Wed, 7 Oct 2020 15:33:26 -0400 Subject: [PATCH 0112/1335] Initial commit Other parameters besides \query may also be useful for credential dumping. This should be researched. --- .../windows/process_creation/win_nltest_query | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_nltest_query diff --git a/rules/windows/process_creation/win_nltest_query b/rules/windows/process_creation/win_nltest_query new file mode 100644 index 000000000..5d61c1811 --- /dev/null +++ b/rules/windows/process_creation/win_nltest_query @@ -0,0 +1,25 @@ +title: Nltest Credential Hash Theft +description: Detects nltest query commands which may leak credential hashes +references: + - https://twitter.com/sysopfb/status/986799053668139009 +date: 2018/04/18 +modified: 2020/10/06 +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Craig Young +logsource: + category: process_creation + product: windows +detection: + selection_1: + CommandLine|contains: + - nltest + selection_2: + CommandLine|contains: + - \query + condition: selection_1 and selection_2 +falsepositives: + - Legitimate administration +level: medium From 127bc075b022cc063f7ebe2c155906bf7ab177ae Mon Sep 17 00:00:00 2001 
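Review bot: `'rm '`, `'rmdir'` and `'unlink'` are bare substrings: `'rm '` also hits `xterm `, `confirm `, `perm ` and any argument ending in `rm`, and `'unlink'` hits paths and option names, so on a busy host this rule will fire constantly while `status: stable` claims it has been validated. Start it as `status: experimental` and anchor the binary (`Image|endswith: '/rm'` where the source provides Image) or require a start-of-command match. The trailing `*` in `'busybox rm -f *'` is redundant under `contains`.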
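Review bot: The selection keys on `\query` with a backslash; nltest's documented switches use a forward slash (`nltest /dclist:`, `/query`), so the rule misses the usual spelling unless the referenced tweet relies specifically on the backslash form — worth checking and, if both are meant, listing `/query` too. `selection_1` (`CommandLine|contains: nltest`) also matches any command line that merely mentions nltest; `Image|endswith: '\nltest.exe'` or a single `CommandLine|contains|all` selection would be tighter and removes the need for two selections in the condition.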
From: esebese Date: Wed, 7 Oct 2020 22:49:12 +0300 Subject: [PATCH 0113/1335] [OSCD] win_class_exec_xwizard.yml added --- .../win_class_exec_xwizard.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_class_exec_xwizard.yml diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml new file mode 100644 index 000000000..6ff7c50cf --- /dev/null +++ b/rules/windows/process_creation/win_class_exec_xwizard.yml @@ -0,0 +1,22 @@ +title: Custom Class Execution via Xwizard +id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff +status: experimental +description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ +author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +date: 2020/10/07 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\xwizard.exe' + CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file From a0dfde8478fabf7164518b477ffe01e99ce3154c Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Wed, 7 Oct 2020 16:01:53 -0400 Subject: [PATCH 0114/1335] Added UUID --- rules/windows/process_creation/win_nltest_query | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_nltest_query b/rules/windows/process_creation/win_nltest_query index 5d61c1811..16b1e81f9 100644 --- a/rules/windows/process_creation/win_nltest_query +++ b/rules/windows/process_creation/win_nltest_query 
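Review bot: The `CommandLine|re` pattern starts with a bare `{` and ends with a bare `}`; Python's `re` treats them literally, but Java-style engines behind some backends reject a `{` that does not form a quantifier as an illegal repetition, so the converted query can fail to compile. Escape the outer braces: `CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'`. The file also lacks a trailing newline, which the repository's tests tend to flag.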
@@ -1,4 +1,5 @@ title: Nltest Credential Hash Theft +id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 description: Detects nltest query commands which may leak credential hashes references: - https://twitter.com/sysopfb/status/986799053668139009 From deb8db8599bf702e7ae4efa13b75e39a0ff9398c Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Wed, 7 Oct 2020 16:05:58 -0400 Subject: [PATCH 0115/1335] Adding extension Woops --- .../process_creation/{win_nltest_query => win_nltest_query.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_nltest_query => win_nltest_query.yml} (100%) diff --git a/rules/windows/process_creation/win_nltest_query b/rules/windows/process_creation/win_nltest_query.yml similarity index 100% rename from rules/windows/process_creation/win_nltest_query rename to rules/windows/process_creation/win_nltest_query.yml From 357d4bd895fbfc9dc66e9c05e9a8aea6a9049d93 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Wed, 7 Oct 2020 23:34:03 +0300 Subject: [PATCH 0116/1335] Update sysmon_abusing_debug_privilege.yml --- .../process_creation/sysmon_abusing_debug_privilege.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index baba128c6..d2b895b73 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -22,13 +22,13 @@ detection: - '*\wininit.exe' - '*\spoolsv.exe' - '*\searchindexer.exe' - filter1: + filter1: Image: - '*\powershell.exe' - '*\cmd.exe' - filter2: + filter2: User: 'NT AUTHORITY\\SYSTEM' - filter3: + filter3: CommandLine: - ' *route* ' - ' *ADD* ' From 2cea3800de5abd1f5c3d79555423d33622fd8bb5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Thu, 8 Oct 2020 00:14:40 +0300 Subject: [PATCH 0117/1335] Create lnx_password_policy_discovery.yml --- rules/linux/lnx_password_policy_discovery.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/linux/lnx_password_policy_discovery.yml diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml new file mode 100644 index 000000000..559269901 --- /dev/null +++ b/rules/linux/lnx_password_policy_discovery.yml @@ -0,0 +1,25 @@ +title: Password Policy Discovery +id: ca94a6db-8106-4737-9ed2-3e3bb826af0a +status: stable +description: Detects password policy discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/08 +references: + - https://attack.mitre.org/techniques/T1201/ +logsource: + product: linux +detection: + selection: + CommandLine|contains: + - '/etc/pam.d/common-password' + - '/etc/security/pwquality.conf' + - '/etc/pam.d/system-auth' + - '/etc/security/pwquality.conf' + - '/etc/login.defs' + condition: selection +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1201 From e6588c08f43adb14ece0bc414d7d670476f22995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Thu, 8 Oct 2020 00:15:46 +0300 Subject: [PATCH 0118/1335] Create lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 26 +++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/lnx_system_info_discovery.yml diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml new file mode 100644 index 000000000..69be33b13 --- /dev/null +++ b/rules/linux/lnx_system_info_discovery.yml 
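Review bot: `CommandLine|contains` is used with only `product: linux` and no category or service, so nothing tells a backend which event and field `CommandLine` maps to; the sibling Linux rules in this series use `keywords`, so either add `category: process_creation` (if the repository's Linux config defines it) or switch to keyword matching. A rule created today should start at `status: experimental` rather than `stable`; reading `/etc/login.defs` and the pam.d files is routine for configuration-management agents, which the false-positive entry should mention.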
@@ -0,0 +1,26 @@ +title: System Information Discovery +id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 +status: stable +description: Detects system information discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/08 +references: + - https://attack.mitre.org/techniques/T1082/ +logsource: + product: linux +detection: + selection: + CommandLine|contains: + - 'uname' + - '/proc/version' + - '/etc/*-release' + - 'hostname' + - '/etc/issue' + - 'uptime' + condition: selection +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1082 From eac5ac9fc158eb20d8163358606e22a393ac24f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Thu, 8 Oct 2020 00:18:38 +0300 Subject: [PATCH 0119/1335] removed duplicate filter --- rules/linux/lnx_password_policy_discovery.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml index 559269901..47987dd39 100644 --- a/rules/linux/lnx_password_policy_discovery.yml +++ b/rules/linux/lnx_password_policy_discovery.yml @@ -14,7 +14,6 @@ detection: - '/etc/pam.d/common-password' - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - - '/etc/security/pwquality.conf' - '/etc/login.defs' condition: selection falsepositives: From 15bd7dcd3ba5c4e227afca89936247b24aed84a8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 7 Oct 2020 18:26:04 -0300 Subject: [PATCH 0120/1335] Revert "Changed the rule to download only and not the copy" This reverts commit 1324bc1ad14e1caa1a9ca0d6873de20b44a6baee. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index 9dbdb1e21..d530fec79 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml 
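Review bot: `'uname'` and `'hostname'` under `CommandLine|contains` match any argument containing those words (`--hostname=`, `/etc/hostname`, `hostnamectl`), and monitoring agents on most Linux fleets run `uname`, `hostname` and `uptime` every minute, so this will be among the noisiest rules in the repository; `status: stable` overstates its maturity. Start at `status: experimental`, anchor with `|startswith` where the source allows, and consider pairing the discovery commands with an unusual parent (a web server, a shell spawned from a service) rather than alerting on them alone.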
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Download operations using Replace.exe. +description: Detect Copy and Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace @@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains|all: + CommandLine|contains: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary to download files from a share + - Legitimate use of the binary level: low From 109b1ea9cf1cc12361628c82b4f0afaf994b6a70 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 7 Oct 2020 18:26:11 -0300 Subject: [PATCH 0121/1335] Revert "Create win_susp_replace_lolbin.yml" This reverts commit e6a65496768a460d32de0b7d9742ce969fb4ea5d. --- .../win_susp_replace_lolbin.yml | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml deleted file mode 100644 index d530fec79..000000000 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Ingress Tool Transfer Using Replace.exe -id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. -status: experimental -references: - - https://lolbas-project.github.io/lolbas/Binaries/Replace -author: Jonhnathan Ribeiro, oscd.community -date: 2020/10/07 -tags: - - attack.command_and_control - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\replace.exe' - CommandLine|contains: - - "\\\\\\\\" - - "/A" - condition: selection -falsepositives: - - Legitimate use of the binary -level: low From 8d94e993ab88deb4609865284b1e539eff85bbb1 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 7 Oct 2020 18:27:25 -0300 Subject: [PATCH 0122/1335] Update win_susp_rundll32_activity.yml --- .../win_susp_rundll32_activity.yml | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml index 5e810d444..e5434e1e2 100644 --- a/rules/windows/process_creation/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml 
@@ -11,27 +11,33 @@ tags: - attack.execution # an old one - attack.t1218.011 - attack.t1085 # an old one -author: juju4 +author: juju4, Jonhnathan Ribeiro, oscd.community date: 2019/01/16 logsource: category: process_creation product: windows detection: selection: - CommandLine: - - '*\rundll32.exe* url.dll,*OpenURL *' - - '*\rundll32.exe* url.dll,*OpenURLA *' - - '*\rundll32.exe* url.dll,*FileProtocolHandler *' - - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' - - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' - - '*\rundll32.exe javascript:*' - - '* url.dll,*OpenURL *' - - '* url.dll,*OpenURLA *' - - '* url.dll,*FileProtocolHandler *' - - '* zipfldr.dll,*RouteTheCall *' - - '* Shell32.dll,*Control_RunDLL *' - - '* javascript:*' - - '*.RegisterXLL*' + CommandLine|contains: + - 'url.dll,*OpenURL' + - 'url.dll,*OpenURLA' + - 'url.dll,*FileProtocolHandler' + - 'zipfldr.dll,*RouteTheCall' + - 'shell32.dll,*Control_RunDLL' + - 'shell32.dll,*ShellExec_RunDLL' + - 'javascript:' + - '.RegisterXLL' + - 'mshtml.dll,*PrintHTML' + - 'advpack.dll,*LaunchINFSection' + - 'advpack.dll,*RegisterOCX' + - 'ieadvpack.dll,*LaunchINFSection' + - 'ieadvpack.dll,*RegisterOCX' + - 'ieframe.dll,*OpenURL' + - 'shdocvw.dll,*OpenURL' + - 'syssetup.dll,*SetupInfObjectInstallAction' + - 'setupapi.dll,*InstallHinfSection' + - 'pcwutl.dll,*LaunchApplication' + - 'dfshim.dll,*ShOpenVerbApplication' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From cde0020d309c332db1799a848eb5fb9f3676cbb7 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:09:15 -0500 Subject: [PATCH 0123/1335] T1016 detection rules --- rules/linux/lnx_firewall_enumeration.yml | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/linux/lnx_firewall_enumeration.yml 
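Review bot: The rewritten selection drops every `\rundll32.exe` anchor, so the rule now fires on any process whose command line contains `javascript:` or `.RegisterXLL` (browsers, mshta, Office loading add-ins), not just rundll32; the old list at least carried rundll32-prefixed variants alongside the loose ones. If the loose match is deliberate to catch a renamed rundll32, say so in the description and anchor on `OriginalFileName: 'RUNDLL32.EXE'`; otherwise add `Image|endswith: '\rundll32.exe'` to the selection. `shell32.dll,*Control_RunDLL` is also how Control Panel applets are opened legitimately, so that entry will dominate the hits and deserves its own false-positive note.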
diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_firewall_enumeration.yml new file mode 100644 index 000000000..7bb4edf32 --- /dev/null +++ b/rules/linux/lnx_firewall_enumeration.yml @@ -0,0 +1,30 @@ +title: System Network Discovery - Firewall Enumeration +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md + - https://attack.mitre.org/techniques/T1016 +logsource: + product: unix +detection: + keywords: + # Linux Only + - 'arp -a' + - 'ip' + - 'ss' + # macOS and Linux + - 'netstat' + - 'ifconfig' + # macOS only + - 'defaults read /Library/Preferences/com.apple.alf' + - 'socketfilterfw' + condition: keywords +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.discovery + - attack.t1016 \ No newline at end of file From 4486c3ffc9093efbea63500a52eee3d3dfe15055 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:11:05 -0500 Subject: [PATCH 0124/1335] adding new line at end of file --- rules/linux/lnx_firewall_enumeration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_firewall_enumeration.yml index 7bb4edf32..5b503e858 100644 --- a/rules/linux/lnx_firewall_enumeration.yml +++ b/rules/linux/lnx_firewall_enumeration.yml @@ -27,4 +27,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1016 \ No newline at end of file + - attack.t1016 From 83ed39f95c4f03c263fcd5be90b13209e6567a46 Mon Sep 17 00:00:00 2001 
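Review bot: `'ip'` and `'ss'` as bare keywords match almost every log line (`ssh`, `skip`, `password`, `description`), so the rule is unusable as written; use the invocation forms the referenced atomic test runs (`'ip route'`, `'ip addr'`, `'ss -'`, or an anchored `' ss '`) rather than the two-letter binary names. The false-positive entry about redirecting echo output to a path containing `cron` is copied from another rule and does not apply here. `product: unix` is not a product the neighbouring rules use (`linux`, `macos`), so backend configs keyed on product may never pick this rule up — confirm against the repository's config files; the title also says firewall enumeration while most keywords are general network-configuration commands.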
From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:25:54 -0500 Subject: [PATCH 0125/1335] adding UID, renaming --- ...all_enumeration.yml => lnx_system_net_disc_firewall_enum.yml} | 1 + 1 file changed, 1 insertion(+) rename rules/linux/{lnx_firewall_enumeration.yml => lnx_system_net_disc_firewall_enum.yml} (92%) diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml similarity index 92% rename from rules/linux/lnx_firewall_enumeration.yml rename to rules/linux/lnx_system_net_disc_firewall_enum.yml index 5b503e858..268215542 100644 --- a/rules/linux/lnx_firewall_enumeration.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,5 +1,6 @@ title: System Network Discovery - Firewall Enumeration status: experimental +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c description: Detects enumeration of firewall configuration author: remotephone, oscd.community date: 2020/10/06 From ff2ba5f876a135e38db4e4300f060afc249d95c1 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:43:38 -0500 Subject: [PATCH 0126/1335] double checking new line characters --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 268215542..83057d004 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,4 +1,4 @@ -title: System Network Discovery - Firewall Enumeration +title: System Network Discovery Firewall Enumeration status: experimental id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c description: Detects enumeration of firewall configuration From 9802704a2b9f2b6e3ee539b9462e8ee4a354e818 Mon Sep 17 00:00:00 2001 
From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:54:31 -0500 Subject: [PATCH 0127/1335] not sure why i'm failing the tests on a line I didn't change. copying format from another file --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 83057d004..da346706e 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,6 +1,6 @@ title: System Network Discovery Firewall Enumeration -status: experimental id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental description: Detects enumeration of firewall configuration author: remotephone, oscd.community date: 2020/10/06 From e967cce211090e48d8eab02d65a9a3d723a4eea2 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 23:02:03 -0500 Subject: [PATCH 0128/1335] change new lines to LF instead of CLRF --- .../lnx_system_net_disc_firewall_enum.yml | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index da346706e..f148f5db7 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml 
@@ -1,31 +1,31 @@
-title: System Network Discovery Firewall Enumeration
-id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
-status: experimental
-description: Detects enumeration of firewall configuration
-author: remotephone, oscd.community
-date: 2020/10/06
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- - https://attack.mitre.org/techniques/T1016
-logsource:
- product: unix
-detection:
- keywords:
- # Linux Only
- - 'arp -a'
- - 'ip'
- - 'ss'
- # macOS and Linux
- - 'netstat'
- - 'ifconfig'
- # macOS only
- - 'defaults read /Library/Preferences/com.apple.alf'
- - 'socketfilterfw'
- condition: keywords
-falsepositives:
- - Legitimate administration activities
- - Redirecting output of echo command to a path that contains the word "cron"
-level: low
-tags:
- - attack.discovery
- - attack.t1016
+title: System Network Discovery - Firewall Enumeration
+id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
+status: experimental
+description: Detects enumeration of firewall configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+ - https://attack.mitre.org/techniques/T1016
+logsource:
+ product: unix
+detection:
+ keywords:
+ # Linux Only
+ - 'arp -a'
+ - 'ip'
+ - 'ss'
+ # macOS and Linux
+ - 'netstat'
+ - 'ifconfig'
+ # macOS only
+ - 'defaults read /Library/Preferences/com.apple.alf'
+ - 'socketfilterfw'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+ - Redirecting output of echo command to a path that contains the word "cron"
+level: low
+tags:
+ - attack.discovery
+ - attack.t1016
From aba6cd26cac000da3384d5806a4ff84419bfd2a4 Mon Sep 17 00:00:00 2001
From: Yuliya Fomina
Date: Thu, 8 Oct 2020 10:01:41 +0300
Subject: [PATCH 0129/1335] Delete regex
---
 .../windows/process_creation/win_susp_pester.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
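Review bot: This is not a pure line-ending change: the new side restores the ` - ` separator in `+title: System Network Discovery - Firewall Enumeration` that PATCH 0126 had removed, so the commit message understates what the hunk does. The rewritten keyword list also keeps `'ip'` and `'ss'`, two-letter substrings that a keyword search will find in almost any command line, which makes a rule billed as "firewall enumeration" fire on nearly everything; longer, command-specific strings would keep it usable even at `level: low`. The false-positive entry about redirecting `echo` output to a path containing "cron" appears to be carried over from the cron rule and does not describe this detection, so it should be replaced with one that does.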
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
index 2b9c1fd0d..fdd62c2b1 100644
--- a/rules/windows/process_creation/win_susp_pester.yml
+++ b/rules/windows/process_creation/win_susp_pester.yml
@@ -5,7 +5,7 @@ status: experimental
 references:
 - https://twitter.com/Oddvarmoe/status/993383596244258816
 author: Julia Fomina, oscd.community
-date: 2020/10/07
+date: 2020/10/08
 tags:
 - attack.defense_evasion
 - attack.t1216
@@ -13,20 +13,22 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_powershell:
+ powershell_module:
 Image|endswith: '\poweshell.exe'
 CommandLine|contains|all:
 - 'Pester'
- - 'Get-Help*;'
- selection_cmd:
+ - 'Get-Help'
+ cmd_execution:
 Image|endswith: '\cmd.exe'
- CommandLine|contains: 'Pester.bat*;'
- selection_cmd_help:
+ CommandLine|contains|all:
+ - 'Pester.bat'
+ - ';'
+ get_help:
 CommandLine|contains:
 - '/help'
 - '/?'
 - '-?'
- condition: selection_powershell or (selection_cmd and selection_cnd_help)
+ condition: powershell_module or (cmd_execution and get_help)
 level: medium
 falsepositives:
 - Legitimate use of Pester for writing tests for Powershell scripts and modules
From 785f7e32e3a403c9d8bb50b0585b4edf18ba9431 Mon Sep 17 00:00:00 2001
From: Yuliya Fomina
Date: Thu, 8 Oct 2020 10:13:20 +0300
Subject: [PATCH 0130/1335] typo, - script extention
---
 rules/windows/process_creation/win_susp_pester.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
index fdd62c2b1..5e943c3f4 100644
--- a/rules/windows/process_creation/win_susp_pester.yml
+++ b/rules/windows/process_creation/win_susp_pester.yml
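Review bot: `powershell_module` keys on a single image name (`Image|endswith: '\poweshell.exe'`, spelling corrected in the next commit), so the same Pester abuse launched through PowerShell Core is not covered; a list of both `'\powershell.exe'` and `'\pwsh.exe'` would close that gap. In `cmd_execution`, the `';'` term is satisfied by any batch invocation that chains commands, so the selection effectively reduces to "cmd.exe with Pester.bat on the command line"; if the separator is what makes the pattern suspicious, say so in the description so the next maintainer does not drop it as noise. The renamed selections and the corrected `condition` are a clear improvement over the `selection_cnd_help` typo they replace.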
@@ -14,14 +14,14 @@ logsource:
 product: windows
 detection:
 powershell_module:
- Image|endswith: '\poweshell.exe'
+ Image|endswith: '\powershell.exe'
 CommandLine|contains|all:
 - 'Pester'
 - 'Get-Help'
 cmd_execution:
 Image|endswith: '\cmd.exe'
 CommandLine|contains|all:
- - 'Pester.bat'
+ - 'pester'
 - ';'
 get_help:
 CommandLine|contains:
From a38c0218765a89f5d18eadd49639c72a5d25d944 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 13:24:59 +0300
Subject: [PATCH 0131/1335] Created rule win_susp_presentationhost_execution.yml
---
 .../win_susp_presentationhost_execution.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_presentationhost_execution.yml
diff --git a/rules/windows/process_creation/win_susp_presentationhost_execution.yml b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
new file mode 100644
index 000000000..f8cd768b0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
@@ -0,0 +1,25 @@
+title: Application Whitelisting Bypass via PresentationHost.exe
+id: d149a338-ae47-408e-a8ff-9064220c0b34
+description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
+ - https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
+ - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\presentationhost.exe'
+ CommandLine|contains: '.xbap'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
From 1581be1ec2f5f35a14372f3213dd2c726e12375c Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:00:43 +0300
Subject: [PATCH 0132/1335] Created rule win_susp_sqldumper_activity.yml
---
 .../win_susp_sqldumper_activity.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 000000000..50d90f94b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,30 @@
+title: Dumping process via sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+analysis:
+ recommendation: Check if the user is compromised and watch for further suspicious activity
+level: medium
From c5605ae8b60cd7f27db9703756237e5893f6cc79 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 8 Oct 2020 13:15:02 +0200
Subject: [PATCH 0133/1335] Scheduled Cron Task/Job sigma rule
---
 rules/linux/unix_schedule_task_job_cron.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/linux/unix_schedule_task_job_cron.yml
diff --git a/rules/linux/unix_schedule_task_job_cron.yml b/rules/linux/unix_schedule_task_job_cron.yml
new file mode 100644
index 000000000..8bd297f77
--- /dev/null
+++ b/rules/linux/unix_schedule_task_job_cron.yml
@@ -0,0 +1,27 @@
+title: Scheduled Cron Task/Job
+id: 6b14bac8-3e3a-4324-8109-42f0546a347f
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Crontabs in OS X, has the minor difference that the per-user files are in /usr/lib/cron/tabs/
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://attack.mitre.org/techniques/T1053/003/
+logsource:
+ product: unix
+detection:
+ keywords:
+ - 'echo "*" > * && crontab *'
+ # Cover Linux /etc/cron.{hourly,daily,weekly,monthly}/
+ # and MacOS /usr/lib/cron/tabs/
+ - 'echo "*" > */cron*/*'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+ - Redirecting output of echo command to a path that contains the word "cron"
+level: low
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1059.003
From a09488a90f3bd18131c03c92290cb53ddbd3d40a Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:20:32 +0300
Subject: [PATCH 0134/1335] revert changes for making new pull request
---
 .../win_susp_sqldumper_activity.yml | 30 -------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
deleted file mode 100644
index 50d90f94b..000000000
--- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml
+++ /dev/null
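Review bot: The ATT&CK tag `- attack.t1059.003` (Windows Command Shell) does not match the rule's own references, which point at T1053.003 (Scheduled Task/Job: Cron); the line should read `- attack.t1053.003`. The `attack.privilege_escalation` tag is likewise not supported by the description, which only talks about scheduling execution; keep `attack.execution` and `attack.persistence` unless the escalation path is documented. The second keyword `'echo "*" > */cron*/*'` matches writes to any path containing "cron", which the false-positive entry already acknowledges, so `level: low` is appropriate.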
@@ -1,30 +0,0 @@
-title: Dumping process via sqldumper.exe
-id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
-description: Detects process dump via legitimate sqldumper.exe binary
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- - https://twitter.com/countuponsec/status/910977826853068800
- - https://twitter.com/countuponsec/status/910969424215232518
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
-author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1003.001
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\sqldumper.exe'
- CommandLine|contains:
- - '0x0110'
- - '0x01100:40'
- condition: selection
-falsepositives:
- - Legitimate MSSQL Server actions
-analysis:
- recommendation: Check if the user is compromised and watch for further suspicious activity
-level: medium
From 04f415c80bde3c2bae3a1ec4db35d204c276e343 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 8 Oct 2020 13:23:11 +0200
Subject: [PATCH 0135/1335] Added the sigma rules per OS
---
 rules/linux/lnx_local_account.yml | 22 ++++++++++++++++++++
 rules/linux/macos_local_account.yml | 23 +++++++++++++++++++++++
 rules/linux/unix_local_account.yml | 26 ++++++++++++++++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 rules/linux/lnx_local_account.yml
 create mode 100644 rules/linux/macos_local_account.yml
 create mode 100644 rules/linux/unix_local_account.yml
diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml
new file mode 100644
index 000000000..393cd39ec
--- /dev/null
+++ b/rules/linux/lnx_local_account.yml
@@ -0,0 +1,22 @@
+title: Local System Accounts Discovery
+id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://attack.mitre.org/techniques/T1087/001/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ product: linux
+detection:
+ selection:
+ CommandLine|contains:
+ - 'lastlog'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml
new file mode 100644
index 000000000..8589dd69a
--- /dev/null
+++ b/rules/linux/macos_local_account.yml
@@ -0,0 +1,23 @@
+title: Local System Accounts Discovery
+id: ddf36b67-e872-4507-ab2e-46bda21b842c
+status: experimental
+description: Detects enumeration of local systeam accounts on MacOS
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://attack.mitre.org/techniques/T1087/001/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ product: macos
+detection:
+ selection:
+ CommandLine|contains:
+ - 'dscl . list /Users'
+ - 'dscacheutil -q user'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
diff --git a/rules/linux/unix_local_account.yml b/rules/linux/unix_local_account.yml
new file mode 100644
index 000000000..ffef97a97
--- /dev/null
+++ b/rules/linux/unix_local_account.yml
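Review bot: The description `Detects enumeration of local systeam accounts` carries a typo ("systeam" for "system"); the same string appears in `rules/linux/macos_local_account.yml` in this hunk and in `rules/linux/unix_local_account.yml` in the next one, so all three should be corrected together. The three files also share the same `title: Local System Accounts Discovery`, which makes them indistinguishable in converter output and alert names; appending the platform (e.g. "on Linux", as the macOS file already does in its description) would help triage. `logsource` gives only `product: linux` while the selection keys on `CommandLine`; whether that maps to a process-creation source depends on the repository's converter configuration, so please confirm it matches how the sibling `product: unix` rules are consumed.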
@@ -0,0 +1,26 @@
+title: Local System Accounts Discovery
+id: 396fe688-65d9-4828-a078-ed17551f9a8a
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://attack.mitre.org/techniques/T1087/001/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ product: unix
+detection:
+ selection:
+ CommandLine|contains:
+ - 'cat /etc/passwd'
+ - 'cat /etc/sudoers'
+ - 'id '
+ - "'x:0:'"
+ - 'lsof -u'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
From 55ea53884199c8cb3b37175afa490ca910df8da3 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:29:21 +0300
Subject: [PATCH 0136/1335] Created rule win_susp_sqldumper_activity.yml
---
 .../win_susp_sqldumper_activity.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 000000000..29ddc6b38
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
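Review bot: The term `'id '` under `CommandLine|contains` is a two-letter substring plus a space, so it also fires on any command line containing words such as "valid ", "uuid " or "pid ", and that one entry will dominate the rule's volume; tie it to the binary (a separate selection on the image name, ANDed in the condition) or drop it. The `"'x:0:'"` entry is quoted twice — single quotes inside double quotes — so the literal matched includes the single-quote characters themselves; if the intent is to catch the `x:0:` field of a root entry, the value should be `'x:0:'`. The `'cat /etc/passwd'` and `'cat /etc/sudoers'` terms are reasonable as written, though a `description` that names the enumerated files would make the rule easier to tune.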
@@ -0,0 +1,29 @@
+title: Dumping process via sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+level: medium
+
From 7e28bf4df844c8c1e3da418671bd0dadc4e02225 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 14:38:47 +0300
Subject: [PATCH 0137/1335] Fixed title format
---
 rules/windows/process_creation/win_susp_sqldumper_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
index 29ddc6b38..49c33e0c4 100644
--- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -1,4 +1,4 @@
-title: Dumping process via sqldumper.exe
+title: Dumping Process via Sqldumper.exe
 id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
 description: Detects process dump via legitimate sqldumper.exe binary
 status: experimental
From 539400c3844ec147a84409bedffd332e5c02da09 Mon Sep 17 00:00:00 2001
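Review bot: `'0x01100:40'` already contains `'0x0110'` as a substring, so the second entry under `CommandLine|contains` can never match an event the first does not; either keep only `'0x0110'` or, if the two dump flags are meant to be told apart, say so in the description. The rule relies solely on `Image|endswith: '\sqldumper.exe'`, so a renamed copy of the binary is not caught; adding an `OriginalFileName`-based alternative selection would cover that case where the log source provides it. The file ends with an empty `+` line that can be dropped, and the `attack.t1003` tag duplicated by `attack.t1003.001` is already removed in PATCH 0153.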
From: Sander
Date: Thu, 8 Oct 2020 14:47:22 +0200
Subject: [PATCH 0138/1335] Creation of win_regini
---
 rules/windows/process_creation/win_regini.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/win_regini.yml
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
new file mode 100644
index 000000000..2f7d92227
--- /dev/null
+++ b/rules/windows/process_creation/win_regini.yml
@@ -0,0 +1,26 @@
+title: Modifies the Registry From a File
+id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
+status: experimental
+description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/08
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ condition: selection
+fieds:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
\ No newline at end of file
From 0e07ea3e709c366419a5dceea80495f09504c5bc Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 8 Oct 2020 15:04:09 +0200
Subject: [PATCH 0139/1335] Corrected author
---
 rules/windows/process_creation/win_regini.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index 2f7d92227..eebf01df8 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
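Review bot: The key `fieds:` is misspelled; the Sigma attribute is `fields:`, so `ParentImage` and `CommandLine` will not be surfaced as output fields by converters and a schema check will reject the unknown key — change the line to `fields:`. The file is also missing a trailing newline (`\ No newline at end of file`), which the repository's other rules have. The description would read better split into two sentences: `Detects the execution of regini.exe, which can be used to modify registry keys. The changes are imported from one or more text files.`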
@@ -9,7 +9,7 @@ references:
 tags:
 - attack.t1112
 - attack.defense_evasion
-author: Oddvar Moe, Sander Wiebing, oscd.community
+author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020/10/08
 logsource:
 category: process_creation
From e6ad52c102fcb93131c0b87cc37e2b8b7e445da0 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 8 Oct 2020 15:11:57 +0200
Subject: [PATCH 0140/1335] Corrected falsepositives
---
 rules/windows/process_creation/win_regini.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
index eebf01df8..da290bc85 100644
--- a/rules/windows/process_creation/win_regini.yml
+++ b/rules/windows/process_creation/win_regini.yml
@@ -22,5 +22,5 @@ fieds:
 - ParentImage
 - CommandLine
 falsepositives:
- - Legitimate import of keys
+ - Legitimate modification of keys
 level: medium
\ No newline at end of file
From 2db2ab30c4275ff6c63c121062c77023b6f775c6 Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Thu, 8 Oct 2020 17:08:43 +0300
Subject: [PATCH 0141/1335] Detects Obfuscated Powershell via use Rundll32 in Scripts
---
 ...ll_invoke_obfuscation_via_use_rundll32.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..f3da4a1da
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references: https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ - ScriptBlockText|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ selection_3:
+ EventID: 4103
+ selection_4:
+ - Payload|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+ - Unknown
+level: high
From ba96efc25e2b8e8b1c90696c2fdddb5728e7a47b Mon Sep 17 00:00:00 2001
From: esebese
Date: Thu, 8 Oct 2020 17:28:20 +0300
Subject: [PATCH 0142/1335] [OSCD]win_pe_exec_vsjitdebugger.yml added
---
 .../win_pe_exec_vsjitdebugger.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
diff --git a/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml b/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
new file mode 100644
index 000000000..a5721277f
--- /dev/null
+++ b/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
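Review bot: `date: 2019/10/08` is a year off — the commit and every companion rule in this series are dated 2020/10/08 — and the same wrong date is carried into the process_creation twin `rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml` added in PATCH 0146; both should read `date: 2020/10/08`. The `references:` value is a scalar where the schema expects a list, but PATCH 0145 in this series already converts it, so nothing further is needed there. In both regexes the leading `.*` after `(?i)` is redundant for an unanchored `re` match and can be dropped; whether the inline `(?i)` flag survives conversion depends on the target backend, so it is worth a comment noting that the case-insensitivity is intentional.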
@@ -0,0 +1,21 @@
+title: PE File Execution via Vsjitdebugger
+id: 4b51f73f-1583-4202-a8e0-2d4bbf4beeee
+status: experimental
+description: Detects the execution of Vsjitdebugger tool as parent process which is utilized like proxy for other PE files executions.
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vsjitdebugger.exe'
+ condition: selection
+falsepositives:
+ - Legitimate usage of software developer/tester
+level: medium
\ No newline at end of file
From 3ba4eeac7bf683d4cb50057cbe0cb9069de87f18 Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:36:20 +0300
Subject: [PATCH 0143/1335] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index f3da4a1da..182bffe35 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: https://github.com/Neo23x0/sigma/issues/1009
+references: -https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From b4377ed632b93a42a5ce08d5027ed283f87d3316 Mon Sep 17 00:00:00 2001
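Review bot: The description is hard to parse as written; suggest `description: Detects processes started by Vsjitdebugger, which can be used as a proxy for executing other PE files.` The selection keys only on `ParentImage`, so any child of the debugger — including the debuggee a developer legitimately attaches to — matches, which the false-positive entry covers but the description should state explicitly. The file is also missing a trailing newline (`\ No newline at end of file`).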
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:45:07 +0300
Subject: [PATCH 0144/1335] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index 182bffe35..8d2a2bc0d 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: -https://github.com/Neo23x0/sigma/issues/1009
+references: - https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From 80a3a6c0482a0ce6859f252965893ad3fb171f4e Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:52:01 +0300
Subject: [PATCH 0145/1335] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index 8d2a2bc0d..af6f94dbe 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,8 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: - https://github.com/Neo23x0/sigma/issues/1009
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From 47c22d044396f425e117d9dbc74b18705f3b1dbe Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Thu, 8 Oct 2020 18:06:41 +0300
Subject: [PATCH 0146/1335] Detects Obfuscated Powershell via use Rundll32 in Scripts
---
 ...in_invoke_obfuscation_via_use_rundll32.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..27b61279b
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 36c5146c-d127-4f85-8e21-01bf62355d5a
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 27410d3c8ed619715fef6ce54960f92d638d1936 Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Thu, 8 Oct 2020 18:19:59 +0300
Subject: [PATCH 0147/1335] Detects Obfuscated Powershell via use MSHTA in Scripts
---
 ...shell_invoke_obfuscation_via_use_mhsta.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 000000000..47f297f60
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ - ScriptBlockText|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+ selection_3:
+ EventID: 4103
+ selection_4:
+ - Payload|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+ condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+ - Unknown
+level: high
From 60997b0243a78880343fe218866b0593a83048c9 Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Thu, 8 Oct 2020 18:26:08 +0300
Subject: [PATCH 0148/1335] Detects Obfuscated Powershell via use MSHTA in Scripts
---
 .../win_invoke_obfuscation_via_use_mhsta.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 000000000..dc991411e
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: ac20ae82-8758-4f38-958e-b44a3140ca88
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 6cd9be66eda99a63d6976e132c325533aa66f662 Mon Sep 17 00:00:00 2001
From: Craig Young <7906955+cy1337@users.noreply.github.com>
Date: Thu, 8 Oct 2020 12:57:09 -0400
Subject: [PATCH 0149/1335] Adding `all` modifier
---
 rules/windows/process_creation/win_nltest_query.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml
index 16b1e81f9..60476cda7 100644
--- a/rules/windows/process_creation/win_nltest_query.yml
+++ b/rules/windows/process_creation/win_nltest_query.yml
@@ -14,13 +14,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_1:
- CommandLine|contains:
+ selection:
+ CommandLine|contains|all:
 - nltest
- selection_2:
- CommandLine|contains:
 - \query
- condition: selection_1 and selection_2
+ condition: selection
 falsepositives:
 - Legitimate administration
 level: medium
From 1695bc56dcf5740b56b8f6f6794c88ea8f97562f Mon Sep 17 00:00:00 2001
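Review bot: The collapsed `selection` still has no image constraint, so `CommandLine|contains|all` with `nltest` and `\query` also fires on any process whose command line merely mentions both strings (a script that echoes the command, a `findstr` over a log); adding `Image|endswith: '\nltest.exe'` to `selection` ties it to the binary and is a one-line change. `\query` is an unquoted plain scalar, which YAML accepts, but quoting both terms (`- 'nltest'`, `- '\query'`) matches the style of the other rules in this directory and avoids surprises if a backslash-led value is ever treated as an escape by a converter.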
From: Jonhnathan
Date: Thu, 8 Oct 2020 15:31:17 -0300
Subject: [PATCH 0150/1335] Remove commas
---
 .../win_susp_rundll32_activity.yml | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index e5434e1e2..d3afc3ee7 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -19,25 +19,25 @@ logsource:
 detection:
 selection:
 CommandLine|contains:
- - 'url.dll,*OpenURL'
- - 'url.dll,*OpenURLA'
- - 'url.dll,*FileProtocolHandler'
- - 'zipfldr.dll,*RouteTheCall'
- - 'shell32.dll,*Control_RunDLL'
- - 'shell32.dll,*ShellExec_RunDLL'
+ - 'url.dll*OpenURL'
+ - 'url.dll*OpenURLA'
+ - 'url.dll*FileProtocolHandler'
+ - 'zipfldr.dll*RouteTheCall'
+ - 'shell32.dll*Control_RunDLL'
+ - 'shell32.dll*ShellExec_RunDLL'
 - 'javascript:'
 - '.RegisterXLL'
- - 'mshtml.dll,*PrintHTML'
- - 'advpack.dll,*LaunchINFSection'
- - 'advpack.dll,*RegisterOCX'
- - 'ieadvpack.dll,*LaunchINFSection'
- - 'ieadvpack.dll,*RegisterOCX'
- - 'ieframe.dll,*OpenURL'
- - 'shdocvw.dll,*OpenURL'
- - 'syssetup.dll,*SetupInfObjectInstallAction'
- - 'setupapi.dll,*InstallHinfSection'
- - 'pcwutl.dll,*LaunchApplication'
- - 'dfshim.dll,*ShOpenVerbApplication'
+ - 'mshtml.dll*PrintHTML'
+ - 'advpack.dll*LaunchINFSection'
+ - 'advpack.dll*RegisterOCX'
+ - 'ieadvpack.dll*LaunchINFSection'
+ - 'ieadvpack.dll*RegisterOCX'
+ - 'ieframe.dll*OpenURL'
+ - 'shdocvw.dll*OpenURL'
+ - 'syssetup.dll*SetupInfObjectInstallAction'
+ - 'setupapi.dll*InstallHinfSection'
+ - 'pcwutl.dll*LaunchApplication'
+ - 'dfshim.dll*ShOpenVerbApplication'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
From 5e1075b656eff0c72ecbdc5914aa9ab5a07028d0 Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Thu, 8 Oct 2020 15:19:42 -0400
Subject: [PATCH 0151/1335] Update Powershell section
---
 rules/windows/process_creation/win_non_priv_reg_or_ps.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
index 49c647148..df59804b6 100644
--- a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
@@ -20,8 +20,7 @@ detection:
 - reg
 - add
 powershell:
- CommandLine|contains|all:
- - powershell
+ CommandLine|contains: powershell
 CommandLine|contains:
 - set-itemproperty
 - " sp "
From d00e1073ee71ace06ef1ea291cee41167f4b2423 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 22:49:52 +0300
Subject: [PATCH 0152/1335] Revert "Created rule win_susp_presentationhost_execution.yml"
This reverts commit a38c0218765a89f5d18eadd49639c72a5d25d944.
---
 .../win_susp_presentationhost_execution.yml | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_presentationhost_execution.yml
diff --git a/rules/windows/process_creation/win_susp_presentationhost_execution.yml b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
deleted file mode 100644
index f8cd768b0..000000000
--- a/rules/windows/process_creation/win_susp_presentationhost_execution.yml
+++ /dev/null
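Review bot: After this change the `powershell` selection contains two `CommandLine|contains` keys in the same mapping — the new `CommandLine|contains: powershell` immediately followed by the existing `CommandLine|contains:` list — which is a duplicate key in YAML; depending on the loader the second silently replaces the first or parsing fails, so the `powershell` constraint is lost either way. Keep the original `CommandLine|contains|all:` form with `- powershell` for that term, or move it into its own selection and AND the two in the condition. The `detection:` block this hunk edits starts before the hunk, so the condition line is not visible here.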
@@ -1,25 +0,0 @@ -title: Application Whitelisting Bypass via PresentationHost.exe -id: d149a338-ae47-408e-a8ff-9064220c0b34 -description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file -status: experimental -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml - - https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4 - - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ -author: Kirill Kiryanov, oscd.community -date: 2020/10/08 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.execution -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\presentationhost.exe' - CommandLine|contains: '.xbap' - condition: selection -level: medium -falsepositives: - - Unknown From 04d56bade4649d1494d06d69b646759a19d2a1be Mon Sep 17 00:00:00 2001 From: Kirill Kiryanov Date: Thu, 8 Oct 2020 23:26:51 +0300 Subject: [PATCH 0153/1335] Removed redundant tag --- rules/windows/process_creation/win_susp_sqldumper_activity.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml index 49c33e0c4..93087628f 100644 --- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml +++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml @@ -11,7 +11,6 @@ author: Kirill Kiryanov, oscd.community date: 2020/10/08 tags: - attack.credential_access - - attack.t1003 - attack.t1003.001 logsource: category: process_creation From 1088a2865b3eac6c59edbe3297be292e7da85061 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 11:40:57 +1100 Subject: [PATCH 0154/1335] Update win_susp_mounted_share_deletion.yml --- .../process_creation/win_susp_mounted_share_deletion.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml index 5e360079b..dd29e24e9 100644 --- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml @@ -14,9 +14,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\net.exe' - - '\net1.exe' + ParentImage|endswith: '\net.exe' + Image|endswith: '\net1.exe' CommandLine|contains: - '/delete' condition: selection From 08561700731e3f179c27dcb1b27738d724973d7f Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 11:42:06 +1100 Subject: [PATCH 0155/1335] Update win_susp_mounted_share_deletion.yml --- .../process_creation/win_susp_mounted_share_deletion.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml index dd29e24e9..aa89d6de3 100644 --- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml @@ -16,7 +16,8 @@ detection: selection: ParentImage|endswith: '\net.exe' Image|endswith: '\net1.exe' - CommandLine|contains: + CommandLine|contains|all: + - 'share' - '/delete' condition: selection falsepositives: From a68d50a5d9d4e2fa276e9895854b0df664ee6e2e Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 12:29:53 +1100 Subject: [PATCH 0156/1335] Create win_root_certificate_installed.yml --- .../win_root_certificate_installed.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 rules/windows/builtin/win_root_certificate_installed.yml 
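Review bot: Replacing the two-entry `Image|endswith` list with `ParentImage|endswith: '\net.exe'` plus `Image|endswith: '\net1.exe'` narrows the rule to the net.exe → net1.exe parent/child pair, so a direct `net1.exe … /delete` (or a net.exe invocation whose child is not net1.exe) no longer matches, while the old OR form caught both. If the intent is only to avoid a double hit for one command — net.exe normally hands off to net1.exe, so both events carry the same command line — keeping just `Image|endswith: '\net1.exe'` without the parent constraint achieves that with less loss; otherwise restore the list. A one-line comment on the selection stating which of the two the author wanted would settle it for the next reviewer.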
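Review bot: Switching to `CommandLine|contains|all` with `'share'` and `'/delete'` excludes `net use <drive> /delete`, which is what a title about "mounted share deletion" reads as; the old single `/delete` term covered it. If removing a mapped connection is in scope, give `use` its own selection and OR it into the condition, which is a context line of this hunk; if only `net share … /delete` is meant, say so in the description so the narrower match is deliberate rather than accidental.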
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml new file mode 100644 index 000000000..3666de741 --- /dev/null +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -0,0 +1,38 @@ +action: global +title: Root Certificate Installed +id: 42821614-9264-4761-acfc-5772c3286f76 +status: experimental +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md +author: 'oscd.community, @redcanary, Zach Stanford @svch0st' +date: 2020/10/10 +tags: + - attack.defense_evasion + - attack.t1553.004 +level: medium +falsepositives: + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP +detection: + condition: 1 of them +--- +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der + CommandLine|contains: '-addstore * root' + selection2: + Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all + CommandLine|contains: '/add * root' +--- +logsource: + product: windows + service: powershell +detection: + selection: + EventID: 4104 + ScriptBlockText|contains: + - 'Import-Certificate * Cert:\LocalMachine\Root' + - 'Move-Item * Cert:\LocalMachine\Root' From ff8547efc5b817e39c3c64cf78a1b6f5cfd0f08b Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 12:48:39 +1100 Subject: [PATCH 0157/1335] Update win_root_certificate_installed.yml --- .../win_root_certificate_installed.yml | 39 +++++++++++++------ 1 file changed, 27 insertions(+), 12 deletions(-) 
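Review bot: `CommandLine|contains: '-addstore * root'` has a literal space on each side of the wildcard, so with the wildcard matching nothing it still needs `-addstore` followed by two spaces before `root`; the plain `certutil -addstore Root file.cer` form has one space and does not match, and only the `-f -user ROOT` example in the comment does. `'-addstore*root'`, or `CommandLine|contains|all:` with `'-addstore'` and `'root'`, covers both; the same pattern survives unchanged in the 0157 and 0159 hunks that move this section. The PowerShell document also only lists `Cert:\LocalMachine\Root`, while the certutil example targets the per-user store (`-user ROOT`), so `Cert:\CurrentUser\Root` variants of both cmdlets would keep the two sections consistent.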
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index 3666de741..94a711265 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -16,17 +16,6 @@ falsepositives: detection: condition: 1 of them --- -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der - CommandLine|contains: '-addstore * root' - selection2: - Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all - CommandLine|contains: '/add * root' ---- logsource: product: windows service: powershell @@ -35,4 +24,30 @@ detection: EventID: 4104 ScriptBlockText|contains: - 'Import-Certificate * Cert:\LocalMachine\Root' - - 'Move-Item * Cert:\LocalMachine\Root' + - 'Move-Item * Cert:\LocalMachine\Root' +--- +logsource: + category: process_creation + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der + CommandLine|contains: '-addstore * root' + selection2: + EventID: 1 + Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all + CommandLine|contains: '/add * root' +--- +action: repeat +logsource: + product: windows + service: security +detection: + selection1: + EventID: 4688 + selection2: + EventID: 4688 +--- +action: reset From 8d7152d48973d46737db7aab22bb59dc78e09442 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 12:55:37 +1100 Subject: [PATCH 0158/1335] Update win_root_certificate_installed.yml --- rules/windows/builtin/win_root_certificate_installed.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index 94a711265..3d44236f2 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -42,6 +42,7 @@ detection: --- action: repeat logsource: + category: process_creation product: windows service: security detection: From 5d475ce16d67add8282f5556f29e69b45f702f33 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Fri, 9 Oct 2020 13:00:17 +1100 Subject: [PATCH 0159/1335] Update win_root_certificate_installed.yml --- .../builtin/win_root_certificate_installed.yml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index 3d44236f2..a9f3c25e1 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml @@ -24,31 +24,15 @@ detection: EventID: 4104 ScriptBlockText|contains: - 'Import-Certificate * Cert:\LocalMachine\Root' - - 'Move-Item * Cert:\LocalMachine\Root' + - 'Move-Item * Cert:\LocalMachine\Root' --- logsource: category: process_creation product: windows - service: sysmon detection: selection1: - EventID: 1 Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der CommandLine|contains: '-addstore * root' selection2: - EventID: 1 Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all CommandLine|contains: '/add * root' ---- -action: repeat -logsource: - category: process_creation - product: windows - service: security -detection: - selection1: - EventID: 4688 - selection2: - EventID: 4688 ---- -action: reset From 1738316741cc26c7bba4ddaa1b0af9fbecfbc7aa Mon Sep 17 00:00:00 2001 
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 9 Oct 2020 09:23:35 +0300 Subject: [PATCH 0160/1335] Update on help keys in cmd --- rules/windows/process_creation/win_susp_pester.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml index 5e943c3f4..7d10550f8 100644 --- a/rules/windows/process_creation/win_susp_pester.yml +++ b/rules/windows/process_creation/win_susp_pester.yml @@ -25,9 +25,8 @@ detection: - ';' get_help: CommandLine|contains: - - '/help' - - '/?' - - '-?' + - 'help' + - '?' condition: powershell_module or (cmd_execution and get_help) level: medium falsepositives: From 789a0c174f37778cffe21fd3a242c0e8e1b9afbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?= Date: Fri, 9 Oct 2020 09:25:38 +0300 Subject: [PATCH 0161/1335] Fixed OSCD wording --- rules/windows/process_creation/win_susp_explorer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml index cfda75064..0e31dbbf4 100644 --- a/rules/windows/process_creation/win_susp_explorer.yml +++ b/rules/windows/process_creation/win_susp_explorer.yml @@ -1,7 +1,7 @@ title: Proxy Execution Via Explorer.exe id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e description: Attackers can use explorer.exe for evading defense mechanisms -author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' status: experimental date: 2020/10/05 references: From abcc4a59c2c647a665d616c573333822f29c1263 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?= Date: Fri, 9 Oct 2020 09:26:01 +0300 Subject: [PATCH 0162/1335] Fixed OSCD wording --- rules/windows/process_creation/win_susp_findstr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
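Review bot: The new `get_help` terms `'help'` and `'?'` are bare substrings, so `'?'` matches any command line containing a question mark (URL query strings, quoted wildcards) and `'help'` matches any path or argument containing the word (`\helpers\`, `-helper`); the previous `/help`, `/?`, `-?` at least anchored on a switch prefix. If the goal was to also accept the dash forms, list them explicitly — `'/help'`, `'-help'`, `'/?'`, `'-?'` — rather than dropping the prefix. The `cmd_execution` selection that is ANDed with this one is outside the hunk, so I cannot tell how much it constrains the match.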
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml index 00b5e1813..1a5a58037 100644 --- a/rules/windows/process_creation/win_susp_findstr.yml +++ b/rules/windows/process_creation/win_susp_findstr.yml @@ -1,7 +1,7 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism -author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' status: experimental date: 2020/10/05 references: From d6aa0c31b9bac3a94a74f0a315c6494be8d36a17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Fri, 9 Oct 2020 09:34:05 +0300 Subject: [PATCH 0163/1335] Update sysmon_tttracer_mod_load.yml --- rules/windows/image_load/sysmon_tttracer_mod_load.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml index 69308aacf..64f945e89 100644 --- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml +++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ - https://twitter.com/mattifestation/status/1196390321783025666 - https://twitter.com/oulusoyum/status/1191329746069655553 -author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/06 tags: - attack.defense_evasion @@ -35,4 +35,4 @@ logsource: detection: selection2: ParentImage|endswith: - - '\tttracer.exe' \ No newline at end of file + - '\tttracer.exe' From 4f49171b55dff45eb4d8aa005c5e3a7bdaab89ff Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Fri, 9 Oct 2020 09:35:33 +0300 Subject: [PATCH 0164/1335] Update win_visual_basic_compiler.yml author and selection fields edited --- .../windows/process_creation/win_visual_basic_compiler.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml index 1dffa5c87..3682987bf 100644 --- a/rules/windows/process_creation/win_visual_basic_compiler.yml +++ b/rules/windows/process_creation/win_visual_basic_compiler.yml @@ -4,7 +4,7 @@ status: experimental description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. references: - https://lolbas-project.github.io/lolbas/Binaries/Vbc/ -author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/07 tags: - attack.defense_evasion @@ -14,8 +14,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '*\vbc.exe' - Image|endswith: '*\cvtres.exe' + ParentImage|endswith: '\vbc.exe' + Image|endswith: '\cvtres.exe' condition: selection falsepositives: - Utilization of this tool should not be seen in enterprise environment From 13ac0b0e72f052956b5894cfcbd10a5a91ba98d5 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Fri, 9 Oct 2020 17:05:51 +1030 Subject: [PATCH 0165/1335] Update win_remote_service.yml --- rules/windows/builtin/win_remote_service.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml index 85d2566cc..2647dde4b 100644 --- a/rules/windows/builtin/win_remote_service.yml +++ b/rules/windows/builtin/win_remote_service.yml @@ -12,9 +12,6 @@ tags: - attack.persistence - attack.execution - attack.t1543.003 -logsource: - product: windows - service: security, system detection: selection1: EventID: 4624 
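Review bot: The hunk removes the whole `logsource:` block (product and the `service: security, system` line) from win_remote_service.yml and adds nothing in its place; unless the file is a multi-document rule whose other documents carry their own `logsource`, the rule is now missing a required section and sigmac will reject it. If the trigger was the comma-separated `service: security, system` value, which is not a valid single service, the fix is to split the rule into per-service documents (`action: global` for the shared part) rather than to drop the block. The `detection` that follows continues past the hunk, so I cannot see whether another `logsource` exists further down.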
From c3851710d1513883bc61f40e15a91640478c17db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Fri, 9 Oct 2020 09:38:14 +0300 Subject: [PATCH 0166/1335] Update win_class_exec_xwizard.yml --- rules/windows/process_creation/win_class_exec_xwizard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml index 6ff7c50cf..bb53e9173 100644 --- a/rules/windows/process_creation/win_class_exec_xwizard.yml +++ b/rules/windows/process_creation/win_class_exec_xwizard.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. references: - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ -author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/07 tags: - attack.defense_evasion @@ -19,4 +19,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium From 40a8a9ea043c4f810b4785875a05e052dadfc6bf Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 9 Oct 2020 10:19:39 +0300 Subject: [PATCH 0167/1335] Added rule win_susp_diskshadow --- .../process_creation/win_susp_diskshadow.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_diskshadow.yml diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml new file mode 100644 index 000000000..f52ad859c --- /dev/null +++ b/rules/windows/process_creation/win_susp_diskshadow.yml 
@@ -0,0 +1,29 @@ +title: Diskshadow.exe execution +id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 +status: experimental +description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary code +references: + - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +tags: + - attack.Credential Access + - attack.Execution + - attack.T1003 + +author: Ivan Dyachkov, oscd.community +date: 2020/10/07 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' +detection: + selection: + Image: 'c:\windows\system32\diskshadow.exe' + CommandLine|contains: + - '/s' + - 'exec' + condition: selection +fields: + - CommandLine +falsepositives: + - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. +level: high \ No newline at end of file From c422ae4c1e929e8da79969c7198c4dd13d742ceb Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 9 Oct 2020 10:25:45 +0300 Subject: [PATCH 0168/1335] fixed tags --- rules/windows/process_creation/win_susp_diskshadow.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index f52ad859c..ed9229bb5 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml 
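Review bot: `Image: 'c:\windows\system32\diskshadow.exe'` is an exact full-path match, so a copy run from another directory or the SysWOW64 path is not covered; the rest of this series uses `Image|endswith: '\diskshadow.exe'`, which is the convention to follow here. The `CommandLine|contains` list is an OR, so `exec` alone (any command line with that substring) fires at `level: high`; if script mode is the concern, `|contains|all` with `/s` and `exec`, or documenting why either term suffices, would justify the level. Two typos in the text fields — `msut` in the `definition` line and `postitve` under `falsepositives` — should be fixed while the file is new.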
@@ -5,9 +5,9 @@ description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - - attack.Credential Access - - attack.Execution - - attack.T1003 + - attack.credential access + - attack.execution + - attack.t1003 author: Ivan Dyachkov, oscd.community date: 2020/10/07 From 347978fc8aa041ce6206ec608a0b3949d9f31b7b Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 9 Oct 2020 10:31:07 +0300 Subject: [PATCH 0169/1335] fix tags 2 --- rules/windows/process_creation/win_susp_diskshadow.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index ed9229bb5..ea752645d 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -5,10 +5,9 @@ description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - - attack.credential access + - attack.credential_access - attack.execution - attack.t1003 - author: Ivan Dyachkov, oscd.community date: 2020/10/07 logsource: From 44fa88c2a7dd211f6ac69509dd0cc1939d1579e1 Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Fri, 9 Oct 2020 10:33:21 +0300 Subject: [PATCH 0170/1335] Create win_susp_rpcping --- .../process_creation/win_susp_rpcping.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_rpcping.yml diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml new file mode 100644 index 000000000..63593d7eb --- /dev/null +++ b/rules/windows/process_creation/win_susp_rpcping.yml 
@@ -0,0 +1,31 @@ +title: Capture Credentials with Rpcping.exe +id: 93671f99-04eb-4ab4-a161-70d446a84003 +description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. +status: experimental +references: + - https://twitter.com/vysecurity/status/974806438316072960 + - https://twitter.com/vysecurity/status/873181705024266241 + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +author: Julia Fomina, oscd.community +date: 2020/10/09 +tags: + - attack.credential_access + - attack.t1003 + category: process_creation + product: windows +detection: + use_rpcping: + Image|endswith: '\rpcping.exe' + remote_server: + CommandLine|contains: + - '-s' + - '/s' + ntlm_auth: + CommandLine|contains: + - '-u NTLM' + - '/u NTLM' + - 't ncacn_np' + condition: use_rpcping and remote_server and ntlm_auth +level: medium +falsepositives: + - Unlikely \ No newline at end of file From dbb80b1482d7d1b2ca03a800f0a7e6e41e6adb32 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 9 Oct 2020 10:34:15 +0300 Subject: [PATCH 0171/1335] fix tag 3 --- rules/windows/process_creation/win_susp_diskshadow.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index ea752645d..33e37f09e 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -6,7 +6,6 @@ references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - attack.credential_access - - attack.execution - attack.t1003 author: Ivan Dyachkov, oscd.community date: 2020/10/07 From a88f7df704734954d8c229e0c77552d1ff4ea2d7 Mon Sep 17 00:00:00 2001 
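Review bot: The `ntlm_auth` selection mixes an authentication option (`-u NTLM`, `/u NTLM`) with the transport entry `'t ncacn_np'`, and that last entry lacks the `-`/`/` switch prefix the other two carry — presumably so that one string matches both spellings, but as written it also matches any argument ending in `t ncacn_np`. A short comment stating why the named-pipe transport belongs in an auth selection, e.g. `# ncacn_np forces SMB authentication, so it implies NTLM without -u`, would make the intent reviewable; if that is not the reasoning, move it to its own selection. The missing `logsource:` key above `category:` is already fixed in 0173, so no action there.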
From: Ivan Dyachkov Date: Fri, 9 Oct 2020 10:37:51 +0300 Subject: [PATCH 0172/1335] fix tag 4 --- rules/windows/process_creation/win_susp_diskshadow.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 33e37f09e..ba47a9853 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -1,4 +1,4 @@ -title: Diskshadow.exe execution +title: Diskshadow.exe Execution id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 status: experimental description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary code @@ -6,6 +6,7 @@ references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - attack.credential_access + - attack.execution - attack.t1003 author: Ivan Dyachkov, oscd.community date: 2020/10/07 From 8eb8b996e4ff2e40a790dc089330192848515f9d Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Fri, 9 Oct 2020 10:43:16 +0300 Subject: [PATCH 0173/1335] sintax fix --- rules/windows/process_creation/win_susp_rpcping.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml index 63593d7eb..6400ecba9 100644 --- a/rules/windows/process_creation/win_susp_rpcping.yml +++ b/rules/windows/process_creation/win_susp_rpcping.yml @@ -11,6 +11,7 @@ date: 2020/10/09 tags: - attack.credential_access - attack.t1003 +logsource: category: process_creation product: windows detection: From a6112dc2680c6e62ca0377c543299d0f0f39130d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?= Date: Fri, 9 Oct 2020 11:59:08 +0300 Subject: [PATCH 0174/1335] Fixed OSCD wording --- rules/windows/process_creation/win_susp_print.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml index e1dd41b54..bc3ddc59e 100644 --- a/rules/windows/process_creation/win_susp_print.yml +++ b/rules/windows/process_creation/win_susp_print.yml @@ -1,7 +1,7 @@ title: Abusing Print Executable id: bafac3d6-7de9-4dd9-8874-4a1194b493ed description: Attackers can use print.exe for remote file copy -author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community' +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' status: experimental date: 2020/10/05 references: From e2e40d9adbdc8429a1fc3b46c4093be152dacafc Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Fri, 9 Oct 2020 12:44:52 +0300 Subject: [PATCH 0175/1335] Create sysmon_rasautou_dll_execution --- .../sysmon/sysmon_rasautou_dll_execution.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_rasautou_dll_execution.yml diff --git a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml new file mode 100644 index 000000000..63451f264 --- /dev/null +++ b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml 
@@ -0,0 +1,31 @@ +title: DLL Execution via Rasautou.exe +id: cd3d1298-eb3b-476c-ac67-12847de55813 +description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. +status: experimental +references: + - https://github.com/fireeye/DueDLLigence + - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html +author: Julia Fomina, oscd.community +date: 2020/10/09 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + service: sysmon +detection: + start_process: + EventID: 1 + use_rasautou: + Image|endswith: '\rasautou.exe' + remaned_rasautou: + OriginalFileName: 'rasdlui.exe' + special_keys: + CommandLine|contains|all: + - '-d' + - '-p' + condition: start_process and (use_rasautou or remaned_rasautou) and special_keys +level: medium +falsepositives: + - Unlikely. Options '-d' and '-p' removed in Windows 10. + \ No newline at end of file From db21038852963b050c0b8402c92e0646470c63af Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Fri, 9 Oct 2020 13:02:14 +0300 Subject: [PATCH 0176/1335] fixed to process_created --- rules/windows/sysmon/sysmon_rasautou_dll_execution.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml index 63451f264..89fdc1073 100644 --- a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml +++ b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml @@ -13,9 +13,8 @@ tags: logsource: product: windows service: sysmon + category: process_creation detection: - start_process: - EventID: 1 use_rasautou: Image|endswith: '\rasautou.exe' remaned_rasautou: 
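Review bot: The selection is named `remaned_rasautou` (for "renamed") and the typo is repeated on the `condition` line, so both lines need the rename together: `renamed_rasautou:` and `condition: start_process and (use_rasautou or renamed_rasautou) and special_keys`. The `falsepositives` entry says the `-d`/`-p` options were removed in Windows 10, which is a scoping statement rather than a false positive — it belongs in the `description` so a consumer knows the rule only applies to earlier Windows versions. The `service: sysmon` plus `EventID: 1` form is replaced by `category: process_creation` in 0176/0177, so I am not raising that here.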
@@ -24,8 +23,7 @@ detection: CommandLine|contains|all: - '-d' - '-p' - condition: start_process and (use_rasautou or remaned_rasautou) and special_keys + condition: (use_rasautou or remaned_rasautou) and special_keys level: medium falsepositives: - Unlikely. Options '-d' and '-p' removed in Windows 10. - \ No newline at end of file From cd1bcb9cf43e6306a8e3499dccd721b8b5cfa06a Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 9 Oct 2020 13:25:45 +0300 Subject: [PATCH 0177/1335] :( --- rules/windows/sysmon/sysmon_rasautou_dll_execution.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml index 89fdc1073..1cf811960 100644 --- a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml +++ b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml @@ -12,7 +12,6 @@ tags: - attack.t1218 logsource: product: windows - service: sysmon category: process_creation detection: use_rasautou: From 06c7d29f868ac28c97d9110db29587248bf2429d Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 15:38:01 +0400 Subject: [PATCH 0178/1335] [OSCD] Two LOLBins: ftp.exe and Runscripthelper.exe Tasks 45 and 81 from https://github.com/Neo23x0/sigma/issues/1014 --- .../windows/process_creation/win_susp_ftp.yml | 32 +++++++++++++++++++ .../win_susp_runscripthelper.yml | 27 ++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_ftp.yml create mode 100644 rules/windows/process_creation/win_susp_runscripthelper.yml diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml new file mode 100644 index 000000000..2437e37d4 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ftp.yml 
@@ -0,0 +1,32 @@ +title: Suspicious use of ftp.exe +id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e +status: experimental +description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml +author: Victor Sergeev, oscd.community +date: 2020/10/09 +logsource: + category: process_creation + product: windows +detection: + ftp_path: + Image|endswith: 'ftp.exe' + ftp_metadata: + OriginalFileName|contains: 'ftp.exe' + cmd_with_script_modifier: + CommandLine|contains: '-s:' + parent_path: + ParentImage|endswith: 'ftp.exe' + condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path +fields: + - CommandLine + - ParentImage +tags: + - attack.execution + - attack.T1059 + - attack.defense_evasion + - attack.T1202 +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml new file mode 100644 index 000000000..d7e47215a --- /dev/null +++ b/rules/windows/process_creation/win_susp_runscripthelper.yml 
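Review bot: `Image|endswith: 'ftp.exe'` and `ParentImage|endswith: 'ftp.exe'` have no leading backslash, so they also match `tftp.exe` (a stock Windows binary) and any third-party `*ftp.exe`; `OriginalFileName|contains: 'ftp.exe'` has the same problem, and because `ftp_metadata and not ftp_path` is meant to flag a renamed binary, a tftp.exe event would satisfy the metadata clause for the wrong reason. Use `'\ftp.exe'` for the two path fields and an exact `OriginalFileName: 'ftp.exe'` for the metadata one; the Runscripthelper hunk that follows has the same unanchored `Image|endswith: 'Runscripthelper.exe'` and should be fixed for consistency. The duplicated `id` and the upper-case technique tags are already corrected in 0180 and 0181.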
@@ -0,0 +1,27 @@ +title: Suspicious use of Runscripthelper.exe +id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e +status: experimental +description: Detects execution of powershell scripts via Runscripthelper.exe +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml +author: Victor Sergeev, oscd.community +date: 2020/10/09 +logsource: + category: process_creation + product: windows +detection: + image_path: + Image|endswith: 'Runscripthelper.exe' + cmd: + CommandLine|contains: 'surfacecheck' + condition: image_path and cmd +fields: + - CommandLine +tags: + - attack.execution + - attack.T1059 + - attack.defense_evasion + - attack.T1202 +falsepositives: + - Unknown +level: medium \ No newline at end of file From f6ce48a1bec2b424adee62881ac365e011256f7f Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 15:39:59 +0400 Subject: [PATCH 0179/1335] newline addded --- rules/windows/process_creation/win_susp_ftp.yml | 2 +- rules/windows/process_creation/win_susp_runscripthelper.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml index 2437e37d4..032cc69df 100644 --- a/rules/windows/process_creation/win_susp_ftp.yml +++ b/rules/windows/process_creation/win_susp_ftp.yml @@ -29,4 +29,4 @@ tags: - attack.T1202 falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml index d7e47215a..68342e319 100644 --- a/rules/windows/process_creation/win_susp_runscripthelper.yml +++ b/rules/windows/process_creation/win_susp_runscripthelper.yml @@ -24,4 +24,4 @@ tags: - attack.T1202 falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium 
From 500fcfbcbee3dfff53ddf4f147bd517dcb1c8866 Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 15:42:05 +0400 Subject: [PATCH 0180/1335] Generated guid --- rules/windows/process_creation/win_susp_runscripthelper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml index 68342e319..385091150 100644 --- a/rules/windows/process_creation/win_susp_runscripthelper.yml +++ b/rules/windows/process_creation/win_susp_runscripthelper.yml @@ -1,5 +1,5 @@ title: Suspicious use of Runscripthelper.exe -id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e +id: eca49c87-8a75-4f13-9c73-a5a29e845f03 status: experimental description: Detects execution of powershell scripts via Runscripthelper.exe references: From 77d6984a65f417f236ed3fa9d1ef7171a155f0a5 Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:20:10 +0400 Subject: [PATCH 0181/1335] Fixed attack tags --- rules/windows/process_creation/win_susp_ftp.yml | 4 ++-- rules/windows/process_creation/win_susp_runscripthelper.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml index 032cc69df..02e2d2e6b 100644 --- a/rules/windows/process_creation/win_susp_ftp.yml +++ b/rules/windows/process_creation/win_susp_ftp.yml @@ -24,9 +24,9 @@ fields: - ParentImage tags: - attack.execution - - attack.T1059 + - attack.t1059 - attack.defense_evasion - - attack.T1202 + - attack.t1202 falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml index 385091150..ef15dbfd9 100644 --- a/rules/windows/process_creation/win_susp_runscripthelper.yml 
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml @@ -19,9 +19,9 @@ fields: - CommandLine tags: - attack.execution - - attack.T1059 + - attack.t1059 - attack.defense_evasion - - attack.T1202 + - attack.t1202 falsepositives: - Unknown level: medium From 9937c0081aa3b20bf896446b80ffaeddb4345a42 Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:34:29 +0400 Subject: [PATCH 0182/1335] Fix issue in title --- rules/windows/process_creation/win_susp_ftp.yml | 2 +- rules/windows/process_creation/win_susp_runscripthelper.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml index 02e2d2e6b..6def9678f 100644 --- a/rules/windows/process_creation/win_susp_ftp.yml +++ b/rules/windows/process_creation/win_susp_ftp.yml @@ -1,4 +1,4 @@ -title: Suspicious use of ftp.exe +title: Suspicious use of ftp id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e status: experimental description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml index ef15dbfd9..bc8ca718a 100644 --- a/rules/windows/process_creation/win_susp_runscripthelper.yml +++ b/rules/windows/process_creation/win_susp_runscripthelper.yml @@ -1,4 +1,4 @@ -title: Suspicious use of Runscripthelper.exe +title: Suspicious use of Runscripthelper id: eca49c87-8a75-4f13-9c73-a5a29e845f03 status: experimental description: Detects execution of powershell scripts via Runscripthelper.exe From 59c7e8b0e34656722ab6d26c5ffed5b79baeab84 Mon Sep 17 00:00:00 2001 
From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:46:18 +0400 Subject: [PATCH 0183/1335] Fixed title --- rules/windows/process_creation/win_susp_ftp.yml | 2 +- rules/windows/process_creation/win_susp_runscripthelper.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml index 6def9678f..7572cf22b 100644 --- a/rules/windows/process_creation/win_susp_ftp.yml +++ b/rules/windows/process_creation/win_susp_ftp.yml @@ -1,4 +1,4 @@ -title: Suspicious use of ftp +title: Suspicious ftp.exe id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e status: experimental description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml index bc8ca718a..b5ac43167 100644 --- a/rules/windows/process_creation/win_susp_runscripthelper.yml +++ b/rules/windows/process_creation/win_susp_runscripthelper.yml @@ -1,4 +1,4 @@ -title: Suspicious use of Runscripthelper +title: Suspicious Runscripthelper.exe id: eca49c87-8a75-4f13-9c73-a5a29e845f03 status: experimental description: Detects execution of powershell scripts via Runscripthelper.exe From 31095033ab7ceb0b45d417ddfc422524e8c2791e Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:25:59 +0300 Subject: [PATCH 0184/1335] Update powershell_invoke_obfuscation_via_use_rundll32.yml --- .../powershell_invoke_obfuscation_via_use_rundll32.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index af6f94dbe..bce2ea533 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml 
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -18,11 +18,11 @@ detection: selection_1: EventID: 4104 selection_2: - - ScriptBlockText|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"' + - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' selection_3: EventID: 4103 selection_4: - - Payload|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"' + - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) falsepositives: - Unknown From d07e0524d5aa0c3b849ffc34b8ca61d60e02960f Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:27:56 +0300 Subject: [PATCH 0185/1335] Update win_invoke_obfuscation_via_use_rundll32.yml --- .../win_invoke_obfuscation_via_use_rundll32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 27b61279b..67aceabbf 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"' + - CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection falsepositives: - Unknown From 02e826def342cfe185442fddaebe02526f45db71 Mon Sep 17 00:00:00 2001 
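Review bot: Both replaced patterns end in `.*"`, which makes a literal double quote somewhere after the `(value|invoke|comspec|iex)` group a hard requirement; a script block or payload that runs the same `&&`-chained rundll32/`shellexec_rundll` sequence without that trailing quote is missed, so unless the quote is a deliberate anchor on the Invoke-Obfuscation output the expression could end in `.*` instead. Dropping `downloadstring` and `powershell` from the pattern widens what the rule covers; a short sentence in `description` saying the rule now keys on the rundll32/ShellExec_RunDLL launcher rather than a download cradle would document that choice. The `CommandLine|re` hunk of PATCH 0185 on this same line has the identical pattern and trailing quote.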
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:29:20 +0300 Subject: [PATCH 0186/1335] Update powershell_invoke_obfuscation_via_use_mhsta.yml --- .../powershell_invoke_obfuscation_via_use_mhsta.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 47f297f60..eb5f0e924 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -18,11 +18,11 @@ detection: selection_1: EventID: 4104 selection_2: - - ScriptBlockText|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"' + - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' selection_3: EventID: 4103 selection_4: - - Payload|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"' + - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) falsepositives: - Unknown From 4205bb22277bfe95320a1a2d3ae21174bd4c968d Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Fri, 9 Oct 2020 16:30:18 +0300 Subject: [PATCH 0187/1335] Update win_invoke_obfuscation_via_use_mhsta.yml --- .../process_creation/win_invoke_obfuscation_via_use_mhsta.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index dc991411e..cec51806e 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml 
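Review bot: The new patterns wrap plain literals in capture groups (`(set)`, `(&&)`, `(mshta)`, `(vbscript:createobject)`, `(\.run)`); nothing in the rule uses the captures, so they only add work for the regex engine, and `(?i).*set.*&&.*mshta.*vbscript:createobject.*\.run.*\(window\.close\).*"` expresses the same match. As in the rundll32 rules, the trailing `"` demands a literal double quote after `window.close`, which is worth a conscious decision rather than an accident of the sample. The `CommandLine|re` hunk of PATCH 0187 at the start of the next line has the same shape.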
@@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"' + - CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection falsepositives: - Unknown From 93e65a90429f3241faa477c59e3aad160c25d3d5 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Fri, 9 Oct 2020 16:52:35 +0300 Subject: [PATCH 0188/1335] Detects Obfuscated Powershell via use Rundll32 in Scripts --- ..._obfuscation_via_use_rundll32_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml new file mode 100644 index 000000000..19c236c76 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation Via Use Rundll32 +id: 641a4bfb-c017-44f7-800c-2aee0184ce9b +description: Detects Obfuscated Powershell via use Rundll32 in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 
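Review bot: The shared `selection_1` tests `ImagePath`, but of the three log sources only the System 7045 event carries that field; Security 4697 reports the service binary in `ServiceFileName`, and Sysmon EventID 6 is a driver-load event whose path field is `ImageLoaded`, so the second and third documents can only match if a backend field mapping rewrites `ImagePath` for them. Either give each document its own selection on the correct field, or keep the global section but document the assumed mapping in `description`. The last document is also indented one level deeper than the others (` logsource:` / ` detection:`), which parses but is inconsistent with the preceding documents. The services rules for MSHTA (PATCH 0189) and Clip (PATCH 0193) repeat the same structure and field choice.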
From 527d00c0b98ee4554faca038b6a4b3ea22c12194 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Fri, 9 Oct 2020 16:57:09 +0300 Subject: [PATCH 0189/1335] Detects Obfuscated Powershell via use MSHTA in Scripts --- ...oke_obfuscation_via_use_mhsta_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml new file mode 100644 index 000000000..3df3229c0 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mhsta_services.yml @@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation Via Use MSHTA +id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 +description: Detects Obfuscated Powershell via use MSHTA in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 From 4763bf8d102b4686bb9079697be08cb96db33c12 Mon Sep 17 00:00:00 2001 
From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 9 Oct 2020 18:28:07 +0400 Subject: [PATCH 0190/1335] Three more lolbins added --- ...p_file_download_via_gfxdownloadwrapper.yml | 24 +++++++++++++++++ .../win_verclsid_runs_com.yml | 27 +++++++++++++++++++ .../process_creation/win_winword_dll_load.yml | 25 +++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml create mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml create mode 100644 rules/windows/process_creation/win_winword_dll_load.yml diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml new file mode 100644 index 000000000..89b4418df --- /dev/null +++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -0,0 +1,24 @@ +title: GfxDownloadWrapper.exe Downloads File from Suspicious URL +id: eee00933-a761-4cd0-be70-c42fe91731e7 +status: experimental +description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml +author: Victor Sergeev, oscd.community +date: 2020/10/09 +logsource: + category: process_creation + product: windows +detection: + image_path: + Image|endswith: 'GfxDownloadWrapper.exe' + cmd: + CommandLine|contains: 'gameplayapi.intel.com' + cmd_null: + CommandLine: '' + condition: image_path and not cmd and not cmd_null +fields: + - CommandLine +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml new file mode 100644 index 000000000..50a10d0d8 --- /dev/null +++ b/rules/windows/process_creation/win_verclsid_runs_com.yml 
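Review bot: The GfxDownloadWrapper rule has no `tags:` section, while the sibling winword rule in this commit carries `attack.defense_evasion` / `attack.t1202`; a file download through a signed vendor binary maps to `attack.command_and_control` and `attack.t1105`, so adding those keeps the commit consistent. `Image|endswith: 'GfxDownloadWrapper.exe'` lacks the leading `\` separator, and `fields` would be more useful with `Image` and `ParentImage` beside `CommandLine`. The purpose of the `cmd_null` exclusion (`CommandLine: ''`) is not obvious; a one-line comment such as `# empty command lines carry no URL to inspect` would help the next reader.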
@@ -0,0 +1,27 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
new file mode 100644
index 000000000..e9b9226bd
--- /dev/null
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -0,0 +1,25 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: experimental
+description: Detects Winword.exe loading of custmom dll via /l cmd switch
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
From 414c98e7bab4f884a5414969044d13e6d6014a41 Mon Sep 17 00:00:00 2001
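Review bot: `cmd_s` and `cmd_c` are two single-value selections joined with `and` in the condition, with a stray blank line between them; the idiom used elsewhere in this commit is one selection, `cmd: CommandLine|contains|all: ['/S', '/C']`, with `condition: image_path and cmd`. `Image|endswith: 'verclsid.exe'` is missing the leading `\` separator, so any image name ending in those letters matches. The rule also has no `tags:` section, unlike the winword rule in the same commit.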
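Review bot: In the winword rule, `CommandLine|contains: '/l'` is a two-character substring that also occurs inside URLs and forward-slash paths handed to Word, so even with the image filter it will match documents opened from such locations; matching the switch as a token, `CommandLine|contains: ' /l'`, narrows it at little cost. `description` has a typo (`custmom` → `custom`), and `Image|endswith: 'winword.exe'` lacks the leading `\`.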
From: "Nikita P. Nazarov" Date: Fri, 9 Oct 2020 19:37:07 +0300 Subject: [PATCH 0191/1335] Detects Obfuscated Powershell via use Clip.exe in Scripts --- ...rshell_invoke_obfuscation_via_use_clip.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml new file mode 100644 index 000000000..6e67ecd32 --- /dev/null +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml @@ -0,0 +1,29 @@ +title: Invoke-Obfuscation Via Use Clip +id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high From 79eb7b8bd7f2134de1526b46b6b46e50c33d52e3 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Fri, 9 Oct 2020 19:42:27 +0300 Subject: [PATCH 0192/1335] Detects Obfuscated Powershell via use Clip.exe in Scripts --- .../win_invoke_obfuscation_via_use_clip.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml 
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml new file mode 100644 index 000000000..c59540cf6 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Use Clip +id: e1561947-b4e3-4a74-9bdd-83baed21bdb5 +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection +falsepositives: + - Unknown +level: high From 021a2192eb229e9e6ac0801255f37016595beca3 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Fri, 9 Oct 2020 19:46:11 +0300 Subject: [PATCH 0193/1335] Detects Obfuscated Powershell via use Clip.exe in Scripts --- ...voke_obfuscation_via_use_clip_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml new file mode 100644 index 000000000..28e5e44fc --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml 
@@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation Via Use Clip +id: 63e3365d-4824-42d8-8b82-e56810fefa0c +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 From 75386e647829ac66a819e92bb818bb16737313e7 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Sat, 10 Oct 2020 13:19:02 +0300 Subject: [PATCH 0194/1335] Update sysmon_abusing_debug_privilege.yml Field motifiers added.Filter 3 fixed due to logical error --- .../sysmon_abusing_debug_privilege.yml | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index d2b895b73..0548c3c22 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml 
@@ -13,26 +13,26 @@ logsource: category: process_creation detection: selection: - ParentImage: - - '*\winlogon.exe' - - '*\services.ex' - - '*\lsass.exe' - - '*\csrss.exe' - - '*\smss.exe' - - '*\wininit.exe' - - '*\spoolsv.exe' - - '*\searchindexer.exe' + ParentImage|endswith: + - '\winlogon.exe' + - '\services.exe' + - '\lsass.exe' + - '\csrss.exe' + - '\smss.exe' + - '\wininit.exe' + - '\spoolsv.exe' + - '\searchindexer.exe' filter1: - Image: - - '*\powershell.exe' - - '*\cmd.exe' + Image|endswith: + - '\powershell.exe' + - '\cmd.exe' filter2: User: 'NT AUTHORITY\\SYSTEM' filter3: - CommandLine: - - ' *route* ' - - ' *ADD* ' - condition: selection and filter1 and filter2 and filter3 + CommandLine|contains: + - 'route' + - 'ADD' + condition: selection and filter1 and filter2 and not filter3 fields: - ParentImage - Image From 748dccc289b8cc61e6d059862abf84fc3e06ac97 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Sat, 10 Oct 2020 13:11:17 +0200 Subject: [PATCH 0195/1335] additional changes to split processname and commandline --- rules/linux/lnx_local_account.yml | 25 ++++++++++++++++++---- rules/linux/macos_local_account.yml | 33 ++++++++++++++++++++++++----- rules/linux/unix_local_account.yml | 26 ----------------------- 3 files changed, 49 insertions(+), 35 deletions(-) delete mode 100644 rules/linux/unix_local_account.yml diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml index 393cd39ec..82e8b9eac 100644 --- a/rules/linux/lnx_local_account.yml +++ b/rules/linux/lnx_local_account.yml 
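Review bot: `filter1` and `filter2` are positive selections (the child image and the SYSTEM user), not exclusions, yet they are named like filters and now sit beside `filter3`, which is the only one negated; `condition: selection and filter1 and filter2 and not filter3` reads as if three filters were applied. Renaming them `selection_image` and `selection_user` and keeping the `filter` prefix only for the excluded route/ADD command lines would make the logic obvious at a glance. The `fields:` list continues past the end of this hunk.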
@@ -5,15 +5,32 @@ description: Detects enumeration of local systeam accounts author: Alejandro Ortuno, oscd.community date: 2020/10/08 references: - - https://attack.mitre.org/techniques/T1087/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md logsource: + category: process_creation product: linux detection: - selection: + selection_1: + ProcessName|contains: + - '*/lastlog' + selection_2: CommandLine|contains: - - 'lastlog' - condition: selection + - "'x:0:'" + selection_3: + ProcessName|contains: + - '*/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_4: + ProcessName|contains: + - '*/id' + selection_5: + ProcessName|contains: + - '*/lsof' + CommandLine|contains: + - '-u' + condition: 1 of them falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml index 8589dd69a..3f4e84b0d 100644 --- a/rules/linux/macos_local_account.yml +++ b/rules/linux/macos_local_account.yml 
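Review bot: `ProcessName|contains: '*/id'` matches any process path containing `/id` (a binary under an `/ideas/` directory or an `/identify` tool, for example), and because the condition is `1 of them` that selection fires on its own; `*/cat`, `*/lsof` and `*/lastlog` have the same problem. `contains` already implies wildcards on both sides, so the leading `*` adds nothing; `ProcessName|endswith: '/id'` (and likewise for the other binaries) states the intent and stops the substring matches. `selection_2` (`CommandLine|contains: "'x:0:'"`) also stands alone under `1 of them`, which is probably fine but worth confirming. The macOS rule in the next hunk (`macos_local_account.yml`) uses the same construction.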
@@ -5,16 +5,39 @@ description: Detects enumeration of local systeam accounts on MacOS author: Alejandro Ortuno, oscd.community date: 2020/10/08 references: - - https://attack.mitre.org/techniques/T1087/001/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md logsource: + category: process_creation product: macos detection: - selection: + selection_1: + ProcessName|contains: + - '*/dscl' CommandLine|contains: - - 'dscl . list /Users' - - 'dscacheutil -q user' - condition: selection + - '. list /users' + selection_2: + ProcessName|contains: + - '*/dscacheutil' + CommandLine|contains: + - '-q user' + selection_3: + CommandLine|contains: + - "'x:0:'" + selection_4: + ProcessName|contains: + - '*/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_5: + ProcessName|contains: + - '*/id' + selection_6: + ProcessName|contains: + - '*/lsof' + CommandLine|contains: + - '-u' + condition: 1 of them falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/unix_local_account.yml b/rules/linux/unix_local_account.yml deleted file mode 100644 index ffef97a97..000000000 --- a/rules/linux/unix_local_account.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: Local System Accounts Discovery -id: 396fe688-65d9-4828-a078-ed17551f9a8a -status: experimental -description: Detects enumeration of local systeam accounts -author: Alejandro Ortuno, oscd.community -date: 2020/10/08 -references: - - https://attack.mitre.org/techniques/T1087/001/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md -logsource: - product: unix -detection: - selection: - CommandLine|contains: - - 'cat /etc/passwd' - - 'cat /etc/sudoers' - - 'id ' - - "'x:0:'" - - 'lsof -u' - condition: selection -falsepositives: - - Legitimate administration activities -level: low -tags: - - attack.discovery - - attack.t1087.001 From 09e6b0503365e73c40459fb9c3c8ea43d13f4f56 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Sat, 10 Oct 2020 10:08:02 -0300 Subject: [PATCH 0196/1335] Update win_susp_rundll32_activity.yml --- .../win_susp_rundll32_activity.yml | 70 ++++++++++++++----- 1 file changed, 52 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml index d3afc3ee7..f04faf4d7 100644 --- a/rules/windows/process_creation/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml 
@@ -18,26 +18,60 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - 'url.dll*OpenURL' - - 'url.dll*OpenURLA' - - 'url.dll*FileProtocolHandler' - - 'zipfldr.dll*RouteTheCall' - - 'shell32.dll*Control_RunDLL' - - 'shell32.dll*ShellExec_RunDLL' + - CommandLine|contains: - 'javascript:' - '.RegisterXLL' - - 'mshtml.dll*PrintHTML' - - 'advpack.dll*LaunchINFSection' - - 'advpack.dll*RegisterOCX' - - 'ieadvpack.dll*LaunchINFSection' - - 'ieadvpack.dll*RegisterOCX' - - 'ieframe.dll*OpenURL' - - 'shdocvw.dll*OpenURL' - - 'syssetup.dll*SetupInfObjectInstallAction' - - 'setupapi.dll*InstallHinfSection' - - 'pcwutl.dll*LaunchApplication' - - 'dfshim.dll*ShOpenVerbApplication' + - CommandLine|contains|all: + - 'url.dll' + - 'OpenURL' + - CommandLine|contains|all: + - 'url.dll' + - 'OpenURLA' + - CommandLine|contains|all: + - 'url.dll' + - 'FileProtocolHandler' + - CommandLine|contains|all: + - 'zipfldr.dll' + - 'RouteTheCall' + - CommandLine|contains|all: + - 'shell32.dll' + - 'Control_RunDLL' + - CommandLine|contains|all: + - 'shell32.dll' + - 'ShellExec_RunDLL' + - CommandLine|contains|all: + - 'mshtml.dll' + - 'PrintHTML' + - CommandLine|contains|all: + - 'advpack.dll' + - 'LaunchINFSection' + - CommandLine|contains|all: + - 'advpack.dll' + - 'RegisterOCX' + - CommandLine|contains|all: + - 'ieadvpack.dll' + - 'LaunchINFSection' + - CommandLine|contains|all: + - 'ieadvpack.dll' + - 'RegisterOCX' + - CommandLine|contains|all: + - 'ieframe.dll' + - 'OpenURL' + - CommandLine|contains|all: + - 'shdocvw.dll' + - 'OpenURL' + - CommandLine|contains|all: + - 'syssetup.dll' + - SetupInfObjectInstallAction' + - CommandLine|contains|all: + - 'setupapi.dll' + - 'InstallHinfSection' + - CommandLine|contains|all: + - 'pcwutl.dll' + - 'LaunchApplication' + - CommandLine|contains|all: + - 'dfshim.dll' + - 'ShOpenVerbApplication' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment 
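Review bot: `- SetupInfObjectInstallAction'` is missing its opening quote, so YAML reads the value as the unquoted scalar `SetupInfObjectInstallAction'` including the trailing apostrophe, and that `contains|all` branch can never match a real command line; it should read `- 'SetupInfObjectInstallAction'`. The rest of the rewrite from glob strings into `contains|all` pairs is an improvement, since the old `dll*Export` globs depended on backend wildcard support.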
From 8693bd024f7092eed2326a3017c62c9a104d584f Mon Sep 17 00:00:00 2001 From: aw350m3 Date: Sat, 10 Oct 2020 17:07:22 +0000 Subject: [PATCH 0197/1335] Added a rule to detect the use of SettingSyncHost.exe to run hijacked binary --- .../win_using_settingsynchost_as_lolbin.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml new file mode 100644 index 000000000..5e46d9100 --- /dev/null +++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml @@ -0,0 +1,33 @@ +title: Using SettingSyncHost.exe as LOLBIN +description: Detects using SettingSyncHost.exe to run hijacked binary +id: b2ddd389-f676-4ac4-845a-e00781a48e5f +status: experimental +references: + - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +tags: + - attack.defense_evasion + - attack.execution + - attack.t1574 +author: Anton Kutepov, oscd.community +date: 2020/02/05 +modified: 2020/10/10 +level: high +logsource: + category: process_creation + product: windows +detection: + system_utility: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + parent_is_settingsynchost: + ParentCommandLine|contains|all: + - 'cmd.exe /c' + - 'RoamDiag.cmd' + - '-outputpath' + condition: not system_utility and parent_is_settingsynchost +fields: + - TargetFilename + - Image +falsepositives: + - unknown \ No newline at end of file From b4ae5cb747540c896850aad65fb151eb818c819b Mon Sep 17 00:00:00 2001 From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Sat, 10 Oct 2020 20:27:00 +0300 Subject: [PATCH 0198/1335] Fix ATTACK technique. Also made a couple of minor cosmetic changes. --- .../win_using_settingsynchost_as_lolbin.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
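Review bot: `fields` lists `TargetFilename`, which is a file-event field; a `process_creation` event does not carry it, so that entry is inert, and `CommandLine` plus `ParentCommandLine` (the field the rule actually matches on) would be the useful picks. `condition: not system_utility and parent_is_settingsynchost` is correct but reads more naturally with the positive term first, `parent_is_settingsynchost and not system_utility`. `falsepositives: - unknown` is lowercase where the rest of the repository uses `Unknown`.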
diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml index 5e46d9100..aa3b63073 100644 --- a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml +++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml @@ -1,13 +1,13 @@ -title: Using SettingSyncHost.exe as LOLBIN +title: Using SettingSyncHost.exe as LOLBin description: Detects using SettingSyncHost.exe to run hijacked binary id: b2ddd389-f676-4ac4-845a-e00781a48e5f status: experimental references: - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin tags: - - attack.defense_evasion - attack.execution - - attack.t1574 + - attack.defense_evasion + - attack.t1574.008 author: Anton Kutepov, oscd.community date: 2020/02/05 modified: 2020/10/10 @@ -30,4 +30,4 @@ fields: - TargetFilename - Image falsepositives: - - unknown \ No newline at end of file + - unknown From 5aaba1f23a76db24f2ccb7b75b972eeac37b523a Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Sat, 10 Oct 2020 21:29:27 +0300 Subject: [PATCH 0199/1335] sqlps.exe detection added --- .../win_susp_use_of_sqlps_bin.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml new file mode 100644 index 000000000..9747276aa --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
@@ -0,0 +1,26 @@
+title: Detection of PowerShell Execution via SQL
+id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
+status: experimental
+description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary.
+references:
+ - https://twitter.com/pabraeken/status/993298228840992768
+ - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+tags:
+ - attack.execution
+ - attack.t1059.011
+author: Agro (@agro_sev)
+date: 2020/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqlps.exe'
+ selection2:
+ ParentImage|endswith: '\sqlps.exe'
+ selection3:
+ OriginalFileName: '\sqlps.exe'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+ - Direct PS command execution through SQLPS.exe is uncommon.
+level: medium
From 6dcd4a6c6d068ad3ba42fea2b2a0474c4323c351 Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sat, 10 Oct 2020 23:05:31 +0200 Subject: [PATCH 0200/1335] [OSCD] Create powershell_icmp_exfiltration.yml #1013 --- .../powershell_icmp_exfiltration.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/powershell/powershell_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml new file mode 100644
index 000000000..c4dd8e9a4
--- /dev/null
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
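Review bot: `selection3` compares `OriginalFileName` with `'\sqlps.exe'`, but the Sysmon OriginalFileName field carries the bare name from the PE version resource with no path separator, so this exact match can never succeed and the selection is dead; it should read `OriginalFileName: 'sqlps.exe'`. The `falsepositives` entry ("Direct PS command execution through SQLPS.exe is uncommon.") is a justification of the level rather than a benign scenario; what analysts look for there is something like `- Legitimate administrative use of SQLPS.exe by database administrators`.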
@@ -0,0 +1,27 @@
+title: PowerShell ICMP Exfiltration
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+status: experimental
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+ - https://attack.mitre.org/techniques/T1048/003/
+ -
+author: 'Bartlomiej Czyz @bczyz1, oscd.community'
+date: 2020/10/10
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
+ condition: selection
+falsepositives:
+ - Legitimate usage of System.Net.NetworkInformation.Ping class
+level: medium
\ No newline at end of file
From a5dea8c596c984464fa66073cbc67d81b5a370c5 Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sat, 10 Oct 2020 23:08:39 +0200 Subject: [PATCH 0201/1335] [OSCD] Fix powershell_icmp_exfiltration.yml references, add newline at the end of the file #1013 --- rules/windows/powershell/powershell_icmp_exfiltration.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml
index c4dd8e9a4..562d22df4 100644
--- a/rules/windows/powershell/powershell_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
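Review bot: The rule keys on event 4104, which only exists when PowerShell Script Block Logging is turned on, and nothing in the hunk tells the reader that; the win_remote_schtask rule in this series states its audit prerequisite under `logsource`, and this one should do the same, e.g. `definition: 'Script Block Logging must be enabled (Turn on PowerShell Script Block Logging)'`. The three `contains|all` fragments also match ordinary connectivity checks, so the `falsepositives` line would be more useful if it named the usual benign source, such as monitoring or logon scripts that ping hosts, so the rule can be tuned against it.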
@@ -5,7 +5,6 @@ description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp - https://attack.mitre.org/techniques/T1048/003/ - - author: 'Bartlomiej Czyz @bczyz1, oscd.community' date: 2020/10/10 tags: @@ -24,4 +23,4 @@ detection: condition: selection falsepositives: - Legitimate usage of System.Net.NetworkInformation.Ping class -level: medium \ No newline at end of file +level: medium From 10f5c38b20df700cbe73f5703534cf0031914b60 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Sun, 11 Oct 2020 12:40:24 +1030 Subject: [PATCH 0202/1335] Added conditional description + moved to unsupported-rules --- rules-unsupported/win_remote_service.yml | 50 ++++++++++++++++++++ rules/windows/builtin/win_remote_service.yml | 41 ---------------- 2 files changed, 50 insertions(+), 41 deletions(-) create mode 100644 rules-unsupported/win_remote_service.yml delete mode 100644 rules/windows/builtin/win_remote_service.yml diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml new file mode 100644 index 000000000..75654260c --- /dev/null +++ b/rules-unsupported/win_remote_service.yml 
@@ -0,0 +1,50 @@ +action: global +title: Remote Service Creation +id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 +status: experimental +description: Detects remote execution via service creation on the destination host +author: Jai Minton, oscd.community +date: 2020/10/05 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.persistence + - attack.execution + - attack.t1543.003 +detection: + selection1: + EventID: 4624 + Logon_Type: 3 + filter1: + Source_Network_Address: + - '::1' + - '127.0.0.1' + timeframe: 30s + condition: (selection1 and not filter1) or selection2 + # where: + # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1 + # Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host. + # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe. + # This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction. + # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time. + # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another. 
+ # Rule logic is currently not supported by SIGMA. + +falsepositives: + - Unknown +level: medium +--- + logsource: + product: windows + service: security + detection: + selection2: + EventID: 4697 +--- +logsource: + product: windows + service: system +detection: + selection2: + EventID: 7045 \ No newline at end of file diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml deleted file mode 100644 index 2647dde4b..000000000 --- a/rules/windows/builtin/win_remote_service.yml +++ /dev/null @@ -1,41 +0,0 @@ -action: global -title: Remote Service Creation -id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 -status: experimental -description: Detects remote execution via service creation on the destination host -author: Jai Minton, oscd.community -date: 2020/10/05 -references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -tags: - - attack.lateral_movement - - attack.persistence - - attack.execution - - attack.t1543.003 -detection: - selection1: - EventID: 4624 - Logon_Type: 3 - filter1: - Source_Network_Address: - - '::1' - - '127.0.0.1' - timeframe: 30d - condition: (selection1 and not filter1) or selection2 -falsepositives: - - Unknown -level: medium ---- - logsource: - product: windows - service: security - detection: - selection2: - EventID: 4697 ---- -logsource: - product: windows - service: system -detection: - selection2: - EventID: 7045 \ No newline at end of file From 21284c2c92e3dd5d636075ea4b62d58b91da8647 Mon Sep 17 00:00:00 2001 From: JPMinty Date: Sun, 11 Oct 2020 12:48:48 +1030 Subject: [PATCH 0203/1335] Added selection criteria + moved to Unsupported rule --- rules-unsupported/win_remote_schtask.yml | 44 ++++++++++++++++++++ rules/windows/builtin/win_remote_schtask.yml | 36 ---------------- 2 files changed, 44 insertions(+), 36 deletions(-) create mode 100644 rules-unsupported/win_remote_schtask.yml delete mode 100644 rules/windows/builtin/win_remote_schtask.yml 
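Review bot: The condition `(selection1 and not filter1) or selection2` still fires on every 4697 or 7045 event by itself, and `timeframe: 30s` has no effect because no aggregation expression refers to it, so anyone who converts this file despite its location will get an alert per service installation; since the comment block already says the correlation cannot be expressed, I would state that plainly at the top of the file rather than only in a trailing `#` line, e.g. `description: ... NOTE: the LogonID correlation below is not expressible in Sigma; do not convert as-is.`. The field names `Logon_Type` and `Source_Network_Address` also look like raw event-text names; the Windows security-log rules elsewhere in this repository use `LogonType` and `IpAddress`, so the mapping should be checked before the rule ever leaves rules-unsupported. The same two points apply to the win_remote_schtask.yml hunk in the next commit. In the first sub-document, `logsource:` and `detection:` appear indented one level deeper than in the second one; I cannot verify the exact whitespace from the collapsed text, but if they are, the two documents are inconsistent with each other.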
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml new file mode 100644 index 000000000..5730b930e --- /dev/null +++ b/rules-unsupported/win_remote_schtask.yml 
@@ -0,0 +1,44 @@ +title: Remote Schtasks Creation +id: cf349c4b-99af-40fa-a051-823aa2307a84 +status: experimental +description: Detects remote execution via scheduled task creation or update on the destination host +author: Jai Minton, oscd.community +date: 2020/10/05 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.persistence + - attack.execution + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).' +detection: + selection1: + EventID: 4624 + Logon_Type: 3 + selection2: + EventID: + - 4698 + - 4702 + filter1: + Source_Network_Address: + - '::1' + - '127.0.0.1' + filter2: + Source_Network_Address: '-' + timeframe: 30d + condition: (selection1 and not filter1) or selection2 and not filter2 + # where: + # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1 + # Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host. + # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe. + # This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction. + # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. 
This is beneficial as fields such as LogonIDs are reused over time. + # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another. + # Rule logic is currently not supported by SIGMA. +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml deleted file mode 100644 index aa7b54cc1..000000000 --- a/rules/windows/builtin/win_remote_schtask.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: Remote Schtasks Creation -id: cf349c4b-99af-40fa-a051-823aa2307a84 -status: experimental -description: Detects remote execution via scheduled task creation or update on the destination host -author: Jai Minton, oscd.community -date: 2020/10/05 -references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -tags: - - attack.lateral_movement - - attack.persistence - - attack.execution - - attack.t1053.005 -logsource: - product: windows - service: security - definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).' -detection: - selection1: - EventID: 4624 - Logon_Type: 3 - selection2: - EventID: - - 4698 - - 4702 - filter1: - Source_Network_Address: - - '::1' - - '127.0.0.1' - filter2: - Source_Network_Address: '-' - timeframe: 30d - condition: (selection1 and not filter1) or selection2 and not filter2 -falsepositives: - - Unknown -level: medium From 418a9d5a024c2bd48843250301a451f4841fbc6a Mon Sep 17 00:00:00 2001 
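Review bot: `timeframe: 30d` contradicts the comment a few lines below it, which describes grouping over 30 seconds, and the sibling win_remote_service.yml in the previous commit was changed to `30s`; one of the two is wrong, and a 30-day window would defeat the intended LogonID correlation because, as the comment itself notes, LogonIDs are reused over time. The condition `(selection1 and not filter1) or selection2 and not filter2` evaluates as intended only because `and` binds tighter than `or`; writing `(selection1 and not filter1) or (selection2 and not filter2)` makes that explicit for the next reader.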
From: Alejandro Ortuno Date: Sun, 11 Oct 2020 09:37:08 +0200 Subject: [PATCH 0204/1335] Use endswith with processname --- rules/linux/lnx_local_account.yml | 8 ++++---- rules/linux/macos_local_account.yml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml index 82e8b9eac..3026984cd 100644 --- a/rules/linux/lnx_local_account.yml +++ b/rules/linux/lnx_local_account.yml @@ -11,22 +11,22 @@ logsource: product: linux detection: selection_1: - ProcessName|contains: + ProcessName|endswith: - '*/lastlog' selection_2: CommandLine|contains: - "'x:0:'" selection_3: - ProcessName|contains: + ProcessName|endswith: - '*/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: - ProcessName|contains: + ProcessName|endswith: - '*/id' selection_5: - ProcessName|contains: + ProcessName|endswith: - '*/lsof' CommandLine|contains: - '-u' diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml index 3f4e84b0d..db2b6b588 100644 --- a/rules/linux/macos_local_account.yml +++ b/rules/linux/macos_local_account.yml @@ -11,12 +11,12 @@ logsource: product: macos detection: selection_1: - ProcessName|contains: + ProcessName|endswith: - '*/dscl' CommandLine|contains: - '. list /users' selection_2: - ProcessName|contains: + ProcessName|endswith: - '*/dscacheutil' CommandLine|contains: - '-q user' @@ -24,16 +24,16 @@ detection: CommandLine|contains: - "'x:0:'" selection_4: - ProcessName|contains: + ProcessName|endswith: - '*/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: - ProcessName|contains: + ProcessName|endswith: - '*/id' selection_6: - ProcessName|contains: + ProcessName|endswith: - '*/lsof' CommandLine|contains: - '-u' From 2370730952c51177390b2315bc7cdc408c74e028 Mon Sep 17 00:00:00 2001 
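Review bot: After switching the modifier to `|endswith`, every value keeps its leading `*` (e.g. `- '*/lastlog'`), but `endswith` already implies a leading wildcard, so the explicit `*` is redundant and some backends escape or reject wildcards under a modifier; `- '/lastlog'` is the clean form. The same applies to every changed value in the macos_local_account.yml hunk of this commit.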
From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 14:31:06 +0200 Subject: [PATCH 0205/1335] create sysmon_modify_screensaver_binary_path.yml --- .../sysmon_modify_screensaver_binary_path.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml new file mode 100644
index 000000000..f335f7597
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
@@ -0,0 +1,29 @@
+title: Path To Screensaver Binary Modified
+id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
+status: experimental
+description: >
+ Detects value modification of registry key containing path to binary used as screensaver.
+ Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+ Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
+references:
+ - https://attack.mitre.org/techniques/T1546/002/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
+ - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.002
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/11
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
+ filter:
+ ParentImage: 'C:\Windows\System32\services.exe'
+ condition: selection and not filter
+level: medium
+falsepositives:
+ - 'Legitimate modification of screensaver.'
From 8f2ddc632e6f35a41b2a54c44311be922c6e3fd1 Mon Sep 17 00:00:00 2001
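Review bot: The description says "value modification", but `selection` matches any `registry_event` whose `TargetObject` ends with `\Control Panel\Desktop\SCRNSAVE.EXE`, so value deletions and key events on the same path fire too; if the registry mapping in use exposes it, adding `EventType: SetValue` to the selection makes the rule say what the description says. The `falsepositives` entry is the only place that mentions legitimate changes; naming the normal path (the Screen Saver Settings control panel) would make tuning easier.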
From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:02:02 +0300 Subject: [PATCH 0206/1335] Create powershell_cmdline_reversed_strings --- .../powershell_cmdline_reversed_strings | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 rules/windows/powershell/powershell_cmdline_reversed_strings diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings b/rules/windows/powershell/powershell_cmdline_reversed_strings new file mode 100644 index 000000000..a4d75952d --- /dev/null +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings @@ -0,0 +1,48 @@ +title: PowerShell command line with reversed strings +id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a3 +description: Detects the PowerShell command line obfuscation (command lines with reversed strings) +status: experimental +references: + - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 +tags: + - attack.defense_evasion + - attack.t1027 +author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), OSCD +date: 2020/11/10 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|Contains: + - 'hctac' + - 'kearb' + - 'dnammoc' + - 'ekovn' + - 'eliFd' + - 'rahc' + - 'etirw' + - 'golon' + - 'tninon' + - 'eddih' + - 'tpircS' + - 'ssecorp' + - 'llehsrewop' + - 'esnopser' + - 'daolnwod' + - 'tneilCbeW' + - 'tneilc' + - 'ptth' + - 'elifotevas' + - '46esab' + - 'htaPpmeTteG' + - 'tcejbO' + - 'maerts' + - 'hcaerof' + - 'ekovni' + - 'retupmoc' + condition: selection +falsepositives: + - Unlikely +level: high From dd9c29377b44439ec8bbb4ab8fff1537ebbf6a18 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:11:58 +0300 Subject: [PATCH 0207/1335] Update powershell_cmdline_reversed_strings --- rules/windows/powershell/powershell_cmdline_reversed_strings | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
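Review bot: `date: 2020/11/10` lies a month after the commit date (11 Oct 2020) and looks like a day/month swap of `2020/10/11`. The rule is scoped to `category: process_creation` with no `Image` restriction, so a reversed fragment in any process command line raises a high-severity alert; that may be deliberate (obfuscated launches via cmd.exe or script hosts), but then the title and description should not say "PowerShell", and if PowerShell-only is the goal, `Image|endswith: '\powershell.exe'` belongs in the selection. The shortest fragments, `rahc`, `ptth` and `tneilc`, are the ones most likely to appear inside innocent tokens, so they are the first candidates to review if the rule turns out noisy.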
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings b/rules/windows/powershell/powershell_cmdline_reversed_strings
index a4d75952d..26f473229 100644
--- a/rules/windows/powershell/powershell_cmdline_reversed_strings
+++ b/rules/windows/powershell/powershell_cmdline_reversed_strings
@@ -1,6 +1,6 @@
-title: PowerShell command line with reversed strings
+title: PowerShell command line obfuscation
 id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a3
-description: Detects the PowerShell command line obfuscation (command lines with reversed strings)
+description: Detects the PowerShell command lines with reversed strings
 status: experimental
 references:
 - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
From 672bf99c6b6eed5d2da81d61a73dc7cdffadb968 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 19:45:58 +0530 Subject: [PATCH 0208/1335] Silenttrinity stager communication to c2 --- .../Silenttrinity stager communication to c2 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/sysmon/Silenttrinity stager communication to c2
diff --git a/rules/windows/sysmon/Silenttrinity stager communication to c2 b/rules/windows/sysmon/Silenttrinity stager communication to c2 new file mode 100644
index 000000000..656c8de0a
--- /dev/null
+++ b/rules/windows/sysmon/Silenttrinity stager communication to c2
@@ -0,0 +1,21 @@
+title: Silenttrinity stager communication to c2
+description: Detects a possible remote connections to Silenttrinity c2
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+tags:
+ - T1127.001
+ - Tactic: Defense Evasion
+status: experimental
+author: Kiran kumar s
+date: 11/10/2020
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ ParentImage: '*\msbuild.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
From 8a87fc35b2ff9c44ba23a27467bee2c6f673db84 Mon Sep 17 00:00:00 2001
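Review bot: Sysmon event 3 (network connection) carries `Image`, not `ParentImage`, so `ParentImage: '*\msbuild.exe'` can never match a network-connection record and the rule is dead as written; the repository's idiom is `logsource: product: windows / category: network_connection` with `Image|endswith: '\msbuild.exe'`. The tag `T1127.001` lacks the `attack.` prefix every other rule uses (`attack.t1127.001`, with `attack.defense_evasion` for the tactic), and `date: 11/10/2020` is not the `YYYY/MM/DD` form the test suite expects. An outbound connection from msbuild.exe is also not specific to SilentTrinity, so the title overstates the signal; a neutral title with SilentTrinity named in the description and references would describe what the selection actually detects.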
From: "S.kiran kumar" Date: Sun, 11 Oct 2020 19:48:07 +0530 Subject: [PATCH 0209/1335] Update win_susp_security_eventlog_cleared.yml --- rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml index a24e9d470..cc61bdf10 100644 --- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml @@ -12,7 +12,6 @@ detection: EventID: - 517 - 1102 - - 104 condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) From 51f00c153cbcd648c96b3712d21940ff2dd83873 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:18:15 +0300 Subject: [PATCH 0210/1335] Update powershell_cmdline_reversed_strings --- rules/windows/powershell/powershell_cmdline_reversed_strings | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings b/rules/windows/powershell/powershell_cmdline_reversed_strings index 26f473229..861a2c954 100644 --- a/rules/windows/powershell/powershell_cmdline_reversed_strings +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings @@ -1,5 +1,5 @@ -title: PowerShell command line obfuscation -id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a3 +title: Suspicious PowerShell Cmdline with obfuscation +id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 description: Detects the PowerShell command lines with reversed strings status: experimental references: From 00f5d1ec9261ac19ebd9f7ccc75434e395f7970e Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:24:46 +0300 Subject: [PATCH 0211/1335] Update powershell_cmdline_reversed_strings --- rules/windows/powershell/powershell_cmdline_reversed_strings | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings b/rules/windows/powershell/powershell_cmdline_reversed_strings index 861a2c954..8958e86ff 100644 --- a/rules/windows/powershell/powershell_cmdline_reversed_strings +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Cmdline with obfuscation +title: Suspicious PowerShell Cmdline id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 description: Detects the PowerShell command lines with reversed strings status: experimental @@ -8,7 +8,7 @@ references: tags: - attack.defense_evasion - attack.t1027 -author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), OSCD +author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community date: 2020/11/10 logsource: category: process_creation From 7aaf4654cd44119d10427007416cf86d4a859599 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:28:56 +0300 Subject: [PATCH 0212/1335] Rename powershell_cmdline_reversed_strings to powershell_cmdline_reversed_strings.yml --- ...e_reversed_strings => powershell_cmdline_reversed_strings.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{powershell_cmdline_reversed_strings => powershell_cmdline_reversed_strings.yml} (100%) diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml similarity index 100% rename from rules/windows/powershell/powershell_cmdline_reversed_strings rename to rules/windows/powershell/powershell_cmdline_reversed_strings.yml From c868ef655c3d0a52331ec08706c34888c09c7356 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 17:37:07 +0300 Subject: [PATCH 0213/1335] Update powershell_cmdline_reversed_strings.yml --- .../windows/powershell/powershell_cmdline_reversed_strings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml index 8958e86ff..9246735e0 100644 --- a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - CommandLine|Contains: + CommandLine|contains: - 'hctac' - 'kearb' - 'dnammoc' From e5fd37aea6383f4e0a7a715da632c8c301b35c96 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 20:25:49 +0530 Subject: [PATCH 0214/1335] Update Silenttrinity stager communication to c2 --- rules/windows/sysmon/Silenttrinity stager communication to c2 | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/sysmon/Silenttrinity stager communication to c2 b/rules/windows/sysmon/Silenttrinity stager communication to c2 index 656c8de0a..2864dd091 100644 --- a/rules/windows/sysmon/Silenttrinity stager communication to c2 +++ b/rules/windows/sysmon/Silenttrinity stager communication to c2 @@ -1,4 +1,5 @@ title: Silenttrinity stager communication to c2 +id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ From f8c229bbf889d660d4399ef4b3183bf62107642c Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 20:29:30 +0530 Subject: [PATCH 0215/1335] Update Silenttrinity stager communication to c2 --- rules/windows/sysmon/Silenttrinity stager communication to c2 | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/sysmon/Silenttrinity stager communication to c2 b/rules/windows/sysmon/Silenttrinity stager communication to c2 index 2864dd091..caf830be2 100644 --- a/rules/windows/sysmon/Silenttrinity stager communication to c2 +++ b/rules/windows/sysmon/Silenttrinity stager communication to c2 
@@ -5,7 +5,6 @@ references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - T1127.001 - - Tactic: Defense Evasion status: experimental author: Kiran kumar s date: 11/10/2020 From 8ae42bca7ceb3f06bc73b117f1ea48e11f06d803 Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 17:02:39 +0200 Subject: [PATCH 0216/1335] fix description & ParentImage -> Image modification to comply with reg events constraints --- .../sysmon_modify_screensaver_binary_path.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml index f335f7597..7ea7aada0 100644 --- a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml +++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml @@ -1,10 +1,7 @@ title: Path To Screensaver Binary Modified id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 status: experimental -description: > - Detects value modification of registry key containing path to binary used as screensaver. - Adversaries may establish persistence by executing malicious content triggered by user inactivity. - Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. +description: Detects value modification of registry key containing path to binary used as screensaver. references: - https://attack.mitre.org/techniques/T1546/002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md @@ -22,7 +19,9 @@ detection: selection: TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE filter: - ParentImage: 'C:\Windows\System32\services.exe' + Image|endswith: + - '\rundll32.exe' + - '\explorer.exe' condition: selection and not filter level: medium falsepositives: 
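Review bot: The new `filter` drops every SCRNSAVE.EXE write made by `rundll32.exe`, which is the process behind the Screen Saver control panel but also one of the most widely abused proxy-execution binaries, so any change that arrives through rundll32, benign or not, is now invisible to the rule. Registry events carry no command line to narrow the exclusion, so the trade-off cannot be tightened here, but it should be recorded where the next analyst will see it, e.g. in `falsepositives`: `- Changes made through rundll32.exe or explorer.exe (Screen Saver Settings dialog) are intentionally filtered out`.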
From f82d163dedac249357369e58edda7f45452c4d9a Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 20:33:08 +0530 Subject: [PATCH 0217/1335] Update Silenttrinity stager communication to c2 --- rules/windows/sysmon/Silenttrinity stager communication to c2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/Silenttrinity stager communication to c2 b/rules/windows/sysmon/Silenttrinity stager communication to c2 index caf830be2..776b5e60b 100644 --- a/rules/windows/sysmon/Silenttrinity stager communication to c2 +++ b/rules/windows/sysmon/Silenttrinity stager communication to c2 @@ -1,4 +1,4 @@ -title: Silenttrinity stager communication to c2 +title: Silenttrinity Stager Communication To C2 id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 description: Detects a possible remote connections to Silenttrinity c2 references: From 28ccbe90349059e3357da5fceb702610de8e7f61 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 21:00:00 +0530 Subject: [PATCH 0218/1335] Rename Silenttrinity stager communication to c2 to Silenttrinity Stager Communication To C2 --- ...mmunication to c2 => Silenttrinity Stager Communication To C2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{Silenttrinity stager communication to c2 => Silenttrinity Stager Communication To C2} (100%) diff --git a/rules/windows/sysmon/Silenttrinity stager communication to c2 b/rules/windows/sysmon/Silenttrinity Stager Communication To C2 similarity index 100% rename from rules/windows/sysmon/Silenttrinity stager communication to c2 rename to rules/windows/sysmon/Silenttrinity Stager Communication To C2 From 7a4c2c5db5a8a43e8dcfa68c195a3751ca4e7ee3 Mon Sep 17 00:00:00 2001 
From: "S.kiran kumar" Date: Sun, 11 Oct 2020 21:16:45 +0530 Subject: [PATCH 0219/1335] Rename Silenttrinity Stager Communication To C2 to Silenttrinity _Stager _Communication _To _C2.yml --- ...ion To C2 => Silenttrinity _Stager _Communication _To _C2.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{Silenttrinity Stager Communication To C2 => Silenttrinity _Stager _Communication _To _C2.yml} (100%) diff --git a/rules/windows/sysmon/Silenttrinity Stager Communication To C2 b/rules/windows/sysmon/Silenttrinity _Stager _Communication _To _C2.yml similarity index 100% rename from rules/windows/sysmon/Silenttrinity Stager Communication To C2 rename to rules/windows/sysmon/Silenttrinity _Stager _Communication _To _C2.yml From 3358dd47eae9c9a939f7f613053a42822c08d852 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Sun, 11 Oct 2020 17:56:29 +0200 Subject: [PATCH 0220/1335] macos local account creation --- rules/linux/macos_create_account.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/linux/macos_create_account.yml diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml new file mode 100644 index 000000000..c866aba10 --- /dev/null +++ b/rules/linux/macos_create_account.yml 
@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ProcessName|endswith:
+ - '*/dscl'
+ CommandLine|contains:
+ - '. -create *'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: Admin
+tags:
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
From a5bf538ad1350c45bdc2bd6b85443cb0cf8bad2e Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Sun, 11 Oct 2020 21:34:55 +0530
Subject: [PATCH 0221/1335] Rename Silenttrinity _Stager _Communication _To _C2.yml to Silenttrinity Stager Communication C2.yml
---
 ...on _To _C2.yml => Silenttrinity Stager Communication C2.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/sysmon/{Silenttrinity _Stager _Communication _To _C2.yml => Silenttrinity Stager Communication C2.yml} (100%)
diff --git a/rules/windows/sysmon/Silenttrinity _Stager _Communication _To _C2.yml b/rules/windows/sysmon/Silenttrinity Stager Communication C2.yml
similarity index 100%
rename from rules/windows/sysmon/Silenttrinity _Stager _Communication _To _C2.yml
rename to rules/windows/sysmon/Silenttrinity Stager Communication C2.yml
From 9825b42de0c50de7a8f453f67b4ba8a53da33d1d Mon Sep 17 00:00:00 2001
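Review bot: `level: Admin` at the end of the new rule is not a value the Sigma `level` field accepts (the schema allows informational, low, medium, high and critical), so the rule will fail validation; the sibling macOS rules on this page use `level: low`, which is presumably what was intended. The leading `*` in `'*/dscl'` is redundant under the `endswith` modifier, and the trailing `*` in `'. -create *'` is redundant under `contains`; `ProcessName|endswith: '/dscl'` and `CommandLine|contains: '. -create '` express the same match without wildcard characters the backend has to translate. The hunk holds the whole file, so nothing is cut off.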
From: "S.kiran kumar" Date: Sun, 11 Oct 2020 21:38:19 +0530 Subject: [PATCH 0222/1335] Rename Silenttrinity Stager Communication C2.yml to Silenttrinity _Stager _Communication _C2.yml --- ...cation C2.yml => Silenttrinity _Stager _Communication _C2.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{Silenttrinity Stager Communication C2.yml => Silenttrinity _Stager _Communication _C2.yml} (100%) diff --git a/rules/windows/sysmon/Silenttrinity Stager Communication C2.yml b/rules/windows/sysmon/Silenttrinity _Stager _Communication _C2.yml similarity index 100% rename from rules/windows/sysmon/Silenttrinity Stager Communication C2.yml rename to rules/windows/sysmon/Silenttrinity _Stager _Communication _C2.yml From d17faf823449b7ee5988f1b5ba52f7225e26f9d9 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Sun, 11 Oct 2020 18:15:53 +0200 Subject: [PATCH 0223/1335] Local groups discovery sigma rules --- rules/linux/lnx_local_groups.yml | 27 ++++++++++++++++++++++++ rules/linux/macos_local_groups.yml | 34 ++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 rules/linux/lnx_local_groups.yml create mode 100644 rules/linux/macos_local_groups.yml diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml new file mode 100644 index 000000000..04cd384c9 --- /dev/null +++ b/rules/linux/lnx_local_groups.yml 
@@ -0,0 +1,27 @@
+title: Local Groups Discovery
+id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
+status: experimental
+description: Detects enumeration of local system groups
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ ProcessName|endswith:
+ - '*/groups'
+ selection_2:
+ ProcessName|endswith:
+ - '*/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
new file mode 100644
index 000000000..a456e13ae
--- /dev/null
+++ b/rules/linux/macos_local_groups.yml
@@ -0,0 +1,34 @@
+title: Local Groups Discovery
+id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
+status: experimental
+description: Detects enumeration of local system groups
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ ProcessName|endswith:
+ - '*/dscacheutil'
+ CommandLine|contains:
+ - '-q group'
+ selection_2:
+ ProcessName|endswith:
+ - '*/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ selection_3:
+ ProcessName|endswith:
+ - '*/dscl'
+ CommandLine|contains:
+ - '. -list /groups'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1069.001
From 545a8c06ed2f787c5ba43e021059be7e0206c9da Mon Sep 17 00:00:00 2001
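Review bot: In both new rules the `*/` prefix inside the `ProcessName|endswith` values (`'*/groups'`, `'*/cat'`, `'*/dscacheutil'`, `'*/dscl'`) is redundant, because the `endswith` modifier already anchors the value to the end of the field; `'/groups'`, `'/cat'`, `'/dscacheutil'` and `'/dscl'` say the same thing without a wildcard the backend has to translate. This applies to rules/linux/lnx_local_groups.yml and rules/linux/macos_local_groups.yml alike. The `cat` plus `/etc/group` selection in both files will also fire on routine scripted reads of that file, which `level: low` accounts for, but it is worth saying so under `falsepositives`, e.g. `- Scripts and monitoring tools that read /etc/group`. Both hunks hold their whole files.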
From: "S.kiran kumar" Date: Sun, 11 Oct 2020 21:53:45 +0530 Subject: [PATCH 0224/1335] Rename Silenttrinity _Stager _Communication _C2.yml to silenttrinity _stager _communication _c2.yml --- ...ation _C2.yml => silenttrinity _stager _communication _c2.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{Silenttrinity _Stager _Communication _C2.yml => silenttrinity _stager _communication _c2.yml} (100%) diff --git a/rules/windows/sysmon/Silenttrinity _Stager _Communication _C2.yml b/rules/windows/sysmon/silenttrinity _stager _communication _c2.yml similarity index 100% rename from rules/windows/sysmon/Silenttrinity _Stager _Communication _C2.yml rename to rules/windows/sysmon/silenttrinity _stager _communication _c2.yml From 476ed7ec2dab872438475f1313fd876ade31a9a5 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 22:03:24 +0530 Subject: [PATCH 0225/1335] Rename silenttrinity _stager _communication _c2.yml to sysmon_silenttrinity _stager _communication _c2.yml --- ...c2.yml => sysmon_silenttrinity _stager _communication _c2.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{silenttrinity _stager _communication _c2.yml => sysmon_silenttrinity _stager _communication _c2.yml} (100%) diff --git a/rules/windows/sysmon/silenttrinity _stager _communication _c2.yml b/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml similarity index 100% rename from rules/windows/sysmon/silenttrinity _stager _communication _c2.yml rename to rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml From 64b07ff51a9f0d629c098aec83f74ebc70660df4 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 19:42:39 +0300 Subject: [PATCH 0226/1335] Update powershell_cmdline_reversed_strings.yml --- .../powershell/powershell_cmdline_reversed_strings.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml index 9246735e0..aa0fe047b 100644 --- a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml @@ -8,8 +8,10 @@ references: tags: - attack.defense_evasion - attack.t1027 + - attack.execution + - attack.t1059.001 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community -date: 2020/11/10 +date: 2020/10/11 logsource: category: process_creation product: windows From 435f052f75132b0f03962fb71b757959fb966f58 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Sun, 11 Oct 2020 19:45:46 +0300 Subject: [PATCH 0227/1335] some typos fixing --- .../windows/process_creation/win_susp_use_of_sqlps_bin.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 9747276aa..ba62e92df 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -1,13 +1,15 @@ title: Detection of PowerShell Execution via SQL id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: experimental -description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary. +description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary. Microsoft PS logging like + ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. references: - https://twitter.com/pabraeken/status/993298228840992768 - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ tags: - attack.execution - - attack.t1059.011 + - attack.t1059.001 author: Agro (@agro_sev) date: 2020/10/10 logsource: 
From 6b10b998c91f8c80837c3c863e91c74ec941ed11 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 22:38:30 +0530 Subject: [PATCH 0228/1335] Update sysmon_silenttrinity _stager _communication _c2.yml --- .../sysmon/sysmon_silenttrinity _stager _communication _c2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml b/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml index 776b5e60b..479db8e25 100644 --- a/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml +++ b/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml @@ -6,7 +6,7 @@ references: tags: - T1127.001 status: experimental -author: Kiran kumar s +author: Kiran kumar.s date: 11/10/2020 logsource: product: windows From 94efeda45df4d8c14fadac80d8a379fc13e5c7ed Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 19:11:54 +0200 Subject: [PATCH 0229/1335] modify powershell_malicious_commandlets.yml to leverage ScriptBlock logging feature --- .../powershell_malicious_commandlets.yml | 198 +++++++++--------- 1 file changed, 101 insertions(+), 97 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index d75d512ae..50c5baf50 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml 
@@ -10,110 +10,114 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 +modified: 2020/10/11 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Message: - - "*Invoke-DllInjection*" - - "*Invoke-Shellcode*" - - "*Invoke-WmiCommand*" - - "*Get-GPPPassword*" - - "*Get-Keystrokes*" - - "*Get-TimedScreenshot*" - - "*Get-VaultCredential*" - - "*Invoke-CredentialInjection*" - - "*Invoke-Mimikatz*" - - "*Invoke-NinjaCopy*" - - "*Invoke-TokenManipulation*" - - "*Out-Minidump*" - - "*VolumeShadowCopyTools*" - - "*Invoke-ReflectivePEInjection*" - - "*Invoke-UserHunter*" - - "*Find-GPOLocation*" - - "*Invoke-ACLScanner*" - - "*Invoke-DowngradeAccount*" - - "*Get-ServiceUnquoted*" - - "*Get-ServiceFilePermission*" - - "*Get-ServicePermission*" - - "*Invoke-ServiceAbuse*" - - "*Install-ServiceBinary*" - - "*Get-RegAutoLogon*" - - "*Get-VulnAutoRun*" - - "*Get-VulnSchTask*" - - "*Get-UnattendedInstallFile*" - - "*Get-ApplicationHost*" - - "*Get-RegAlwaysInstallElevated*" - - "*Get-Unconstrained*" - - "*Add-RegBackdoor*" - - "*Add-ScrnSaveBackdoor*" - - "*Gupt-Backdoor*" - - "*Invoke-ADSBackdoor*" - - "*Enabled-DuplicateToken*" - - "*Invoke-PsUaCme*" - - "*Remove-Update*" - - "*Check-VM*" - - "*Get-LSASecret*" - - "*Get-PassHashes*" - - "*Show-TargetScreen*" - - "*Port-Scan*" - - "*Invoke-PoshRatHttp*" - - "*Invoke-PowerShellTCP*" - - "*Invoke-PowerShellWMI*" - - "*Add-Exfiltration*" - - "*Add-Persistence*" - - "*Do-Exfiltration*" - - "*Start-CaptureServer*" - - "*Get-ChromeDump*" - - "*Get-ClipboardContents*" - - "*Get-FoxDump*" - - "*Get-IndexedItem*" - - "*Get-Screenshot*" - - "*Invoke-Inveigh*" - - "*Invoke-NetRipper*" - - "*Invoke-EgressCheck*" - - "*Invoke-PostExfil*" - - "*Invoke-PSInject*" - - "*Invoke-RunAs*" - - "*MailRaider*" - - "*New-HoneyHash*" - - "*Set-MacAttribute*" - - 
"*Invoke-DCSync*" - - "*Invoke-PowerDump*" - - "*Exploit-Jboss*" - - "*Invoke-ThunderStruck*" - - "*Invoke-VoiceTroll*" - - "*Set-Wallpaper*" - - "*Invoke-InveighRelay*" - - "*Invoke-PsExec*" - - "*Invoke-SSHCommand*" - - "*Get-SecurityPackages*" - - "*Install-SSP*" - - "*Invoke-BackdoorLNK*" - - "*PowerBreach*" - - "*Get-SiteListPassword*" - - "*Get-System*" - - "*Invoke-BypassUAC*" - - "*Invoke-Tater*" - - "*Invoke-WScriptBypassUAC*" - - "*PowerUp*" - - "*PowerView*" - - "*Get-RickAstley*" - - "*Find-Fruit*" - - "*HTTP-Login*" - - "*Find-TrustedDocuments*" - - "*Invoke-Paranoia*" - - "*Invoke-WinEnum*" - - "*Invoke-ARPScan*" - - "*Invoke-PortScan*" - - "*Invoke-ReverseDNSLookup*" - - "*Invoke-SMBScanner*" - - "*Invoke-Mimikittenz*" - - "*Invoke-AllChecks*" + EventID: 4104 + ScriptBlockText|contains: + - "Invoke-DllInjection" + - "Invoke-Shellcode" + - "Invoke-WmiCommand" + - "Get-GPPPassword" + - "Get-Keystrokes" + - "Get-TimedScreenshot" + - "Get-VaultCredential" + - "Invoke-CredentialInjection" + - "Invoke-Mimikatz" + - "Invoke-NinjaCopy" + - "Invoke-TokenManipulation" + - "Out-Minidump" + - "VolumeShadowCopyTools" + - "Invoke-ReflectivePEInjection" + - "Invoke-UserHunter" + - "Find-GPOLocation" + - "Invoke-ACLScanner" + - "Invoke-DowngradeAccount" + - "Get-ServiceUnquoted" + - "Get-ServiceFilePermission" + - "Get-ServicePermission" + - "Invoke-ServiceAbuse" + - "Install-ServiceBinary" + - "Get-RegAutoLogon" + - "Get-VulnAutoRun" + - "Get-VulnSchTask" + - "Get-UnattendedInstallFile" + - "Get-ApplicationHost" + - "Get-RegAlwaysInstallElevated" + - "Get-Unconstrained" + - "Add-RegBackdoor" + - "Add-ScrnSaveBackdoor" + - "Gupt-Backdoor" + - "Invoke-ADSBackdoor" + - "Enabled-DuplicateToken" + - "Invoke-PsUaCme" + - "Remove-Update" + - "Check-VM" + - "Get-LSASecret" + - "Get-PassHashes" + - "Show-TargetScreen" + - "Port-Scan" + - "Invoke-PoshRatHttp" + - "Invoke-PowerShellTCP" + - "Invoke-PowerShellWMI" + - "Add-Exfiltration" + - "Add-Persistence" + - 
"Do-Exfiltration" + - "Start-CaptureServer" + - "Get-ChromeDump" + - "Get-ClipboardContents" + - "Get-FoxDump" + - "Get-IndexedItem" + - "Get-Screenshot" + - "Invoke-Inveigh" + - "Invoke-NetRipper" + - "Invoke-EgressCheck" + - "Invoke-PostExfil" + - "Invoke-PSInject" + - "Invoke-RunAs" + - "MailRaider" + - "New-HoneyHash" + - "Set-MacAttribute" + - "Invoke-DCSync" + - "Invoke-PowerDump" + - "Exploit-Jboss" + - "Invoke-ThunderStruck" + - "Invoke-VoiceTroll" + - "Set-Wallpaper" + - "Invoke-InveighRelay" + - "Invoke-PsExec" + - "Invoke-SSHCommand" + - "Get-SecurityPackages" + - "Install-SSP" + - "Invoke-BackdoorLNK" + - "PowerBreach" + - "Get-SiteListPassword" + - "Get-System" + - "Invoke-BypassUAC" + - "Invoke-Tater" + - "Invoke-WScriptBypassUAC" + - "PowerUp" + - "PowerView" + - "Get-RickAstley" + - "Find-Fruit" + - "HTTP-Login" + - "Find-TrustedDocuments" + - "Invoke-Paranoia" + - "Invoke-WinEnum" + - "Invoke-ARPScan" + - "Invoke-PortScan" + - "Invoke-ReverseDNSLookup" + - "Invoke-SMBScanner" + - "Invoke-Mimikittenz" + - "Invoke-AllChecks" false_positives: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + EventID: 4104 + ScriptBlockText|contains: + - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 condition: keywords and not false_positives falsepositives: - Penetration testing From 6b0b7794805324441ec3db05219e486782708006 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 23:00:52 +0530 Subject: [PATCH 0230/1335] Delete sysmon_silenttrinity _stager _communication _c2.yml --- ...lenttrinity _stager _communication _c2.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml 
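Review bot: The `definition` line kept in context still reads as a recommendation ('It is recommended to use the new "Script Block Logging"…'), but after this change the rule only matches `EventID: 4104` with `ScriptBlockText`, so Script Block Logging is now a hard requirement and the line should say so, e.g. `definition: 'Requires PowerShell Script Block Logging (Event ID 4104) of PowerShell v5 https://adsecurity.org/?p=2277'`. The `EventID: 4104` repeated inside the `false_positives` selection is redundant, since `keywords and not false_positives` already restricts matching to 4104 events, and can be dropped. Moving from `*X*` wildcards to `|contains` keeps substring semantics, so short values such as `Get-System`, `PowerUp` and `Port-Scan` still match any cmdlet name that embeds them, as the `Get-SystemDriveInfo` exclusion shows; a `falsepositives` entry naming benign cmdlets that embed these strings would make that explicit. The hunk starts at line 10, so the rule header (`title`, `id`, `description`) is outside it.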
diff --git a/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml b/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml deleted file mode 100644 index 479db8e25..000000000 --- a/rules/windows/sysmon/sysmon_silenttrinity _stager _communication _c2.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Silenttrinity Stager Communication To C2 -id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 -description: Detects a possible remote connections to Silenttrinity c2 -references: - - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ -tags: - - T1127.001 -status: experimental -author: Kiran kumar.s -date: 11/10/2020 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 3 - ParentImage: '*\msbuild.exe' - condition: selection -falsepositives: - - unknown -level: high From bddbe68235540650ca13c5f6930691981f65d312 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 11 Oct 2020 23:02:03 +0530 Subject: [PATCH 0231/1335] Create silenttrinity_stager_communicating_to_c2.yml --- ...lenttrinity_stager_communicating_to_c2.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml diff --git a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml new file mode 100644 index 000000000..da6f16c2b --- /dev/null +++ b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml 
@@ -0,0 +1,21 @@
+title: Silenttrinity Stager Communication To C2
+description: Detects a possible remote connections to Silenttrinity c2
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+tags:
+ - T1127.001
+ - Tactic: Defense Evasion
+status: experimental
+author: Kiran kumar s
+date: 11/10/2020
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ ParentImage: '*\msbuild.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
From fbf5d2fdc4476c11586ff3269094c70d87f0501b Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Sun, 11 Oct 2020 23:07:41 +0530
Subject: [PATCH 0232/1335] Update silenttrinity_stager_communicating_to_c2.yml
---
 .../windows/sysmon/silenttrinity_stager_communicating_to_c2.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml
index da6f16c2b..a2d56bc83 100644
--- a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml
@@ -1,4 +1,5 @@
 title: Silenttrinity Stager Communication To C2
+id: c4f2d4b1-ca0f-42e4-9b7b-a69790524fab
 description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
From c76eede1b8d0b4d4e3886f8137847de59a1c0bb1 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Sun, 11 Oct 2020 23:11:09 +0530
Subject: [PATCH 0233/1335] Update silenttrinity_stager_communicating_to_c2.yml
---
 .../windows/sysmon/silenttrinity_stager_communicating_to_c2.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml
index a2d56bc83..8c7a073d3 100644
--- a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml
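Review bot: `ParentImage: '*\msbuild.exe'` under `EventID: 3` will never match, because Sysmon's network-connection event (ID 3) does not carry a ParentImage field — the connecting process is reported in `Image` — so the rule cannot fire as written. The selection should read `Image|endswith: '\msbuild.exe'`, and the logsource is better expressed as `category: network_connection` with `product: windows` (which the standard Sysmon mapping resolves to event 3) than as `service: sysmon` plus a hard-coded `EventID: 3`. `date: 11/10/2020` does not follow the YYYY/MM/DD convention used by the other rules on this page (`date: 2020/10/11`), and the tag `T1127.001` needs the `attack.` prefix (`attack.t1127.001`) to be recognised by the ATT&CK tooling. The hunk holds the whole file.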
+++ b/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml @@ -5,7 +5,6 @@ references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - T1127.001 - - Tactic: Defense Evasion status: experimental author: Kiran kumar s date: 11/10/2020 From 6094fd4e9c6c453748d21aaa5ddd296a7239d3ab Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 20:56:45 +0300 Subject: [PATCH 0234/1335] [OSCD] Create powershell_cmdline_specific_comb_methods.yml --- ...wershell_cmdline_specific_comb_methods.yml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml new file mode 100644 index 000000000..f7aff02b1 --- /dev/null +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
@@ -0,0 +1,52 @@
+title: Suspicious PowerShell Cmdline
+id: b6b49cd1-34d6-4ead-b1bf-176e8edba9a5
+description: Detects specific combinations of methods in the PowerShell command lines
+status: experimental
+references:
+ - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ selection2:
+ CommandLine|contains|all:
+ - 'char'
+ - 'joint'
+ selection3:
+ CommandLine|contains:
+ - 'ToInt'
+ - 'ToDecimal'
+ - 'ToByte'
+ - 'ToByte'
+ - 'ToSingle'
+ - 'ToSByte'
+ selection4:
+ CommandLine|contains:
+ - 'ToChar'
+ - 'ToString'
+ - 'String'
+ selection5:
+ CommandLine|contains|all:
+ - 'split'
+ - 'join'
+ selection6:
+ CommandLine|contains|all:
+ - 'ForEach'
+ - 'Xor'
+ selection7:
+ CommandLine|contains:
+ - 'cOnvErTTO-SECUreStRIng'
+ condition: selection1 and (selection2 or (selection3 and selection4) or selection5 or selection6 or selection7)
+falsepositives:
+ - Unlikely
+level: high
From edb5b7718e73c8d7a3937a4d9602346d1f57585a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Sun, 11 Oct 2020 21:08:17 +0300
Subject: [PATCH 0235/1335] Deleted a part of an already-defined rule Lolbin rule for explorer.exe proxy execution; Test scenario; cd c:\windows\system32 explorer.exe calc.exe (pops calc.exe) as in https://twitter.com/bohops/status/986984122563391488/photo/1
---
 rules/windows/process_creation/win_susp_explorer.yml | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml
index 0e31dbbf4..6d6d85388 100644
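Review bot: `'joint'` in `selection2` looks like a typo for `'join'` — the char-array obfuscation this selection targets is the `[char[]] … -join` idiom, and a command line containing both `char` and `joint` is unlikely to occur, so the selection is dead as written; `- 'join'` fixes it. `'ToByte'` is listed twice in `selection3`, and in `selection4` the value `'String'` is a substring of `'ToString'` and of nearly every PowerShell command line, so `selection3 and selection4` collapses to `selection3` alone. Sigma string matching is case-insensitive, so `'cOnvErTTO-SECUreStRIng'` matches every plain `ConvertTo-SecureString` call — a common cmdlet in legitimate scripts — which conflicts with `falsepositives: Unlikely` at `level: high`; if the intent is to catch randomised casing, that needs a `|re` modifier on a backend that matches case-sensitively, and the rule should say so. `Image|endswith: '\powershell.exe'` also omits `pwsh.exe`. The hunk holds the whole file.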
--- a/rules/windows/process_creation/win_susp_explorer.yml
+++ b/rules/windows/process_creation/win_susp_explorer.yml
@@ -5,7 +5,6 @@ author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
 status: experimental
 date: 2020/10/05
 references:
- - https://twitter.com/bohops/status/1276356245541335048
 - https://twitter.com/CyberRaiju/status/1273597319322058752
 tags:
 - attack.defense_evasion
@@ -14,19 +13,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Image|endswith:
- - \explorer.exe
- CommandLine|contains:
- - /root
- selection2:
+ selection:
 Image|endswith:
 - \explorer.exe
 ParentImage|endswith:
 - \cmd.exe
 CommandLine|contains:
 - explorer.exe
- condition: selection1 or selection2
+ condition: selection
 falsepositives:
 - Legitimate explorer.exe run from cmd.exe
-level: medium
+level: low
From 2385d062215fdc43d82ed441f79ddb9005d5095d Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Sun, 11 Oct 2020 21:09:21 +0300
Subject: [PATCH 0236/1335] Update powershell_cmdline_specific_comb_methods.yml
---
 .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
index f7aff02b1..452f0b780 100644
--- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Cmdline
+title: Suspicious PowerShell Cmdline execution
 id: b6b49cd1-34d6-4ead-b1bf-176e8edba9a5
 description: Detects specific combinations of methods in the PowerShell command lines
 status: experimental
From 82c7edfd689f7dbe0aacfd3ba9714d57e5f0545a Mon Sep 17 00:00:00 2001
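Review bot: The surviving selection's `CommandLine|contains: - explorer.exe` is satisfied by a bare `explorer.exe` invocation just as well as by the proxy-execution form `explorer.exe <target>` the commit message describes, so after this change the rule presumably fires on any explorer.exe started from cmd.exe with its name spelled out, and lowering to `level: low` reflects that rather than fixing it. If the proxy-execution scenario is the goal, the selection should require an argument after the image name, for example by replacing the `contains` value with `CommandLine|re: 'explorer\.exe\s+\S+'`, after which the `falsepositives` entry can be narrowed. Both hunks are complete here; the rule's `title`/`id` header lies above the first hunk.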
From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:14:45 +0300 Subject: [PATCH 0237/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 452f0b780..e61aa3695 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,9 +1,8 @@ title: Suspicious PowerShell Cmdline execution -id: b6b49cd1-34d6-4ead-b1bf-176e8edba9a5 +id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental references: - - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 tags: - attack.defense_evasion From d16770aee41c33f9e94c181734a38c3e5191c01c Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:19:23 +0300 Subject: [PATCH 0238/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index e61aa3695..4a9553fd2 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Cmdline execution +title: Suspicious PowerShell Cmdline id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental 
From 03ebc36a110f19e4b0db347c70737f0749cd7499 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:23:12 +0300 Subject: [PATCH 0239/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 4a9553fd2..cda321a50 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Cmdline +title: PowerShell Cmdline obfuscation id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 6cc1a5e76703d01a7238cf2dd8e399734d7ab506 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:27:24 +0300 Subject: [PATCH 0240/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index cda321a50..1cd019e29 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: PowerShell Cmdline obfuscation +title: Obfuscation of PowerShell Cmdline id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 6e4f8bdd536575e7e53f23204d8f6b1a7eedec45 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:35:15 +0300 Subject: [PATCH 0241/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 1cd019e29..cf2bb8d33 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Obfuscation of PowerShell Cmdline +title: PowerShell Cmdline with obfuscation id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From ce2767b10e44ad48ba5db3baf9b8a09a5595fd25 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 21:47:07 +0300 Subject: [PATCH 0242/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index cf2bb8d33..3dd436faf 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: PowerShell Cmdline with obfuscation +title: Obfuscated Cmdline of PowerShell id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From ef17d168bdd902276d50e30da58c0d3d4a135cf7 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Sun, 11 Oct 2020 22:34:47 +0300 Subject: [PATCH 0243/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 3dd436faf..f15cacf21 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Obfuscated Cmdline of PowerShell +title: PowerShell command line obfuscation id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From fb5748254e8f9b539bd8fd93251b492ae764c25c Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 22:45:32 +0300 Subject: [PATCH 0244/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index f15cacf21..e1a52363b 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: PowerShell command line obfuscation +title: Suspicious PowerShell CmdLine with encoding id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 7dec19afca55f7b057845ffdd513dc7c5f4eadab Mon Sep 17 00:00:00 2001 
From: Yugoslavskiy Daniil
Date: Sun, 11 Oct 2020 22:01:05 +0200
Subject: [PATCH 0245/1335] add macos_create_hidden_account.yml; part of the oscd initiative task number 63 of the issue #1012
---
 rules/linux/macos_create_hidden_account.yml | 26 +++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/macos_create_hidden_account.yml
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml
new file mode 100644
index 000000000..68e7999e5
--- /dev/null
+++ b/rules/linux/macos_create_hidden_account.yml
@@ -0,0 +1,26 @@
+title: Hidden User Creation
+id: b22a5b36-2431-493a-8be1-0bae56c28ef3
+status: experimental
+description: Detects creation of a hidden user account on macOS
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/10
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ ProcessName|endswith: '/dscl'
+ CommandLine|contains:
+ - create
+ - UniqueID
+ selection_2:
+ CommandLine|re: '([1-9]|[1-8][0-9]|9[0-9]|[1-4][0-9]{2}|500)'
+ condition: selection_1 and selection_2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
From e52baddda275dd271f03f9dd4807e48ec1429793 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Sun, 11 Oct 2020 22:11:03 +0200
Subject: [PATCH 0246/1335] improve descriptin
---
 rules/linux/macos_create_hidden_account.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml
index 68e7999e5..469c19697 100644
--- a/rules/linux/macos_create_hidden_account.yml
+++ b/rules/linux/macos_create_hidden_account.yml
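Review bot: The regex in `selection_2`, `'([1-9]|[1-8][0-9]|9[0-9]|[1-4][0-9]{2}|500)'`, is unanchored, so it matches any command line that contains a single digit anywhere and places no constraint on the UniqueID value; combined with `selection_1` the rule effectively fires on every `dscl … create … UniqueID …` invocation, not only on hidden (sub-500) IDs. Tie the number to the argument it is meant to qualify, e.g. `CommandLine|re: 'UniqueID\s+([1-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)'` — this also drops `500`, which the follow-up description on this page (`UserID < 500`) excludes. `ProcessName|endswith: '/dscl'` and the `- create`/`- UniqueID` values under `CommandLine|contains` are fine as they are. The hunk holds the whole file.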
@@ -1,7 +1,7 @@ title: Hidden User Creation id: b22a5b36-2431-493a-8be1-0bae56c28ef3 status: experimental -description: Detects creation of a hidden user account on macOS +description: Detects creation of a hidden user account on macOS (UserID < 500) author: Daniil Yugoslavskiy, oscd.community date: 2020/10/10 references: From b80f0f647832f5858ecd9589e9936580fdb8a17d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:18:23 +0300 Subject: [PATCH 0247/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index e1a52363b..239a07286 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell CmdLine with encoding +title: PowerShell CmdLine encoding id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From da14df6c9f13be5c43b17c7464da7010d77e3014 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:29:37 +0300 Subject: [PATCH 0248/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 239a07286..a0e808d2d 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
@@ -1,4 +1,4 @@ -title: PowerShell CmdLine encoding +title: Command line with encoding id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 5c4adbb24eebb894829ea68121bde91365778e0b Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:33:57 +0300 Subject: [PATCH 0249/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index a0e808d2d..2d9b111e0 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Command line with encoding +title: Encoded PowerShell command line id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 2d88000fdff175baeefb1f817a6a7f31a6994d9f Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:38:07 +0300 Subject: [PATCH 0250/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 2d9b111e0..d7b81ce4b 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
@@ -1,4 +1,4 @@ -title: Encoded PowerShell command line +title: Unusual PowerShell Cmdline id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 1320e0b733f66844d2cd3d62daad5ac0ce25db4c Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:40:12 +0300 Subject: [PATCH 0251/1335] Update powershell_cmdline_reversed_strings.yml --- rules/windows/powershell/powershell_cmdline_reversed_strings.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml index aa0fe047b..a652304e2 100644 --- a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml @@ -17,6 +17,7 @@ logsource: product: windows detection: selection: + Image|endswith: '\powershell.exe' CommandLine|contains: - 'hctac' - 'kearb' From a39d4537921477d866167240f687c3f2c60ceae8 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:42:51 +0300 Subject: [PATCH 0252/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index d7b81ce4b..c9db77bc1 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Unusual PowerShell Cmdline +title: PowerShell Cmdline with encoding id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 47d6122298c9678cab1ba369d30fcbfe74dde822 Mon Sep 17 00:00:00 2001 
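Review bot: The added `Image|endswith: '\powershell.exe'` narrows the reversed-strings rule to the Windows PowerShell host and will miss the same command lines run through `pwsh.exe` (PowerShell 7) or `powershell_ise.exe`. A list keeps the intent: `Image|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'`. The selection's `CommandLine|contains` list continues outside the hunk.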
From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:46:51 +0300 Subject: [PATCH 0253/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index c9db77bc1..7b9c28425 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: PowerShell Cmdline with encoding +title: Encoded PowerShell Cmdline id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From e2543158ce2435ccb7c56297905f736520c8826f Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:53:00 +0300 Subject: [PATCH 0254/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 7b9c28425..cd7dd63b1 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Encoded PowerShell Cmdline +title: Encoded PowerShell cmdline id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From d4e17868360b74d542c742e120703f6e9e26331f Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Sun, 11 Oct 2020 23:57:27 +0300 Subject: [PATCH 0255/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index cd7dd63b1..2d9b111e0 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Encoded PowerShell cmdline +title: Encoded PowerShell command line id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 26ef1da0719fa0ad62fd016e9a9a28b32741cd44 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 00:00:17 +0300 Subject: [PATCH 0256/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 2d9b111e0..5558852f3 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,4 +1,4 @@ -title: Encoded PowerShell command line +title: Encoded PowerShell Command Line id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f description: Detects specific combinations of methods in the PowerShell command lines status: experimental From 6f7475020ab8f563bb1edbfd7390299e11e352ea Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Mon, 12 Oct 2020 00:23:27 +0300 Subject: [PATCH 0257/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell_cmdline_specific_comb_methods.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 5558852f3..ba081b2f5 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -1,6 +1,6 @@ title: Encoded PowerShell Command Line id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f -description: Detects specific combinations of methods in the PowerShell command lines +description: Detects specific combinations of encoding methods in the PowerShell command lines status: experimental references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 @@ -18,10 +18,6 @@ detection: selection1: Image|endswith: '\powershell.exe' selection2: - CommandLine|contains|all: - - 'char' - - 'joint' - selection3: CommandLine|contains: - 'ToInt' - 'ToDecimal' @@ -29,23 +25,23 @@ detection: - 'ToByte' - 'ToSingle' - 'ToSByte' - selection4: + selection3: CommandLine|contains: - 'ToChar' - 'ToString' - 'String' - selection5: + selection4: CommandLine|contains|all: - 'split' - 'join' - selection6: + selection5: CommandLine|contains|all: - 'ForEach' - 'Xor' - selection7: + selection6: CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' - condition: selection1 and (selection2 or (selection3 and selection4) or selection5 or selection6 or selection7) + condition: selection1 and ((selection2 and selection3) or selection4 or selection5 or selection5) falsepositives: - Unlikely level: high From 8d926dc30306470b15f06cd07af931fac8002575 Mon Sep 17 00:00:00 2001 
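Review bot: The new `condition: selection1 and ((selection2 and selection3) or selection4 or selection5 or selection5)` repeats `selection5` and never references `selection6`, so the `cOnvErTTO-SECUreStRIng` check defined just above it is dead after this renumbering. The intended line is presumably `condition: selection1 and ((selection2 and selection3) or selection4 or selection5 or selection6)`. Renumbering every selection on each edit is what produced the slip; naming them for what they match (e.g. `sel_cast`, `sel_split_join`, `sel_xor`, `sel_securestring`) makes the condition self-checking. `selection2`'s value list is split across the second and third hunks.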
From: Vasiliy Burov Date: Mon, 12 Oct 2020 00:27:45 +0300 Subject: [PATCH 0258/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell_cmdline_specific_comb_methods.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index ba081b2f5..79ae6fbe9 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -31,17 +31,13 @@ detection: - 'ToString' - 'String' selection4: - CommandLine|contains|all: - - 'split' - - 'join' - selection5: CommandLine|contains|all: - 'ForEach' - 'Xor' - selection6: + selection5: CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' - condition: selection1 and ((selection2 and selection3) or selection4 or selection5 or selection5) + condition: selection1 and ((selection2 and selection3) or selection4 or selection5) falsepositives: - Unlikely level: high From 2edd79a37f388e97b93b2bb522ef8bb80cfbe68d Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 12 Oct 2020 08:30:28 +1100 Subject: [PATCH 0259/1335] Update win_root_certificate_installed.yml --- .../win_root_certificate_installed.yml | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml index a9f3c25e1..d0f67207f 100644 --- a/rules/windows/builtin/win_root_certificate_installed.yml +++ b/rules/windows/builtin/win_root_certificate_installed.yml 
@@ -20,11 +20,16 @@ logsource: product: windows service: powershell detection: - selection: + selection1: EventID: 4104 - ScriptBlockText|contains: - - 'Import-Certificate * Cert:\LocalMachine\Root' - - 'Move-Item * Cert:\LocalMachine\Root' + ScriptBlockText|contains|all: + - 'Move-Item' + - 'Cert:\LocalMachine\Root' + selection2: + EventID: 4104 + ScriptBlockText|contains|all: + - 'Import-Certificate' + - 'Cert:\LocalMachine\Root' --- logsource: category: process_creation @@ -32,7 +37,11 @@ logsource: detection: selection1: Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der - CommandLine|contains: '-addstore * root' + CommandLine|contains|all: + - '-addstore' + - 'root' selection2: Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all - CommandLine|contains: '/add * root' + CommandLine|contains|all: + - '/add' + - 'root' From b6876e51235f913521235ade5e9a036bb98d7074 Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 23:35:17 +0200 Subject: [PATCH 0260/1335] remove redundant reference --- rules/windows/powershell/powershell_icmp_exfiltration.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml index 562d22df4..373f679aa 100644 --- a/rules/windows/powershell/powershell_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml 
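Review bot: After the split into `selection1`/`selection2`, neither hunk touches a `condition:` line, and the old side of the first hunk (11 lines) contains none, so the condition binding these documents lives outside the hunks, presumably in a shared document. If it still reads `condition: selection`, the powershell document no longer defines a `selection` and the rule will not compile; it needs `condition: selection1 or selection2` (or `1 of selection*`). In the second hunk, `'root'` under `contains|all` matches anywhere in the command line (a file named `rootca.cer`, any path containing `root`), so it no longer pins the store argument; `' root'` with the leading space, or a `re` on the argument position, would tighten it.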
@@ -4,7 +4,6 @@ status: experimental description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp - - https://attack.mitre.org/techniques/T1048/003/ author: 'Bartlomiej Czyz @bczyz1, oscd.community' date: 2020/10/10 tags: From 48f6fad6c333f3275b538d7e818d762a28a85aaf Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 00:35:59 +0300 Subject: [PATCH 0261/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 79ae6fbe9..9ba0949af 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -31,13 +31,9 @@ detection: - 'ToString' - 'String' selection4: - CommandLine|contains|all: - - 'ForEach' - - 'Xor' - selection5: CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' - condition: selection1 and ((selection2 and selection3) or selection4 or selection5) + condition: selection1 and ((selection2 and selection3) or selection4) falsepositives: - Unlikely level: high From ae41190291a81e2b8d1f1e1dff28e8354bb63178 Mon Sep 17 00:00:00 2001 From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 23:39:08 +0200 Subject: [PATCH 0262/1335] remove redundant reference --- .../registry_event/sysmon_modify_screensaver_binary_path.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml index 7ea7aada0..8dd2cc28f 100644 --- a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml +++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml @@ -3,7 +3,6 @@ id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 status: experimental description: Detects value modification of registry key containing path to binary used as screensaver. references: - - https://attack.mitre.org/techniques/T1546/002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf tags: From a0ac753e3231bfaad60569bbece731033468723d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 00:39:36 +0300 Subject: [PATCH 0263/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 9ba0949af..91da851d8 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -30,10 +30,7 @@ detection: - 'ToChar' - 'ToString' - 'String' - selection4: - CommandLine|contains: - - 'cOnvErTTO-SECUreStRIng' - condition: selection1 and ((selection2 and selection3) or selection4) + condition: selection1 and (selection2 and selection3) falsepositives: - Unlikely level: high From e90f91b89ee905897d764de581a1e7ae000390ce Mon Sep 17 00:00:00 2001 
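Review bot: With `condition: selection1 and (selection2 and selection3)` the rule now hinges on `selection3`, whose context lines list `'ToChar'`, `'ToString'` and `'String'`; `'String'` is a substring of `'ToString'` (so that entry is redundant) and on its own matches very common PowerShell command lines (`[string]`, `ConvertTo-SecureString`, string joins), which makes the pairing with a `ToInt`/`ToByte`-style cast weak for `level: high` and `falsepositives: Unlikely`. Dropping the bare `- 'String'` entry, or replacing it with something tied to the cast such as `'[char]'`, would make the combination meaningful. `selection2` and its `ToInt…` list are outside this hunk.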
From: Bartlomiej Czyz Date: Sun, 11 Oct 2020 23:42:33 +0200 Subject: [PATCH 0264/1335] append authors of the update --- rules/windows/powershell/powershell_malicious_commandlets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 50c5baf50..ad4609d8d 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -8,7 +8,7 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one -author: Sean Metcalf (source), Florian Roth (rule) +author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 modified: 2020/10/11 logsource: From 48edc674bdfdc3c3e1d29f4a1de30dd9f7175ede Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Sun, 11 Oct 2020 22:43:28 -0500 Subject: [PATCH 0265/1335] updating keywords to CommandLine|contains and splitting rule into two --- .../lnx_system_net_disc_firewall_enum.yml | 24 ++++++++---------- .../macos_system_net_disc_firewall_enum.yml | 25 +++++++++++++++++++ 2 files changed, 36 insertions(+), 13 deletions(-) create mode 100644 rules/linux/macos_system_net_disc_firewall_enum.yml diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index f148f5db7..228fbb866 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml 
@@ -6,22 +6,20 @@ author: remotephone, oscd.community date: 2020/10/06 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md - - https://attack.mitre.org/techniques/T1016 logsource: + category: process_creation product: unix detection: - keywords: - # Linux Only - - 'arp -a' - - 'ip' - - 'ss' - # macOS and Linux - - 'netstat' - - 'ifconfig' - # macOS only - - 'defaults read /Library/Preferences/com.apple.alf' - - 'socketfilterfw' - condition: keywords + selection: + CommandLine|contains: + # Linux Only + - 'arp -a' + - 'ip' + - 'ss' + # macOS and Linux + - 'netstat' + - 'ifconfig' + condition: selection falsepositives: - Legitimate administration activities - Redirecting output of echo command to a path that contains the word "cron" diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml new file mode 100644 index 000000000..d72735e8a --- /dev/null +++ b/rules/linux/macos_system_net_disc_firewall_enum.yml @@ -0,0 +1,25 @@ +title: System Network Discovery - Firewall Enumeration +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +logsource: + product: macos +detection: + selection: + CommandLine|contains: + - 'netstat' + - 'ifconfig' + - 'defaults read /Library/Preferences/com.apple.alf' + - 'socketfilterfw' + condition: selection +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.discovery + - attack.t1016 From 781c7ce6dc042f90468887edf73e71ee49309734 Mon Sep 17 00:00:00 2001 
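Review bot: In the new `CommandLine|contains` list the entries `'ip'` and `'ss'` are two-letter substrings that occur in a large share of ordinary command lines (`pip`, `zip`, `script`, `ssh`, `less`, any path containing them), so this selection will fire on nearly every process on a busy host even at `level: low`. Matching the executable instead keeps the intent: a second selection `Image|endswith:` with `- '/ip'` and `- '/ss'`, OR-ed with the remaining command-line terms. `'arp -a'` is anchored by its flag and `netstat`/`ifconfig` are long enough to be unambiguous, so those can stay as they are.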
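Review bot: The new file's `logsource` gives only `product: macos` with no `category: process_creation`, while the sibling `lnx_system_net_disc_firewall_enum.yml` hunk in this same commit adds that category; without it the `CommandLine` field has no log source to bind to. Adding `category: process_creation` under `logsource` aligns the two rules. The `falsepositives` entry about redirecting `echo` output to a path containing `cron` is carried over from an unrelated rule and does not describe firewall enumeration.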
From: "remotephone@gmail.com" Date: Sun, 11 Oct 2020 23:52:47 -0500 Subject: [PATCH 0266/1335] Cleaning up falsepositives section of both rules --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 1 - rules/linux/macos_system_net_disc_firewall_enum.yml | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 228fbb866..a41bbabd6 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -22,7 +22,6 @@ detection: condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" level: low tags: - attack.discovery diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml index d72735e8a..cf7bd1db9 100644 --- a/rules/linux/macos_system_net_disc_firewall_enum.yml +++ b/rules/linux/macos_system_net_disc_firewall_enum.yml @@ -10,7 +10,7 @@ logsource: product: macos detection: selection: - CommandLine|contains: + ParentCommandLine|contains: - 'netstat' - 'ifconfig' - 'defaults read /Library/Preferences/com.apple.alf' @@ -18,7 +18,6 @@ detection: condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" level: low tags: - attack.discovery From 476a3c04d900a526a7c4bd0c945b11c925e2a2ba Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Mon, 12 Oct 2020 00:01:10 -0500 Subject: [PATCH 0267/1335] Adding t1070_002 --- rules/linux/macos_clear_system_logs.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/linux/macos_clear_system_logs.yml diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml new file mode 100644 index 000000000..840decff7 --- /dev/null 
+++ b/rules/linux/macos_clear_system_logs.yml @@ -0,0 +1,24 @@ +title: Indicator Removal on Host - Clear Mac System Logs +id: acf61bd8-d814-4272-81f0-a7a269aa69aa +status: experimental +description: Detects deletion of local audit logs +author: remotephone, oscd.community +date: 2020/10/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md +logsource: + product: macos +detection: + selection: + CommandLine|contains: + - 'rm -rf /var/log' + - 'rm -rf /private/var/log' + - 'rm -rf /Users/*/Library/Logs/' + condition: selection +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.defense_evasion + - attack.t1070.002 From 8ff91088ee0443e5728aef01821203974fdea705 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Mon, 12 Oct 2020 08:31:10 +0300 Subject: [PATCH 0268/1335] tag's issue solved --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index ba62e92df..e2cd77e45 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
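Review bot: The three `CommandLine|contains` patterns are bound to the exact spelling `rm -rf <path>`, so equivalent flag orderings (`rm -fr`, `rm -r -f`, `rm -Rf`) on the same directories escape detection. A two-part selection, `Image|endswith: '/rm'` combined with `CommandLine|contains:` of the three directories (`/var/log`, `/private/var/log`, `/Library/Logs/`), covers the same intent without depending on flag order. As in the other new macOS rules on this page, `logsource` lacks `category: process_creation`, and the `falsepositives` entry about `echo` output and `cron` is copied from an unrelated rule.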
@@ -4,12 +4,13 @@ status: experimental description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary. Microsoft PS logging like ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. references: - - https://twitter.com/pabraeken/status/993298228840992768 - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ tags: - attack.execution - attack.t1059.001 + - attack.defense_evasion + - attack.t1127 author: Agro (@agro_sev) date: 2020/10/10 logsource: From 13e829219c6df1f240bafe8c609a9486b33c0b59 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Mon, 12 Oct 2020 08:35:11 +0300 Subject: [PATCH 0269/1335] reference's list changed --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index e2cd77e45..ab1473eab 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -6,6 +6,7 @@ description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary. references: - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ + - https://twitter.com/bryon_/status/975835709587075072 tags: - attack.execution - attack.t1059.001 From d29a28a4a811a6411cb5eb15e17a2c3c118adcd5 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 12:40:50 +0530 Subject: [PATCH 0270/1335] updated adfind command line --- rules/windows/process_creation/win_susp_adfind.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index a7269532b..7a8a89e04 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -5,8 +5,10 @@ description: Detects the execution of a AdFind for Active Directory enumeration references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md -author: FPT.EagleEye Team + - https://thedfirreport.com/2020/05/08/adfind-recon/ +author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 +modified: 2020/10/11 tags: - attack.discovery - attack.t1016 @@ -19,7 +21,9 @@ logsource: service: process_creation detection: selection: - ProcessCommandline|contains: 'objectcategory' + ProcessCommandline|contains: + - 'objectcategory' + - 'sc' Image: - '*\adfind.exe' condition: selection From cf5ad9197cde77bf1b3b374244fba816d34ad640 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 12:42:05 +0530 Subject: [PATCH 0271/1335] updated adfind command line --- rules/windows/process_creation/win_susp_adfind.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index 7a8a89e04..343e421da 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -23,7 +23,7 @@ detection: selection: ProcessCommandline|contains: - 'objectcategory' - - 'sc' + - '-sc' Image: - '*\adfind.exe' condition: selection From 99d87d60ecfb60505107832f3b0c5d68acf0700b Mon Sep 17 00:00:00 2001 
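Review bot: The `logsource` context shows `service: process_creation` and the selection uses `ProcessCommandline|contains` plus a wildcard `Image: - '*\adfind.exe'`, whereas the process_creation rules elsewhere on this page use `category: process_creation` with `CommandLine` and `Image|endswith`; with the non-standard key and field name, backend field mappings will not apply and the rule may compile to something that never matches. Suggest `category: process_creation`, `CommandLine|contains:` and `Image|endswith: '\adfind.exe'`. Independently, the added bare `'sc'` entry matches any command line containing those two letters (the following patch narrows it to `'-sc'`, which still matches inside longer option names). The start of the `logsource` block is outside this hunk.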
From: omkar72 Date: Mon, 12 Oct 2020 12:52:54 +0530 Subject: [PATCH 0272/1335] updated adfind command line --- rules/windows/process_creation/win_susp_adfind.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index 343e421da..c15f81ea6 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -24,6 +24,12 @@ detection: ProcessCommandline|contains: - 'objectcategory' - '-sc' + - 'trustdmp' + - 'domainlist' + - 'dcmodes' + - 'adinfo' + - 'dclist' + - 'computers_pwdnotreqd' Image: - '*\adfind.exe' condition: selection From 3ab244c70ffc1d5f54e3e4eb29335ae5ca3ff488 Mon Sep 17 00:00:00 2001 From: Sander Date: Mon, 12 Oct 2020 09:55:34 +0200 Subject: [PATCH 0273/1335] regini.exe ADS rule --- rules/windows/process_creation/win_regini.yml | 6 +++-- .../process_creation/win_regini_ads.yml | 27 +++++++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 rules/windows/process_creation/win_regini_ads.yml diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml index da290bc85..51ab7d7f9 100644 --- a/rules/windows/process_creation/win_regini.yml +++ b/rules/windows/process_creation/win_regini.yml @@ -17,10 +17,12 @@ logsource: detection: selection: Image|endswith: '\regini.exe' - condition: selection + filter: + CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule + condition: selection and not filter fieds: - ParentImage - CommandLine falsepositives: - Legitimate modification of keys -level: medium \ No newline at end of file +level: low \ No newline at end of file diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml new file mode 100644 index 000000000..967c1588a --- /dev/null +++ b/rules/windows/process_creation/win_regini_ads.yml 
@@ -0,0 +1,27 @@ +title: Modifies the Registry From a ADS +id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 +status: experimental +description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini +tags: + - attack.t1112 + - attack.defense_evasion +author: Eli Salem, Sander Wiebing, oscd.community +date: 2020/10/12 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\regini.exe' + CommandLine|re: ':[^ \\]' + condition: selection +fieds: + - ParentImage + - CommandLine +falsepositives: + - Unknown +level: high \ No newline at end of file From 0fab2c0930d39f7575987547b900d310dee0b249 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 13:28:52 +0530 Subject: [PATCH 0274/1335] finger executable suspicious execution --- .../process_creation/win_susp_finger.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_finger.yml diff --git a/rules/windows/process_creation/win_susp_finger.yml b/rules/windows/process_creation/win_susp_finger.yml new file mode 100644 index 000000000..a6451adfc --- /dev/null +++ b/rules/windows/process_creation/win_susp_finger.yml 
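Review bot: `fieds:` in the new file is a typo for `fields:`, so the `ParentImage`/`CommandLine` list is not recognised as the Sigma `fields` key and is silently ignored by tooling; the same misspelling is visible in the `win_regini.yml` context lines of the previous hunk in this commit. Change both to `fields:`. The `CommandLine|re: ':[^ \\]'` heuristic accepts any colon not followed by a space or backslash, which also covers forward-slash paths such as `C:/...`; that limitation is worth a line in `description` or `falsepositives` (currently `Unknown`) so a `level: high` hit is triaged with it in mind.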
@@ -0,0 +1,23 @@ +title: Suspicious Use Finger.exe +id: 248f5697-2f46-4005-9bb6-b4fc643332a9 +status: experimental +description: finger.exe for data exfiltration or download file +references: + - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt +author: omkar72, oscd.community +date: 2020/10/11 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.command_and_control + - attack.t1071 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\finger.exe' + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file From 8c1bd4e466bb4d4cdceebd3d0d24c55b0bcc5799 Mon Sep 17 00:00:00 2001 From: Sander Date: Mon, 12 Oct 2020 10:01:44 +0200 Subject: [PATCH 0275/1335] Remove redundant space --- rules/windows/process_creation/win_regini_ads.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml index 967c1588a..f6a238593 100644 --- a/rules/windows/process_creation/win_regini_ads.yml +++ b/rules/windows/process_creation/win_regini_ads.yml @@ -1,7 +1,7 @@ title: Modifies the Registry From a ADS id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 status: experimental -description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. +description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f From b8dc8d3f7eb802ab43efbb1411ad45d78131343e Mon Sep 17 00:00:00 2001 
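Review bot: The selection fires on every execution of finger.exe (`Image|endswith: '\finger.exe'`) with no command-line constraint, while the referenced advisory describes abuse through a `user@host` query whose output is piped into another interpreter; adding `CommandLine|contains: '@'` would tie the match to the remote-query form and make the 'Unknown' false-positive entry defensible. The tags also look off: `attack.t1218` is signed-binary proxy execution, whereas the described use is a download/C2 channel (`attack.t1105` for ingress tool transfer alongside the existing `attack.t1071`) — verify against the ATT&CK mapping. A `definition` or description line saying finger.exe is normally absent from routine admin work on servers would help analysts triage the medium-level hits.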
From: Florian Roth Date: Mon, 12 Oct 2020 10:46:34 +0200 Subject: [PATCH 0276/1335] reduced to avoid FPs --- rules/windows/process_creation/win_susp_adfind.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index c15f81ea6..1d0301f1f 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -23,11 +23,8 @@ detection: selection: ProcessCommandline|contains: - 'objectcategory' - - '-sc' - 'trustdmp' - - 'domainlist' - 'dcmodes' - - 'adinfo' - 'dclist' - 'computers_pwdnotreqd' Image: From 175834fe9011f0e95e60d439f0e687a3161818e4 Mon Sep 17 00:00:00 2001 From: Alexander Sungurov Date: Mon, 12 Oct 2020 13:52:49 +0300 Subject: [PATCH 0277/1335] Pcwrun.exe detection added --- ...n_indirect_cmd_compatibility_assistant.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml diff --git a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml new file mode 100644 index 000000000..c560fbb4e --- /dev/null +++ b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml 
@@ -0,0 +1,29 @@ +title: Indirect Command Execution By Program Compatibility Wizard +id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc +description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe +status: experimental +author: A. Sungurov , oscd.community +references: + - https://twitter.com/pabraeken/status/991335019833708544 + - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ +date: 2020/10/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\pcwrun.exe' + condition: selection +fields: + - ComputerName + - User + - ParentCommandLine + - CommandLine +falsepositives: + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts + - Legit usage of scripts +level: low From 436dd4d90ca71a2a36d9b5c894278be69eccae1e Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 14:04:24 +0300 Subject: [PATCH 0278/1335] Update powershell_cmdline_specific_comb_methods.yml --- ...wershell_cmdline_specific_comb_methods.yml | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 91da851d8..95f46a0d7 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
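Review bot: The rule keys only on `ParentImage|endswith: '\pcwrun.exe'`, so any child of the Program Compatibility troubleshooter fires — including whatever it spawns when a user legitimately runs it — which matches the 'Legit usage of scripts' FP entry but leaves an analyst nothing to pivot on. Add `Image` to the `fields` list next to `CommandLine` so the launched binary is surfaced, and if the expected benign child can be confirmed in a lab, put it in a `filter` selection. The `attack.execution` tactic is listed without a technique; the title describes Indirect Command Execution, which is `attack.t1202` — confirm before tagging.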
@@ -16,21 +16,36 @@ logsource: product: windows detection: selection1: - Image|endswith: '\powershell.exe' + Image|endswith: + - '\powershell.exe' selection2: + CommandLine|contains|all: + - 'char' + - 'joint' + selection3: CommandLine|contains: - 'ToInt' - 'ToDecimal' - 'ToByte' - - 'ToByte' - 'ToSingle' - 'ToSByte' - selection3: + selection4: CommandLine|contains: - 'ToChar' - 'ToString' - 'String' - condition: selection1 and (selection2 and selection3) + selection5: + CommandLine|contains|all: + - 'split' + - 'join' + selection6: + CommandLine|contains|all: + - 'ForEach' + - 'Xor' + selection7: + CommandLine|contains: + - 'cOnvErTTO-SECUreStRIng' + condition: selection1 and (selection2 or (selection3 and selection4) or selection5 or selection6 or selection7) falsepositives: - Unlikely level: high From 2e6f184370b1c08c826da66036f79014d5db122f Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 14:11:10 +0300 Subject: [PATCH 0279/1335] Update powershell_cmdline_specific_comb_methods.yml --- ...wershell_cmdline_specific_comb_methods.yml | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 95f46a0d7..ed6751a22 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -16,12 +16,11 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\powershell.exe' + Image|endswith: '\powershell.exe' selection2: - CommandLine|contains|all: - - 'char' - - 'joint' + CommandLine|all: + - '*char*' + - '*joint*' selection3: CommandLine|contains: - 'ToInt' 
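Review bot: `selection2` requires `'char'` and `'joint'`, where `'join'` is almost certainly intended (the `[char]…-join` idiom), so that branch will never fire on real obfuscation. `selection4` keeps `'String'`, a substring of `'ToString'` in the same list and of most PowerShell command lines, so `(selection3 and selection4)` collapses to selection3 alone; drop it or name a specific method. The mixed-case `cOnvErTTO-SECUreStRIng` in `selection7` buys nothing under Sigma's case-insensitive string matching and hides the intent; write `ConvertTo-SecureString` and mention the casing trick in the description if it matters.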
@@ -35,13 +34,13 @@ detection: - 'ToString' - 'String' selection5: - CommandLine|contains|all: - - 'split' - - 'join' + CommandLine|all: + - '*split*' + - '*join*' selection6: - CommandLine|contains|all: - - 'ForEach' - - 'Xor' + CommandLine|all: + - '*ForEach*' + - '*Xor*' selection7: CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' From e2911a025e6ed6f4573c890f5f91144f1f4e5689 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Mon, 12 Oct 2020 17:00:57 +0530 Subject: [PATCH 0280/1335] added tags and corrected image condition format --- rules/windows/process_creation/win_susp_adfind.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index 1d0301f1f..07b234894 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -11,11 +11,10 @@ date: 2020/09/26 modified: 2020/10/11 tags: - attack.discovery - - attack.t1016 - attack.t1018 + - attack.t1087.002 - attack.t1482 - #- attack.t1069.002 - #- attack.t1087.002 + - attack.t1069.002 logsource: product: windows service: process_creation @@ -27,8 +26,7 @@ detection: - 'dcmodes' - 'dclist' - 'computers_pwdnotreqd' - Image: - - '*\adfind.exe' + Image|endswith: '\adfind.exe' condition: selection falsepositives: - Administrative activity From d31f8d6977e413444e2b094fdc412ff0f692e2f9 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 14:43:53 +0300 Subject: [PATCH 0281/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell/powershell_cmdline_specific_comb_methods.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index ed6751a22..311c81d07 100644 
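Review bot: The adfind rule still declares `logsource: product: windows / service: process_creation` and matches on `ProcessCommandline`, neither of which is the generic convention the rest of this batch uses (`category: process_creation` with `CommandLine`, as in win_regini.yml and win_susp_finger.yml); with the standard sigmac config the rule will not map to Sysmon EID 1 / 4688 and the field name may go untranslated. Change it to `category: process_creation` and `CommandLine|contains:`, keeping the new `Image|endswith: '\adfind.exe'`. The `modified:` date (2020/10/11) predates this change and should be bumped.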
--- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -20,7 +20,7 @@ detection: selection2: CommandLine|all: - '*char*' - - '*joint*' + - '*join*' selection3: CommandLine|contains: - 'ToInt' From b32b6f0e09644829567267789633364df6ec98d3 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 17:20:22 +0530 Subject: [PATCH 0282/1335] script loading .net --- ...sysmon_susp_script_dotnet_clr_dll_load.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml new file mode 100644 index 000000000..b3b6ec5b7 --- /dev/null +++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -0,0 +1,30 @@ +title: CLR DLL Loaded Via Scripting Applications +id: 4508a70e-97ef-4300-b62b-ff27992990ea +status: experimental +description: Detects CLR DLL being loaded by an scripting applications +references: + - https://github.com/tyranid/DotNetToJScript + - https://thewover.github.io/Introducing-Donut/ +author: omkar72, oscd.community +date: 2020/10/10 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1055 +logsource: + category: image_load + product: windows +detection: + selection: + Image: + - '*\wscript.exe' + - '*\cscript.exe' + - '*\mshta.exe' + ImageLoaded: + - '*\clr.dll' + - '*\mscoree.dll' + - '*\mscorlib.dll' + condition: selection +falsepositives: + - unknown +level: high \ No newline at end of file From a5575f30794478241a471f32932665a4d792d484 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 17:47:26 +0530 Subject: [PATCH 0283/1335] adding shortened commands --- .../process_creation/win_netsh_port_fwd.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
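Review bot: `ImageLoaded` matches `\mscorlib.dll` only, but CLR hosts commonly map the native image `mscorlib.ni.dll` instead (this same batch lists `System.Management.Automation.ni.dll` beside the IL dll in the deleted in-memory-PowerShell rule further down), so a script host that only touches the NI image is missed; add `'*\mscorlib.ni.dll'` or switch to `ImageLoaded|contains: '\mscorlib.'`. The tags `attack.t1055` / `attack.privilege_escalation` describe process injection, which is not what loading the CLR into wscript/cscript/mshta is; the referenced DotNetToJScript technique is closer to `attack.t1059.005`/`attack.t1059.007` — verify. The `Image` list uses bare `*\wscript.exe` wildcards while the rest of the batch uses `Image|endswith`; align the style.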
diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index ad6128419..63e2c8bfd 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml @@ -11,15 +11,22 @@ tags: - attack.command_and_control - attack.t1090 status: experimental -author: Florian Roth +author: Florian Roth, omkar72, oscd.community logsource: category: process_creation product: windows detection: - selection: + selection1: CommandLine: - netsh interface portproxy add v4tov4 * - condition: selection + selection2: + Image|endswith: + - '\netsh.exe' + CommandLine|contains|all: + - 'connectp' + - 'listena' + - 'c=' + condition: selection1 OR selection2 falsepositives: - Legitimate administration -level: medium +level: medium \ No newline at end of file From 7d69a08c3089adcc40a2e76bb4f610e7764159e0 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Mon, 12 Oct 2020 18:29:02 +0530 Subject: [PATCH 0284/1335] Update win_netsh_port_fwd.yml --- rules/windows/process_creation/win_netsh_port_fwd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index 63e2c8bfd..08befd419 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml @@ -4,7 +4,7 @@ description: Detects netsh commands that configure a port forwarding references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html date: 2019/01/29 -modified: 2020/09/01 +modified: 2020/10/12 tags: - attack.lateral_movement - attack.defense_evasion @@ -29,4 +29,4 @@ detection: condition: selection1 OR selection2 falsepositives: - Legitimate administration -level: medium \ No newline at end of file +level: medium 
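Review bot: `selection2` only fires when the command line carries the exact trio `connectp`, `listena` and `c=` together, which is one of many legal netsh shorthand spellings (for instance `connecta`/`listenp`, or `netsh i p a v4tov4 …` with no long tokens at all), so the 'shortened commands' case stays largely uncovered. A more robust selection is `Image|endswith: '\netsh.exe'` with `CommandLine|contains|all: ['portproxy', 'v4tov4']`, or a list of the accepted abbreviations — confirm which forms netsh actually parses before committing. The condition keyword should be lowercase (`condition: selection1 or selection2`); `OR` only works because the tokenizer folds case.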
From a67c19c08b80810db920b3f54c0d9520f1b8de39 Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Mon, 12 Oct 2020 09:00:08 -0400 Subject: [PATCH 0285/1335] Split up powershell detection --- .../win_non_priv_reg_or_ps.yml | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml index df59804b6..8ff4bf024 100644 --- a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml +++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml @@ -14,27 +14,28 @@ logsource: product: windows detection: integrity_level: - IntegrityLevel: Medium + IntegrityLevel: 'Medium' reg: CommandLine|contains|all: - - reg - - add - powershell: - CommandLine|contains: powershell + - 'reg' + - 'add' + powershell_1: + CommandLine|contains: 'powershell' + powershell_2: CommandLine|contains: - - set-itemproperty - - " sp " - - new-itemproperty + - 'set-itemproperty' + - ' sp ' + - 'new-itemproperty' registry_folder: CommandLine|contains|all: - - ControlSet - - Services + - 'ControlSet' + - 'Services' registry_key: CommandLine|contains: - - ImagePath - - FailureCommand - - ServiceDLL - condition: integrity_level and (reg or powershell) and registry_folder and registry_key + - 'ImagePath' + - 'FailureCommand' + - 'ServiceDLL' + condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key fields: - EventID - IntegrityLevel From cf60438c93dc89e8e01a5ab9e4e8bdf0aeb86e86 Mon Sep 17 00:00:00 2001 From: omkar72 Date: Mon, 12 Oct 2020 18:42:09 +0530 Subject: [PATCH 0286/1335] clr logs creation --- .../file_event/sysmon_susp_clr_logs.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/file_event/sysmon_susp_clr_logs.yml 
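Review bot: `powershell_1` matches only `'powershell'` in the command line, so the PowerShell Core binary `pwsh` is not covered even though other rules in this batch treat `powershell`/`pwsh` as a pair; make it `CommandLine|contains: ['powershell', 'pwsh']`. The condition `(reg or powershell_1 and powershell_2)` relies on `and` binding tighter than `or`; write `(reg or (powershell_1 and powershell_2))` so the intent is explicit to the next reader and to every backend. The `reg` + `add` substrings will also hit any path containing `reg` (e.g. `regedit`) with an `add` elsewhere on the line, so the registry_folder/registry_key selections are what actually keeps this rule quiet — worth a comment.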
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml new file mode 100644 index 000000000..64a46c51c --- /dev/null +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -0,0 +1,27 @@ +title: Susopcious CLR Logs Creation +id: e4b63079-6198-405c-abd7-3fe8b0ce3263 +status: experimental +description: Detects suspicious .NET assembly executions +references: + - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +tags: + - attack.execution + - attack.t1059.001 +author: omkar72, oscd.community +date: 2020/10/12 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 11 + TargetFilename|endswith: + - '\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*' + - '\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*' + - '\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' + - '\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' + - '\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file From ecb42fb5dd6191227046ee39807c7c07ff5c86fb Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Mon, 12 Oct 2020 18:50:07 +0530 Subject: [PATCH 0287/1335] Update sysmon_susp_clr_logs.yml --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index 64a46c51c..cea943ef0 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml 
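Review bot: The rule sits under `rules/windows/file_event/` but declares `logsource: product: windows / service: sysmon` with `EventID: 11`, while the batch's other file/image rules use a generic category; use `category: file_event` and drop `EventID` so non-Sysmon file-create sources map as well. `TargetFilename|endswith` with an embedded `CLR*` and a trailing `mshta*` wildcard makes the modifier meaningless; split it into a directory selection (`TargetFilename|contains: '\AppData\Local\Microsoft\CLR'`) and a host selection (`TargetFilename|contains: ['\UsageLogs\mshta', …]`) joined by `and`, or anchor on the usage-log filename if its exact form can be confirmed from the referenced post. The title is misspelled (`Susopcious`) and `attack.t1059.001` is PowerShell-specific, whereas every host named here is mshta/wscript/cscript/regsvr32/wmic.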
@@ -1,14 +1,14 @@ -title: Susopcious CLR Logs Creation +title: Suspcious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -status: experimental description: Detects suspicious .NET assembly executions references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +date: 2020/10/12 tags: - attack.execution - attack.t1059.001 +status: experimental author: omkar72, oscd.community -date: 2020/10/12 logsource: product: windows service: sysmon @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high From f162bc1aff74a45b5879a3fb0197f8d6f66f8ec5 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Mon, 12 Oct 2020 18:53:47 +0530 Subject: [PATCH 0289/1335] remove space --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index cea943ef0..e28172782 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -21,7 +21,7 @@ detection: - '\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' - condition: selection +condition: selection falsepositives: - Unknown level: high From 8f618c9a1f87119b1c1adbc24a8f5caca3e8c9e3 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Mon, 12 Oct 2020 18:59:53 +0530 Subject: [PATCH 0290/1335] changed condition --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index e28172782..dd36e05ad 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml 
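Review bot: The title fix still misspells the word — `Suspcious` — change it to `title: Suspicious CLR Logs Creation`. The tag `attack.t1059.001` remains PowerShell-specific while every path in the selection names a non-PowerShell host (mshta, cscript, wscript, regsvr32, wmic); `attack.t1059.005`/`attack.t1059.007` or the generic `attack.execution` fit better — verify before tagging. Moving `status`/`date` around is harmless but adds diff noise.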
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -15,13 +15,13 @@ logsource: detection: selection: EventID: 11 - TargetFilename|endswith: + TargetFilename|contains: - '\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' - '\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' -condition: selection + condition: selection falsepositives: - Unknown level: high From f1c9286a256afdd19586a945f2fc0af6c97a6624 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Mon, 12 Oct 2020 20:06:36 +0530 Subject: [PATCH 0291/1335] Updated minor changes Change tags. Change author (add "oscd.community"). Change date format. Change logsource. Change detection (use endswith as a modifier). Change fields. --- ...l => silenttrinity_stager_msbuild_activity.yml} | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) rename rules/windows/sysmon/{silenttrinity_stager_communicating_to_c2.yml => silenttrinity_stager_msbuild_activity.yml} (60%) diff --git a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml similarity index 60% rename from rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml rename to rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 8c7a073d3..71926924b 100644 --- a/rules/windows/sysmon/silenttrinity_stager_communicating_to_c2.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml 
@@ -1,21 +1,23 @@ -title: Silenttrinity Stager Communication To C2 -id: c4f2d4b1-ca0f-42e4-9b7b-a69790524fab +title: Silenttrinity Stager Msbuild Activity description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - T1127.001 + - attack.defense_evasion status: experimental -author: Kiran kumar s -date: 11/10/2020 +author: Kiran kumar s, oscd.community +date: 2020/10/11 logsource: + category: sysmon product: windows - service: sysmon detection: selection: EventID: 3 - ParentImage: '*\msbuild.exe' + ParentImage|endswith: '*\msbuild.exe' condition: selection +fields: fields: + - ParentImage falsepositives: - unknown level: high From a640c1e151e38e15738f14f2e51773be868837f0 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Mon, 12 Oct 2020 20:11:24 +0530 Subject: [PATCH 0292/1335] Update silenttrinity_stager_msbuild_activity.yml --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 71926924b..5ff7eb4ea 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -16,7 +16,7 @@ detection: EventID: 3 ParentImage|endswith: '*\msbuild.exe' condition: selection -fields: fields: +fields: - ParentImage falsepositives: - unknown From 27823763cb2f5743ba684179ebb399cd52029ad4 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Mon, 12 Oct 2020 20:14:43 +0530 Subject: [PATCH 0293/1335] Update silenttrinity_stager_msbuild_activity.yml --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 + 1 file changed, 1 insertion(+) 
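Review bot: Sysmon EventID 3 (network connection) carries `Image`, not `ParentImage`, so `ParentImage|endswith: '*\msbuild.exe'` can never match the events this selection targets; use `Image|endswith: '\msbuild.exe'` (and drop the leading `*`, which `endswith` already implies). `logsource: category: sysmon` is not a generic category; for EID 3 the convention is `category: network_connection` with `product: windows`, which also removes the need for the explicit `EventID`. The hunk also removes the rule `id`, emits `fields: fields:`, and tags `T1127.001` without the `attack.` prefix — tags should read `attack.t1127.001`.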
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 5ff7eb4ea..3adf63ff3 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -1,4 +1,5 @@ title: Silenttrinity Stager Msbuild Activity +id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ From 643d700d532f52278b960acc4394b550970772f8 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 17:51:19 +0300 Subject: [PATCH 0294/1335] Update powershell_cmdline_specific_comb_methods.yml --- .../powershell_cmdline_specific_comb_methods.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 311c81d07..5786f7d40 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
@@ -15,36 +15,36 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_1: Image|endswith: '\powershell.exe' - selection2: + selection_2: CommandLine|all: - '*char*' - '*join*' - selection3: + selection_3: CommandLine|contains: - 'ToInt' - 'ToDecimal' - 'ToByte' - 'ToSingle' - 'ToSByte' - selection4: + selection_4: CommandLine|contains: - 'ToChar' - 'ToString' - 'String' - selection5: + selection_5: CommandLine|all: - '*split*' - '*join*' - selection6: + selection_6: CommandLine|all: - '*ForEach*' - '*Xor*' - selection7: + selection_7: CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' - condition: selection1 and (selection2 or (selection3 and selection4) or selection5 or selection6 or selection7) + condition: selection_1 and (selection_2 or (selection_3 and selection_4) or selection_5 or selection_6 or selection_7) falsepositives: - Unlikely level: high From 95cd271686108af22fb250e6b3ec49612c579f92 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Mon, 12 Oct 2020 18:10:46 +0300 Subject: [PATCH 0295/1335] Update powershell_cmdline_specific_comb_methods.yml --- ...wershell_cmdline_specific_comb_methods.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 5786f7d40..273c0f2ca 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
@@ -15,36 +15,40 @@ logsource: category: process_creation product: windows detection: - selection_1: + selection1: Image|endswith: '\powershell.exe' - selection_2: CommandLine|all: - '*char*' - '*join*' - selection_3: + selection2: + Image|endswith: '\powershell.exe' CommandLine|contains: - 'ToInt' - 'ToDecimal' - 'ToByte' - 'ToSingle' - 'ToSByte' - selection_4: + selection3: + Image|endswith: '\powershell.exe' CommandLine|contains: - 'ToChar' - 'ToString' - 'String' - selection_5: + selection4: + Image|endswith: '\powershell.exe' CommandLine|all: - '*split*' - '*join*' - selection_6: + selection5: + Image|endswith: '\powershell.exe' CommandLine|all: - '*ForEach*' - '*Xor*' - selection_7: + selection6: + Image|endswith: '\powershell.exe' CommandLine|contains: - 'cOnvErTTO-SECUreStRIng' - condition: selection_1 and (selection_2 or (selection_3 and selection_4) or selection_5 or selection_6 or selection_7) + condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - Unlikely level: high From 07a4d11af76a9aa236b9d0566582279d886c24d2 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Mon, 12 Oct 2020 18:23:06 +0300 Subject: [PATCH 0296/1335] Update win_powershell_script_installed_as_service.yml --- ...in_powershell_script_installed_as_service.yml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index e300b5b9d..e37c984bb 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -1,5 +1,5 @@ title: PowerShell Scripts Installed as Services -id: 3f07b9d1-2082-4c56-9277-613a621983cc +id: a2e5019d-a658-4c6a-92bf-7197b54e2cae description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova 
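Review bot: Every selection now repeats `Image|endswith: '\powershell.exe'`, which is noise and still misses `pwsh.exe` and `powershell_ise.exe` (both handled elsewhere in this batch); factor it into one selection, e.g. `ps: Image|endswith: ['\powershell.exe', '\pwsh.exe']`, and write `condition: ps and ((selection2 and selection3) or selection1 or selection4 or selection5 or selection6)`. Selection4 (`split` + `join`) and selection5 (`ForEach` + `Xor`) fire at level high with falsepositives 'Unlikely', yet `-split`/`-join` pairs are ordinary in admin scripts; lower the level or require one of the numeric conversion methods alongside them. The renaming back from `selection_N` to `selectionN` reverts the previous commit for no stated reason.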
@@ -12,25 +12,19 @@ tag: logsource: product: windows detection: - selection: - EventID: 1 - ParentImage|endswith: '\services.exe' - CommandLine|contains: - - 'powershell' - - 'pwsh' - selection2: + selection1: EventID: - 7045 - 4697 ServiceFileName|contains: - 'powershell' - 'pwsh' - selection3: + selection2: EventID: 13 TargetObject: '*\Services\*\ImagePath' Details|contains: - 'powershell' - 'pwsh' - condition: selection or selection2 or selection3 + condition: selection1 or selection2 falsepositives: Unknown -level: high \ No newline at end of file +level: high From df8cd24a5d9b0bd1d947c8587cbd625f4a23eb37 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Mon, 12 Oct 2020 18:28:28 +0300 Subject: [PATCH 0297/1335] Update sysmon_long_powershell_commandline.yml --- .../sysmon_long_powershell_commandline.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index bd4a58ee9..f80cbcfcc 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -1,5 +1,5 @@ title: Too Long PowerShell Commandlines -id: 3f07b9d1-2082-4c56-9277-613a621983cc +id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 description: Detects Too long PowerShell command lines references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse @@ -14,13 +14,13 @@ logsource: product: windows detection: Powershell_selection: - - CommandLine: - - '*powershell*' - - '*pwsh*' + - CommandLine|contains: + - 'powershell' + - 'pwsh' - Description: 'Windows Powershell' - Product: 'PowerShell Core 6' - Length_selection|re: - CommandLine: '(.){1000,}' + Length_selection: + CommandLine|re: '(.){1000,}' condition: all of them falsepositives: Unknown level: medium From e94a47b9d38f2bb96484bfdee6e4090e13eaba2e Mon Sep 17 00:00:00 2001 
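Review bot: After dropping the EID 1 selection, the rule still mixes Security 4697, System 7045 and Sysmon EID 13 under a bare `logsource: product: windows` with no `service`, so sigmac has no channel to map it to; split it into per-source documents with `action: global` (the pattern the Invoke-Obfuscation service rule further down uses): `service: security` for 4697, `service: system` for 7045, and `category: registry_event` for the `\Services\*\ImagePath` write. Note too that 7045 reports the binary in `ImagePath` while 4697 uses `ServiceFileName`, so a single `ServiceFileName|contains` will match only one of the two — give each its own selection. The context key `tag:` should be `tags:`.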
From: nsaddler Date: Mon, 12 Oct 2020 18:33:43 +0300 Subject: [PATCH 0298/1335] Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml --- ...n_accessing_winapi_in_powershell_credentials_dumping.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 539827197..c8d6bed39 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell. Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc description: Detects Accessing to lsass.exe by Powershell status: experimental -author: Natalia Shornikova +author: oscd.community, Natalia Shornikova date: 2020/10/06 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse @@ -17,8 +17,8 @@ detection: EventID: - 8 - 10 - SourceImage: '*\powershell.exe' - TargetImage: '*\lsass.exe' + SourceImage|endswith: '\powershell.exe' + TargetImage|endswith: '\lsass.exe' condition: selection falsepositives: Unknown level: high From c5efbc8345bcfd01ab18c3a6067d1b67fda61294 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Mon, 12 Oct 2020 18:47:51 +0300 Subject: [PATCH 0299/1335] Detects Obfuscated Powershell via Stdin in Scripts --- ...owershell_invoke_obfuscation_via_stdin.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml new file mode 100644 index 000000000..266887248 --- /dev/null +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml 
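Review bot: The rule keeps `id: 3f07b9d1-2082-4c56-9277-613a621983cc`, the same UUID the two preceding commits had to move away from (long-command-line and services rules) and that the deleted in-memory-PowerShell rule below also carries; Sigma ids must be unique, so generate a fresh one here as well. `SourceImage|endswith: '\powershell.exe'` misses `pwsh.exe` and `powershell_ise.exe`; use a list. With EID 10 and no `GrantedAccess` constraint, routine low-privilege reads of lsass from a PowerShell host (e.g. process enumeration) will fire at level high — add an access-mask filter or document it under falsepositives.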
@@ -0,0 +1,29 @@ +title: Invoke-Obfuscation Via Stdin +id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 +description: Detects Obfuscated Powershell via Stdin in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/12 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high From ec383d97847f31712c1aa020ed15c44cb797e65a Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Mon, 12 Oct 2020 18:52:28 +0300 Subject: [PATCH 0300/1335] Detects Obfuscated Powershell via Stdin in Scripts --- .../win_invoke_obfuscation_via_stdin.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml new file mode 100644 index 000000000..8f6466f93 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml 
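Review bot: The regex `(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"` has portability issues: the bare `{?` after `\$` is a literal brace only in PCRE/Python-style engines and is a syntax error in others, and the leading/trailing `.*` are redundant in an unanchored search; write `\$\{?input` and drop the outer `.*`. Whether `(?i)` is honoured depends on the backend, so note the case-insensitivity requirement in the description rather than relying on the inline flag silently. For 4104 the rule should also carry a `definition` stating that Script Block Logging must be enabled, and `selection_2`/`selection_4` are written as one-element lists (`- ScriptBlockText|re:`) where a plain map is clearer.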
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Stdin +id: 9c14c9fa-1a63-4a64-8e57-d19280559490 +description: Detects Obfuscated Powershell via Stdin in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/12 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection +falsepositives: + - Unknown +level: high From 9b17634aa4ba6e4d1410fbdb43e055e1b9c1f966 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Mon, 12 Oct 2020 18:56:12 +0300 Subject: [PATCH 0301/1335] Detects Obfuscated Powershell via Stdin in Scripts --- ..._invoke_obfuscation_via_stdin_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml new file mode 100644 index 000000000..9790bb96b --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml 
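Review bot: `CommandLine|re` runs this regex over every process-creation event with no cheap pre-filter; the `set … && set … &&` chain it targets is cmd.exe syntax, so an `Image|endswith` on the launcher or a `CommandLine|contains|all: ['set', '&&']` selection combined with the regex would keep it off the hot path — confirm the launcher form against the referenced issue. As in the script-block variant, `\${?input` should be `\$\{?input` so engines that reject an unescaped `{` still compile it, and the outer `.*` are redundant. The selection is a one-element list (`- CommandLine|re:`); a plain map reads better.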
@@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation Via Stdin +id: 487c7524-f892-4054-b263-8a0ace63fc25 +description: Detects Obfuscated Powershell via Stdin in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/12 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 From bd5e7fda14c4b9b479ea403c54126151e742577e Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Mon, 12 Oct 2020 21:26:44 +0530 Subject: [PATCH 0302/1335] Update silenttrinity_stager_msbuild_activity.yml --- .../windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 3adf63ff3..cca688889 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -5,6 +5,8 @@ references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ tags: - T1127.001 + - TA0002 + - T1127 - attack.defense_evasion status: experimental author: Kiran kumar s, oscd.community @@ -17,7 +19,7 @@ detection: EventID: 3 ParentImage|endswith: '*\msbuild.exe' condition: selection -fields: +fields: - ParentImage falsepositives: - unknown From e70368f1f0db613e8de69022329cbf4f3f374279 Mon Sep 17 00:00:00 2001 
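Review bot: selection_1 matches on `ImagePath` for all three log sources, but only the System 7045 event carries that field natively — Sysmon event 6 exposes the loaded path as `ImageLoaded` and Security 4697 as `ServiceFileName` — so unless the deployment's field mapping translates it, the Sysmon and Security documents of this global rule never fire. Either move the regex into each document's own selection with the native field name (e.g. `ServiceFileName|re:` under the 4697 block) or state the required mapping in a `definition` line. The third document also appears to be indented one level deeper than the other two (` logsource:` / ` detection:`); if that is not an artifact of the collapsed layout, the three documents will not parse alike. The VAR++ services rule added in patch 0308 repeats the same layout and field choice.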
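Review bot: The tags added in the first hunk, `TA0002` and `T1127`, do not follow the `attack.<tactic>` / `attack.t<id>` form that every other rule in this series uses (the rule's own `attack.defense_evasion` two lines below shows it), so tooling that keys on the `attack.` prefix will ignore them. Use `- attack.execution` and `- attack.t1127`, and ideally correct the pre-existing `T1127.001` to `attack.t1127.001` in the same pass. In the second hunk the unchanged context `ParentImage|endswith: '*\msbuild.exe'` carries a redundant leading wildcard of the kind patch 0322 removes elsewhere; `'\msbuild.exe'` is the intended form.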
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Mon, 12 Oct 2020 19:00:47 +0300 Subject: [PATCH 0303/1335] [OSCD] Updating existing rule sysmon_in_memory_powershell.yml --- ...smon_powershell_without_powershell_exe.yml | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml diff --git a/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml b/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml deleted file mode 100644 index 7bf41e22e..000000000 --- a/rules/windows/sysmon/sysmon_powershell_without_powershell_exe.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: PowerShell without PowerShell.exe -id: 3f07b9d1-2082-4c56-9277-613a621983cc -description: Detects loading Powershell packet by non-Powershell process -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -tag: - - attack.defense_evasion -status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 7 - ImageLoaded|endswith: - - '\System.Management.Automation.dll' - - '\System.Management.Automation.ni.dll' - filter: - SourceImage|endswith: - - '\powershell.exe' - - '\powershell_ise.exe' - - '\sqlps.exe' - - '\sdiagnhost.exe' - - '\wsmprovhost.exe' - - '\winrshost.exe' - - '\mscorsvw.exe' - - '\syncappvpublishingserver.exe' - - '\runscripthelper.exe' - - '\ServerManager.exe' - condition: selection and not filter -falsepositives: Legitimate Software -level: medium From 28c8b56473577f1f4d59b89b2f677d7a3a53f533 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Mon, 12 Oct 2020 19:05:08 +0300 Subject: [PATCH 0304/1335] Update sysmon_in_memory_powershell.yml --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index 7c077934c..cd0e9acbe 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -4,7 +4,7 @@ status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. author: Tom Kern, oscd.community date: 2019/11/14 -modified: 2019/11/30 +modified: 2020/10/12 references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll @@ -27,6 +27,12 @@ detection: - '\WINDOWS\System32\sdiagnhost.exe' - '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance - '\WINDOWS\System32\RemoteFXvGPUDisablement.exe' # on win10 + - '\sqlps.exe' + - '\wsmprovhost.exe' + - '\winrshost.exe' + - '\syncappvpublishingserver.exe' + - '\runscripthelper.exe' + - '\ServerManager.exe' # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM condition: selection and not filter falsepositives: From c6ddbc78ce5504d65210d2d65397eea24a3f6201 Mon Sep 17 00:00:00 2001 From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Date: Mon, 12 Oct 2020 15:55:38 -0700 Subject: [PATCH 0305/1335] OSCD LOLBAS atbroker suspicious execution of ATs --- .../process_creation/win_susp_atbroker.yml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_atbroker.yml diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml new file mode 100644 index 000000000..9036e28a4 --- /dev/null +++ b/rules/windows/process_creation/win_susp_atbroker.yml 
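Review bot: The six filter entries added in the second hunk are bare file names matched with `endswith`, unlike the neighbouring `'\WINDOWS\System32\sdiagnhost.exe'`-style entries that pin the directory, so any loader of the PowerShell assembly that merely carries one of these names (from any directory) is excluded from the alert. For the binaries that have a fixed location, qualify them with their directory the way the existing entries do, and leave only the genuinely relocatable ones unqualified. A short trailing comment per entry saying why it is whitelisted, as the existing `# on win10` does, would help the next maintainer. The filter block starts outside the hunk.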
@@ -0,0 +1,53 @@ +title: Suspicious atbroker execution +id: f24bcaea-0cd1-11eb-adc1-0242ac120002 +description: Atbroker executing non-deafualt Assistive Technology applications +references: + - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ + - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ +status: experimental +author: Mateusz Wydra, oscd.community +date: 2020/10/12 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection1: + - Image|endswith: 'AtBroker.exe' + selection2: + - CommandLine|contains: 'start' + filter: + - CommandLine|contains: + - animations + - audiodescription + - caretbrowsing + - caretwidth + - colorfiltering + - cursorscheme + - filterkeys + - focusborderheight + - focusborderwidth + - highcontrast + - keyboardcues + - keyboardpref + - magnifierpane + - messageduration + - minimumhitradius + - mousekeys + - Narrator + - osk + - overlappedcontent + - showsounds + - soundsentry + - stickykeys + - togglekeys + - windowarranging + - windowtracking + - windowtrackingtimeout + - windowtrackingzorder + condition: selection1 and selection2 and not filter +falsepositives: + - Legitimate, non-deafualt Assistive Technology applications execution +level: high From 863b880845a188086c4b86da3fd0c5daafec10d7 Mon Sep 17 00:00:00 2001 From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Date: Mon, 12 Oct 2020 16:04:41 -0700 Subject: [PATCH 0306/1335] Titile capitalization --- rules/windows/process_creation/win_susp_atbroker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml index 9036e28a4..ca842b913 100644 --- a/rules/windows/process_creation/win_susp_atbroker.yml +++ b/rules/windows/process_creation/win_susp_atbroker.yml 
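Review bot: `Image|endswith: 'AtBroker.exe'` in selection1 lacks the leading backslash, so any image whose name merely ends in those characters also matches; `'\AtBroker.exe'` is the form the other rules in this series use. `CommandLine|contains: 'start'` in selection2 is likewise a bare substring; if the documented `/start` switch is what is meant, `'/start'` is more specific. Very short filter values such as `osk` will suppress any command line containing that substring, which is acceptable for a whitelist but deserves a comment. `non-deafualt` appears in both the description and falsepositives — `non-default`.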
@@ -1,4 +1,4 @@ -title: Suspicious atbroker execution +title: Suspicious Atbroker Execution id: f24bcaea-0cd1-11eb-adc1-0242ac120002 description: Atbroker executing non-deafualt Assistive Technology applications references: From 870574b635a76b7f812f67bc4bd89c0dacf0c570 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Tue, 13 Oct 2020 02:19:57 +0300 Subject: [PATCH 0307/1335] Add powershell_invoke_obfuscation_via_var++.yml --- ...owershell_invoke_obfuscation_via_var++.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml new file mode 100644 index 000000000..610fd0d7d --- /dev/null +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml @@ -0,0 +1,29 @@ +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high \ No newline at end of file From 946d84329e6b6c1f821e2922b8c3482b2951a433 Mon Sep 17 00:00:00 2001 
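Review bot: The regex in selection_2 and selection_4, `'(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'`, has an ungrouped top-level alternation: it parses as `(.*&&set…cmd.*\/c)` OR `\/r`, so the right-hand branch fires on any script block or command line that contains `/r` anywhere (`cmd /r`, `xcopy /r`, and so on) regardless of the obfuscation pattern. Group the alternation, `…cmd.*(\/c|\/r)'`, so both switches stay tied to the preceding pattern. The same expression is copied into the services and process_creation variants in patches 0308 and 0309 and carried unchanged through the restructuring in patch 0310; fix all four together.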
From: Timur Zinniatullin Date: Tue, 13 Oct 2020 02:22:15 +0300 Subject: [PATCH 0308/1335] Add win_invoke_obfuscation_via_var++_services.yml --- ..._invoke_obfuscation_via_var++_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml new file mode 100644 index 000000000..fb74d50bf --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml @@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 \ No newline at end of file From 5bd75521f275becd2bd9c181bc3dad2d40eb3ac7 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Tue, 13 Oct 2020 02:23:50 +0300 Subject: [PATCH 0309/1335] Add win_invoke_obfuscation_via_var++.yml --- .../win_invoke_obfuscation_via_var++.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml 
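Review bot: This file reuses `id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6` from the powershell rule added in patch 0307, and the process_creation rule in patch 0309 carries it a third time; Sigma ids must be unique per rule (the stdin trio in patches 0300 and 0301 and their powershell sibling correctly use three different ids), so two of the three VAR++ files need fresh UUIDs. Duplicate ids break deduplication and rule-update tooling that keys on the id.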
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml new file mode 100644 index 000000000..1fd2993b4 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file From d1ef56bddb77344b4c5737c44a2801777038472b Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Tue, 13 Oct 2020 02:47:09 +0300 Subject: [PATCH 0310/1335] @aw350m3 style complience (: --- .../powershell_invoke_obfuscation_via_var++.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index 610fd0d7d..62f796ce2 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml 
@@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' selection_2: - - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + condition: selection_1 or selection_2 falsepositives: - Unknown -level: high \ No newline at end of file +level: high From 55201a94c0d14e4de66cf8171d89f31fbb9ff652 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Tue, 13 Oct 2020 02:05:00 +0200 Subject: [PATCH 0311/1335] [OSCD] Powershell Disable Windows Defender AV --- .../win_powershell_disable_windef_av.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/process_creation/win_powershell_disable_windef_av.yml diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml new file mode 100644 index 000000000..c606d74da --- /dev/null +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml 
@@ -0,0 +1,26 @@ +title: Powershell Used To Disable Windows Defender AV Security Monitoring +id: a7ee1722-c3c5-aeff-3212-c777e4733217 +status: experimental +description: Detects attackers attempting to disable Windows Defender using Powershell +author: 'ok @securonix invrep-de, oscd.community' +date: 2020/10/12 +references: + - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ + - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/ +tags: + - attack.defense_evasion + - attack.t1089 # legacy + - attack.t1562.001 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - '-DisableBehaviorMonitoring $true' + - '-DisableRuntimeMonitoring $true' + condition: selection +falsepositives: + - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.' +level: high From 1df582d8db26e788435cd9e8ee9c0bd973087fd4 Mon Sep 17 00:00:00 2001 From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Date: Mon, 12 Oct 2020 17:10:34 -0700 Subject: [PATCH 0312/1335] OSCD LOLBAS atbroker suspicious creation of ATs --- .../sysmon_susp_atbroker_change.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_susp_atbroker_change.yml diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml new file mode 100644 index 000000000..8ad56900a --- /dev/null +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml 
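Review bot: `-DisableRuntimeMonitoring` in the CommandLine list does not appear to be a Set-MpPreference parameter — the documented switch for real-time protection is `-DisableRealtimeMonitoring` — so the second indicator never matches and real-time-protection disablement goes undetected. Both entries also hard-code ` $true` with a single space, which misses the `-DisableRealtimeMonitoring:$true` and `… 1` spellings PowerShell accepts; matching on the parameter names alone, `'-DisableRealtimeMonitoring'` and `'-DisableBehaviorMonitoring'`, is safer. `Image|endswith` could include `'\pwsh.exe'` alongside `'\powershell.exe'` since the cmdlet runs identically there.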
@@ -0,0 +1,25 @@ +title: Atbroker Registry Change +id: 9577edbb-851f-4243-8c91-1d5b50c1a39b +description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs +author: Mateusz Wydra, oscd.community +references: + - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml +date: 2020/10/13 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.persistance + - attack.t1547 +logsource: + category: registry_event + product: windows +detection: + creation: + TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + persistance: + TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + condition: creation or persistance +falsepositives: + - Creation of non-default, legitimate AT. +level: High \ No newline at end of file From 6a9bc7063f565560d9146a8bd26809ef951763b3 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Tue, 13 Oct 2020 02:21:46 +0200 Subject: [PATCH 0313/1335] [OSCD] Bad Opsec Powershell Artifacts --- .../powershell_bad_opsec_artifacts.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/powershell/powershell_bad_opsec_artifacts.yml diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml new file mode 100644 index 000000000..99a12e3f3 --- /dev/null +++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
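Review bot: `level: High` is not a valid Sigma level — the accepted values are lowercase `low`, `medium`, `high`, `critical` — and the capitalised form survives the typo fix in patch 0320, which only corrects the `attack.persistance` tag. Change it to `level: high`. The selection name `persistance` (and `condition: creation or persistance`) and `Assisitive` in the description are further typos; if the selection is renamed to `persistence`, the condition must be updated in the same edit.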
@@ -0,0 +1,42 @@ +title: Bad Opsec Powershell Code Artifacts +id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 +description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. +status: experimental +references: + - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ + - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ + - https://www.mdeditor.tw/pl/pgRt +author: 'ok @securonix invrep_de, oscd.community' +date: 2020/10/09 +modified: 2020/10/09 +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection1: + EventID: 4104 + selection2: + - ScriptBlockText|contains: '$DoIt' + - ScriptBlockText|contains: 'harmj0y' + - ScriptBlockText|contains: 'mattifestation' + - ScriptBlockText|contains: '_RastaMouse' + - ScriptBlockText|contains: 'tifkin_' + - ScriptBlockText|contains: '0xdeadbeef' + selection3: + EventID: 4103 + selection4: + - Payload|contains: '$DoIt' + - Payload|contains: 'harmj0y' + - Payload|contains: 'mattifestation' + - Payload|contains: 'obscuresec' + - Payload|contains: 'tifkin_' + - Payload|contains: '0xdeadbeef' + condition: ( selection1 and selection2 ) or ( selection3 and selection4 ) +falsepositives: + - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' +level: high From 89c8a589a5d9c6b90f90df25b4814abfb65835cd Mon Sep 17 00:00:00 2001 
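Review bot: The indicator lists in selection2 and selection4 differ — selection2 has `_RastaMouse` but not `obscuresec`, selection4 has `obscuresec` but not `_RastaMouse` — so coverage depends on whether the event is 4104 or 4103. Unless that is deliberate, make both lists identical (seven entries each). Each list can also be written once as `ScriptBlockText|contains:` followed by the values instead of repeating the modifier per item, which is the form used elsewhere in this series, and `0xdeadbeef` is a common placeholder in legitimate scripts, so it deserves a comment justifying its inclusion.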
From: "remotephone@gmail.com" Date: Mon, 12 Oct 2020 22:49:19 -0500 Subject: [PATCH 0314/1335] updating search syntax, splitting process name and cmdline and adding category --- rules/linux/macos_clear_system_logs.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index 840decff7..7d7f654ca 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -8,12 +8,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md logsource: product: macos + category: process_creation detection: selection: + - ProcessName: 'rm' CommandLine|contains: - - 'rm -rf /var/log' - - 'rm -rf /private/var/log' - - 'rm -rf /Users/*/Library/Logs/' + - '-rf /var/log' + - '-rf /private/var/log' + - '-rf /Users/*/Library/Logs/' condition: selection falsepositives: - Legitimate administration activities From 7d49db39884fade0bccfff89251b23cbd9db32e0 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Mon, 12 Oct 2020 23:19:02 -0500 Subject: [PATCH 0315/1335] updating falsepositives documentation to remove line that's not applicable --- rules/linux/macos_clear_system_logs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index 7d7f654ca..aa60ca692 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -19,7 +19,6 @@ detection: condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" level: low tags: - attack.defense_evasion From a85c19db173ae6a6aed6b8cbcf5798de046e8691 Mon Sep 17 00:00:00 2001 
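Review bot: The added `- ProcessName: 'rm'` is a sequence item placed inside the `selection` mapping next to the `CommandLine|contains:` key; as shown it turns `selection` into a list while the following key stays at mapping level, which YAML rejects (the collapsed layout makes the exact indentation uncertain — please confirm the file parses). Drop the dash: `ProcessName: 'rm'`. An exact `ProcessName: 'rm'` also does not match the full-path form (`/bin/rm`) that the other macOS rules in this series use for ProcessName, so `ProcessName|endswith: '/rm'` is more consistent, and `-rf` alone misses the `-fr` and `-r -f` spellings.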
From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 00:39:53 -0500 Subject: [PATCH 0316/1335] updating files to cover broader network discovery logic, renaming alert, adding recommended changes --- ...m.yml => lnx_system_network_discovery.yml} | 20 ++++++------- .../macos_system_net_disc_firewall_enum.yml | 24 --------------- .../linux/macos_system_network_discovery.yml | 30 +++++++++++++++++++ 3 files changed, 40 insertions(+), 34 deletions(-) rename rules/linux/{lnx_system_net_disc_firewall_enum.yml => lnx_system_network_discovery.yml} (61%) delete mode 100644 rules/linux/macos_system_net_disc_firewall_enum.yml create mode 100644 rules/linux/macos_system_network_discovery.yml diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_network_discovery.yml similarity index 61% rename from rules/linux/lnx_system_net_disc_firewall_enum.yml rename to rules/linux/lnx_system_network_discovery.yml index a41bbabd6..35f8da72a 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -1,4 +1,4 @@ -title: System Network Discovery - Firewall Enumeration +title: System Network Discovery - Linux id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c status: experimental description: Detects enumeration of firewall configuration @@ -11,18 +11,18 @@ logsource: product: unix detection: selection: - CommandLine|contains: - # Linux Only - - 'arp -a' - - 'ip' - - 'ss' - # macOS and Linux - - 'netstat' - - 'ifconfig' + ProcessName: + - '/usr/bin/firewall-cmd' + - '/usr/sbin/ufw' + - '/usr/sbin/iptables' + - '/usr/bin/netstat' + - '/usr/bin/ss' + - '/usr/sbin/ip' + - '/usr/sbin/ifconfig' condition: selection falsepositives: - Legitimate administration activities level: low tags: - attack.discovery - - attack.t1016 + - attack.t1016 \ No newline at end of file 
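Review bot: The new `ProcessName` list is an exact full-path match, but these binaries live in different places across distributions (`ip` and `ifconfig` are frequently under `/sbin` or `/bin` rather than `/usr/sbin`, and merged-/usr systems reach them through symlinks), so the rule silently misses on many hosts; `ProcessName|endswith` with `'/ip'`, `'/ifconfig'`, `'/iptables'`, etc., as the cron and local-account rules in this series do, is more portable. The description still reads `Detects enumeration of firewall configuration` although the title and the list were broadened to general network discovery. The unchanged logsource context `product: unix` also lacks the `category: process_creation` that the macOS twin in this commit adds.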
diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml deleted file mode 100644 index cf7bd1db9..000000000 --- a/rules/linux/macos_system_net_disc_firewall_enum.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System Network Discovery - Firewall Enumeration -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c -status: experimental -description: Detects enumeration of firewall configuration -author: remotephone, oscd.community -date: 2020/10/06 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md -logsource: - product: macos -detection: - selection: - ParentCommandLine|contains: - - 'netstat' - - 'ifconfig' - - 'defaults read /Library/Preferences/com.apple.alf' - - 'socketfilterfw' - condition: selection -falsepositives: - - Legitimate administration activities -level: low -tags: - - attack.discovery - - attack.t1016 diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml new file mode 100644 index 000000000..fc24eabad --- /dev/null +++ b/rules/linux/macos_system_network_discovery.yml 
@@ -0,0 +1,30 @@ +title: System Network Discovery - macOS +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +logsource: + product: macos + category: process_creation +detection: + selection1: + ProcessName: + - '/usr/sbin/netstat' + - '/sbin/ifconfig' + - '/usr/sbin/ipconfig' + - '/usr/libexec/ApplicationFirewall/socketfilterfw' + - '/usr/sbin/networksetup' + - '/usr/sbin/arp' + selection2: + ProcessName: '/usr/bin/defaults' + Commandline|contains: 'read /Library/Preferences/com.apple.alf' + condition: selection1 or selection2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1016 From 09d4160b98d410a61f516df6d2f79e74258a5baf Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 10:23:08 +0300 Subject: [PATCH 0317/1335] filter added --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index ab1473eab..287c9184b 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -24,7 +24,9 @@ detection: ParentImage|endswith: '\sqlps.exe' selection3: OriginalFileName: '\sqlps.exe' - condition: selection1 or selection2 or selection3 + reduction: + ParentImage|endswith: '\sqlagent.exe' + condition: selection1 or selection2 or selection3 and not reduction falsepositives: - Direct PS command execution through SQLPS.exe is uncommon. level: medium From 3f6ad0cb820ca99a6b17bfb62539555c12144d83 Mon Sep 17 00:00:00 2001 
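Review bot: selection2 uses `Commandline|contains` while every other rule in this series (including the macOS log-clearing rule in patch 0314) spells the field `CommandLine`; the lowercase variant will not map in the usual field mappings, so the `defaults read /Library/Preferences/com.apple.alf` case never fires. Change it to `CommandLine|contains`. The file also keeps `id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c`, the same id as the Linux rule renamed in this commit; give the macOS rule its own UUID. The description `Detects enumeration of firewall configuration` should be widened to match the new title.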
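Review bot: `condition: selection1 or selection2 or selection3 and not reduction` does not exclude sqlagent.exe children from selection1 or selection2, because `and` binds tighter than `or` in Sigma conditions and `not reduction` therefore attaches only to selection3. Write `condition: (selection1 or selection2 or selection3) and not reduction`. The falsepositives wording added in the follow-up patch 0318 assumes the exclusion applies to all three selections.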
From: "uncleP@sk" Date: Tue, 13 Oct 2020 10:25:35 +0300 Subject: [PATCH 0318/1335] falsepositives changed --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 287c9184b..c908caeaa 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -28,5 +28,5 @@ detection: ParentImage|endswith: '\sqlagent.exe' condition: selection1 or selection2 or selection3 and not reduction falsepositives: - - Direct PS command execution through SQLPS.exe is uncommon. + - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium From dff2e16ad224875efebd3bffec2903b94cdc36ef Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 13 Oct 2020 10:59:20 +0300 Subject: [PATCH 0319/1335] Update powershell_cmdline_specific_comb_methods.yml --- ...wershell_cmdline_specific_comb_methods.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 273c0f2ca..8bbb7d5be 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -17,15 +17,16 @@ logsource: detection: selection1: Image|endswith: '\powershell.exe' - CommandLine|all: - - '*char*' - - '*join*' + CommandLine|contains|all: + - 'char' + - 'join' selection2: Image|endswith: '\powershell.exe' CommandLine|contains: - 'ToInt' - 'ToDecimal' - 'ToByte' + - 'ToUint' - 'ToSingle' - 'ToSByte' selection3: 
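Review bot: The rewritten selection1 `CommandLine|contains|all` with `'char'` and `'join'` preserves the old wildcard semantics, but those substrings are very short: any command line containing, say, `charset` together with `joined` satisfies it. The PowerShell forms the rule is after are `[char]` and `-join`, so `'[char]'` and `'-join'` (and `'-split'` / `'-join'` in selection4 of the second hunk) would keep the detection while cutting noise. The detection mapping starts and ends outside this hunk, so selection3 could not be checked.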
@@ -36,14 +37,14 @@ detection: - 'String' selection4: Image|endswith: '\powershell.exe' - CommandLine|all: - - '*split*' - - '*join*' + CommandLine|contains|all: + - 'split' + - 'join' selection5: Image|endswith: '\powershell.exe' - CommandLine|all: - - '*ForEach*' - - '*Xor*' + CommandLine|contains|all: + - 'ForEach' + - 'Xor' selection6: Image|endswith: '\powershell.exe' CommandLine|contains: From 52319c1c181181ff587201fe867c60f822f2f0b1 Mon Sep 17 00:00:00 2001 From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Date: Tue, 13 Oct 2020 01:16:01 -0700 Subject: [PATCH 0320/1335] typo fixed --- rules/windows/registry_event/sysmon_susp_atbroker_change.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index 8ad56900a..af723560f 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml @@ -9,7 +9,7 @@ date: 2020/10/13 tags: - attack.defense_evasion - attack.t1218 - - attack.persistance + - attack.persistence - attack.t1547 logsource: category: registry_event @@ -22,4 +22,4 @@ detection: condition: creation or persistance falsepositives: - Creation of non-default, legitimate AT. -level: High \ No newline at end of file +level: High From 7459bcd08c036044cee96818098dd6fea726d729 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Tue, 13 Oct 2020 10:41:50 +0200 Subject: [PATCH 0321/1335] Use process_creation for the detection --- ...ron.yml => lnx_schedule_task_job_cron.yml} | 23 ++++++++-------- rules/linux/macos_schedule_task_job_cron.yml | 26 +++++++++++++++++++ 2 files changed, 37 insertions(+), 12 deletions(-) rename rules/linux/{unix_schedule_task_job_cron.yml => lnx_schedule_task_job_cron.yml} (53%) create mode 100644 rules/linux/macos_schedule_task_job_cron.yml 
diff --git a/rules/linux/unix_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml similarity index 53% rename from rules/linux/unix_schedule_task_job_cron.yml rename to rules/linux/lnx_schedule_task_job_cron.yml index 8bd297f77..dc37f2270 100644 --- a/rules/linux/unix_schedule_task_job_cron.yml +++ b/rules/linux/lnx_schedule_task_job_cron.yml @@ -1,27 +1,26 @@ title: Scheduled Cron Task/Job id: 6b14bac8-3e3a-4324-8109-42f0546a347f status: experimental -description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Crontabs in OS X, has the minor difference that the per-user files are in /usr/lib/cron/tabs/ +description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. author: Alejandro Ortuno, oscd.community date: 2020/10/06 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md - - https://attack.mitre.org/techniques/T1053/003/ logsource: - product: unix + category: process_creation + product: linux detection: - keywords: - - 'echo "*" > * && crontab *' - # Cover Linux /etc/cron.{hourly,daily,weekly,monthly}/ - # and MacOS /usr/lib/cron/tabs/ - - 'echo "*" > */cron*/*' - condition: keywords + selection: + ProcessName|endswith: + - 'crontab' + CommandLine|contains: + - '/tmp/' + condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" -level: low +level: medium tags: - attack.execution - attack.persistence - attack.privilege_escalation - - attack.t1059.003 + - attack.t1053.003 diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml new file mode 100644 index 000000000..ffbb9c82a --- /dev/null +++ b/rules/linux/macos_schedule_task_job_cron.yml 
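Review bot: `ProcessName|endswith: 'crontab'` lacks the leading slash that the same author's local-account rules in patch 0322 use (`'/lastlog'`, `'/cat'`), so any binary whose name ends in `crontab` matches; use `'/crontab'`. `CommandLine|contains: '/tmp/'` only catches a crontab loaded from /tmp, which is narrower than the description's "abuse of the cron utility" and misses `/var/tmp/`, `/dev/shm/` and the `crontab -` stdin form; consider listing the other world-writable locations and stating in the description that stdin installs are out of scope. `uploaded from the tmp folder` should read `loaded from the tmp folder`. The macOS twin added in this commit shares all three points.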
@@ -0,0 +1,26 @@ +title: Scheduled Cron Task/Job +id: 7c3b43d8-d794-47d2-800a-d277715aa460 +status: experimental +description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. +author: Alejandro Ortuno, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md +logsource: + category: process_creation + product: macos +detection: + selection: + ProcessName|endswith: + - 'crontab' + CommandLine|contains: + - '/tmp/' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053.003 From 30bd626d767c5c35f2df1ce67934af42a593e745 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Tue, 13 Oct 2020 10:51:00 +0200 Subject: [PATCH 0322/1335] Split command line and do contains all. --- rules/linux/lnx_local_account.yml | 8 ++++---- rules/linux/macos_local_account.yml | 20 +++++++++++--------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml index 3026984cd..c470ca6cb 100644 --- a/rules/linux/lnx_local_account.yml +++ b/rules/linux/lnx_local_account.yml @@ -12,22 +12,22 @@ logsource: detection: selection_1: ProcessName|endswith: - - '*/lastlog' + - '/lastlog' selection_2: CommandLine|contains: - "'x:0:'" selection_3: ProcessName|endswith: - - '*/cat' + - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: ProcessName|endswith: - - '*/id' + - '/id' selection_5: ProcessName|endswith: - - '*/lsof' + - '/lsof' CommandLine|contains: - '-u' condition: 1 of them diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml index db2b6b588..97aecfc82 100644 --- a/rules/linux/macos_local_account.yml 
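Review bot: This rule is a copy of the Linux one with `product: macos` but is placed under `rules/linux/`, and like it only matches `/tmp/` in the `crontab` command line, so the stdin form `crontab -` is invisible. On macOS the world-writable staging locations also include `/var/tmp/` and `/Users/Shared/`, so `CommandLine|contains: ['/tmp/', '/var/tmp/', '/Users/Shared/']` is a better minimum (`/private/tmp/` already contains `/tmp/`). Confirm that the macOS process_creation field mapping actually exposes `ProcessName`; other platforms in this repository key on `Image`.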
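Review bot: `selection_2` matches the YAML string `'x:0:'` including the embedded single quotes, so `grep x:0: /etc/passwd` or `grep "x:0:" /etc/passwd` are missed; the intended literal is `- 'x:0:'` (YAML quotes only). With `condition: 1 of them`, `selection_4` still fires on every bare execution of `id`, which login scripts and package hooks run constantly, so either require an argument there or accept that the rule is for hunting rather than alerting and lower its level. Also consider `/getent` with `CommandLine|contains: 'passwd'`, which is the canonical enumeration path on NSS/LDAP-joined hosts and is not covered by the `/cat` selection.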
+++ b/rules/linux/macos_local_account.yml @@ -12,29 +12,31 @@ logsource: detection: selection_1: ProcessName|endswith: - - '*/dscl' - CommandLine|contains: - - '. list /users' + - '/dscl' + CommandLine|contains|all: + - 'list' + - '/users' selection_2: ProcessName|endswith: - - '*/dscacheutil' - CommandLine|contains: - - '-q user' + - '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'user' selection_3: CommandLine|contains: - "'x:0:'" selection_4: ProcessName|endswith: - - '*/cat' + - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: ProcessName|endswith: - - '*/id' + - '/id' selection_6: ProcessName|endswith: - - '*/lsof' + - '/lsof' CommandLine|contains: - '-u' condition: 1 of them From 50fde8c13f32587c85931f3c3a7082fe968589e8 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Tue, 13 Oct 2020 10:55:29 +0200 Subject: [PATCH 0323/1335] minor changes on command line --- rules/linux/macos_create_account.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml index c866aba10..915f90488 100644 --- a/rules/linux/macos_create_account.yml +++ b/rules/linux/macos_create_account.yml @@ -12,13 +12,13 @@ logsource: detection: selection: ProcessName|endswith: - - '*/dscl' + - '/dscl' CommandLine|contains: - - '. -create *' + - 'create' condition: selection falsepositives: - Legitimate administration activities -level: Admin +level: medium tags: - attack.t1136 # an old one - attack.t1136.001 From c03a6967624c865b051442e087dea682bd46c05f Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Tue, 13 Oct 2020 11:00:06 +0200 Subject: [PATCH 0324/1335] additional modifications on commands and process names --- rules/linux/lnx_local_groups.yml | 4 ++-- rules/linux/macos_local_groups.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) 
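Review bot: `selection_3` carries the same quoted-literal problem as the Linux sibling: `"'x:0:'"` only matches a command line that contains the single quotes, so use `- 'x:0:'`. On macOS local accounts live in Open Directory rather than `/etc/passwd`, so `selection_3`/`selection_4` are of limited value there; the `dscl` and `dscacheutil` selections carry the rule, and `dscl . -read /Users/<name>` (single-record enumeration) would be worth a `CommandLine|contains|all: ['-read', '/Users/']` selection. The bare `/id` selection under `1 of them` will be very noisy on any shared host.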
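Review bot: `CommandLine|contains: 'create'` drops the `-` that anchored the `dscl` flag and will also match any command line with `create` somewhere in a path or argument; `-create` is more precise and still matches `dscl . -create /Users/x`. Requiring the target node too, `CommandLine|contains|all: ['-create', '/Users/']`, keeps the rule on account creation (T1136.001) rather than every `dscl -create` of a group or arbitrary attribute. If group creation should also alert, add `/Groups/` as a second selection rather than widening the first.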
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml index 04cd384c9..7bdb042a7 100644 --- a/rules/linux/lnx_local_groups.yml +++ b/rules/linux/lnx_local_groups.yml @@ -12,10 +12,10 @@ logsource: detection: selection_1: ProcessName|endswith: - - '*/groups' + - '/groups' selection_2: ProcessName|endswith: - - '*/cat' + - '/cat' CommandLine|contains: - '/etc/group' condition: 1 of them diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml index a456e13ae..3441c43d5 100644 --- a/rules/linux/macos_local_groups.yml +++ b/rules/linux/macos_local_groups.yml @@ -12,19 +12,21 @@ logsource: detection: selection_1: ProcessName|endswith: - - '*/dscacheutil' - CommandLine|contains: - - '-q group' + - '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'group' selection_2: ProcessName|endswith: - - '*/cat' + - '/cat' CommandLine|contains: - '/etc/group' selection_3: ProcessName|endswith: - - '*/dscl' - CommandLine|contains: - - '. -list /groups' + - '/dscl' + CommandLine|contains|all: + - '-list' + - '/groups' condition: 1 of them falsepositives: - Legitimate administration activities From 77ca94a47fe7f9ffa1a43b998f3a6aa787d7efa6 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 12:39:32 +0300 Subject: [PATCH 0325/1335] sqltoolsps.exe usage detection added --- .../win_susp_use_of_sqltoolsps_bin.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml new file mode 100644 index 000000000..ed582f1f4 --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml 
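Review bot: `selection_2` only catches `cat /etc/group`, while `getent group` is the canonical enumeration command on Linux (and the only one that returns NSS/LDAP groups), so it should be a third selection: `selection_3:` / `ProcessName|endswith: '/getent'` / `CommandLine|contains: 'group'`. `selection_1` fires on every invocation of `groups`, which many shell profiles call at login; with `condition: 1 of them` that will dominate the output, so either lower the level or require a username argument.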
@@ -0,0 +1,32 @@ +title: Detection of PowerShell Execution via SQL client tools +id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 +status: experimental +description: PowerShell execution through builtin SQL Server Management Studio "SQLToolsPS.exe" binary. Microsoft PS logging like + ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml + - https://twitter.com/pabraeken/status/993298228840992768 +tags: + - attack.execution + - attack.t1059.001 + - attack.defense_evasion + - attack.t1127 +author: Agro (@agro_sev) +date: 2020/10/12 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\sqltoolsps.exe' + selection2: + ParentImage|endswith: '\sqltoolsps.exe' + selection3: + OriginalFileName: '\sqltoolsps.exe' + reduction: + ParentImage|endswith: '\smss.exe' + condition: selection1 or selection2 or selection3 and not reduction +falsepositives: + - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. +level: medium + From b6b9ef85b1f37148cd7797531996d7738cba640b Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 12:48:58 +0300 Subject: [PATCH 0326/1335] Revert "sqltoolsps.exe usage detection added" This reverts commit 77ca94a47fe7f9ffa1a43b998f3a6aa787d7efa6. wrong branch --- .../win_susp_use_of_sqltoolsps_bin.yml | 32 ------------------- 1 file changed, 32 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml deleted file mode 100644 index ed582f1f4..000000000 --- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -title: Detection of PowerShell Execution via SQL client tools -id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 -status: experimental -description: PowerShell execution through builtin SQL Server Management Studio "SQLToolsPS.exe" binary. Microsoft PS logging like - ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml - - https://twitter.com/pabraeken/status/993298228840992768 -tags: - - attack.execution - - attack.t1059.001 - - attack.defense_evasion - - attack.t1127 -author: Agro (@agro_sev) -date: 2020/10/12 -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: '\sqltoolsps.exe' - selection2: - ParentImage|endswith: '\sqltoolsps.exe' - selection3: - OriginalFileName: '\sqltoolsps.exe' - reduction: - ParentImage|endswith: '\smss.exe' - condition: selection1 or selection2 or selection3 and not reduction -falsepositives: - - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. -level: medium - From 62bb2bc2722705b0acfff93b0d673b2adbd0e673 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 13:04:37 +0300 Subject: [PATCH 0327/1335] [OSCD] LOLBin sqltoolsps.exe detection added --- .../win_susp_use_of_sqltoolsps_bin.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml new file mode 100644 index 000000000..d8d56114a --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml 
@@ -0,0 +1,32 @@
+title: Detection of PowerShell Execution via SQL client tools
+id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
+status: experimental
+description: PowerShell execution through builtin SQL Server Management Studio "SQLToolsPS.exe" binary. Microsoft PS logging like
+ ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: Agro (@agro_sev)
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqltoolsps.exe'
+ selection2:
+ ParentImage|endswith: '\sqltoolsps.exe'
+ selection3:
+ OriginalFileName: '\sqltoolsps.exe'
+ reduction:
+ ParentImage|endswith: '\smss.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+level: medium
+
From 5c65d07100d72bf7ee7a40276e1545f43edbff8a Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Tue, 13 Oct 2020 17:44:39 +0530
Subject: [PATCH 0328/1335] add reference & ends with condition
---
 .../image_load/sysmon_susp_script_dotnet_clr_dll_load.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
index b3b6ec5b7..c6c274aad 100644
--- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
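Review bot: `condition: selection1 or selection2 or selection3 and not reduction` binds `and` tighter than `or`, so the `reduction` filter is applied to `selection3` only and an excluded parent never suppresses `selection1`/`selection2`; write `condition: (selection1 or selection2 or selection3) and not reduction`. `OriginalFileName` is the bare PE version-resource name, so `'\sqltoolsps.exe'` with a leading backslash can never match — use `OriginalFileName: 'SQLToolsPS.exe'` (assuming that is the resource value; verify against a binary). The filter parent `\smss.exe` (Session Manager) looks like a typo for the SQL Server Management Studio process `\ssms.exe` that the description and falsepositives text refer to; as written the filter never triggers, so change it to `ParentImage|endswith: '\ssms.exe'` and fix the falsepositives entry to match.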
@@ -5,6 +5,7 @@ description: Detects CLR DLL being loaded by an scripting applications references: - https://github.com/tyranid/DotNetToJScript - https://thewover.github.io/Introducing-Donut/ + - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html author: omkar72, oscd.community date: 2020/10/10 tags: @@ -16,15 +17,15 @@ logsource: product: windows detection: selection: - Image: + Image|endswith: - '*\wscript.exe' - '*\cscript.exe' - '*\mshta.exe' - ImageLoaded: + ImageLoaded|endswith: - '*\clr.dll' - '*\mscoree.dll' - '*\mscorlib.dll' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high From cdcb16dcd35eecb1cbee23cb80f36b9766136671 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Tue, 13 Oct 2020 17:48:14 +0530 Subject: [PATCH 0329/1335] changed main condition for Netsh as well --- rules/windows/process_creation/win_netsh_port_fwd.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index 08befd419..806818da9 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml @@ -4,7 +4,7 @@ description: Detects netsh commands that configure a port forwarding references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html date: 2019/01/29 -modified: 2020/10/12 +modified: 2020/10/13 tags: - attack.lateral_movement - attack.defense_evasion @@ -17,8 +17,13 @@ logsource: product: windows detection: selection1: - CommandLine: - - netsh interface portproxy add v4tov4 * + Image|endswith: + - '\netsh.exe' + CommandLine|contains|all: + - 'interface' + - 'portproxy' + - 'add' + - 'v4tov4' selection2: Image|endswith: - '\netsh.exe' From 5b161ff4aea90c51212a274f2b6f2dea4378fb74 Mon Sep 17 00:00:00 2001 
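Review bot: The `Image|endswith` and `ImageLoaded|endswith` values keep their leading `*` (`'*\wscript.exe'`, `'*\clr.dll'`); with the `endswith` modifier the wildcard is redundant, and a backend that escapes value text literally will emit a pattern ending in an asterisk and match nothing, so drop it (`- '\wscript.exe'`, `- '\clr.dll'`, and so on). For consistency with the sibling `sysmon_susp_clr_logs.yml` in this series, which covers `regsvr32` and `wmic` as well, consider adding `'\regsvr32.exe'` and `'\wmic.exe'` to the `Image` list here so the image_load and file_event rules watch the same hosts.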
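Review bot: Requiring both `'interface'` and `'v4tov4'` in `selection1` misses the abbreviated form netsh accepts (`netsh int portproxy add v4tov4 …` is what most write-ups use, since netsh resolves unambiguous command prefixes) as well as the `v4tov6`, `v6tov4` and `v6tov6` listeners. Since `Image|endswith: '\netsh.exe'` is now part of the selection, `CommandLine|contains|all: ['portproxy', 'add']` keeps the intent and closes both gaps. `selection2` continues past the end of the hunk.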
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Tue, 13 Oct 2020 17:51:05 +0530 Subject: [PATCH 0330/1335] added regex & changed logsource --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index dd36e05ad..d30976caf 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -10,17 +10,16 @@ tags: status: experimental author: omkar72, oscd.community logsource: + category: file_event product: windows - service: sysmon detection: selection: - EventID: 11 - TargetFilename|contains: - - '\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*' - - '\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*' - - '\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' - - '\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' - - '\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' + TargetFilename: + - '*\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*' + - '*\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*' + - '*\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' + - '*\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' + - '*\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' condition: selection falsepositives: - Unknown From 3d3efcd3db0a75009b65dcecf71ed9688ae72f1c Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 16:24:52 +0300 Subject: [PATCH 0331/1335] title changed --- .../windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index d8d56114a..01c2d5200 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml 
@@ -1,4 +1,4 @@ -title: Detection of PowerShell Execution via SQL client tools +title: SQL Client Tools PowerShell Session Detection id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: experimental description: PowerShell execution through builtin SQL Server Management Studio "SQLToolsPS.exe" binary. Microsoft PS logging like From fa3a06aadb92bd8a9c6eacdf85589fff32cccb42 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:50:43 +0300 Subject: [PATCH 0332/1335] Added 2 More Detection Methods Issue #576 --- rules/windows/other/win_wmi_persistence.yml | 49 ++++++++++++++++----- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index dbb17a226..3a087081c 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -1,23 +1,30 @@ +action: global title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) -author: Florian Roth +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Sysmon logs. +author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 -modified: 2020/08/23 +modified: 2020/10/13 references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ + - https://attack.mitre.org/techniques/T1546/003/ tags: - attack.persistence - attack.privilege_escalation - attack.t1084 # an old one - attack.t1546.003 +falsepositives: + - Unknown (data set is too small; further testing needed) +level: medium +--- logsource: product: windows - service: wmi + service: wmi #native windows detection + definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher' detection: - selection: + wmi_activity_5861: EventID: 5861 keywords: Message: 
@@ -25,9 +32,31 @@ detection: - '*CommandLineEventConsumer*' - '*CommandLineTemplate*' # - 'Binding EventFilter' # too many false positive with HP Health Driver - selection2: + wmi_activity_5859: EventID: 5859 - condition: selection and 1 of keywords or selection2 -falsepositives: - - Unknown (data set is too small; further testing needed) -level: medium + network_logon: + EventID: 4624 + LogonType: 3 + privileges_assigned: + EventID: 4672 + wmi_subscription: + EventID: 4662 + ObjectType: 'WMI Namespace' + ObjectName: '*subscription*' + condition: (wmi_activity_5861 and 1 of keywords) OR (wmi_activity_5859) OR (network_logon and privileges_assigned and wmi_subscription) +--- +logsource: + product: windows + service: sysmon #sysmon detection +detection: + filter_creation: + # Sysmon WMI Filter Creation + EventID: 19 + consumer_creation: + # Sysmon WMI Consumer Creation + EventID: 20 + consumer_binding: + # Sysmon WMI Consumer Binding + EventID: 21 + timeframe: 5m + condition: all of them From 1824259ebf36db537bb3e24c2126974e7c484832 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:03:06 +0300 Subject: [PATCH 0333/1335] Added New Registry Keys Issue #576 --- .../sysmon_asep_reg_keys_modification.yml | 190 ++++++++++++++++-- 1 file changed, 168 insertions(+), 22 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 80f4a8237..b5eedb3e9 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
@@ -4,35 +4,181 @@ description: Detects modification of autostart extensibility point (ASEP) in reg status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml + - https://attack.mitre.org/techniques/T1547/001/ tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 -date: 2019/10/21 -modified: 2020/09/06 -author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community + - attack.t1060 # an old one +date: 2019/10/25 +modified: 2020/10/13 +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community logsource: category: registry_event - product: windows + product: windows +level: medium detection: - selection: - TargetObject|contains: - - '\software\Microsoft\Windows\CurrentVersion\Run' - - '\software\Microsoft\Windows\CurrentVersion\RunOnce' - - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - '\software\Microsoft\Windows\CurrentVersion\RunServices' - - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' - - '\software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL - - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU - - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU - - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' + selection: + TargetObject|contains: + - '\System\CurrentControlSet\Services' + - '\SYSTEM\CurrentControlSet\Control\Terminal 
Server\WinStations\RDP-Tcp\InitialProgram' + - '\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms' + - '\System\CurrentControlSet\Control\Session Manager\SetupExecute' + - '\System\CurrentControlSet\Control\Session Manager\S0InitialCommand' + - '\System\CurrentControlSet\Control\Session Manager\KnownDlls' + - '\System\CurrentControlSet\Control\Session Manager\Execute' + - '\System\CurrentControlSet\Control\Session Manager\BootExecute' + - '\System\CurrentControlSet\Control\Session Manager\AppCertDlls' + - '\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders' + - '\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell' + - '\SYSTEM\CurrentControlSet\Control\Print\Providers' + - '\SYSTEM\CurrentControlSet\Control\Print\Monitors' + - '\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order' + - '\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages' + - '\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages' + - '\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' + - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' + - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' + - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' + - '\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' + - 
'\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect' + - '\Software\Wow6432Node\Microsoft\Office\Word\Addins' + - '\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins' + - '\Software\Wow6432Node\Microsoft\Office\Outlook\Addins' + - '\Software\Wow6432Node\Microsoft\Office\Onenote\Addins' + - '\Software\Wow6432Node\Microsoft\Office\Excel\Addins' + - '\Software\Wow6432Node\Microsoft\Office\Access\Addins' + - '\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar' + - '\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions' + - '\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars' + - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' + - '\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers' + - '\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews' + - '\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers' + - '\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers' + - '\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers' + - '\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers' + - '\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers' + - '\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers' + - '\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers' + - '\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers' + - '\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers' + - '\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - 
'\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' + - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' + - '\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers' + - '\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers' + - '\Software\Policies\Microsoft\Windows\System\Scripts\Startup' + - '\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown' + - '\Software\Policies\Microsoft\Windows\System\Scripts\Logon' + - '\Software\Policies\Microsoft\Windows\System\Scripts\Logoff' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' + - '\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup' + - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown' + - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon' + - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' + - '\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' + - '\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' + - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers' + 
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup' + - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells' + - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run' + - '\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers' + - '\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' + - '\Software\Microsoft\Office\Word\Addins' + - '\Software\Microsoft\Office\PowerPoint\Addins' + - '\Software\Microsoft\Office\Outlook\Addins' + - '\Software\Microsoft\Office\Onenote\Addins' + - '\Software\Microsoft\Office\Excel\Addins' + - '\Software\Microsoft\Office\Access\Addins' + - '\SOFTWARE\Microsoft\Office test\Special\Perf' + - '\Software\Microsoft\Internet Explorer\Toolbar' + - '\Software\Microsoft\Internet Explorer\Extensions' + - '\Software\Microsoft\Internet Explorer\Explorer Bars' + - '\SYSTEM\Setup\CmdLine' + 
- '\Software\Microsoft\Ctf\LangBarAddin' + - '\Software\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Microsoft\Active Setup\Installed Components' + - '\SOFTWARE\Classes\Protocols\Handler' + - '\SOFTWARE\Classes\Protocols\Filter' + - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' + - '\Software\Classes\Folder\ShellEx\PropertySheetHandlers' + - '\Software\Classes\Folder\ShellEx\ExtShellFolderViews' + - '\Software\Classes\Folder\ShellEx\DragDropHandlers' + - '\Software\Classes\Folder\ShellEx\ContextMenuHandlers' + - '\Software\Classes\Folder\Shellex\ColumnHandlers' + - '\Software\Classes\Filter' + - '\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)' + - '\Software\Classes\Drive\ShellEx\ContextMenuHandlers' + - '\Software\Classes\Directory\Shellex\PropertySheetHandlers' + - '\Software\Classes\Directory\Shellex\DragDropHandlers' + - '\Software\Classes\Directory\Shellex\CopyHookHandlers' + - '\Software\Classes\Directory\ShellEx\ContextMenuHandlers' + - '\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers' + - '\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - '\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' + - '\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' + - '\Software\Classes\.exe' + - '\Software\Classes\.cmd' + - '\Software\Classes\*\ShellEx\PropertySheetHandlers' + - '\Software\Classes\*\ShellEx\ContextMenuHandlers' + - '\Environment\UserInitMprLogonScript' + - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' + - '\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64' + - 
'\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries' + - '\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64' + - '\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries' + - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run' + - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load' + - '\Software\Microsoft\Internet Explorer\UrlSearchHooks' + - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' + - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' + - '\Control Panel\Desktop\Scrnsave.exe' condition: selection +fields: + - SecurityID + - ObjectName + - OldValueType + - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason -level: medium From 992edf66cc6e41c5d351668c7ed668e2500b39b5 Mon Sep 17 00:00:00 2001 From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Date: Tue, 13 Oct 2020 11:30:17 -0700 Subject: [PATCH 0334/1335] values enclosed in quotation marks' --- rules/windows/registry_event/sysmon_susp_atbroker_change.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml index af723560f..e060cdb8f 100644 --- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml 
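Review bot: `'\System\CurrentControlSet\Services'` as a bare `contains` value matches every registry write under the Services hive (service parameters, BAM state, Tcpip interface settings), which will dominate this rule's output at `level: medium`; narrow it to the values that actually grant execution, e.g. `'\System\CurrentControlSet\Services\*\ImagePath'` and `'\Services\*\Parameters\ServiceDll'`, or leave service persistence to the dedicated service rules. The `\Software\Classes\*\ShellEx\...` entries refer to the literal key named `*` (HKCR\*), but an unescaped `*` is a Sigma wildcard, so they match any class; per the Sigma escaping rules a literal backslash followed by a literal asterisk is written `\\\*`, i.e. `'\Software\Classes\\\*\ShellEx\ContextMenuHandlers'` — or keep the broad match and say so in a comment. The new `fields:` list (`SecurityID`, `ObjectName`, `OldValueType`, `NewValueType`) looks like Security event 4657 field names rather than the Sysmon `registry_event` fields (`TargetObject`, `Details`, `Image`, `User`) this logsource produces; confirm against the intended collector before relying on it in alert output.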
@@ -16,9 +16,9 @@ logsource: product: windows detection: creation: - TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs' persistance: - TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' condition: creation or persistance falsepositives: - Creation of non-default, legitimate AT. From cd98d907a1dbe481d4f57408a3b925059dee0cdc Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:39:03 +0300 Subject: [PATCH 0335/1335] Log Sources Modified Modified Log Sources and Deleted a Sysmon Detection due to Discussion in PR #1161 --- rules/windows/other/win_wmi_persistence.yml | 28 +++++++-------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 3a087081c..81ab651d4 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -24,7 +24,7 @@ logsource: service: wmi #native windows detection definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher' detection: - wmi_activity_5861: + wmi_filter_to_consumer_binding: EventID: 5861 keywords: Message: @@ -32,8 +32,14 @@ detection: - '*CommandLineEventConsumer*' - '*CommandLineTemplate*' # - 'Binding EventFilter' # too many false positive with HP Health Driver - wmi_activity_5859: + wmi_filter_registration: EventID: 5859 + condition: (wmi_filter_to_consumer_binding and 1 of keywords) OR (wmi_filter_registration) +--- +logsource: + product: windows + service: security +detection: network_logon: EventID: 4624 LogonType: 3 
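Review bot: In the new `condition: (wmi_filter_to_consumer_binding and 1 of keywords) OR (wmi_filter_registration)`, the right-hand branch matches every `EventID: 5859` event, while only the 5861 branch is narrowed by the consumer keywords, so any permanent WMI filter registration, legitimate ones included, raises the alert. Either apply the same `Message` keywords to `wmi_filter_registration` or record the expected noise under `falsepositives`. The same shape survives the later 'Fixed sigma syntax' commit, where it becomes `condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)`.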
@@ -43,20 +49,4 @@ detection: EventID: 4662 ObjectType: 'WMI Namespace' ObjectName: '*subscription*' - condition: (wmi_activity_5861 and 1 of keywords) OR (wmi_activity_5859) OR (network_logon and privileges_assigned and wmi_subscription) ---- -logsource: - product: windows - service: sysmon #sysmon detection -detection: - filter_creation: - # Sysmon WMI Filter Creation - EventID: 19 - consumer_creation: - # Sysmon WMI Consumer Creation - EventID: 20 - consumer_binding: - # Sysmon WMI Consumer Binding - EventID: 21 - timeframe: 5m - condition: all of them + condition: network_logon and privileges_assigned and wmi_subscription From b4604f88aa1597a50360b290acb938099ba9cf14 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Tue, 13 Oct 2020 21:49:21 +0300 Subject: [PATCH 0336/1335] title fixed --- .../windows/process_creation/win_susp_use_of_sqlps_bin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index c908caeaa..b30217212 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
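Review bot: `condition: network_logon and privileges_assigned and wmi_subscription` ANDs selections that key on different events (`EventID: 4624` on the new side of the preceding hunk, `EventID: 4662` here; `privileges_assigned` lies outside this hunk), and a Sigma condition is evaluated per event, so no single Security event can satisfy all three and the second document will not fire on a backend without cross-event correlation. This was already true of the old third OR branch, but it is now the document's only condition. Either reduce it to `condition: wmi_subscription` and keep the logon and privilege selections as documented context, or state in `definition` that this document requires correlation support.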
@@ -1,8 +1,8 @@ -title: Detection of PowerShell Execution via SQL +title: Detection of PowerShell Execution via Sqlps.exe id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: experimental -description: PowerShell execution through builtin SQL Server "SQLPS.exe" binary. Microsoft PS logging like - ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. +description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. + references: - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ From b732c060a1bf3f2b84b9aec8b81a471743be01d6 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 13 Oct 2020 22:02:53 +0300 Subject: [PATCH 0337/1335] Fixed sigma syntax --- rules/windows/other/win_wmi_persistence.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 81ab651d4..6466ab79a 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -26,15 +26,14 @@ logsource: detection: wmi_filter_to_consumer_binding: EventID: 5861 - keywords: - Message: - - '*ActiveScriptEventConsumer*' - - '*CommandLineEventConsumer*' - - '*CommandLineTemplate*' + Message|contains: + - 'ActiveScriptEventConsumer' + - 'CommandLineEventConsumer' + - 'CommandLineTemplate' # - 'Binding EventFilter' # too many false positive with HP Health Driver wmi_filter_registration: EventID: 5859 - condition: (wmi_filter_to_consumer_binding and 1 of keywords) OR (wmi_filter_registration) + condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration) --- logsource: product: windows @@ -48,5 +47,5 @@ detection: wmi_subscription: EventID: 4662 ObjectType: 'WMI Namespace' - ObjectName: '*subscription*' + ObjectName|contains: 'subscription' condition: network_logon and privileges_assigned and wmi_subscription From 9da9c20c63bc243640228b9a2ab8603946d2ac5f Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 13 Oct 2020 22:06:34 +0300 Subject: [PATCH 0338/1335] Description Changed --- rules/windows/other/win_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 6466ab79a..224be0c8f 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -2,7 +2,7 @@ action: global title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on WMI and Sysmon logs. +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 modified: 2020/10/13 From a998c9b74cbca62fc18432fa6ab4167a40072ac1 Mon Sep 17 00:00:00 2001 
From: grikos <51186173+grikos@users.noreply.github.com> Date: Tue, 13 Oct 2020 22:37:51 +0300 Subject: [PATCH 0339/1335] Remove asterisk from condition --- rules/windows/process_creation/win_susp_vboxdrvInst.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml index a7157354a..024b51499 100644 --- a/rules/windows/process_creation/win_susp_vboxdrvInst.yml +++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml @@ -17,8 +17,9 @@ logsource: detection: selection: Image|endswith: '\VBoxDrvInst.exe' - CommandLine: - - 'driver*executeinf' + CommandLine|contains|all: + - 'driver' + - 'executeinf' condition: selection fields: - ComputerName From 54a9598d4b7b631f8bf147b09484d17986fe771c Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 13 Oct 2020 22:27:27 +0200 Subject: [PATCH 0340/1335] Fixed typo --- rules/windows/process_creation/win_susp_winrm_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml index 218390dee..2ecb2b39e 100644 --- a/rules/windows/process_creation/win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/win_susp_winrm_execution.yml @@ -1,4 +1,4 @@ -title: Remore Code Execute via Winrm.vbs +title: Remote Code Execute via Winrm.vbs id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 description: Detects an attempt to execude code or create service on remote host via winrm.vbs. status: experimental From 0914c03acba6791324ecc812f367dd72d4ba6701 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 13 Oct 2020 22:32:55 +0200 Subject: [PATCH 0341/1335] Update sysmon_accessing_winapi_in_powershell_credentials_dumping.yml --- ...ysmon_accessing_winapi_in_powershell_credentials_dumping.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index c8d6bed39..96e861348 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -1,4 +1,4 @@ -title: Accessing WinAPI in PowerShell. Credentials Dumping +title: Accessing WinAPI in PowerShell for Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc description: Detects Accessing to lsass.exe by Powershell status: experimental From 208798e373d16d122a0fb9100f700f3e4653bceb Mon Sep 17 00:00:00 2001 From: Demyan Sokolin Date: Wed, 14 Oct 2020 01:55:45 +0300 Subject: [PATCH 0342/1335] [OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools --- ...gon_exploitation_using_wellknown_tools.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml new file mode 100644 index 000000000..8bfa909f1 --- /dev/null +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml 
@@ -0,0 +1,27 @@ +title: Possible Zerologon (CVE-2020-1472) exploitation using well-known tools +id: 18f37338-b9bd-4117-a039-280c81f7a596 +status: stable +description: This rule is designed to detect attempts to exploit Zerologon vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. +references: + - https://www.secura.com/blog/zero-logon +author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community' +date: 2020/10/13 +tags: + - attack.t1210 + - attack.lateral_movement +logsource: + category: other + service: system + product: windows +detection: + selection: + - EventID: '5805' + Message|contains: + - kali + - mimikatz + - EventID: '5723' + Message|contains: + - kali + - mimikatz + condition: selection +level: critical \ No newline at end of file From ba2771147bb504ce1e1999c8b6193cb5df8bf324 Mon Sep 17 00:00:00 2001 From: Demyan Sokolin Date: Wed, 14 Oct 2020 02:04:34 +0300 Subject: [PATCH 0343/1335] Title length fixed Title and description changed to meet requirements. --- ..._possible_zerologon_exploitation_using_wellknown_tools.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index 8bfa909f1..2a809660c 100644 --- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml 
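Review bot: `status: stable` on a newly created rule whose selection depends on the literal strings `kali` and `mimikatz` in the `Message` of events 5805 and 5723 overstates the coverage; the other new rules in this series use `status: experimental`, and the description itself limits the rule to a "kali" hostname. `EventID: '5805'` and `EventID: '5723'` are quoted strings whereas the rest of the repository writes bare integers (`EventID: 4624`, `EventID: 5859`); `EventID: 5805` keeps the type consistent across backends. `Message|contains: - kali` is a substring match, so computer names that merely contain those letters will also match and belong under a `falsepositives` section, which the file does not have.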
@@ -1,7 +1,7 @@ -title: Possible Zerologon (CVE-2020-1472) exploitation using well-known tools +title: Zerologon exploitation using well-known tools id: 18f37338-b9bd-4117-a039-280c81f7a596 status: stable -description: This rule is designed to detect attempts to exploit Zerologon vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. +description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. references: - https://www.secura.com/blog/zero-logon author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community' From fce386388dcec3d19297221a6ed84221845ea0fd Mon Sep 17 00:00:00 2001 From: Demyan Sokolin Date: Wed, 14 Oct 2020 02:17:20 +0300 Subject: [PATCH 0344/1335] Title fixed [2] Title capitalization added --- ...in_possible_zerologon_exploitation_using_wellknown_tools.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index 2a809660c..673967b83 100644 --- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml @@ -1,4 +1,4 @@ -title: Zerologon exploitation using well-known tools +title: Zerologon Exploitation Using Well-known Tools id: 18f37338-b9bd-4117-a039-280c81f7a596 status: stable description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. From f2ab4a7e3222e14e7fcbf6c322e958bce9c317f5 Mon Sep 17 00:00:00 2001 
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:31:15 -0400 Subject: [PATCH 0345/1335] [OSCD] Add Accesschk tool usage rule Page 43 from #574 --- ..._accesschk_usage_after_priv_escalation.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml diff --git a/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml new file mode 100644 index 000000000..ce6fda427 --- /dev/null +++ b/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml @@ -0,0 +1,33 @@ +title: Accesschk Usage after Privilege Escalation +id: c625d754-6a3d-4f65-9c9a-536aea960d37 +description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg +tags: + - attack.discovery + - attack.t1069.001 +logsource: + product: windows + service: sysmon +detection: + event_id: + EventID: 1 + integrity_level: + IntegrityLevel: 'Medium' + product: + Product|endswith: 'AccessChk' + description: + Description|contains: 'Reports effective permissions' + condition: event_id and integrity_level and (product or description) +fields: + - EventID + - IntegrityLevel + - Product + - Description +falsepositives: + - System administrator Usage + - Penetration test +level: high \ No newline at end of file From dd705cc7f9434ce453e0fb63289d1ad06ab43efd Mon Sep 17 00:00:00 2001 
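Review bot: The description of the new file has typos that will be copied into every downstream alert: `succesfull` and `SysInternal` should read `successful` and `Sysinternals`, e.g. `description: Accesschk is an access and privilege audit tool from Sysinternals, often used by attackers to verify whether a privilege escalation attempt succeeded`. The title says "after Privilege Escalation" but the only behavioural constraint is `IntegrityLevel: 'Medium'`, the default non-elevated level, so the description should say why Medium integrity is the indicator here (presumably the check runs from the unprivileged context; confirm against the referenced slide). `level: high` combined with a `falsepositives` list that already names routine administrator usage looks optimistic; `medium` may fit better.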
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:43:19 -0400 Subject: [PATCH 0346/1335] Update sysmon_accesschk_usage_after_priv_escalation.yml --- .../sysmon/sysmon_accesschk_usage_after_priv_escalation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml index ce6fda427..d54d43775 100644 --- a/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml @@ -1,4 +1,4 @@ -title: Accesschk Usage after Privilege Escalation +title: Accesschk Usage After Privilege Escalation id: c625d754-6a3d-4f65-9c9a-536aea960d37 description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not status: experimental From 36a5f13b0ce18d6b80fed5319395d0202e87bf30 Mon Sep 17 00:00:00 2001 From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:48:16 -0400 Subject: [PATCH 0347/1335] Moved the file to the right category --- .../sysmon_accesschk_usage_after_priv_escalation.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{sysmon => process_creation}/sysmon_accesschk_usage_after_priv_escalation.yml (100%) diff --git a/rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml similarity index 100% rename from rules/windows/sysmon/sysmon_accesschk_usage_after_priv_escalation.yml rename to rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml From 7916ae051790a11af9015beec4d449dfaf1e1afd Mon Sep 17 00:00:00 2001 
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:58:00 -0400 Subject: [PATCH 0348/1335] Changed the category to process_creation --- .../sysmon_accesschk_usage_after_priv_escalation.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml index d54d43775..ca74e39f9 100644 --- a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml @@ -11,19 +11,16 @@ tags: - attack.t1069.001 logsource: product: windows - service: sysmon + category: process_creation detection: - event_id: - EventID: 1 integrity_level: IntegrityLevel: 'Medium' product: Product|endswith: 'AccessChk' description: Description|contains: 'Reports effective permissions' - condition: event_id and integrity_level and (product or description) + condition: integrity_level and (product or description) fields: - - EventID - IntegrityLevel - Product - Description From 56952ecdd45e7a92e1a156b6412fc7c95b25fd7f Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 22:09:37 -0500 Subject: [PATCH 0349/1335] updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules --- rules/linux/lnx_system_network_discovery.yml | 4 ++-- rules/linux/macos_system_network_discovery.yml | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 35f8da72a..9e52dd26f 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml 
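Review bot: The file keeps its `sysmon_` prefix after moving to `rules/windows/process_creation/`, while the sibling rules in that directory touched in this series use a `win_` prefix (`win_susp_use_of_sqlps_bin.yml`, `win_susp_diskshadow.yml`); renaming it to `win_accesschk_usage_after_priv_escalation.yml` would match. With `category: process_creation` the rule can also be mapped onto Security 4688 logs, and it is not clear from the hunk that `IntegrityLevel` is available there; a comment such as `# IntegrityLevel is populated by Sysmon Event 1; confirm the 4688 mapping before relying on it` under `logsource` would record that assumption.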
@@ -1,7 +1,7 @@ title: System Network Discovery - Linux -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: experimental -description: Detects enumeration of firewall configuration +description: Detects enumeration of local network configuration author: remotephone, oscd.community date: 2020/10/06 references: diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml index fc24eabad..2bf068e4e 100644 --- a/rules/linux/macos_system_network_discovery.yml +++ b/rules/linux/macos_system_network_discovery.yml @@ -1,7 +1,7 @@ title: System Network Discovery - macOS -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +id: 58800443-f9fc-4d55-ae0c-98a3966dfb97 status: experimental -description: Detects enumeration of firewall configuration +description: Detects enumeration of local network configuration author: remotephone, oscd.community date: 2020/10/06 references: @@ -20,7 +20,9 @@ detection: - '/usr/sbin/arp' selection2: ProcessName: '/usr/bin/defaults' - Commandline|contains: 'read /Library/Preferences/com.apple.alf' + Commandline|contains|all: + - 'read' + - '/Library/Preferences/com.apple.alf' condition: selection1 or selection2 falsepositives: - Legitimate administration activities From 7e002fcb5f7db5541efe12e362857602406784fa Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 22:17:26 -0500 Subject: [PATCH 0350/1335] updating selections to make query more efficient and less prone to evasion --- rules/linux/macos_clear_system_logs.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index aa60ca692..e5aecc052 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml 
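Review bot: The new `Commandline|contains|all:` spells the field as `Commandline`, while the other Linux/macOS rules in this series use `CommandLine` (e.g. `CommandLine|contains:` in macos_clear_system_logs); Sigma field names are mapped literally by the backend config, so the two spellings will not resolve to the same field. Change it to `CommandLine|contains|all:`. The same lowercase spelling appears in the later macos_clear_system_logs and macos_gui_input_capture commits.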
@@ -10,13 +10,15 @@ logsource: product: macos category: process_creation detection: - selection: - - ProcessName: 'rm' - CommandLine|contains: - - '-rf /var/log' - - '-rf /private/var/log' - - '-rf /Users/*/Library/Logs/' - condition: selection + selection1: + - ProcessName|endswith: '/rm' + selection2: + CommandLine|contains: '/var/log' + selection3: + Commandline|contains|all: + - '/Users/' + - '/Library/Logs/' + condition: selection1 and (selection2 or selection3) falsepositives: - Legitimate administration activities level: low From df20d2a5d283ac1779056c8fe2a044c0992d371d Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 22:44:02 -0500 Subject: [PATCH 0351/1335] adding new line at end of file --- rules/linux/lnx_system_network_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 9e52dd26f..937ab7509 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -25,4 +25,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1016 \ No newline at end of file + - attack.t1016 From 4fa6ca01efa217c1797d86839020f7b75e8c04ea Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Wed, 14 Oct 2020 10:05:41 +0530 Subject: [PATCH 0352/1335] Changed category. --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index cca688889..95e6cb027 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml 
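Review bot: `selection2` uses `CommandLine|contains: '/var/log'` and `selection3` uses `Commandline|contains|all:` in the same rule; field names are mapped literally, so one of the two selections will miss unless the backend config happens to map both spellings. Use `CommandLine|contains|all:` in selection3. Dropping the `-rf` requirement means a single-file `rm /var/log/x` by an administrator also matches; with `level: low` and the listed false positive that is acceptable, but it is worth stating in the description.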
@@ -12,7 +12,7 @@ status: experimental author: Kiran kumar s, oscd.community date: 2020/10/11 logsource: - category: sysmon + category: network_connection product: windows detection: selection: From 6b25378a61a640cfed605d574064f721f6eae59c Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Wed, 14 Oct 2020 10:07:16 +0530 Subject: [PATCH 0353/1335] Removed * operator --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 95e6cb027..308474475 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 3 - ParentImage|endswith: '*\msbuild.exe' + ParentImage|endswith: '\msbuild.exe' condition: selection fields: - ParentImage From 7343936653b462daaef63d06e1f3e6ad933f0ee6 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 23:59:53 -0500 Subject: [PATCH 0354/1335] adding gui input capture, first iteration --- rules/linux/macos_gui_input_capture.yml | 39 +++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/linux/macos_gui_input_capture.yml diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml new file mode 100644 index 000000000..3a90066a1 --- /dev/null +++ b/rules/linux/macos_gui_input_capture.yml 
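Review bot: `ParentImage|endswith: '\msbuild.exe'` cannot match once the previous commit switched the logsource to `category: network_connection`: Sysmon Event ID 3 reports the connecting process as `Image` and has no `ParentImage` field. Use `Image|endswith: '\msbuild.exe'` and list `- Image` under `fields`. The later 'Update silenttrinity_stager_msbuild_activity.yml' commit changes the value to `'msbuild.exe'`, which also drops the path separator and would match any image name ending in those characters; the field-name problem remains there too.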
@@ -0,0 +1,39 @@ +title: GUI Input Capture - macOS +id: 60f1ce20-484e-41bd-85f4-ac4afec2c541 +status: experimental +description: Detects attempts to use system dialog prompts to capture user credentials +author: remotephone, oscd.community +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md + - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ +logsource: + product: macos + category: process_creation +detection: + selection1: + ProcessName: + - '/usr/sbin/osascript' + selection2: + Commandline|contains|all: + - '-e' + - 'display' + - 'dialog' + - 'answer' + selection3: + Commandline|contains: + - 'admin' + - 'administrator' + - 'authenticate' + - 'authentication' + - 'credentials' + - 'pass' + - 'password' + - 'unlock' + condition: all of them +falsepositives: + - Legitimate administration tools and activities +level: low +tags: + - attack.discovery + - attack.t1056.002 \ No newline at end of file From 3cddb86b702db04921e578842a32c05cc6dbf4c8 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 14 Oct 2020 00:01:30 -0500 Subject: [PATCH 0355/1335] updating tags --- rules/linux/macos_gui_input_capture.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml index 3a90066a1..87d10a819 100644 --- a/rules/linux/macos_gui_input_capture.yml +++ b/rules/linux/macos_gui_input_capture.yml @@ -35,5 +35,5 @@ falsepositives: - Legitimate administration tools and activities level: low tags: - - attack.discovery + - attack.credential_access - attack.t1056.002 \ No newline at end of file From 8bbde90328ef86438c2695e21dcea99023ffd56d Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 14 Oct 2020 00:05:28 -0500 Subject: [PATCH 0356/1335] adding line at end of file --- rules/linux/macos_gui_input_capture.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
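Review bot: `ProcessName: - '/usr/sbin/osascript'` points at the wrong directory: osascript is installed at `/usr/bin/osascript`, so `selection1` never matches and, with `condition: all of them`, the rule is dead. `ProcessName|endswith: '/osascript'` avoids hard-coding the path, consistent with the `/crontab` change made elsewhere in this series. In `selection3` the entries `administrator`, `authentication` and `password` are already covered by the substrings `admin`, `authenticate` and `pass`, so they can be dropped without changing what matches.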
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml index 87d10a819..711705d36 100644 --- a/rules/linux/macos_gui_input_capture.yml +++ b/rules/linux/macos_gui_input_capture.yml @@ -36,4 +36,4 @@ falsepositives: level: low tags: - attack.credential_access - - attack.t1056.002 \ No newline at end of file + - attack.t1056.002 From ed22c8e0fe12049023dd181e4d685e22dcade3cf Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 14 Oct 2020 00:51:55 -0500 Subject: [PATCH 0357/1335] adding macos screencapture rule --- rules/linux/macos_screencapture.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/linux/macos_screencapture.yml diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml new file mode 100644 index 000000000..643329002 --- /dev/null +++ b/rules/linux/macos_screencapture.yml @@ -0,0 +1,23 @@ +title: Screen Capture - macOS +id: 38a16051-0922-4c47-96e6-72ca9fc03633 +status: experimental +description: Detects attempts to use capture macOS system screenshots +author: remotephone, oscd.community +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py +logsource: + product: macos + category: process_creation +detection: + selection1: + ProcessName: + - '/usr/sbin/screencapture' + condition: selection1 +falsepositives: + - Legitimate user activity taking screenshots +level: low +tags: + - attack.collection + - attack.t1113 From 8e7fbbd147a30140a1b178be02ba57cebc8f7229 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 14 Oct 2020 00:54:51 -0500 Subject: [PATCH 0358/1335] fixing UUID and description --- rules/linux/macos_screencapture.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
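Review bot: `selection1` wraps a single value in a list and is the only selection, so `selection: ProcessName: '/usr/sbin/screencapture'` with `condition: selection` reads more plainly. Since every invocation of the binary fires, including the legitimate use listed under `falsepositives`, adding `fields: - CommandLine` would give analysts the arguments they need for triage.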
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml index 643329002..13334b388 100644 --- a/rules/linux/macos_screencapture.yml +++ b/rules/linux/macos_screencapture.yml @@ -1,7 +1,7 @@ title: Screen Capture - macOS -id: 38a16051-0922-4c47-96e6-72ca9fc03633 +id: 0877ed01-da46-4c49-8476-d49cdd80dfa7 status: experimental -description: Detects attempts to use capture macOS system screenshots +description: Detects attempts to use screencapture to collect macOS screenshots author: remotephone, oscd.community date: 2020/10/13 references: From 75a05db44611c825059cfe0e7b222da621de420f Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Wed, 14 Oct 2020 08:50:15 +0200 Subject: [PATCH 0359/1335] Add slash to bypass testing --- rules/linux/macos_schedule_task_job_cron.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml index ffbb9c82a..9746a0ff6 100644 --- a/rules/linux/macos_schedule_task_job_cron.yml +++ b/rules/linux/macos_schedule_task_job_cron.yml @@ -12,7 +12,7 @@ logsource: detection: selection: ProcessName|endswith: - - 'crontab' + - '/crontab' CommandLine|contains: - '/tmp/' condition: selection From 2f06c30760e71f2132ec64df79d3de98a4555289 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Wed, 14 Oct 2020 10:06:34 +0300 Subject: [PATCH 0360/1335] empty line + authors fixed --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index b30217212..55303d4a7 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
@@ -2,7 +2,6 @@ title: Detection of PowerShell Execution via Sqlps.exe id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: experimental description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. - references: - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ @@ -12,7 +11,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: Agro (@agro_sev) +author: Agro (@agro_sev) oscd.community date: 2020/10/10 logsource: category: process_creation From 196debf0adf6b1b74347f21902b540d487414014 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Wed, 14 Oct 2020 10:12:34 +0300 Subject: [PATCH 0361/1335] description + author fields fixed --- .../process_creation/win_susp_use_of_sqltoolsps_bin.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index 01c2d5200..f87a9852e 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml 
@@ -1,8 +1,7 @@ title: SQL Client Tools PowerShell Session Detection id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: experimental -description: PowerShell execution through builtin SQL Server Management Studio "SQLToolsPS.exe" binary. Microsoft PS logging like - ScriptBlock logging function of PowerShell is not an option here, PS session caused by the binary won't be recorded/logged. +description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml - https://twitter.com/pabraeken/status/993298228840992768 @@ -11,7 +10,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: Agro (@agro_sev) +author: Agro (@agro_sev) oscd.community date: 2020/10/13 logsource: category: process_creation @@ -27,6 +26,6 @@ detection: ParentImage|endswith: '\smss.exe' condition: selection1 or selection2 or selection3 and not reduction falsepositives: - - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. + - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. level: medium From c0e70106fa323e1dd791744a90eac8eb3bc3d85c Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 10:15:06 +0300 Subject: [PATCH 0362/1335] Fixed att&ck, deleted commandline key "exec" (does not works without interactive mode so there is no commandline appear) --- rules/windows/process_creation/win_susp_diskshadow.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
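Review bot: The context line `condition: selection1 or selection2 or selection3 and not reduction` two lines above the rewritten falsepositives entry does not express the intent that entry describes: in Sigma `and` binds tighter than `or`, so `not reduction` only filters selection3 and an smss.exe parent never suppresses selection1 or selection2. If the exception is meant for all three, write `condition: (selection1 or selection2 or selection3) and not reduction`. The selections and `reduction` themselves are defined outside this hunk.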
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index ba47a9853..d3b618750 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -1,13 +1,12 @@ -title: Diskshadow.exe Execution +title: Execution via Diskshadow.exe id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 status: experimental description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary code references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - - attack.credential_access - attack.execution - - attack.t1003 + - attack.t1218 author: Ivan Dyachkov, oscd.community date: 2020/10/07 logsource: @@ -19,7 +18,6 @@ detection: Image: 'c:\windows\system32\diskshadow.exe' CommandLine|contains: - '/s' - - 'exec' condition: selection fields: - CommandLine From 2fa7ae2c1c4329eb8d139cbd4d8dc8d416df2870 Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Wed, 14 Oct 2020 13:04:49 +0530 Subject: [PATCH 0363/1335] Update silenttrinity_stager_msbuild_activity.yml --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 308474475..b2e42f372 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 3 - ParentImage|endswith: '\msbuild.exe' + ParentImage|endswith: 'msbuild.exe' condition: selection fields: - ParentImage From bf8426d71bd97825abf388aacbc9aa62ad2ebb69 Mon Sep 17 00:00:00 2001 
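Review bot: After dropping `'exec'`, `CommandLine|contains: - '/s'` is a single-value list, and the context line `Image: 'c:\windows\system32\diskshadow.exe'` is an exact path, so the same binary run from a copy in another directory is not matched; `Image|endswith: '\diskshadow.exe'` is the usual Sigma form and covers both. If I recall correctly diskshadow also accepts the `-s` spelling of the script switch, so `CommandLine|contains: ['/s', '-s']` would be worth confirming. The new `attack.t1218` tag under `attack.execution` is mismatched — T1218 is a Defense Evasion technique — which is probably what the later tag churn in this series is about.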
From: Alejandro Ortuno Date: Wed, 14 Oct 2020 10:14:00 +0200 Subject: [PATCH 0364/1335] Initial commit of sigma rule --- rules/linux/macos_startup_items.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/macos_startup_items.yml diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml new file mode 100644 index 000000000..f930be4a9 --- /dev/null +++ b/rules/linux/macos_startup_items.yml @@ -0,0 +1,27 @@ +title: Startup Items +id: dfe8b941-4e54-4242-b674-6b613d521962 +status: experimental +description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence. +author: Alejandro Ortuno, oscd.community +date: 2020/10/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md +logsource: + category: file_event + product: macos +detection: + selection_1: + TargetFilename|contains: + - '/Library/StartupItems/' + selection_2: + TargetFilename|endswith: + - '.plist' + condition: selection_1 and selection_2 +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1037.005 + From 2ef52dbfd849810bf980d0701c4ef77b849c05ca Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Wed, 14 Oct 2020 10:24:59 +0200 Subject: [PATCH 0365/1335] Initial Sigma Rule --- rules/linux/macos_network_sniffing.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/macos_network_sniffing.yml diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml new file mode 100644 index 000000000..823b448cb --- /dev/null +++ b/rules/linux/macos_network_sniffing.yml 
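Review bot: `selection_1` and `selection_2` each hold one value on the same field and are AND-ed, so a single selection says the same thing: `TargetFilename|contains: '/Library/StartupItems/'` and `TargetFilename|endswith: '.plist'` under one `selection:` with `condition: selection`. The file also ends with an extra blank line after `- attack.t1037.005`.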
@@ -0,0 +1,26 @@ +title: Network Sniffing +id: adc9bcc4-c39c-4f6b-a711-1884017bf043 +status: experimental +description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +author: Alejandro Ortuno, oscd.community +date: 2020/10/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md +logsource: + category: process_creation + product: macos +detection: + selection_1: + ProcessName|endswith: + - '/tcpdump' + selection_2: + ProcessName|endswith: + - '/tshark' + condition: 1 of them +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.discovery + - attack.credential_access + - attack.t1040 From 0d2566062423e3147845de9a4f6578cc73b64b6d Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Wed, 14 Oct 2020 14:13:20 +0530 Subject: [PATCH 0366/1335] Update silenttrinity_stager_msbuild_activity.yml --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index b2e42f372..308474475 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 3 - ParentImage|endswith: 'msbuild.exe' + ParentImage|endswith: '\msbuild.exe' condition: selection fields: - ParentImage From cf9b0406008e6c6e3cc0fa592c1a754e2f5e24a7 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 12:08:22 +0300 Subject: [PATCH 0368/1335] fixed description, tags --- rules/windows/process_creation/win_susp_diskshadow.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
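Review bot: `condition: 1 of them` over two single-value selections on the same field is more simply one list, `ProcessName|endswith: ['/tcpdump', '/tshark']` with `condition: selection`. `them` also pulls in every selection added later, so keep it only if that OR-everything behaviour is intended.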
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index d3b618750..19f47b823 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -1,12 +1,12 @@ title: Execution via Diskshadow.exe id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 status: experimental -description: Detects using Diskshadow.exe to dump NTDS.dit or execute arbitrary code +description: Detects using Diskshadow.exe to execute arbitrary code in text file references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - attack.execution - - attack.t1218 + - attack.t1218 author: Ivan Dyachkov, oscd.community date: 2020/10/07 logsource: From 8fdca7853c0eb14ca7ef9ac85e97eae709c465ae Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Wed, 14 Oct 2020 13:02:45 +0300 Subject: [PATCH 0369/1335] te.exe LOLbin detection --- .../win_susp_use_of_te_bin.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_te_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml new file mode 100644 index 000000000..c285a0192 --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml 
@@ -0,0 +1,27 @@ +title: Malicious WSC (Windows Script Components) File Execution by TAEF Detection +id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b +status: experimental +description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml + - https://twitter.com/pabraeken/status/993298228840992768 + - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ +tags: + - attack.t1218 +author: Agro (@agro_sev) oscd.community +date: 2020/10/13 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: '\te.exe' + selection2: + ParentImage|endswith: '\te.exe' + selection3: + OriginalFileName: '\te.exe' + condition: selection1 or selection2 or selection3 +falsepositives: + - It's not an uncommon to use te.exe directly to execute legal TAEF tests +level: low + From 22d5acde105684650b9203bc7fc557f364b68ca5 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 13:28:41 +0300 Subject: [PATCH 0370/1335] New rule --- .../win_susp_Register_cimprovider.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_Register_cimprovider.yml diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml new file mode 100644 index 000000000..92895bb42 --- /dev/null +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml 
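Review bot: `OriginalFileName: '\te.exe'` will never match: OriginalFileName comes from the PE version resource and carries no path, so the value should be `OriginalFileName: 'te.exe'`. The falsepositives entry reads `It's not an uncommon to use te.exe` — `It is not uncommon to use te.exe directly to run legitimate TAEF tests` — and `attack.t1218` has no tactic tag (`- attack.defense_evasion`). There is also a trailing blank line after `level: low`.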
@@ -0,0 +1,30 @@ +title: DLL execution via register-cimprovider.exe +id: a2910908-e86f-4687-aeba-76a5f996e652 +status: experimental +description: Detects using register-cimprovider.exe to execute arbitrary dll file. +references: + - https://twitter.com/PhilipTsukerman/status/992021361106268161 + - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md +tags: + - attack.Defense Evasion + - attack.t1574 +author: Ivan Dyachkov, Yulia Fomina oscd.community +date: 2020/10/07 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' +detection: + selection: + Image|endswith: + - 'cimprovider.exe' + CommandLine|contains|all: + - 'register-cimprovider' + - '-path' + - 'dll' + condition: selection +fields: + - CommandLine +falsepositives: + - Unknown +level: medium \ No newline at end of file From 947fa79dd3d00a4ce577b16b643c15e6f744a419 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Wed, 14 Oct 2020 13:29:25 +0300 Subject: [PATCH 0371/1335] vsjitdebugger detection added --- .../win_susp_use_of_vsjitdebugger_bin.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml new file mode 100644 index 000000000..89382b90c --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml 
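Review bot: The `definition` string has typos that survive the later edits to this rule in the series (`msut` → `must`, `Include` → `include`), and the file is committed without a trailing newline (`\ No newline at end of file`). `'register-cimprovider'` in `CommandLine|contains|all` restates what `Image|endswith: 'cimprovider.exe'` already establishes; `'-path'` and `'dll'` carry the actual signal. The `attack.Defense Evasion` tag format and the missing comma in `author` are fixed by later commits in this series, so nothing further there.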
@@ -0,0 +1,23 @@ +title: Malicious PE Execution by Microsoft Visual Studio Debugger +id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 +status: experimental +description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. +references: + - https://twitter.com/pabraeken/status/990758590020452353 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml + - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +tags: + - attack.t1218 +author: Agro (@agro_sev) oscd.community +date: 2020/10/14 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\vsjitdebugger.exe' + condition: selection +falsepositives: + - the process spawned by vsjitdebugger.exe is uncommon. +level: medium + From fa558035455102250539c96b1ac15b92ff3a2367 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 13:33:27 +0300 Subject: [PATCH 0372/1335] fixed spaces and tabs --- rules/windows/process_creation/win_susp_diskshadow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 19f47b823..3775fb677 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -9,7 +9,7 @@ tags: - attack.t1218 author: Ivan Dyachkov, oscd.community date: 2020/10/07 -logsource: +logsource: category: process_creation product: windows definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' 
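Review bot: The `description` reads `This option may be used adversaries` — `may be used by adversaries` — and `installed alongside with Microsoft Visual Studio` — `installed alongside Microsoft Visual Studio`. `tags` lists `attack.t1218` without its tactic; the repo convention pairs it with `- attack.defense_evasion`. The trailing blank line after `level: medium` can go.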
From 90725564c6f3bde710761320263c02b5209e49c9 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 17:29:45 +0530 Subject: [PATCH 0373/1335] separated & changed conditions --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index d30976caf..aa904e2c7 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -15,11 +15,14 @@ logsource: detection: selection: TargetFilename: - - '*\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*' - - '*\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*' - - '*\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*' - - '*\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*' - - '*\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*' + - '\AppData\Local\Microsoft\CLR' + - '\UsageLogs\' + TargetFilename|contains: + - 'mshta' + - 'cscript' + - 'wscript' + - 'regsvr32' + - 'wmic' condition: selection falsepositives: - Unknown From 8e792f95ab8c916e2cd9d9290984755328042724 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 17:31:38 +0530 Subject: [PATCH 0374/1335] removed regex --- .../sysmon_susp_script_dotnet_clr_dll_load.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index c6c274aad..3a85034dd 100644 --- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml 
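Review bot: The rewritten `TargetFilename|contains` list matches `mshta`, `cscript`, `wscript`, `regsvr32` and `wmic` anywhere in the path, whereas the removed patterns anchored the name directly after `\UsageLogs\`; a profile or folder name containing one of those words now fires the rule. Keep the anchor by prefixing the values, e.g. `- '\UsageLogs\mshta'`, `- '\UsageLogs\cscript'`, and so on. The plain `TargetFilename:` list above it is an exact-match OR that cannot match a full path, but commit 0375 in this series already changes it to `|contains|all`.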
@@ -18,13 +18,13 @@ logsource: detection: selection: Image|endswith: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' ImageLoaded|endswith: - - '*\clr.dll' - - '*\mscoree.dll' - - '*\mscorlib.dll' + - '\clr.dll' + - '\mscoree.dll' + - '\mscorlib.dll' condition: selection falsepositives: - unknown From f123a51d421511c8e55250cc5730de0e85a822fa Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 17:34:01 +0530 Subject: [PATCH 0375/1335] contains all condition --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index aa904e2c7..feea41cf3 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - TargetFilename: + TargetFilename|contains|all: - '\AppData\Local\Microsoft\CLR' - '\UsageLogs\' TargetFilename|contains: From 75ee2e0f47f0468d8a3c0c8e6a516e9893b94962 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 18:10:42 +0530 Subject: [PATCH 0376/1335] Update sysmon_susp_clr_logs.yml --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index feea41cf3..33d165a04 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml 
@@ -5,8 +5,8 @@ references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html date: 2020/10/12 tags: - - attack.execution - - attack.t1059.001 + - attack.execution + - attack.t1059.001 status: experimental author: omkar72, oscd.community logsource: From 23098d042c8b047905de77f14af130e2a8c49c63 Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 18:11:49 +0530 Subject: [PATCH 0377/1335] Update sysmon_susp_clr_logs.yml --- rules/windows/file_event/sysmon_susp_clr_logs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml index 33d165a04..97fa03b0c 100644 --- a/rules/windows/file_event/sysmon_susp_clr_logs.yml +++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml @@ -2,7 +2,7 @@ title: Suspcious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 description: Detects suspicious .NET assembly executions references: - - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html date: 2020/10/12 tags: - attack.execution From 3f932e4252ae8cb08cfc39084309841716257ad1 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 15:51:32 +0300 Subject: [PATCH 0378/1335] #1014 --- .../windows/process_creation/win_susp_Register_cimprovider.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index 92895bb42..17c55b094 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml 
@@ -1,4 +1,4 @@ -title: DLL execution via register-cimprovider.exe +title: DLL Execution Via Register-cimprovider.exe id: a2910908-e86f-4687-aeba-76a5f996e652 status: experimental description: Detects using register-cimprovider.exe to execute arbitrary dll file. From b24bec6c6cae0e63eaabc4f7273ec3907ec566e8 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 15:55:24 +0300 Subject: [PATCH 0379/1335] delete diskshadow --- .../process_creation/win_susp_diskshadow.yml | 26 ------------------- 1 file changed, 26 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_diskshadow.yml diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml deleted file mode 100644 index 19f47b823..000000000 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: Execution via Diskshadow.exe -id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 -status: experimental -description: Detects using Diskshadow.exe to execute arbitrary code in text file -references: - - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -tags: - - attack.execution - - attack.t1218 -author: Ivan Dyachkov, oscd.community -date: 2020/10/07 -logsource: - category: process_creation - product: windows - definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' -detection: - selection: - Image: 'c:\windows\system32\diskshadow.exe' - CommandLine|contains: - - '/s' - condition: selection -fields: - - CommandLine -falsepositives: - - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. -level: high \ No newline at end of file From e50306f549e1310c3785963ac3b4ff211a966a84 Mon Sep 17 00:00:00 2001 
From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:00:08 +0300 Subject: [PATCH 0380/1335] edited --- rules/windows/process_creation/win_susp_diskshadow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 3775fb677..e55ab8ac1 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -23,4 +23,4 @@ fields: - CommandLine falsepositives: - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. -level: high \ No newline at end of file +level: high From d58d55668fc551c804a3c9110b0b7c1fb8f16480 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:00:50 +0300 Subject: [PATCH 0381/1335] fixed tags --- .../windows/process_creation/win_susp_Register_cimprovider.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index 17c55b094..e364cc1f6 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/PhilipTsukerman/status/992021361106268161 - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md tags: - - attack.Defense Evasion + - attack.defense_evasion - attack.t1574 author: Ivan Dyachkov, Yulia Fomina oscd.community date: 2020/10/07 From 2e52cb7f868b9be0868ac35dcd63482d5dac3e64 Mon Sep 17 00:00:00 2001 
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 18:47:25 +0530 Subject: [PATCH 0382/1335] Update sysmon_susp_script_dotnet_clr_dll_load.yml --- .../image_load/sysmon_susp_script_dotnet_clr_dll_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index 3a85034dd..701d372fa 100644 --- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -7,7 +7,7 @@ references: - https://thewover.github.io/Introducing-Donut/ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html author: omkar72, oscd.community -date: 2020/10/10 +date: 2020/10/14 tags: - attack.execution - attack.privilege_escalation From b1aa50ebcda099bed6b87fb08683bdbc9cb1b26e Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Wed, 14 Oct 2020 16:27:46 +0300 Subject: [PATCH 0383/1335] T1059.001 added --- rules/windows/process_creation/win_susp_pester.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml index 7d10550f8..8d3f41734 100644 --- a/rules/windows/process_creation/win_susp_pester.yml +++ b/rules/windows/process_creation/win_susp_pester.yml @@ -9,6 +9,8 @@ date: 2020/10/08 tags: - attack.defense_evasion - attack.t1216 + - attack.execution + - attack.t1059.001 logsource: category: process_creation product: windows From a8d5ddd93d935bad973ae186054fc3dbfae722a9 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:31:00 +0300 Subject: [PATCH 0384/1335] commented tags --- rules/windows/process_creation/win_susp_diskshadow.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index e55ab8ac1..365c5a9e4 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -5,8 +5,8 @@ description: Detects using Diskshadow.exe to execute arbitrary code in text file references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ tags: - - attack.execution - - attack.t1218 +# - attack.execution + # - attack.t1218 author: Ivan Dyachkov, oscd.community date: 2020/10/07 logsource: From f2f72163782ad8cb8cb9b04172e7e29eb5b4475b Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:32:24 +0300 Subject: [PATCH 0385/1335] commented tags --- .../process_creation/win_susp_Register_cimprovider.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index e364cc1f6..0b8215ec8 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml @@ -6,9 +6,9 @@ references: - https://twitter.com/PhilipTsukerman/status/992021361106268161 - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md tags: - - attack.defense_evasion - - attack.t1574 -author: Ivan Dyachkov, Yulia Fomina oscd.community + # - attack.defense_evasion + # - attack.t1574 +author: Ivan Dyachkov, Yulia Fomina, oscd.community date: 2020/10/07 logsource: category: process_creation From f005a74c49b42554019f5a4bfe48ff19919397c0 Mon Sep 17 00:00:00 2001 
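Review bot: Commenting out `- attack.execution` and `- attack.t1218` leaves `tags:` with a null value and drops the ATT&CK mapping instead of correcting it; T1218 belongs to Defense Evasion, so `- attack.defense_evasion` with `- attack.t1218` would likely satisfy whatever check rejected the execution pairing. The register-cimprovider hunk on this same line (0385) does the same with `attack.defense_evasion`/`attack.t1574`, and commits 0386/0387 then comment out `tags:` itself; LOLBAS files register-cimprovider under T1218 as well, if that is what the check wanted. The mixed indentation of the commented lines (`# - attack.execution` at column 0, `  # - attack.t1218` indented) also reads oddly.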
From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:56:10 +0300 Subject: [PATCH 0386/1335] commented tags --- .../windows/process_creation/win_susp_Register_cimprovider.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index 0b8215ec8..65f3c64bc 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml @@ -5,7 +5,7 @@ description: Detects using register-cimprovider.exe to execute arbitrary dll fil references: - https://twitter.com/PhilipTsukerman/status/992021361106268161 - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md -tags: +#tags: # - attack.defense_evasion # - attack.t1574 author: Ivan Dyachkov, Yulia Fomina, oscd.community From 24eb0b92be5fe91c196516f8323182fbd356b0d6 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Wed, 14 Oct 2020 16:56:52 +0300 Subject: [PATCH 0387/1335] commented tags --- rules/windows/process_creation/win_susp_diskshadow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 365c5a9e4..8ba8426a8 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -4,7 +4,7 @@ status: experimental description: Detects using Diskshadow.exe to execute arbitrary code in text file references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -tags: +#tags: # - attack.execution # - attack.t1218 author: Ivan Dyachkov, oscd.community From d0b2c021ce4871fb276e5360e49acd5f74f95e00 Mon Sep 17 00:00:00 2001 
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Wed, 14 Oct 2020 16:57:58 +0300 Subject: [PATCH 0388/1335] attack.t1059.001 try 2 --- rules/windows/process_creation/win_susp_pester.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml index 8d3f41734..41c888d69 100644 --- a/rules/windows/process_creation/win_susp_pester.yml +++ b/rules/windows/process_creation/win_susp_pester.yml @@ -7,10 +7,11 @@ references: author: Julia Fomina, oscd.community date: 2020/10/08 tags: - - attack.defense_evasion - - attack.t1216 - attack.execution - attack.t1059.001 + - attack.t1086 # an old one + - attack.defense_evasion + - attack.t1216 logsource: category: process_creation product: windows From 2e2b2c239392291dbf90535edf4d1ad1b17ae3dc Mon Sep 17 00:00:00 2001 From: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Date: Wed, 14 Oct 2020 19:44:31 +0530 Subject: [PATCH 0389/1335] removed backslash --- .../sysmon_susp_script_dotnet_clr_dll_load.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index 701d372fa..6f267d990 100644 --- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -18,13 +18,13 @@ logsource: detection: selection: Image|endswith: - - '\wscript.exe' - - '\cscript.exe' - - '\mshta.exe' + - 'wscript.exe' + - 'cscript.exe' + - 'mshta.exe' ImageLoaded|endswith: - - '\clr.dll' - - '\mscoree.dll' - - '\mscorlib.dll' + - 'clr.dll' + - 'mscoree.dll' + - 'mscorlib.dll' condition: selection falsepositives: - unknown From 20a54d86b1fb07b6133885baa426db84a03fbfb8 Mon Sep 17 00:00:00 2001 
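Review bot: `- attack.t1086 # an old one` adds a deprecated technique id next to its replacement `attack.t1059.001`; the repository's tag checks may reject revoked ids, and the double mapping is redundant in any case. Drop the `attack.t1086` line and keep the `attack.execution`/`attack.t1059.001` pair.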
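Review bot: Removing the backslash weakens the anchor: `Image|endswith: 'wscript.exe'` now matches any image whose name merely ends in those letters, and `ImageLoaded|endswith: 'clr.dll'` matches any DLL whose name ends in `clr.dll`. The `'\wscript.exe'` form from commit 0374 is the conventional Sigma spelling — in single-quoted YAML the backslash is a plain path separator, not an escape. If a backend mis-renders it, that is a backend fix rather than a rule change.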
From: "S.kiran kumar" Date: Wed, 14 Oct 2020 19:49:39 +0530 Subject: [PATCH 0390/1335] Update silenttrinity_stager_msbuild_activity.yml --- rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index 308474475..95e6cb027 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 3 - ParentImage|endswith: '\msbuild.exe' + ParentImage|endswith: '*\msbuild.exe' condition: selection fields: - ParentImage From a7e5b0ac40302cda987c76e6f0bf149188759e8b Mon Sep 17 00:00:00 2001 From: uchakin <50711155+400notOK@users.noreply.github.com> Date: Wed, 14 Oct 2020 19:06:59 +0300 Subject: [PATCH 0392/1335] Some fixes for rules --- rules/windows/image_load/sysmon_uac_bypass_via_dism.yml | 7 +++++-- ...sysmon_load_undocumented_autoelevated_com_interface.yml | 2 +- rules/windows/registry_event/sysmon_bypass_via_wsreset.yml | 1 - 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml index 08c909af2..7c336fd06 100644 --- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -17,10 +17,13 @@ logsource: product: windows detection: selection: - Image: + Image|endswith: - '\dism.exe' - ImageLoaded: + ImageLoaded|endswith: - '\dismcore.dll' + filter: + ImageLoaded: + - 'C:\Windows\System32\Dism\dismcore.dll' condition: selection falsepositives: - Pentests 
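Review bot: `ParentImage|endswith: '*\msbuild.exe'` mixes an explicit wildcard with the `endswith` modifier, which already supplies one; the value should stay `'\msbuild.exe'`, as commit 0366 in this series already restored it. The rule has now flipped between three spellings in 0363, 0366 and 0390, so the underlying backend issue, if any, should be named in the commit message rather than worked around in the rule.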
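Review bot: The new `filter` selection is never applied — `condition: selection` is unchanged — so the legitimate `C:\Windows\System32\Dism\dismcore.dll` load is still flagged and the filter is dead. Write `condition: selection and not filter`. Sigma matching is case-insensitive, so the mixed-case path in the filter is fine.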
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 6ecb4f6f1..3370443a9 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - CallTrace: '*editionupgrademanagerobj.dll*' + CallTrace|contains: '*editionupgrademanagerobj.dll*' condition: selection fields: - ComputerName diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml index 8ac1fdd55..d20032bda 100644 --- a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml +++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml @@ -5,7 +5,6 @@ description: Unfixed method for UAC bypass from windows 10. WSReset.exe file ass references: - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - https://lolbas-project.github.io/lolbas/Binaries/Wsreset - tags: - attack.defense_evasion - attack.privilege_escalation From 2672b108087f07f9cdc4661b7e533e060b0873dc Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Wed, 14 Oct 2020 15:37:15 -0400 Subject: [PATCH 0393/1335] Some minor restructuring to incorporate the feedback from the oscd team; Some minor restructuring to incorporate the feedback from the oscd team; --- .../powershell_bad_opsec_artifacts.yml | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 99a12e3f3..7f0610f3d 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -18,25 +18,25 @@ logsource: service: powershell definition: 'Script block logging must be enabled' detection: - selection1: + selection_4104: EventID: 4104 - selection2: - - ScriptBlockText|contains: '$DoIt' - - ScriptBlockText|contains: 'harmj0y' - - ScriptBlockText|contains: 'mattifestation' - - ScriptBlockText|contains: '_RastaMouse' - - ScriptBlockText|contains: 'tifkin_' - - ScriptBlockText|contains: '0xdeadbeef' - selection3: + ScriptBlockText|contains: + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' + selection_4104: EventID: 4103 - selection4: - - Payload|contains: '$DoIt' - - Payload|contains: 'harmj0y' - - Payload|contains: 'mattifestation' - - Payload|contains: 'obscuresec' - - Payload|contains: 'tifkin_' - - Payload|contains: '0xdeadbeef' - condition: ( selection1 and selection2 ) or ( selection3 and selection4 ) + Payload|contains: + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - 'obscuresec' + - 'tifkin_' + - '0xdeadbeef' + condition: selection_4104 or selection_4103 falsepositives: - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' level: high From 637065fd97ea3f4be5b5c8ada60c0f04182b7321 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Wed, 14 Oct 2020 15:41:31 -0400 Subject: [PATCH 0394/1335] Some minor updates to address spacing; Some further minor updates to address spacing; --- .../powershell_bad_opsec_artifacts.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 7f0610f3d..c5fcf6c14 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml 
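Review bot: Both detection blocks are named `selection_4104` (the second one, carrying `EventID: 4103`, overwrites the first when the YAML mapping is loaded), and `condition: selection_4104 or selection_4103` references a `selection_4103` that does not exist, so sigmac would reject the rule as an undefined identifier and the 4104 script-block part is silently lost. The second block should read `selection_4103:`; 0394 makes that rename. The two keyword lists also differ (`'_RastaMouse'` in 4104, `'obscuresec'` in 4103); if that is intentional, a one-line comment on each list saying why would stop the next editor from "fixing" it.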
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -20,22 +20,22 @@ logsource: detection: selection_4104: EventID: 4104 - ScriptBlockText|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - '_RastaMouse' - - 'tifkin_' - - '0xdeadbeef' - selection_4104: + ScriptBlockText|contains: + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' + selection_4103: EventID: 4103 Payload|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - 'obscuresec' - - 'tifkin_' - - '0xdeadbeef' + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' condition: selection_4104 or selection_4103 falsepositives: - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' From 8f28c16d6eab59f36edb990a38b2831e7597cf33 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Wed, 14 Oct 2020 15:42:19 -0400 Subject: [PATCH 0395/1335] Some further updates to fix spacing; Some further updates to fix spacing; --- rules/windows/powershell/powershell_bad_opsec_artifacts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index c5fcf6c14..b336d46d2 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -20,7 +20,7 @@ logsource: detection: selection_4104: EventID: 4104 - ScriptBlockText|contains: + ScriptBlockText|contains: - '$DoIt' - 'harmj0y' - 'mattifestation' From 3be21d547800ed5f96eea33f7f743a3f2091963d Mon Sep 17 00:00:00 2001 
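Review bot: Besides the spacing, the hunk changes content: in the `selection_4103` `Payload|contains` list `'obscuresec'` is replaced by `'_RastaMouse'`, so that handle is no longer detected in 4103 module-logging events although this list was the only place it appeared. If the intent is to make both lists identical, add `'_RastaMouse'` and keep `'obscuresec'` in both rather than swapping one for the other. A coverage change hidden in a commit titled "updates to address spacing" is easy to miss in review; it belongs in its own commit or at least in the message.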
From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Wed, 14 Oct 2020 16:55:52 -0400 Subject: [PATCH 0396/1335] Some minor formatting updates; Formatting updates; --- .../powershell_bad_opsec_artifacts.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index b336d46d2..eb2a473e4 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -21,21 +21,21 @@ detection: selection_4104: EventID: 4104 ScriptBlockText|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - '_RastaMouse' - - 'tifkin_' - - '0xdeadbeef' + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' selection_4103: EventID: 4103 Payload|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - '_RastaMouse' - - 'tifkin_' - - '0xdeadbeef' + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' condition: selection_4104 or selection_4103 falsepositives: - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' From df7bd91ffbf2381e9f98b6b1818f3ad60fd3b8b0 Mon Sep 17 00:00:00 2001 From: OpalSec <33176069+OpalSec@users.noreply.github.com> Date: Thu, 15 Oct 2020 17:50:27 +1100 Subject: [PATCH 0397/1335] Create powershell_invoke_obfuscation_clip+.yml --- .../powershell_invoke_obfuscation_clip+.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml new file mode 100644 index 000000000..b6072659b --- /dev/null 
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -0,0 +1,29 @@ +title: Invoke-Obfuscation CLIP+ Launcher +id: 73e67340-0d25-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high \ No newline at end of file From 109fb4f493fc122ea82560885a15da48adc379f5 Mon Sep 17 00:00:00 2001 From: OpalSec <33176069+OpalSec@users.noreply.github.com> Date: Thu, 15 Oct 2020 17:53:16 +1100 Subject: [PATCH 0398/1335] Create win_invoke_obfuscation_clip+_services.yml --- .../win_invoke_obfuscation_clip+_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml new file mode 100644 index 000000000..dad1ab836 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml 
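Review bot: The regex `'.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+'` has an unescaped dot in `(.exe|)`, so it accepts any character before `exe`, and the leading and trailing `.+` add nothing to an unanchored `re` search except one required arbitrary character on each side and extra backtracking on long script blocks; `clip(\.exe)?\s?&&.*clipboard]::\(\s\\\"\{\d\}` expresses the same intent. The identical pattern is copied into win_invoke_obfuscation_clip+_services.yml (0398) and win_invoke_obfuscation_clip+.yml (0399), so all three need the same correction. The file is also committed without a trailing newline.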
@@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation CLIP+ Launcher +id: f7385ee2-0e0c-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 \ No newline at end of file From efe877375347708a1c7cae115d48f35fb928898b Mon Sep 17 00:00:00 2001 From: OpalSec <33176069+OpalSec@users.noreply.github.com> Date: Thu, 15 Oct 2020 17:56:41 +1100 Subject: [PATCH 0399/1335] Create win_invoke_obfuscation_clip+.yml --- .../win_invoke_obfuscation_clip+.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_clip+.yml diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml new file mode 100644 index 000000000..65be1cc7a --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml 
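Review bot: `ImagePath|re:` in the global document is applied to all three log sources, but `ImagePath` is the field of the System 7045 service-install event; to my knowledge Sysmon event 6 (driver loaded) reports the path in `ImageLoaded` and Security 4697 in `ServiceFileName`, so unless the backend field mapping translates `ImagePath` for those sources the second and third documents can never match. Either restrict the rule to 7045 or give each document its own field, and state the requirement in a `definition:` line. The last document is also indented one space deeper than the others (` logsource:` / ` detection:`), which parses but is inconsistent, and the file lacks a trailing newline. The same layout is used in win_invoke_obfuscation_stdin+_services.yml (0400) and win_invoke_obfuscation_var+_services.yml (0411).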
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: b222df08-0e07-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 762840ec259bb6c77c1ef163dbfce4a93f6fc427 Mon Sep 17 00:00:00 2001
From: OpalSec <33176069+OpalSec@users.noreply.github.com>
Date: Thu, 15 Oct 2020 17:59:36 +1100
Subject: [PATCH 0400/1335] Creation of Rules for Task 25 - Invoke-Obfuscation STDIN+ Launcher
---
 ...win_invoke_obfuscation_stdin+_services.yml | 42 +++++++++++++++++++
 .../powershell_invoke_obfuscation_stdin+.yml | 29 +++++++++++++
 .../win_invoke_obfuscation_stdin+.yml | 23 ++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
 create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
 create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
new file mode 100644
index 000000000..2f1d86338
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -0,0 +1,42 @@ +action: global +title: Invoke-Obfuscation STDIN+ Launcher +id: 72862bf2-0eb1-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of stdin to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: 'powershell.+(\$\{?input|noexit)' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml new file mode 100644 index 000000000..0e081caa7 --- /dev/null +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml 
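Review bot: `'powershell.+(\$\{?input|noexit)'` fires on any value that contains `powershell` followed anywhere by `noexit`, and `-NoExit` is a legitimate, widely used interpreter switch (interactive launchers, scheduled scripts), so at `level: high` with `falsepositives: Unknown` the second alternative alone will be noisy. If the STDIN+ launcher always carries both parts, require both, e.g. one selection with `|re: 'powershell.+noexit'` and another with `|re: '\$\{?input'` joined by `and`; if it does not, at least list `-NoExit` use under `falsepositives`. The same pattern is used in powershell_invoke_obfuscation_stdin+.yml and win_invoke_obfuscation_stdin+.yml in this commit, so the same change applies there.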
@@ -0,0 +1,29 @@ +title: Invoke-Obfuscation STDIN+ Launcher +id: 779c8c12-0eb1-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of stdin to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: 'powershell.+(\$\{?input|noexit)' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: 'powershell.+(\$\{?input|noexit)' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml new file mode 100644 index 000000000..dcbc79456 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation STDIN+ Launcher +id: 6c96fc76-0eb1-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of stdin to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - CommandLine|re: 'powershell.+(\$\{?input|noexit)' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file From 688e85aefc47ffde0313b7f85c608a1fe2194586 Mon Sep 17 00:00:00 2001 
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Thu, 15 Oct 2020 10:21:01 +0300 Subject: [PATCH 0401/1335] chertovy testy, prohoditezz --- rules/windows/process_creation/win_susp_pester.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml index 41c888d69..a549111f6 100644 --- a/rules/windows/process_creation/win_susp_pester.yml +++ b/rules/windows/process_creation/win_susp_pester.yml @@ -9,7 +9,6 @@ date: 2020/10/08 tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one - attack.defense_evasion - attack.t1216 logsource: From 5a9c368e9cb571fc00e11096161b2e0592b26c64 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 15 Oct 2020 10:51:15 +0300 Subject: [PATCH 0402/1335] fixed tags, image search --- .../win_susp_Register_cimprovider.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index 65f3c64bc..249e9eea5 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml @@ -5,9 +5,9 @@ description: Detects using register-cimprovider.exe to execute arbitrary dll fil references: - https://twitter.com/PhilipTsukerman/status/992021361106268161 - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md -#tags: - # - attack.defense_evasion - # - attack.t1574 +tags: + - attack.defense_evasion + - attack.t1574 author: Ivan Dyachkov, Yulia Fomina, oscd.community date: 2020/10/07 logsource: 
@@ -16,8 +16,9 @@ logsource: definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: - Image|endswith: - - 'cimprovider.exe' + Image: + - 'c:\windows\system32\register-cimprovider.exe' + - 'c:\windows\syswow64\register-cimprovider.exe' CommandLine|contains|all: - 'register-cimprovider' - '-path' From cf399927e1986547f6f6438dab8068b69e508b6e Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 15 Oct 2020 10:52:54 +0300 Subject: [PATCH 0403/1335] uncommented tags --- rules/windows/process_creation/win_susp_diskshadow.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 8ba8426a8..e55ab8ac1 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -4,9 +4,9 @@ status: experimental description: Detects using Diskshadow.exe to execute arbitrary code in text file references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -#tags: -# - attack.execution - # - attack.t1218 +tags: + - attack.execution + - attack.t1218 author: Ivan Dyachkov, oscd.community date: 2020/10/07 logsource: From 3a3079789a6809d103cb73a92c36374badb0ffd3 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Thu, 15 Oct 2020 11:50:56 +0300 Subject: [PATCH 0404/1335] The author field escape char added --- .../process_creation/win_susp_use_of_vsjitdebugger_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 89382b90c..863a47e5f 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml 
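Review bot: Replacing `Image|endswith` with two exact lowercase paths under `Image:` narrows the rule to a `C:` system drive and the two canonical directories; an installation on another drive letter or a relocated copy of the binary is no longer caught, and exact matching may be case-sensitive on some backends. `Image|endswith: '\register-cimprovider.exe'` (with the leading backslash, which the removed `'cimprovider.exe'` value lacked) keeps the fix of this commit while staying location-independent; 0410/0412 take that approach for diskshadow. The `CommandLine|contains|all` list, which already pins the command line to `register-cimprovider`, continues outside the hunk.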
+++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 tags: - attack.t1218 -author: Agro (@agro_sev) oscd.community +author: 'Agro (@agro_sev)' oscd.community date: 2020/10/14 logsource: category: process_creation From 7269114e5dca621151b7b84df8fe2d25b0760feb Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Thu, 15 Oct 2020 11:52:18 +0300 Subject: [PATCH 0405/1335] The author field escape char added --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 55303d4a7..5590472d5 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -11,7 +11,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: Agro (@agro_sev) oscd.community +author: 'Agro (@agro_sev)' oscd.community date: 2020/10/10 logsource: category: process_creation From 0e8c92a864c76d961eb0e05cd017348275aa1acb Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Thu, 15 Oct 2020 11:54:11 +0300 Subject: [PATCH 0406/1335] The author field escape char added --- rules/windows/process_creation/win_susp_use_of_te_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml index c285a0192..75f31427d 100644 --- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml 
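Review bot: `author: 'Agro (@agro_sev)' oscd.community` is not valid YAML: text after the closing quote on the same line is a parse error, so the whole rule is now rejected on load, which is worse than the unquoted original (a plain scalar starting with `A` was already valid). Quote the entire value, `author: 'Agro (@agro_sev), oscd.community'`. The same line is introduced in 0405 (win_susp_use_of_sqlps_bin.yml), 0406 (win_susp_use_of_te_bin.yml) and 0407 (win_susp_use_of_sqltoolsps_bin.yml).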
@@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ tags: - attack.t1218 -author: Agro (@agro_sev) oscd.community +author: 'Agro (@agro_sev)' oscd.community date: 2020/10/13 logsource: category: process_creation From 0018b66e7da30e91620cd3bbd130adbbffbd5074 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Thu, 15 Oct 2020 11:55:57 +0300 Subject: [PATCH 0407/1335] The author field escape char added --- .../windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index f87a9852e..9091c9a2e 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml @@ -10,7 +10,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: Agro (@agro_sev) oscd.community +author: 'Agro (@agro_sev)' oscd.community date: 2020/10/13 logsource: category: process_creation From 7ca50c94f25c42b26e6b2068ac6fbf4c63c75b9c Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Thu, 15 Oct 2020 12:12:22 +0300 Subject: [PATCH 0408/1335] Reference changed --- rules/windows/other/win_wmi_persistence.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 224be0c8f..346f81b4b 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -9,7 +9,6 @@ modified: 2020/10/13 references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ - - https://attack.mitre.org/techniques/T1546/003/ tags: - attack.persistence - attack.privilege_escalation 
From dd712b0c0e58b9f3876d53bae46ffad282a2513f Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Thu, 15 Oct 2020 12:35:14 +0300 Subject: [PATCH 0409/1335] Updated Reference and Detection --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index b5eedb3e9..17a08139f 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -4,7 +4,7 @@ description: Detects modification of autostart extensibility point (ASEP) in reg status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml - - https://attack.mitre.org/techniques/T1547/001/ + - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns tags: - attack.persistence - attack.t1547.001 @@ -18,8 +18,7 @@ logsource: level: medium detection: selection: - TargetObject|contains: - - '\System\CurrentControlSet\Services' + TargetObject|contains: - '\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms' - '\System\CurrentControlSet\Control\Session Manager\SetupExecute' From f79342cc597b33a2071cb1e5b511e90f25ef88a2 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 15 Oct 2020 13:21:06 +0300 Subject: [PATCH 0410/1335] fixed image search --- rules/windows/process_creation/win_susp_diskshadow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index e55ab8ac1..15f1d93ac 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml 
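Review bot: Dropping `'\System\CurrentControlSet\Services'` from the `TargetObject|contains` list removes coverage of service and driver registrations, the most common ASEP in the list, without a word in the description or `falsepositives`. If it was removed for volume, say so in the rule, e.g. append `; the Services key is deliberately not covered here` to the description, or move it into a separate lower-level rule so the gap is visible. The replaced `TargetObject|contains:` line looks like a whitespace-only change; worth confirming the indentation under `selection:` is unchanged. The list continues outside the hunk.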
+++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -15,7 +15,7 @@ logsource: definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: - Image: 'c:\windows\system32\diskshadow.exe' + Image|endswith: 'diskshadow.exe' CommandLine|contains: - '/s' condition: selection From ffbcb402e3a1e0173982d1ff62a5fa4f78aa32a3 Mon Sep 17 00:00:00 2001 From: OpalSec <33176069+OpalSec@users.noreply.github.com> Date: Thu, 15 Oct 2020 21:36:27 +1100 Subject: [PATCH 0411/1335] Creation of Rules for Task 24 - Invoke-Obfuscation VAR+ Launcher --- .../win_invoke_obfuscation_var+_services.yml | 43 +++++++++++++++++++ .../powershell_invoke_obfuscation_var+.yml | 31 +++++++++++++ .../win_invoke_obfuscation_var+.yml | 24 +++++++++++ 3 files changed, 98 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_var+_services.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_var+.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_var+.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml new file mode 100644 index 000000000..d583e05d3 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml 
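Review bot: `Image|endswith: 'diskshadow.exe'` lacks the leading backslash, so any image whose name ends in that string (e.g. `mydiskshadow.exe`) matches; `'\diskshadow.exe'` anchors it to the file name, which is what 0412 adds two commits later. Moving from the exact `c:\windows\system32\` path to `endswith` is otherwise the right call, as it no longer depends on the drive letter or on case handling of the backend.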
@@ -0,0 +1,43 @@ +action: global +title: Invoke-Obfuscation VAR+ Launcher +id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 +description: Detects Obfuscated use of Environment Variables to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection_1: + - ImagePath|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' + - ImagePath|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + condition: selection and selection_1 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml new file mode 100644 index 000000000..1434326e0 --- /dev/null +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml 
@@ -0,0 +1,31 @@ +title: Invoke-Obfuscation VAR+ Launcher +id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Environment Variables to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + service: powershell +detection: + selection_1: + EventID: 4104 + selection_2: + - ScriptBlockText|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' + - ScriptBlockText|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + selection_3: + EventID: 4103 + selection_4: + - Payload|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' + - Payload|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml new file mode 100644 index 000000000..52422dd0c --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml @@ -0,0 +1,24 @@ +title: Invoke-Obfuscation VAR+ Launcher +id: 27aec9c9-dbb0-4939-8422-1742242471d0 +description: Detects Obfuscated use of Environment Variables to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + - CommandLine|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' + - CommandLine|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file 
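Review bot: `set\s[a-zA-Z]{3,6}=Invoke-Expression` only matches variable names of three to six letters followed by the literal cmdlet name; I cannot confirm from here that the VAR+ launcher always produces exactly that shape, and the `iex` alias resolves to the same cmdlet yet is not covered, so the first pattern is narrower than the second. If the length bound is not a property of the generator, `set\s[a-zA-Z]+=(Invoke-Expression|iex)` is the safer form; case handling of `|re` values is backend-dependent, which is worth a comment. The same two patterns appear in win_invoke_obfuscation_var+.yml and win_invoke_obfuscation_var+_services.yml in this commit.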
From 787c87e032435d868b0d3519fca314744698dd16 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 15 Oct 2020 14:01:30 +0300 Subject: [PATCH 0412/1335] added backslash for image search --- rules/windows/process_creation/win_susp_diskshadow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 15f1d93ac..1e129b19b 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -15,7 +15,7 @@ logsource: definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: - Image|endswith: 'diskshadow.exe' + Image|endswith: '\diskshadow.exe' CommandLine|contains: - '/s' condition: selection From 02d49c091a3aa40743e6151518191f77df831cd7 Mon Sep 17 00:00:00 2001 From: Sander Date: Thu, 15 Oct 2020 14:20:15 +0200 Subject: [PATCH 0413/1335] Created rule regedit export to ads --- .../sysmon/sysmon_regedit_export_to_ads.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_regedit_export_to_ads.yml diff --git a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml new file mode 100644 index 000000000..ac15e6d99 --- /dev/null +++ b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml 
@@ -0,0 +1,25 @@
+title: Exports Registry Key To an Alternate Data Stream
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+status: experimental
+description: Exports the target Registry key and hides it in the specified alternate data stream.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 15
+ Image|endswith: '\regedit.exe'
+ condition: selection
+fieds:
+ - TargetFilename
+falsepositives:
+ - Unknown
+level: high
From ecdb0b49974065385a42fa8abe1a7347e3a37afb Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Thu, 15 Oct 2020 17:51:21 +0530
Subject: [PATCH 0414/1335] adding slashes
---
.../sysmon_susp_script_dotnet_clr_dll_load.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
index 6f267d990..701d372fa 100644
--- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -18,13 +18,13 @@ logsource:
detection:
selection:
Image|endswith:
- - 'wscript.exe'
- - 'cscript.exe'
- - 'mshta.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
ImageLoaded|endswith:
- - 'clr.dll'
- - 'mscoree.dll'
- - 'mscorlib.dll'
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
condition: selection
falsepositives:
- unknown
From b1b77c15ad98fa71eecbd54f81ec17f2c06a991c Mon Sep 17 00:00:00 2001
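Review bot: The new rule binds to `product: windows` / `service: sysmon` with a raw `EventID: 15`, while the other new rules on this page use generic log-source categories (`process_creation`, `registry_event`) that keep a rule portable across backend configs; if the configs in use map Sysmon event 15, `category: create_stream_hash` with the `EventID` line dropped would be the consistent form. `fieds:` on the new side is misspelled (`fields:`); commit 0416 further down corrects it. A one-line comment on the `selection` would also help a reader who does not know event 15, e.g. `# Sysmon 15 = FileCreateStreamHash: regedit.exe writing an NTFS alternate data stream`.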
From: "S.kiran kumar"
Date: Thu, 15 Oct 2020 18:50:24 +0530
Subject: [PATCH 0415/1335] Update silenttrinity_stager_msbuild_activity.yml
---
rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 95e6cb027..0665ba633 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -7,7 +7,6 @@ tags:
- T1127.001
- TA0002
- T1127
- - attack.defense_evasion
status: experimental
author: Kiran kumar s, oscd.community
date: 2020/10/11
From a8b31dfa5e958b8ac43896fd06fa3e0c161ec584 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 15 Oct 2020 15:27:11 +0200
Subject: [PATCH 0416/1335] Fixed field typo
---
rules/windows/sysmon/sysmon_regedit_export_to_ads.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml
index ac15e6d99..bfd3bb138 100644
--- a/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml
+++ b/rules/windows/sysmon/sysmon_regedit_export_to_ads.yml
@@ -18,7 +18,7 @@ detection:
EventID: 15
Image|endswith: '\regedit.exe'
condition: selection
-fieds:
+fields:
- TargetFilename
falsepositives:
- Unknown
From 0cb340a7187e098dc10822bd1089a75ec53c879d Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Thu, 15 Oct 2020 19:00:24 +0530
Subject: [PATCH 0417/1335] Update silenttrinity_stager_msbuild_activity.yml
---
.../windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 0665ba633..eda481733 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -4,9 +4,8 @@ description: Detects a possible remote connections to Silenttrinity c2
references:
- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
tags:
- - T1127.001
- - TA0002
- - T1127
+ - attack.t1127.001
+ - attack.t1127
status: experimental
author: Kiran kumar s, oscd.community
date: 2020/10/11
From 61ded7e0d722dce6e87239be4bd0869f671e68ca Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Thu, 15 Oct 2020 19:22:41 +0530
Subject: [PATCH 0418/1335] Update silenttrinity_stager_msbuild_activity.yml
---
rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index eda481733..857e9ab86 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -1,5 +1,5 @@
title: Silenttrinity Stager Msbuild Activity
-id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+id: c4f2d4b1-ca0f-42e4-9b7b-a69790524fab
description: Detects a possible remote connections to Silenttrinity c2
references:
- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
From 2f843482e39317b7c41f52fd68566272b0100f09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:28:24 +0300
Subject: [PATCH 0419/1335] Adding sysmon_wab_dllpath_reg_change.yml Rule
---
.../sysmon_wab_dllpath_reg_change.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
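Review bot: The replacement tags `attack.t1127.001` and `attack.t1127` carry the technique without its tactic, whereas the removed `TA0002` at least named one and every other rule on this page pairs a technique tag with a tactic tag; T1127 (Trusted Developer Utilities Proxy Execution) sits under Defense Evasion in ATT&CK, so `- attack.defense_evasion` belongs alongside them. Commit 0415 just above removed exactly that tag, so if dropping it was deliberate the reason should be stated in the commit message. The rule's `detection` section is outside this hunk.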
diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
new file mode 100644
index 000000000..50b0b9ba8
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
@@ -0,0 +1,24 @@
+title: Modification of HKLM\Software\Microsoft\WAB\DLLPath
+id: fc014922-5def-4da9-a0fc-28c973f41bfb
+description: Detects modification of HKLM\Software\Microsoft\WAB\DLLPath Registry Key that may indicate an attempt to execute a malicious library through WAB.exe
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
+ - https://twitter.com/Hexacorn/status/991447379864932352
+ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+date: 2020/10/13
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
+ filter:
+ Details: '%CommonProgramFiles%\System\wab32.dll'
+ condition: selection and not filter
+falsepositives: Unknown
+level: high
From be67acd52d19bfe856a56479dbac7fefb4869c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:36:18 +0300
Subject: [PATCH 0420/1335] Adding win_CL_Invocation_LOLScript.yml Rule
---
.../win_CL_Invocation_LOLScript.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
new file mode 100644
index 000000000..d7136f783
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
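Review bot: `falsepositives: Unknown` is written as a bare scalar, while every other rule on this page (and the Sigma convention) gives it as a list, `falsepositives:` followed by `  - Unknown`; tooling that iterates the entries would see a string instead of a list. The same shape recurs in the new rules whose hunks end on L320, L321, L322, L323 and L324. The `filter` is an exact match on `%CommonProgramFiles%\System\wab32.dll`; if that is the stock value, a comment on that line saying so, e.g. `# stock DLLPath value - any other target is suspicious`, would explain why it is excluded.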
@@ -0,0 +1,24 @@
+title: Execution via CL_Invocation.ps1
+id: a0459f02-ac51-4c09-b511-b8c9203fc429
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
+ condition: selection
+falsepositives: Unknown
+level: high
From e8f21bc09440fc00328c41a2d4693e02357c438d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:41:52 +0300
Subject: [PATCH 0421/1335] Adding powershell_CL_Invocation_LOLScript.yml Rule
---
.../powershell_CL_Invocation_LOLScript.yml | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
new file mode 100644
index 000000000..3a97e90fb
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
@@ -0,0 +1,35 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ timeframe: 1m
+ condition:
+ - selection
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe
+ - selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+ # PS > SyncInvoke c:\Evil.exe
+falsepositives: Unknown
+level: high
\ No newline at end of file
From c3c71a74760e47b37501d9de0e29496c76485f03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:51:44 +0300
Subject: [PATCH 0422/1335] Adding win_CL_Mutexverifiers_LOLScript.yml Rule
---
.../win_CL_Mutexverifiers_LOLScript.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 000000000..5893591cb
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
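Review bot: The aggregation `selection2 | count(ScriptBlockText) by Computer > 2` cannot fire on the two-step case the comments beneath it illustrate: an `Import-Module ...CL_Invocation.ps1` block followed by a separate `SyncInvoke ...` block gives two matching (and distinct) script blocks on the host, and `> 2` needs three. `> 1` covers the documented scenario within the 1m `timeframe`: `- selection2 | count(ScriptBlockText) by Computer > 1`. The Mutexverifiers rule in the hunk ending on L323 has the identical threshold and needs the same change. The file also lacks a trailing newline (`\ No newline at end of file`).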
@@ -0,0 +1,24 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 99465c8f-f102-4157-b11c-b0cddd53b79a
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
+ condition: selection
+falsepositives: Unknown
+level: high
\ No newline at end of file
From ef8f5e626fb1b943fc906c50e49d84ec7a69b10d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:55:11 +0300
Subject: [PATCH 0423/1335] Adding powershell_CL_Mutexverifiers_LOLScript.yml Rule
---
...powershell_CL_Mutexverifiers_LOLScript.yml | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 000000000..d39ce280f
--- /dev/null
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,35 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ timeframe: 1m
+ condition:
+ - selection
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe
+ - selection2 | count(ScriptBlockText) by Computer > 2
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+ # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives: Unknown
+level: high
\ No newline at end of file
From aa1824838fb16f8d52d219f6b0ebc3dadcfbfa97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:59:43 +0300
Subject: [PATCH 0424/1335] Adding win_manage-bde_lolbas.yml Rule
---
.../win_manage-bde_lolbas.yml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/windows/process_creation/win_manage-bde_lolbas.yml
diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
new file mode 100644
index 000000000..3dcdeac85
--- /dev/null
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
@@ -0,0 +1,25 @@
+title: Suspicious Usage of the Manage-bde.wsf Script
+id: c363385c-f75d-4753-a108-c1a8e28bdbda
+description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
+ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ - https://twitter.com/bohops/status/980659399495741441
+ - https://twitter.com/JohnLaTwC/status/1223292479270600706
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+date: 2020/10/13
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|contains|all:
+ - 'cscript'
+ - '.manage-bde.wsf'
+ condition: selection
+falsepositives: Unknown
+level: medium
From 1b0d4e546f1158f3b3eb8ba804e9eb83578434c3 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 19:04:22 +0300
Subject: [PATCH 0425/1335] Create powershell_cmdline_special_characters.yml
---
.../powershell_cmdline_special_characters.yml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 rules/windows/powershell/powershell_cmdline_special_characters.yml
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
new file mode 100644
index 000000000..9420909b3
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
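Review bot: The selection key is spelled `Commandline|contains|all:` with a lowercase `l`, while every other process_creation rule on this page uses `CommandLine`; backend field mappings match the name literally, so this key would most likely not be translated and the rule would never match. Change it to `CommandLine|contains|all:`. A short comment stating why both terms are required together, e.g. `# manage-bde.wsf is a script, so it is expected to appear as a cscript argument`, would make the `all` pairing self-explanatory.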
@@ -0,0 +1,28 @@
+title: Suspicious PowerShell Command Line
+id: d7bcd677-645d-4691-a8d4-7a5602b780d1
+description: Detects the PowerShell command lines with special characters "({, [, ‘, ` + …):"
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ CommandLine|re: '.*^.*^.*^.*^.*^.*'
+ CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
From 72162125e9adb97eaf791cffa3d3675fd29af91f Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 15 Oct 2020 18:14:25 +0200
Subject: [PATCH 0426/1335] Created Win Regedit export rules
---
.../win_regedit_export_critical_keys.yml | 36 +++++++++++++++++++
.../win_regedit_export_keys.yml | 36 +++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 rules/windows/process_creation/win_regedit_export_critical_keys.yml
create mode 100644 rules/windows/process_creation/win_regedit_export_keys.yml
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
new file mode 100644
index 000000000..656842570
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
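Review bot: `selection` repeats the key `CommandLine|re:` five times in one mapping; YAML mappings cannot hold duplicate keys, so a loader either rejects the document or keeps only the last entry, silently reducing the rule to the `\+` pattern alone (commit 0430 below restructures this into a list). Separately, the file is created under `rules/windows/powershell/` while its logsource is `category: process_creation`; the other process_creation rules on this page live under `rules/windows/process_creation/`, which is where readers and tooling look for that category, so the file should be moved or the placement explained.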
@@ -0,0 +1,36 @@
+title: Exports Critical Registry Keys To a File
+id: 82880171-b475-4201-b811-e9c826cd5eaa
+status: experimental
+description: Detects the export of a crital Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /E '
+ selection_2:
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ selection_3:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and selection_2 and selection_3
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+level: high
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
new file mode 100644
index 000000000..f40cc2436
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
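Review bot: The tags pair `attack.exfiltration` with `attack.t1012`, but T1012 (Query Registry) is a Discovery technique, so tactic and technique do not agree; for a rule keyed on exporting the SAM, SYSTEM and SECURITY hives, credential access is the closer mapping, e.g. `- attack.credential_access` / `- attack.t1003.002`, and the generic export rule in the next hunk (ending on L327) has the same `exfiltration`/`t1012` pairing where `attack.discovery` would match t1012. Two typos on the new side: `crital` → `critical` in `description`, `purpouse` → `purpose` in `falsepositives`. A comment on `selection_3` noting that regedit's export syntax places the key name last (`regedit /E <out> <key>`), which is why `endswith` is used, would help the next reader.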
@@ -0,0 +1,36 @@
+title: Exports Registry Key To a File
+id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
+status: experimental
+description: Detects the export of the target Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /E '
+ filter_1: # filters to avoid intersection with critical keys rule
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ filter_2:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and not (filter_1 and filter_2)
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate export of keys
+level: low
From 0c718d5ce7c3af0e0d8feb5445f96efe2322fe04 Mon Sep 17 00:00:00 2001
From: Sander
Date: Thu, 15 Oct 2020 18:14:56 +0200
Subject: [PATCH 0427/1335] Created Win Regedit import rules
---
.../win_regedit_import_keys.yml | 35 +++++++++++++++++++
.../win_regedit_import_keys_ads.yml | 35 +++++++++++++++++++
2 files changed, 70 insertions(+)
create mode 100644 rules/windows/process_creation/win_regedit_import_keys.yml
create mode 100644 rules/windows/process_creation/win_regedit_import_keys_ads.yml
diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
new file mode 100644
index 000000000..176da7f72
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
new file mode 100644
index 000000000..2d347763a
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
From 26af11985a73e03365282ba5b1279c0e6bc886d2 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Thu, 15 Oct 2020 21:50:34 +0530
Subject: [PATCH 0428/1335] Update silenttrinity_stager_msbuild_activity.yml
---
.../windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 857e9ab86..c01972ae7 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -1,11 +1,8 @@
title: Silenttrinity Stager Msbuild Activity
-id: c4f2d4b1-ca0f-42e4-9b7b-a69790524fab
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
description: Detects a possible remote connections to Silenttrinity c2
references:
- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
-tags:
- - attack.t1127.001
- - attack.t1127
status: experimental
author: Kiran kumar s, oscd.community
date: 2020/10/11
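Review bot: `description` reads "the import of a alternate datastream"; it should read "an alternate data stream" to match the title. The `selection_2` regex `':[^ \\]'` carries its intent implicitly: in a single-quoted YAML scalar both backslashes reach the engine, so it matches a colon followed by anything other than a space or backslash (`file.reg:stream`) and skips drive prefixes like `C:\`. A comment on that line such as `# colon not followed by space/backslash: file:stream, not a drive letter`, mirroring the one on `filter_2` in the previous hunk, would spare the next reader the decoding.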
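Review bot: The `id` line reverts to `50e54b8d-ad73-43f8-96a1-5191685b17a4`, the value that commit 0418 above replaced with a fresh UUID; if 0418 was resolving a duplicate id against another rule, this hunk reintroduces the collision, and neither commit message says why the id moved. Please state the reason in the message or keep the newer id. Removing the `tags` block also leaves the rule with no ATT&CK mapping at all, which every other rule on this page carries. The rest of the file is outside this hunk.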
From 9a9c189de7a61c27f60641baa4d456690492a1ba Mon Sep 17 00:00:00 2001
From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com>
Date: Thu, 15 Oct 2020 19:26:38 +0300
Subject: [PATCH 0429/1335] Removed Duplicated Keys
---
.../registry_event/sysmon_asep_reg_keys_modification.yml | 7 -------
1 file changed, 7 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 17a08139f..17156dd59 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -36,8 +36,6 @@ detection:
- '\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages'
- '\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath'
- '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
- '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects'
- '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
@@ -85,8 +83,6 @@ detection:
- '\Software\Policies\Microsoft\Windows\System\Scripts\Logon'
- '\Software\Policies\Microsoft\Windows\System\Scripts\Logoff'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
- - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
- - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
@@ -111,9 +107,6 @@ detection:
- '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells'
- '\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls'
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx'
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce'
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
- '\Software\Microsoft\Windows NT\CurrentVersion\Drivers32'
From fa7036430e034d4b91bfe9e28300542e6f012afb Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 19:39:24 +0300
Subject: [PATCH 0430/1335] Update powershell_cmdline_special_characters.yml
---
.../powershell_cmdline_special_characters.yml | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 9420909b3..7db7e2be8 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -17,11 +17,12 @@ logsource:
detection:
selection:
Image|endswith: '\powershell.exe'
- CommandLine|re: '.*`.*`.*`.*`.*`.*'
- CommandLine|re: '.*^.*^.*^.*^.*^.*'
- CommandLine|re: '.*{.*{.*{.*{.*{.*'
- CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
- CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ CommandLine|re:
+ - '.*`.*`.*`.*`.*`.*'
+ - '.*^.*^.*^.*^.*^.*'
+ - '.*{.*{.*{.*{.*{.*'
+ - '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ - '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
condition: selection
falsepositives:
- Unlikely
From 1838aac682c4d922efc1eb714802ef5c26f4e8f7 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 20:04:49 +0300
Subject: [PATCH 0432/1335] Update powershell_cmdline_special_characters.yml
---
.../powershell_cmdline_special_characters.yml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 7db7e2be8..732eb91b7 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -1,6 +1,6 @@
title: Suspicious PowerShell Command Line
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
-description: Detects the PowerShell command lines with special characters "({, [, ‘, ` + …):"
+description: Detects the PowerShell command lines with special characters ({, [, ‘, ` + …):
status: experimental
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
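Review bot: Turning the five patterns into a list resolves the duplicate-key problem, but the list still carries `'.*{.*{.*{.*{.*{.*'` with unescaped braces, which some regex engines (Java-based ones, for instance) reject as an illegal repetition, and the ten-brace `\{` pattern beneath it can never contribute a match because any command line with ten braces already satisfies the five-brace pattern in the same OR list; keep a single escaped pattern, `- '.*\{.*\{.*\{.*\{.*\{.*'`, and drop the ten-brace line. The leading and trailing `.*` on every entry are redundant for an unanchored search in most backends. The same list is carried forward unchanged by the hunks of commits 0432, 0434 and 0435 below.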
@@ -16,14 +16,14 @@ logsource:
product: windows
detection:
selection:
+ - CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ - CommandLine|re: '.*^.*^.*^.*^.*^.*'
+ - CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ filter:
Image|endswith: '\powershell.exe'
- CommandLine|re:
- - '.*`.*`.*`.*`.*`.*'
- - '.*^.*^.*^.*^.*^.*'
- - '.*{.*{.*{.*{.*{.*'
- - '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
- - '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
- condition: selection
+ condition: selection and filter
falsepositives:
- Unlikely
level: high
From d27574ce083ec39b4965aefa81a0e6f1723aac1d Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 20:07:59 +0300
Subject: [PATCH 0433/1335] Update powershell_cmdline_special_characters.yml
---
.../powershell/powershell_cmdline_special_characters.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 732eb91b7..c0258fef5 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -1,6 +1,6 @@
title: Suspicious PowerShell Command Line
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
-description: Detects the PowerShell command lines with special characters ({, [, ‘, ` + …):
+description: Detects the PowerShell command lines with special characters
status: experimental
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
From 2657a0219cf8d8a15088e9dbc58530ed84f79a31 Mon Sep 17 00:00:00 2001
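Review bot: The selection named `filter` is used positively in `condition: selection and filter`, whereas everywhere else on this page (`sysmon_wab_dllpath_reg_change.yml`, `win_regedit_export_keys.yml`, `win_regedit_import_keys.yml`, `win_admin_share_access.yml`) `filter` denotes an exclusion applied with `and not`; a reader skimming conditions will misread this one as an exclusion. Name it for what it is, e.g. `selection_img:` / `condition: selection_img and selection`. The enclosing `detection` block begins above this hunk.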
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 20:33:56 +0300
Subject: [PATCH 0434/1335] Update powershell_cmdline_special_characters.yml
---
.../windows/powershell/powershell_cmdline_special_characters.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index c0258fef5..65ca59a52 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
- - CommandLine|re: '.*`.*`.*`.*`.*`.*'
- CommandLine|re: '.*^.*^.*^.*^.*^.*'
- CommandLine|re: '.*{.*{.*{.*{.*{.*'
- CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
From ea1a288cc8efb8c6f7637a287cf80b628347b0cf Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 20:55:12 +0300
Subject: [PATCH 0435/1335] Update powershell_cmdline_special_characters.yml
---
.../windows/powershell/powershell_cmdline_special_characters.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 65ca59a52..7741ca4ec 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -16,7 +16,6 @@ logsource:
product: windows
detection:
selection:
- - CommandLine|re: '.*^.*^.*^.*^.*^.*'
- CommandLine|re: '.*{.*{.*{.*{.*{.*'
- CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
- CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
From 17e7eee3a6bb856bc638cd34c5d250b73f153c9a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 14:57:14 -0300
Subject: [PATCH 0436/1335] Revert "Changed the rule to download only and not the copy" This reverts commit 1324bc1ad14e1caa1a9ca0d6873de20b44a6baee.
---
rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml
index 9dbdb1e21..d530fec79 100644
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml
@@ -1,6 +1,6 @@
title: Ingress Tool Transfer Using Replace.exe
id: 6ccf0c00-1061-4195-a724-6d9c0058b036
-description: Detect Download operations using Replace.exe.
+description: Detect Copy and Download operations using Replace.exe.
status: experimental
references:
- https://lolbas-project.github.io/lolbas/Binaries/Replace
@@ -16,10 +16,10 @@ detection:
selection:
Image|endswith:
- '\replace.exe'
- CommandLine|contains|all:
+ CommandLine|contains:
- "\\\\\\\\"
- "/A"
condition: selection
falsepositives:
- - Legitimate use of the binary to download files from a share
+ - Legitimate use of the binary
level: low
From fdd9234acc0a4d3d30c270b14ce3381ef5653e55 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 14:57:18 -0300
Subject: [PATCH 0437/1335] Revert "Create win_susp_replace_lolbin.yml" This reverts commit e6a65496768a460d32de0b7d9742ce969fb4ea5d.
---
.../win_susp_replace_lolbin.yml | 25 -------------------
1 file changed, 25 deletions(-)
delete mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml
diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml
deleted file mode 100644
index d530fec79..000000000
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Ingress Tool Transfer Using Replace.exe
-id: 6ccf0c00-1061-4195-a724-6d9c0058b036
-description: Detect Copy and Download operations using Replace.exe.
-status: experimental
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Replace
-author: Jonhnathan Ribeiro, oscd.community
-date: 2020/10/07
-tags:
- - attack.command_and_control
- - attack.t1105
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\replace.exe'
- CommandLine|contains:
- - "\\\\\\\\"
- - "/A"
- condition: selection
-falsepositives:
- - Legitimate use of the binary
-level: low
From 9c7a23e432345c6fab2f441c9b140f62670e0e3d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:01:31 -0300
Subject: [PATCH 0438/1335] Update win_account_discovery.yml
Getting rid of '*' use
---
 .../windows/builtin/win_account_discovery.yml | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml
index d7d9b1ce6..2945d8881 100644
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@@ -21,17 +21,18 @@ detection:
 ObjectType:
 - 'SAM_USER'
 - 'SAM_GROUP'
- ObjectName:
- - '*-512'
- - '*-502'
- - '*-500'
- - '*-505'
- - '*-519'
- - '*-520'
- - '*-544'
- - '*-551'
- - '*-555'
- - '*admin*'
+ ObjectName|endswith:
+ - '-512'
+ - '-502'
+ - '-500'
+ - '-505'
+ - '-519'
+ - '-520'
+ - '-544'
+ - '-551'
+ - '-555'
+ ObjectName|contains:
+ - 'admin'
 condition: selection
 falsepositives:
 - if source account name is not an admin then its super suspicious
From 085dc21d25e80a73d50858b3ba01155ba9d4a214 Mon Sep 17 00:00:00 2001
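Review bot: In the win_account_discovery hunk, putting `ObjectName|endswith` and `ObjectName|contains` side by side in the same `selection` map turns the old OR list into an AND: Sigma conjoins the field conditions of one selection, so an event now has to end with one of the listed RIDs and contain `admin`, whereas the removed wildcard list matched either. The `admin` keyword needs its own selection, e.g. `selection_admin:` holding `ObjectName|contains: 'admin'`, with the RID list in a sibling `selection_rid:` and the condition changed to `condition: selection and 1 of selection_*` (the `selection:` key itself sits above this hunk). The win_dcsync hunk further down has the same defect in `filter2`: `SubjectUserName|startswith` and `SubjectUserName|endswith` in one map now both have to hold, so machine accounts ending in `$` that do not start with `NT AUTHORITY`/`MSOL_` are no longer filtered out and the trailing-`$` exclusion effectively disappears; moving the `|endswith` entry into a `filter3` and appending `and not filter3` to that condition restores the original semantics.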
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:02:40 -0300
Subject: [PATCH 0439/1335] Update win_admin_rdp_login.yml
Getting rid of '*' use
---
 rules/windows/builtin/win_admin_rdp_login.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index c276804b0..99aa6af16 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -23,7 +23,7 @@ detection:
 EventID: 4624
 LogonType: 10
 AuthenticationPackageName: Negotiate
- AccountName: 'Admin-*'
+ AccountName|startswith: 'Admin-'
 condition: selection
 falsepositives:
 - Legitimate administrative activity
From 1c06c9e16677840e9fa895ed1c0fa1d18b5342f2 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:03:31 -0300
Subject: [PATCH 0440/1335] Update win_admin_share_access.yml
Getting rid of '*' use
---
 rules/windows/builtin/win_admin_share_access.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 22919f3bc..33ea11512 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 5140
 ShareName: Admin$
 filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
 condition: selection and not filter
 falsepositives:
 - Legitimate administrative activity
From 5765573907445fa88d7f70a42fa9c1af9fcb0ffe Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:04:08 -0300
Subject: [PATCH 0441/1335] Update win_alert_active_directory_user_control.yml
Getting rid of '*' use
---
 .../builtin/win_alert_active_directory_user_control.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 882bda89c..078f02eb0 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -17,8 +17,8 @@ detection:
 selection:
 EventID: 4704
 keywords:
- Message:
- - '*SeEnableDelegationPrivilege*'
+ Message|contains:
+ - 'SeEnableDelegationPrivilege'
 condition: all of them
 falsepositives:
 - Unknown
From 4aa96a2ac9e32b3a0f34ad5398f7bcc84c439cd7 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:05:49 -0300
Subject: [PATCH 0442/1335] Update win_alert_enable_weak_encryption.yml
---
 .../builtin/win_alert_enable_weak_encryption.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index ad1a2174c..c0904ce53 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -18,13 +18,13 @@ detection:
 selection:
 EventID: 4738
 keywords:
- Message:
- - '*DES*'
- - '*Preauth*'
- - '*Encrypted*'
+ Message|contains:
+ - 'DES'
+ - 'Preauth'
+ - 'Encrypted'
 filters:
- Message:
- - '*Enabled*'
+ Message|contains:
+ - 'Enabled'
 condition: selection and keywords and filters
 falsepositives:
 - Unknown
From 79c2b8d570950d4f38b89a725fabf454c2b7086c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:07:16 -0300
Subject: [PATCH 0443/1335] Update win_GPO_scheduledtasks.yml
Getting rid of '*' use
---
 rules/windows/builtin/win_GPO_scheduledtasks.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index b44e64c24..cd9f525aa 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -19,8 +19,8 @@ detection:
 selection:
 EventID: 5145
 ShareName: \\*\SYSVOL
- RelativeTargetName: '*ScheduledTasks.xml'
- Accesses: '*WriteData*'
+ RelativeTargetName|endswith: 'ScheduledTasks.xml'
+ Accesses|contains: 'WriteData'
 condition: selection
 falsepositives:
 - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
From 26b442ec48a30c163f5e9e97bab8f80a178f42e4 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:09:35 -0300
Subject: [PATCH 0444/1335] Update win_alert_lsass_access.yml
Getting rid of '*' use
---
 rules/windows/builtin/win_alert_lsass_access.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index 3c6ec77fc..a2cddf48a 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 1121
- Path: '*\lsass.exe'
+ Path|endswith: '\lsass.exe'
 condition: selection
 falsepositives:
 - Google Chrome GoogleUpdate.exe
From 02a1ab40333435745886e972a9993e873dbebad3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:11:10 -0300
Subject: [PATCH 0445/1335] Update win_alert_mimikatz_keywords.yml
---
 .../builtin/win_alert_mimikatz_keywords.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 34f43994a..1280bd767 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -19,17 +19,17 @@ logsource:
 product: windows
 detection:
 keywords:
- Message:
- - "* mimikatz *"
- - "* mimilib *"
- - "* <3 eo.oe *"
- - "* eo.oe.kiwi *"
- - "* privilege::debug *"
- - "* sekurlsa::logonpasswords *"
- - "* lsadump::sam *"
- - "* mimidrv.sys *"
- - "* p::d *"
- - "* s::l *"
+ Message|contains:
+ - "mimikatz"
+ - "mimilib"
+ - "<3 eo.oe"
+ - "eo.oe.kiwi"
+ - "privilege::debug"
+ - "sekurlsa::logonpasswords"
+ - "lsadump::sam"
+ - "mimidrv.sys"
+ - " p::d "
+ - " s::l "
 condition: keywords
 falsepositives:
 - Naughty administrators
From 44735049b62fc32287a2f6753933a6473204235f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:14:27 -0300
Subject: [PATCH 0446/1335] Update win_apt_stonedrill.yml
---
 rules/windows/builtin/win_apt_stonedrill.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 4d07c3077..1d61e8bfe 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -17,7 +17,7 @@ detection:
 selection:
 EventID: 7045
 ServiceName: NtsSrv
- ServiceFileName: '* LocalService'
+ ServiceFileName|endswith: ' LocalService'
 condition: selection
 falsepositives:
 - Unlikely
From b55562832190a96bd6211d36e8d76251e4336b5e Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:15:01 -0300
Subject: [PATCH 0447/1335] Update win_atsvc_task.yml
---
 rules/windows/builtin/win_atsvc_task.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index 037db2528..c0f68564f 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -21,7 +21,7 @@ detection:
 EventID: 5145
 ShareName: \\*\IPC$
 RelativeTargetName: atsvc
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
 condition: selection
 falsepositives:
 - pentesting
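Review bot: In the win_alert_mimikatz_keywords hunk, dropping the surrounding spaces from the first eight entries (`"* mimikatz *"` becoming `"mimikatz"`) does more than remove wildcards: the old patterns required the token to stand alone between spaces, while `Message|contains: "mimikatz"` matches it as a substring of any longer word, so the false-positive profile of this high-signal rule changes silently. The last two entries, `" p::d "` and `" s::l "`, keep their spaces, so the list is now inconsistent with itself. Keeping the spaces on every entry, e.g. `- " mimikatz "`, is the exact equivalent of the removed lines; if the broader match is intended, saying so in the commit message and revisiting `falsepositives` would make that deliberate.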
From 777e49b76c700f9fd8817cbe2f08a0b6079e82d2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 15:17:33 -0300 Subject: [PATCH 0448/1335] Update win_av_relevant_match.yml --- .../windows/builtin/win_av_relevant_match.yml | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index 360f9a1b0..4a2c35ebc 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -8,32 +8,32 @@ logsource: service: application detection: keywords: - Message: - - "*HTool*" - - "*Hacktool*" - - "*ASP/Backdoor*" - - "*JSP/Backdoor*" - - "*PHP/Backdoor*" - - "*Backdoor.ASP*" - - "*Backdoor.JSP*" - - "*Backdoor.PHP*" - - "*Webshell*" - - "*Portscan*" - - "*Mimikatz*" - - "*WinCred*" - - "*PlugX*" - - "*Korplug*" - - "*Pwdump*" - - "*Chopper*" - - "*WmiExec*" - - "*Xscan*" - - "*Clearlog*" - - "*ASPXSpy*" - filters: - Message: - - "*Keygen*" - - "*Crack*" - condition: keywords and not 1 of filters + Message|contains: + - "HTool" + - "Hacktool" + - "ASP/Backdoor" + - "JSP/Backdoor" + - "PHP/Backdoor" + - "Backdoor.ASP" + - "Backdoor.JSP" + - "Backdoor.PHP" + - "Webshell" + - "Portscan" + - "Mimikatz" + - "WinCred" + - "PlugX" + - "Korplug" + - "Pwdump" + - "Chopper" + - "WmiExec" + - "Xscan" + - "Clearlog" + - "ASPXSpy" + filter: + Message|contains: + - "Keygen" + - "Crack" + condition: keywords and not filter falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools level: high From e5789a2a52e04b5432e861d2f5498118000bf953 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 15:19:18 -0300 Subject: [PATCH 0449/1335] Update win_dcsync.yml --- rules/windows/builtin/win_dcsync.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index cfe2bd114..b84c54531 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -19,16 +19,17 @@ logsource:
 detection:
 selection:
 EventID: 4662
- Properties:
- - '*Replicating Directory Changes All*'
- - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ Properties|contains:
+ - 'Replicating Directory Changes All'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
 filter1:
 SubjectDomainName: 'Window Manager'
 filter2:
- SubjectUserName:
- - 'NT AUTHORITY*'
- - '*$'
- - 'MSOL_*'
+ SubjectUserName|startswith:
+ - 'NT AUTHORITY'
+ - 'MSOL_'
+ SubjectUserName|endswith:
+ - '$'
 condition: selection and not filter1 and not filter2
 falsepositives:
 - Valid DC Sync that is not covered by the filters; please report
From 9bfd63ec266717c37133742161d31f7118ffb70d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:20:08 -0300
Subject: [PATCH 0450/1335] Update win_hack_smbexec.yml
---
 rules/windows/builtin/win_hack_smbexec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index 0140cbe32..9a1d9139f 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -20,7 +20,7 @@ detection:
 service_installation:
 EventID: 7045
 ServiceName: 'BTOBTO'
- ServiceFileName: '*\execute.bat'
+ ServiceFileName|endswith: '\execute.bat'
 condition: service_installation
 fields:
 - ServiceName
From b10332dde88071651b2ff9aed52a897efc5bb8c8 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 21:31:24 +0300
Subject: [PATCH 0451/1335] Update powershell_cmdline_special_characters.yml
---
 .../windows/powershell/powershell_cmdline_special_characters.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 7741ca4ec..319d5175f 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -16,7 +16,6 @@ logsource:
 product: windows
 detection:
 selection:
- - CommandLine|re: '.*{.*{.*{.*{.*{.*'
 - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
 - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
 filter:
From 8f3542a73ea55d24b63d0fff0cd01bd1c170a81f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:41:13 -0300
Subject: [PATCH 0452/1335] Update win_mal_wceaux_dll.yml
---
 rules/windows/builtin/win_mal_wceaux_dll.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index df16fe303..e188aa447 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -21,7 +21,7 @@ detection:
 - 4658
 - 4660
 - 4663
- ObjectName: '*\wceaux.dll'
+ ObjectName|endswith: '\wceaux.dll'
 condition: selection
 falsepositives:
 - Penetration testing
From 82617377288c6aaa5cc5568cb0f0eb1c92466341 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:42:07 -0300
Subject: [PATCH 0453/1335] Update win_mmc20_lateral_movement.yml
---
 rules/windows/builtin/win_mmc20_lateral_movement.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
index 31b971d24..15fbbaec0 100644
--- a/rules/windows/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -16,9 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mmc.exe'
- CommandLine: '*-Embedding*'
+ ParentImage|endswith: '\svchost.exe'
+ Image|endswith: '\mmc.exe'
+ CommandLine|endswith: '-Embedding*'
 condition: selection
 falsepositives:
 - Unlikely
From 6961ee498639165a406425d3ada7689b4b663f9d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:44:24 -0300
Subject: [PATCH 0454/1335] Update win_net_ntlm_downgrade.yml
---
 rules/windows/builtin/win_net_ntlm_downgrade.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index be83d333a..c4010daaf 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -24,10 +24,10 @@ logsource:
 detection:
 selection1:
 EventID: 13
- TargetObject:
- - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
- - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
+ TargetObject|endswith:
+ - 'SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+ - 'SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
+ - 'SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
From e089118718e473ca674b395ba34b8a65812bba61 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:45:55 -0300
Subject: [PATCH 0455/1335] Update win_possible_dc_shadow.yml
---
 rules/windows/builtin/win_possible_dc_shadow.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
index f227cd538..280873fed 100644
--- a/rules/windows/builtin/win_possible_dc_shadow.yml
+++ b/rules/windows/builtin/win_possible_dc_shadow.yml
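Review bot: In the win_mmc20_lateral_movement hunk, `CommandLine|endswith: '-Embedding*'` is the wrong modifier for the removed `'*-Embedding*'` and still carries a trailing `*`, which is exactly what this series sets out to remove; whether that leftover asterisk is treated as a wildcard or escaped now depends on the backend, and `endswith` in any case no longer says "anywhere in the command line". The one-line equivalent of the old pattern is `CommandLine|contains: '-Embedding'`. The `ParentImage` and `Image` lines in the same hunk are converted correctly.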
@@ -18,11 +18,11 @@ logsource:
 detection:
 selection1:
 EventID: 4742
- ServicePrincipalNames: '*GC/*'
+ ServicePrincipalNames|contains: 'GC/'
 selection2:
 EventID: 5136
 LDAPDisplayName: servicePrincipalName
- Value: 'GC/*'
+ Value|startswith: 'GC/'
 condition: selection1 OR selection2
 falsepositives:
 - Exclude known DCs
From 1eb0ccbf14e4d03ebabedf71c0ab88883a72b358 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:48:36 -0300
Subject: [PATCH 0456/1335] Update win_susp_local_anon_logon_created.yml
---
 rules/windows/builtin/win_susp_local_anon_logon_created.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
index 2c8e93217..cb631d803 100644
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
 selection:
 EventID: 4720
- SAMAccountName: '*ANONYMOUS*LOGON*'
+ SAMAccountName|contains: 'ANONYMOUS*LOGON'
 condition: selection
 falsepositives:
 - Unknown
From 7419396351ad376749365af7744018238309feee Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:49:26 -0300
Subject: [PATCH 0457/1335] Update win_susp_mshta_execution.yml
---
 .../builtin/win_susp_mshta_execution.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index 83b26c58d..adf95f8cd 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -22,15 +22,15 @@ falsepositives:
 level: high
 detection:
 selection1:
- Image: '*\mshta.exe'
- CommandLine:
- - '*vbscript*'
- - '*.jpg*'
- - '*.png*'
- - '*.lnk*'
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains:
+ - 'vbscript'
+ - '.jpg'
+ - '.png'
+ - '.lnk'
 # - '*.chm*' # could be prone to false positives
- - '*.xls*'
- - '*.doc*'
- - '*.zip*'
+ - '.xls'
+ - '.doc'
+ - '.zip'
 condition: selection1
From c310d72e2b462d27db27bb0a892f94cf37500bbd Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:49:39 -0300
Subject: [PATCH 0458/1335] Update win_susp_mshta_execution.yml
---
 rules/windows/builtin/win_susp_mshta_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index adf95f8cd..cac81fb5b 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -28,7 +28,7 @@ detection:
 - '.jpg'
 - '.png'
 - '.lnk'
- # - '*.chm*' # could be prone to false positives
+ # - '.chm' # could be prone to false positives
 - '.xls'
 - '.doc'
 - '.zip'
From 9b8817f489867a77355feacb22a32b447d3b48ee Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:50:01 -0300
Subject: [PATCH 0459/1335] Update win_susp_msmpeng_crash.yml
---
 rules/windows/builtin/win_susp_msmpeng_crash.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index a33b52842..ad62efc82 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -23,9 +23,9 @@ detection:
 Source: 'Windows Error Reporting'
 EventID: 1001
 keywords:
- Message:
- - '*MsMpEng.exe*'
- - '*mpengine.dll*'
+ Message|contains:
+ - 'MsMpEng.exe'
+ - 'mpengine.dll'
 condition: 1 of selection* and all of keywords
 falsepositives:
 - MsMpEng.exe can crash when C:\ is full
From dae1f3fa7142ebc9b9a3b8a46d4656e65d4417b3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:50:44 -0300
Subject: [PATCH 0460/1335] Update win_susp_ntlm_rdp.yml
---
 rules/windows/builtin/win_susp_ntlm_rdp.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml
index bed9e568a..96e1d00a8 100644
--- a/rules/windows/builtin/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 EventID: 8001
- TargetName: TERMSRV*
+ TargetName|startswith: TERMSRV
 condition: selection
 fields:
 - Computer
From 054255fb175d2f3d1fab162948ec23976513ffdd Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:51:16 -0300
Subject: [PATCH 0461/1335] Update win_susp_psexec.yml
---
 rules/windows/builtin/win_susp_psexec.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 84d8da0e7..f64f235f7 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -17,14 +17,14 @@ detection:
 selection1:
 EventID: 5145
 ShareName: \\*\IPC$
- RelativeTargetName:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ RelativeTargetName|endswith:
+ - '-stdin'
+ - '-stdout'
+ - '-stderr'
 selection2:
 EventID: 5145
 ShareName: \\*\IPC$
- RelativeTargetName: 'PSEXESVC*'
+ RelativeTargetName|startswith: 'PSEXESVC'
 condition: selection1 and not selection2
 falsepositives:
 - nothing observed so far
From 43a56b67599f1d8c4ca7e489688db3f1babae6ee Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:51:57 -0300
Subject: [PATCH 0462/1335] Update win_susp_raccess_sensitive_fext.yml
---
 .../win_susp_raccess_sensitive_fext.yml | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index 16114b2be..66caa1f78 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -14,19 +14,19 @@ detection:
 selection:
 EventID:
 - 5145
- RelativeTargetName:
- - '*.pst'
- - '*.ost'
- - '*.msg'
- - '*.nst'
- - '*.oab'
- - '*.edb'
- - '*.nsf'
- - '*.bak'
- - '*.dmp'
- - '*.kirbi'
- - '*\groups.xml'
- - '*.rdp'
+ RelativeTargetName|endswith:
+ - '.pst'
+ - '.ost'
+ - '.msg'
+ - '.nst'
+ - '.oab'
+ - '.edb'
+ - '.nsf'
+ - '.bak'
+ - '.dmp'
+ - '.kirbi'
+ - '\groups.xml'
+ - '.rdp'
 condition: selection
 fields:
 - ComputerName
From 754e67c0d96d82d4ee194620f57580995124a419 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:52:48 -0300
Subject: [PATCH 0463/1335] Update win_susp_rc4_kerberos.yml
---
 rules/windows/builtin/win_susp_rc4_kerberos.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 41a25dc72..496ed1524 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -20,7 +20,7 @@ detection:
 TicketOptions: '0x40810000'
 TicketEncryptionType: '0x17'
 reduction:
- - ServiceName: '$*'
+ - ServiceName|startswith: '$'
 condition: selection and not reduction
 falsepositives:
 - Service accounts used on legacy systems (e.g. NetApp)
From 600c7057b137a41322bbabdc2d78fcf4f464fe49 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:53:26 -0300
Subject: [PATCH 0464/1335] Update win_susp_sam_dump.yml
---
 rules/windows/builtin/win_susp_sam_dump.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 7c0894b6b..19d97f8e2 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -15,8 +15,8 @@ logsource:
 detection:
 selection:
 EventID: 16
- Message:
- - '*\AppData\Local\Temp\SAM-*.dmp *'
+ Message|contains:
+ - '\AppData\Local\Temp\SAM-*.dmp'
 condition: selection
 falsepositives:
 - Penetration testing
From 496cfcb26ac7032d04395c4ccf9391640aefe1e5 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:53:51 -0300
Subject: [PATCH 0465/1335] Update win_susp_sdelete.yml
---
 rules/windows/builtin/win_susp_sdelete.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5bb8bd700..558a109e1 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -28,9 +28,9 @@ detection:
 - 4656
 - 4663
 - 4658
- ObjectName:
- - '*.AAA'
- - '*.ZZZ'
+ ObjectName|endswith:
+ - '.AAA'
+ - '.ZZZ'
 condition: selection
 falsepositives:
 - Legitime usage of SDelete
From d96bd0d9f397de2f3dbcdf1de196af5f84ee154c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:54:21 -0300
Subject: [PATCH 0466/1335] Update win_susp_wmi_login.yml
---
 rules/windows/builtin/win_susp_wmi_login.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index e9627a54e..cf0bad0c5 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 EventID: 4624
- ProcessName: "*\\WmiPrvSE.exe"
+ ProcessName|endswith: "\\WmiPrvSE.exe"
 condition: selection
 falsepositives:
 - Monitoring tools
From c0892c63c868cd1cc62bb15c744cab2c4d4f0448 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:54:47 -0300
Subject: [PATCH 0467/1335] Update win_svcctl_remote_service.yml
---
 rules/windows/builtin/win_svcctl_remote_service.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index bd8939a65..be19e9ffb 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -19,7 +19,7 @@ detection:
 EventID: 5145
 ShareName: \\*\IPC$
 RelativeTargetName: svcctl
- Accesses: '*WriteData*'
+ Accesses|contains: 'WriteData'
 condition: selection
 falsepositives:
 - pentesting
From 4e70b2d797e20686d561238366b958f486e70275 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:55:21 -0300
Subject: [PATCH 0468/1335] Update win_user_added_to_local_administrators.yml
---
 .../windows/builtin/win_user_added_to_local_administrators.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index 418b2bb86..0443447e9 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -22,7 +22,7 @@ detection:
 selection_group2:
 GroupSid: 'S-1-5-32-544'
 filter:
- SubjectUserName: '*$'
+ SubjectUserName|endswith: '$'
 condition: selection and (1 of selection_group*) and not filter
 falsepositives:
 - Legitimate administrative activity
From ef3af551e9afe3abd22e4134ff2bf99f27cd0fa8 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:56:16 -0300
Subject: [PATCH 0469/1335] Update win_user_driver_loaded.yml
---
 .../builtin/win_user_driver_loaded.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 5abc45e1f..d829a0781 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -21,18 +21,18 @@ detection:
 Service: '-'
 selection_2:
 ProcessName|contains:
- - '*\Windows\System32\Dism.exe'
- - '*\Windows\System32\rundll32.exe'
- - '*\Windows\System32\fltMC.exe'
- - '*\Windows\HelpPane.exe'
- - '*\Windows\System32\mmc.exe'
- - '*\Windows\System32\svchost.exe'
- - '*\Windows\System32\wimserv.exe'
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
- - '*\Google\Chrome\Application\chrome.exe'
+ - '\Windows\System32\Dism.exe'
+ - '\Windows\System32\rundll32.exe'
+ - '\Windows\System32\fltMC.exe'
+ - '\Windows\HelpPane.exe'
+ - '\Windows\System32\mmc.exe'
+ - '\Windows\System32\svchost.exe'
+ - '\Windows\System32\wimserv.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ - '\Google\Chrome\Application\chrome.exe'
 condition: selection_1 and not selection_2
 falsepositives:
 - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
From 1cd56f5daefac3f3dca0a7e0c39d786142fbaadf Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:56:36 -0300
Subject: [PATCH 0470/1335] Update win_vul_cve_2020_0688.yml
---
 rules/windows/builtin/win_vul_cve_2020_0688.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index 38b8e95e6..f89fdb6a0 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -17,8 +17,8 @@ detection:
 EventID: 4
 Source: MSExchange Control Panel
 Level: Error
- selection2:
- - '*&__VIEWSTATE=*'
+ selection2|contains:
+ - '&__VIEWSTATE='
 condition: selection1 and selection2
 falsepositives:
 - Unknown
From 427962937be3c2100e5ff03e7404deed82b972e3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:57:05 -0300
Subject: [PATCH 0471/1335] Update sysmon_susp_driver_load.yml
---
 rules/windows/driver_load/sysmon_susp_driver_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
index 009665b75..479c799e6 100755
--- a/rules/windows/driver_load/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- ImageLoaded: '*\Temp\\*'
+ ImageLoaded|contains: '\Temp\\'
 condition: selection
 falsepositives:
 - there is a relevant set of false positives depending on applications in the environment
From 099843470e416cd9cee4cd119c1766fe32d514f6 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:58:10 -0300
Subject: [PATCH 0472/1335] Update sysmon_creation_system_file.yml
---
 .../sysmon_creation_system_file.yml | 66 +++++++++----------
 1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bd723e0e8..1c6840e89 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
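Review bot: In the win_vul_cve_2020_0688 hunk, `selection2|contains:` attaches a field modifier to a selection name, which Sigma does not support: modifiers belong on field names inside a selection, and `selection2` was a keyword list (a bare list directly under the selection) with no field to modify. After this change the parser sees a selection literally named `selection2|contains`, so `condition: selection1 and selection2` references a name that no longer exists and the rule fails to compile instead of alerting on the CVE-2020-0688 error pattern. Keyword lists already accept wildcards, so the removed pair `selection2:` / `- '*&__VIEWSTATE=*'` is the correct form; restoring those two lines is the fix, and if the asterisks must go, the search needs a real field name (for example on `Message`) that the hunk does not show.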
@@ -14,40 +14,40 @@ logsource: product: windows detection: selection: - TargetFilename: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - - '*\wininit.exe' - - '*\lsm.exe' - - '*\winlogon.exe' - - '*\explorer.exe' - - '*\taskhost.exe' - - '*\Taskmgr.exe' - - '*\taskmgr.exe' - - '*\sihost.exe' - - '*\RuntimeBroker.exe' - - '*\runtimebroker.exe' - - '*\smartscreen.exe' - - '*\dllhost.exe' - - '*\audiodg.exe' - - '*\wlanext.exe' + TargetFilename|endswith: + - '\svchost.exe' + - '\rundll32.exe' + - '\services.exe' + - '\powershell.exe' + - '\regsvr32.exe' + - '\spoolsv.exe' + - '\lsass.exe' + - '\smss.exe' + - '\csrss.exe' + - '\conhost.exe' + - '\wininit.exe' + - '\lsm.exe' + - '\winlogon.exe' + - '\explorer.exe' + - '\taskhost.exe' + - '\Taskmgr.exe' + - '\taskmgr.exe' + - '\sihost.exe' + - '\RuntimeBroker.exe' + - '\runtimebroker.exe' + - '\smartscreen.exe' + - '\dllhost.exe' + - '\audiodg.exe' + - '\wlanext.exe' filter: - TargetFilename: - - 'C:\Windows\System32\\*' - - 'C:\Windows\system32\\*' - - 'C:\Windows\SysWow64\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\winsxs\\*' - - 'C:\Windows\WinSxS\\*' - - '\SystemRoot\System32\\*' + TargetFilename|startswith: + - 'C:\Windows\System32\\' + - 'C:\Windows\system32\\' + - 'C:\Windows\SysWow64\\' + - 'C:\Windows\SysWOW64\\' + - 'C:\Windows\winsxs\\' + - 'C:\Windows\WinSxS\\' + - '\SystemRoot\System32\\' condition: selection and not filter fields: - Image From b6b34b37d9472a78262954216a402601f6ba8f6d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 15:59:09 -0300 Subject: [PATCH 0473/1335] Update sysmon_ghostpack_safetykatz.yml --- rules/windows/file_event/sysmon_ghostpack_safetykatz.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
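Review bot: The new `TargetFilename|endswith:` list keeps case-variant duplicates, `'\Taskmgr.exe'`/`'\taskmgr.exe'` and `'\RuntimeBroker.exe'`/`'\runtimebroker.exe'`, and the `TargetFilename|startswith:` filter does the same for `System32`/`system32`, `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS`. If the targeted backends compare case-insensitively these entries are redundant; if any backend is case-sensitive, the list is incomplete rather than complete, since entries such as `'\svchost.exe'` carry no variants. The intent should be pinned down, either by a comment such as `# case variants kept for case-sensitive backends` above the list or by dropping the duplicates.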
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index a82059024..3019ca420 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename: '*\Temp\debug.bin'
+ TargetFilename|endswith: '\Temp\debug.bin'
 condition: selection
 falsepositives:
 - Unknown
From d2d49c445a38f0f695ca96a7ae1db21e41bb8263 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 16:00:20 -0300
Subject: [PATCH 0474/1335] Update sysmon_powershell_exploit_scripts.yml
---
 .../sysmon_powershell_exploit_scripts.yml | 192 +++++++++---------
 1 file changed, 96 insertions(+), 96 deletions(-)
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index 7ca774187..e446c5307 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -15,102 +15,102 @@ logsource: product: windows detection: selection: - TargetFilename: - - '*\Invoke-DllInjection.ps1' - - '*\Invoke-WmiCommand.ps1' - - '*\Get-GPPPassword.ps1' - - '*\Get-Keystrokes.ps1' - - '*\Get-VaultCredential.ps1' - - '*\Invoke-CredentialInjection.ps1' - - '*\Invoke-Mimikatz.ps1' - - '*\Invoke-NinjaCopy.ps1' - - '*\Invoke-TokenManipulation.ps1' - - '*\Out-Minidump.ps1' - - '*\VolumeShadowCopyTools.ps1' - - '*\Invoke-ReflectivePEInjection.ps1' - - '*\Get-TimedScreenshot.ps1' - - '*\Invoke-UserHunter.ps1' - - '*\Find-GPOLocation.ps1' - - '*\Invoke-ACLScanner.ps1' - - '*\Invoke-DowngradeAccount.ps1' - - '*\Get-ServiceUnquoted.ps1' - - '*\Get-ServiceFilePermission.ps1' - - '*\Get-ServicePermission.ps1' - - '*\Invoke-ServiceAbuse.ps1' - - '*\Install-ServiceBinary.ps1' - - '*\Get-RegAutoLogon.ps1' - - '*\Get-VulnAutoRun.ps1' - - '*\Get-VulnSchTask.ps1' - - '*\Get-UnattendedInstallFile.ps1' - - '*\Get-WebConfig.ps1' - - '*\Get-ApplicationHost.ps1' - - '*\Get-RegAlwaysInstallElevated.ps1' - - '*\Get-Unconstrained.ps1' - - '*\Add-RegBackdoor.ps1' - - '*\Add-ScrnSaveBackdoor.ps1' - - '*\Gupt-Backdoor.ps1' - - '*\Invoke-ADSBackdoor.ps1' - - '*\Enabled-DuplicateToken.ps1' - - '*\Invoke-PsUaCme.ps1' - - '*\Remove-Update.ps1' - - '*\Check-VM.ps1' - - '*\Get-LSASecret.ps1' - - '*\Get-PassHashes.ps1' - - '*\Show-TargetScreen.ps1' - - '*\Port-Scan.ps1' - - '*\Invoke-PoshRatHttp.ps1' - - '*\Invoke-PowerShellTCP.ps1' - - '*\Invoke-PowerShellWMI.ps1' - - '*\Add-Exfiltration.ps1' - - '*\Add-Persistence.ps1' - - '*\Do-Exfiltration.ps1' - - '*\Start-CaptureServer.ps1' - - '*\Invoke-ShellCode.ps1' - - '*\Get-ChromeDump.ps1' - - '*\Get-ClipboardContents.ps1' - - '*\Get-FoxDump.ps1' - - '*\Get-IndexedItem.ps1' - - '*\Get-Screenshot.ps1' - - '*\Invoke-Inveigh.ps1' - - '*\Invoke-NetRipper.ps1' - - '*\Invoke-EgressCheck.ps1' - - '*\Invoke-PostExfil.ps1' - - '*\Invoke-PSInject.ps1' - - '*\Invoke-RunAs.ps1' - - '*\MailRaider.ps1' - - '*\New-HoneyHash.ps1' - - 
'*\Set-MacAttribute.ps1' - - '*\Invoke-DCSync.ps1' - - '*\Invoke-PowerDump.ps1' - - '*\Exploit-Jboss.ps1' - - '*\Invoke-ThunderStruck.ps1' - - '*\Invoke-VoiceTroll.ps1' - - '*\Set-Wallpaper.ps1' - - '*\Invoke-InveighRelay.ps1' - - '*\Invoke-PsExec.ps1' - - '*\Invoke-SSHCommand.ps1' - - '*\Get-SecurityPackages.ps1' - - '*\Install-SSP.ps1' - - '*\Invoke-BackdoorLNK.ps1' - - '*\PowerBreach.ps1' - - '*\Get-SiteListPassword.ps1' - - '*\Get-System.ps1' - - '*\Invoke-BypassUAC.ps1' - - '*\Invoke-Tater.ps1' - - '*\Invoke-WScriptBypassUAC.ps1' - - '*\PowerUp.ps1' - - '*\PowerView.ps1' - - '*\Get-RickAstley.ps1' - - '*\Find-Fruit.ps1' - - '*\HTTP-Login.ps1' - - '*\Find-TrustedDocuments.ps1' - - '*\Invoke-Paranoia.ps1' - - '*\Invoke-WinEnum.ps1' - - '*\Invoke-ARPScan.ps1' - - '*\Invoke-PortScan.ps1' - - '*\Invoke-ReverseDNSLookup.ps1' - - '*\Invoke-SMBScanner.ps1' - - '*\Invoke-Mimikittenz.ps1' + TargetFilename|endswith: + - '\Invoke-DllInjection.ps1' + - '\Invoke-WmiCommand.ps1' + - '\Get-GPPPassword.ps1' + - '\Get-Keystrokes.ps1' + - '\Get-VaultCredential.ps1' + - '\Invoke-CredentialInjection.ps1' + - '\Invoke-Mimikatz.ps1' + - '\Invoke-NinjaCopy.ps1' + - '\Invoke-TokenManipulation.ps1' + - '\Out-Minidump.ps1' + - '\VolumeShadowCopyTools.ps1' + - '\Invoke-ReflectivePEInjection.ps1' + - '\Get-TimedScreenshot.ps1' + - '\Invoke-UserHunter.ps1' + - '\Find-GPOLocation.ps1' + - '\Invoke-ACLScanner.ps1' + - '\Invoke-DowngradeAccount.ps1' + - '\Get-ServiceUnquoted.ps1' + - '\Get-ServiceFilePermission.ps1' + - '\Get-ServicePermission.ps1' + - '\Invoke-ServiceAbuse.ps1' + - '\Install-ServiceBinary.ps1' + - '\Get-RegAutoLogon.ps1' + - '\Get-VulnAutoRun.ps1' + - '\Get-VulnSchTask.ps1' + - '\Get-UnattendedInstallFile.ps1' + - '\Get-WebConfig.ps1' + - '\Get-ApplicationHost.ps1' + - '\Get-RegAlwaysInstallElevated.ps1' + - '\Get-Unconstrained.ps1' + - '\Add-RegBackdoor.ps1' + - '\Add-ScrnSaveBackdoor.ps1' + - '\Gupt-Backdoor.ps1' + - '\Invoke-ADSBackdoor.ps1' + - 
'\Enabled-DuplicateToken.ps1' + - '\Invoke-PsUaCme.ps1' + - '\Remove-Update.ps1' + - '\Check-VM.ps1' + - '\Get-LSASecret.ps1' + - '\Get-PassHashes.ps1' + - '\Show-TargetScreen.ps1' + - '\Port-Scan.ps1' + - '\Invoke-PoshRatHttp.ps1' + - '\Invoke-PowerShellTCP.ps1' + - '\Invoke-PowerShellWMI.ps1' + - '\Add-Exfiltration.ps1' + - '\Add-Persistence.ps1' + - '\Do-Exfiltration.ps1' + - '\Start-CaptureServer.ps1' + - '\Invoke-ShellCode.ps1' + - '\Get-ChromeDump.ps1' + - '\Get-ClipboardContents.ps1' + - '\Get-FoxDump.ps1' + - '\Get-IndexedItem.ps1' + - '\Get-Screenshot.ps1' + - '\Invoke-Inveigh.ps1' + - '\Invoke-NetRipper.ps1' + - '\Invoke-EgressCheck.ps1' + - '\Invoke-PostExfil.ps1' + - '\Invoke-PSInject.ps1' + - '\Invoke-RunAs.ps1' + - '\MailRaider.ps1' + - '\New-HoneyHash.ps1' + - '\Set-MacAttribute.ps1' + - '\Invoke-DCSync.ps1' + - '\Invoke-PowerDump.ps1' + - '\Exploit-Jboss.ps1' + - '\Invoke-ThunderStruck.ps1' + - '\Invoke-VoiceTroll.ps1' + - '\Set-Wallpaper.ps1' + - '\Invoke-InveighRelay.ps1' + - '\Invoke-PsExec.ps1' + - '\Invoke-SSHCommand.ps1' + - '\Get-SecurityPackages.ps1' + - '\Install-SSP.ps1' + - '\Invoke-BackdoorLNK.ps1' + - '\PowerBreach.ps1' + - '\Get-SiteListPassword.ps1' + - '\Get-System.ps1' + - '\Invoke-BypassUAC.ps1' + - '\Invoke-Tater.ps1' + - '\Invoke-WScriptBypassUAC.ps1' + - '\PowerUp.ps1' + - '\PowerView.ps1' + - '\Get-RickAstley.ps1' + - '\Find-Fruit.ps1' + - '\HTTP-Login.ps1' + - '\Find-TrustedDocuments.ps1' + - '\Invoke-Paranoia.ps1' + - '\Invoke-WinEnum.ps1' + - '\Invoke-ARPScan.ps1' + - '\Invoke-PortScan.ps1' + - '\Invoke-ReverseDNSLookup.ps1' + - '\Invoke-SMBScanner.ps1' + - '\Invoke-Mimikittenz.ps1' condition: selection falsepositives: - Penetration Tests From 9eedeabda9e26b8ef478b176bc6edef41df59f38 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 16:01:24 -0300 Subject: [PATCH 0475/1335] Update sysmon_quarkspw_filedump.yml --- rules/windows/file_event/sysmon_quarkspw_filedump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml index 2a582eaa3..fb8c03e24 100755 --- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml +++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml @@ -18,7 +18,7 @@ logsource: detection: selection: # Sysmon: File Creation (ID 11) - TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*' + TargetFilename|contains: '\AppData\Local\Temp\SAM-*.dmp' condition: selection falsepositives: - Unknown From 5790cc2ea71ff665e578fe5342ec5ecd051832a2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:01:46 -0300 Subject: [PATCH 0476/1335] Update sysmon_susp_adsi_cache_usage.yml --- rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml index 204bb61c0..2b8ae5871 100755 --- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml @@ -18,7 +18,7 @@ logsource: category: file_event detection: selection_1: - TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch' + TargetFilename|endswith: '\Local\Microsoft\Windows\SchCache\\*.sch' selection_2: Image: - 'C:\windows\system32\svchost.exe' From 7d5e404b32d67bb6509354bb91071b6211fc1e14 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:02:16 -0300 Subject: [PATCH 0477/1335] Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml --- ..._susp_procexplorer_driver_created_in_tmp_folder.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index 2dac9fab7..995c407a6 100755 --- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -15,13 +15,13 @@ logsource: category: file_event detection: selection_1: - TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys' + TargetFilename|endswith: '\AppData\Local\Temp\\*\PROCEXP152.sys' selection_2: Image|contains: - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\procmon64.exe' - - '*\procmon.exe' + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' condition: selection_1 and not selection_2 falsepositives: - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it. From 569f14eb1e2f9342c8412f44ecf2096655b63a75 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:02:52 -0300 Subject: [PATCH 0478/1335] Update sysmon_tsclient_filewrite_startup.yml --- .../windows/file_event/sysmon_tsclient_filewrite_startup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml index 194b75581..307967868 100755 --- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml 
@@ -9,8 +9,8 @@ logsource: category: file_event detection: selection: - Image: '*\mstsc.exe' - TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*' + Image|endswith: '\mstsc.exe' + TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\\' condition: selection falsepositives: - unknown From 56594a5a06803607790773424849ef87815fdcbd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:05:11 -0300 Subject: [PATCH 0479/1335] Update sysmon_mimikatz_inmemory_detection.yml --- .../windows/image_load/sysmon_mimikatz_inmemory_detection.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml index 50568b560..d21584364 100755 --- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml @@ -18,9 +18,9 @@ detection: selector: Image: 'C:\Windows\System32\rundll32.exe' dllload1: - ImageLoaded: '*\vaultcli.dll' + ImageLoaded|endswith: '\vaultcli.dll' dllload2: - ImageLoaded: '*\wlanapi.dll' + ImageLoaded|endswith: '\wlanapi.dll' exclusion: ImageLoaded: - 'ntdsapi.dll' From 113672572830086c4615a3a7bb9d057bb303a734 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:05:50 -0300 Subject: [PATCH 0480/1335] Update sysmon_susp_image_load.yml --- rules/windows/image_load/sysmon_susp_image_load.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml index 5a2bc710f..5bf530559 100755 --- a/rules/windows/image_load/sysmon_susp_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_image_load.yml 
@@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - Image: - - '*\notepad.exe' - ImageLoaded: - - '*\samlib.dll' - - '*\WinSCard.dll' + Image|endswith: + - '\notepad.exe' + ImageLoaded|endswith: + - '\samlib.dll' + - '\WinSCard.dll' condition: selection falsepositives: - Very likely, needs more tuning From 0d4f3723519e7faf30885c39c92097cc942c3e75 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:06:21 -0300 Subject: [PATCH 0481/1335] Update sysmon_susp_office_dotnet_assembly_dll_load.yml --- ...sysmon_susp_office_dotnet_assembly_dll_load.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index a8c6f2ec5..7e70aed3b 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - 'C:\Windows\assembly\\*' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|startswith: + - 'C:\Windows\assembly\\' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From ecbec06709ccfeefa0971b250c759ae57dbc38db Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:06:47 -0300 Subject: [PATCH 0482/1335] Update sysmon_susp_office_dotnet_clr_dll_load.yml --- .../sysmon_susp_office_dotnet_clr_dll_load.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml index 59b043baa..f75cce094 100755 
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - '*\clr.dll*' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|contains: + - '\clr.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From 4de241d44cddd49df9d6ae942c86c36944c0fe56 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:07:10 -0300 Subject: [PATCH 0483/1335] Update sysmon_susp_office_dotnet_gac_dll_load.yml --- .../sysmon_susp_office_dotnet_gac_dll_load.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml index a9f820194..fa0182796 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|startswith: + - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From 8aa2f8582b9af5efe7ade6d52bacbb8938030b4d Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 16:07:46 -0300 Subject: [PATCH 0484/1335] Update sysmon_susp_office_dsparse_dll_load.yml --- .../sysmon_susp_office_dsparse_dll_load.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml index 9897408c6..f6297faef 100755 --- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - '*\dsparse.dll*' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|contains: + - '\dsparse.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From 38ef5976dcb248566e4ce963a298c2f4ae375786 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:08:55 -0300 Subject: [PATCH 0485/1335] Update sysmon_susp_office_dsparse_dll_load.yml --- .../windows/image_load/sysmon_susp_office_dsparse_dll_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml index f6297faef..0a179c242 100755 --- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml @@ -21,7 +21,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|contains: + ImageLoaded|endswith: - '\dsparse.dll' condition: selection falsepositives: From 7c196aed22393e094778f59c1832093c75f94c7c Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 16:09:03 -0300 Subject: [PATCH 0486/1335] Update sysmon_susp_office_kerberos_dll_load.yml --- .../sysmon_susp_office_kerberos_dll_load.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml index 2ac8622f5..b42030734 100755 --- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - '*\kerberos.dll' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|endswith: + - '\kerberos.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From efe5ad92c3f0d06a2d9eebae4574aa502e206b2a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:09:21 -0300 Subject: [PATCH 0487/1335] Update sysmon_susp_winword_vbadll_load.yml --- .../sysmon_susp_winword_vbadll_load.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml index fedeecf64..262d9c7dc 100755 --- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml +++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml 
@@ -16,15 +16,15 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - '*\VBE7.DLL' - - '*\VBEUI.DLL' - - '*\VBE7INTL.DLL' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|endswith: + - '\VBE7.DLL' + - '\VBEUI.DLL' + - '\VBE7INTL.DLL' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From b6cf10fdd23fadc98b53c0b243e540922413e923 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:09:44 -0300 Subject: [PATCH 0488/1335] Update sysmon_susp_winword_wmidll_load.yml --- .../sysmon_susp_winword_wmidll_load.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml index c2d9e429a..e73760127 100755 --- a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml +++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml @@ -16,17 +16,17 @@ logsource: product: windows detection: selection: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - ImageLoaded: - - '*\wmiutils.dll' - - '*\wbemcomn.dll' - - '*\wbemprox.dll' - - '*\wbemdisp.dll' - - '*\wbemsvc.dll' + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|endswith: + - '\wmiutils.dll' + - '\wbemcomn.dll' + - '\wbemprox.dll' + - '\wbemdisp.dll' + - '\wbemsvc.dll' condition: selection falsepositives: - Possible. Requires further testing. From 7adfd75c0af851647c2a104d6820a949ba73ce2c Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 16:10:23 -0300 Subject: [PATCH 0489/1335] Update sysmon_svchost_dll_search_order_hijack.yml --- .../sysmon_svchost_dll_search_order_hijack.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index 9d009c297..9477a77a3 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -21,15 +21,15 @@ logsource: product: windows detection: selection: - Image: - - '*\svchost.exe' - ImageLoaded: - - '*\tsmsisrv.dll' - - '*\tsvipsrv.dll' - - '*\wlbsctrl.dll' + Image|endswith: + - '\svchost.exe' + ImageLoaded|endswith: + - '\tsmsisrv.dll' + - '\tsvipsrv.dll' + - '\wlbsctrl.dll' filter: - ImageLoaded: - - 'C:\Windows\WinSxS\\*' + ImageLoaded|startswith: + - 'C:\Windows\WinSxS\\' condition: selection and not filter falsepositives: - Pentest From dea145cd5e4c6226fa416bedb6faac1d052375de Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:11:24 -0300 Subject: [PATCH 0490/1335] Update av_exploiting.yml --- rules/windows/malware/av_exploiting.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index cbdec2bcf..3c499d014 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml 
@@ -15,16 +15,16 @@ logsource: product: antivirus detection: selection: - Signature: - - "*MeteTool*" - - "*MPreter*" - - "*Meterpreter*" - - "*Metasploit*" - - "*PowerSploit*" - - "*CobaltSrike*" - - "*Swrort*" - - "*Rozena*" - - "*Backdoor.Cobalt*" + Signature|contains: + - "MeteTool" + - "MPreter" + - "Meterpreter" + - "Metasploit" + - "PowerSploit" + - "CobaltSrike" + - "Swrort" + - "Rozena" + - "Backdoor.Cobalt" condition: selection fields: - FileName From 7dc720cf1304c40349be59a8646acffd9d1d5f6f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:11:52 -0300 Subject: [PATCH 0491/1335] Update av_password_dumper.yml --- rules/windows/malware/av_password_dumper.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index 168d357ee..9db6fec0a 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml @@ -16,15 +16,15 @@ logsource: product: antivirus detection: selection: - Signature: - - "*DumpCreds*" - - "*Mimikatz*" - - "*PWCrack*" - - "HTool/WCE" - - "*PSWtool*" - - "*PWDump*" - - "*SecurityTool*" - - "*PShlSpy*" + Signature|contains: + - "DumpCreds" + - "Mimikatz" + - "PWCrack" + - "Tool/WCE" + - "PSWtool" + - "PWDump" + - "SecurityTool" + - "PShlSpy" condition: selection fields: - FileName From cdaa5ef3a641bda080b22671a0097e9b6fd9d649 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:13:22 -0300 Subject: [PATCH 0492/1335] Update av_relevant_files.yml --- rules/windows/malware/av_relevant_files.yml | 54 +++++++++++---------- 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 747bd494a..f36bbe501 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
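Review bot: `"CobaltSrike"` in the new `Signature|contains:` list looks like a misspelling of CobaltStrike carried over from the removed line; as written it only matches signatures that contain the same misspelling, so that family is covered only as far as the separate `"Backdoor.Cobalt"` entry reaches. If the spelling is deliberate because a vendor names its signature that way, a comment such as `# "CobaltSrike" is the vendor's spelling` would stop the next reviewer from "fixing" it; otherwise the entry should read `"CobaltStrike"`.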
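Review bot: `"Tool/WCE"` in the av_password_dumper.yml hunk changes meaning under the shared `Signature|contains:` modifier: the removed entry `"HTool/WCE"` had no wildcards and was an exact match, and dropping the leading `H` while adding implicit wildcards makes it match any signature containing `Tool/WCE`. That may well be intended, but it is the only entry in the hunk whose semantics change rather than being preserved, so it deserves a line comment, e.g. `# was exact "HTool/WCE"; substring match is intentional`.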
@@ -10,32 +10,34 @@ logsource: product: antivirus detection: selection: - FileName: - - 'C:\Windows\Temp\\*' - - 'C:\Temp\\*' - - '*\\Client\\*' - - 'C:\PerfLogs\\*' - - 'C:\Users\Public\\*' - - 'C:\Users\Default\\*' - - '*.ps1' - - '*.vbs' - - '*.bat' - - '*.chm' - - '*.xml' - - '*.txt' - - '*.jsp' - - '*.jspx' - - '*.asp' - - '*.aspx' - - '*.php' - - '*.war' - - '*.hta' - - '*.lnk' - - '*.scf' - - '*.sct' - - '*.vbe' - - '*.wsf' - - '*.wsh' + FileName|startswith: + - 'C:\Windows\Temp\\' + - 'C:\Temp\\' + - 'C:\PerfLogs\\' + - 'C:\Users\Public\\' + - 'C:\Users\Default\\' + Filename|contains: + - '\\Client\\' + Filename|endswith: + - '.ps1' + - '.vbs' + - '.bat' + - '.chm' + - '.xml' + - '.txt' + - '.jsp' + - '.jspx' + - '.asp' + - '.aspx' + - '.php' + - '.war' + - '.hta' + - '.lnk' + - '.scf' + - '.sct' + - '.vbe' + - '.wsf' + - '.wsh' condition: selection fields: - Signature From 69c90570ec932aa0e6d27b6e84cea49b04c2f1ab Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:14:08 -0300 Subject: [PATCH 0493/1335] Update av_webshell.yml --- rules/windows/malware/av_webshell.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 11f8eb0ba..1dccfdd90 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -14,14 +14,15 @@ logsource: product: antivirus detection: selection: - Signature: - - "PHP/Backdoor*" - - "JSP/Backdoor*" - - "ASP/Backdoor*" - - "Backdoor.PHP*" - - "Backdoor.JSP*" - - "Backdoor.ASP*" - - "*Webshell*" + Signature|startswith: + - "PHP/Backdoor" + - "JSP/Backdoor" + - "ASP/Backdoor" + - "Backdoor.PHP" + - "Backdoor.JSP" + - "Backdoor.ASP" + Signature|contains: + - "Webshell" condition: selection fields: - FileName From ef646e74d8182dd6e09054b631794334874cbd5a Mon Sep 17 00:00:00 2001 
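Review bot: The three field entries that replace the single `FileName:` list inside `selection` are ANDed, not ORed: every key in one selection map must match, so the rule now fires only when the file name starts with one of the directories AND contains `\Client\` AND ends with one of the listed extensions, whereas the removed list matched any single value. Two of the new keys are also spelled `Filename` instead of `FileName`, which is a different field under a case-sensitive field mapping. Both issues are fixed by splitting the alternatives into separate selections and ORing them in the condition, as below. The av_webshell.yml hunk (PATCH 0493) has the same AND problem with `Signature|startswith:` and `Signature|contains:` in one map and needs the same split, e.g. `selection_backdoor` and `selection_webshell` with `condition: 1 of selection*`.
```yaml
detection:
    selection_dir:
        FileName|startswith:
            - 'C:\Windows\Temp\\'
            - 'C:\Temp\\'
            - 'C:\PerfLogs\\'
            - 'C:\Users\Public\\'
            - 'C:\Users\Default\\'
    selection_client:
        FileName|contains:
            - '\\Client\\'
    selection_ext:
        FileName|endswith:
            - '.ps1'
            # … unchanged: remaining extension entries …
            - '.wsh'
    condition: 1 of selection*
```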
From: Jonhnathan Date: Thu, 15 Oct 2020 16:15:25 -0300 Subject: [PATCH 0494/1335] Update mal_azorult_reg.yml --- rules/windows/malware/mal_azorult_reg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index d99e7c471..db5a39521 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -17,8 +17,8 @@ detection: EventID: - 12 - 13 - TargetObject: - - '*SYSTEM\\*\services\localNETService' + TargetObject|startswith: + - 'SYSTEM\\*\services\localNETService' condition: selection fields: - Image From 8d44548a2cc16c1c8d2445f77baa1c436ca8c87c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:16:08 -0300 Subject: [PATCH 0495/1335] Update win_mal_flowcloud.yml --- rules/windows/malware/win_mal_flowcloud.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index 37e315f90..5cb4a3567 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -21,7 +21,8 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - 'HKLM\SYSTEM\Setup\PrintResponsor\\*' + TargetObject|startswith: + - 'HKLM\SYSTEM\Setup\PrintResponsor\\' condition: selection falsepositives: - Unknown From 983e9cb9ae5ca4722b5646e8370ec7bb1a6c9acd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:18:14 -0300 Subject: [PATCH 0496/1335] Update win_mal_ryuk.yml --- rules/windows/malware/win_mal_ryuk.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index aa5977d23..465212393 100644 --- a/rules/windows/malware/win_mal_ryuk.yml 
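Review bot: `TargetObject|startswith: 'SYSTEM\\*\services\localNETService'` in the mal_azorult_reg.yml hunk drops the leading wildcard that the removed value `'*SYSTEM\\*\services\localNETService'` had, and Sysmon registry TargetObject values begin with the hive name (compare the `HKLM\...` values in the neighbouring win_mal_flowcloud.yml hunk), so a value anchored at `SYSTEM\` can never match and the rule goes silently dead. The old pattern was open at the start and anchored at the end, which is `endswith`: `TargetObject|endswith: 'SYSTEM\\*\services\localNETService'`; the inner `*` is still honoured inside a modifier value.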
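Review bot: In the win_mal_flowcloud.yml hunk, adding `TargetObject|startswith:` as a second key next to the existing list (the list key itself sits above the hunk, but the context lines are plainly its `HKLM\HARDWARE\{...}` items) makes the selection require both: the object must equal one of the HARDWARE entries AND start with `HKLM\SYSTEM\Setup\PrintResponsor\`, which no single event satisfies, so the rule stops matching anything. Keep the OR by giving the new key its own selection, `selection_printresponsor:` holding `TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\\'`, and change the visible condition line to `condition: selection or selection_printresponsor`.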
+++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,10 +11,13 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\net.exe stop "samss" *' - - '*\net.exe stop "audioendpointbuilder" *' - - '*\net.exe stop "unistoresvc_?????" *' + CommandLine|contains|all: + - 'net.exe' + - 'stop' + CommandLine|contains: + - 'samss' + - 'audioendpointbuilder' + - 'unistoresvc_?????' condition: selection falsepositives: - Unlikely From acfe0633e27481c3abd6640b6afded250dc26cb8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:18:38 -0300 Subject: [PATCH 0497/1335] Update win_mal_ursnif.yml --- rules/windows/malware/win_mal_ursnif.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml index 902d85ae3..cf696cf73 100644 --- a/rules/windows/malware/win_mal_ursnif.yml +++ b/rules/windows/malware/win_mal_ursnif.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*' + TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\\' condition: selection falsepositives: - Unknown From 22e5f83a6c965ef25c1422bc7e9bb075c7898fb5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:19:43 -0300 Subject: [PATCH 0498/1335] Update sysmon_dllhost_net_connections.yml --- .../sysmon_dllhost_net_connections.yml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml index 48a2a8c46..e97176154 100644 --- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml +++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml 
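Review bot: Splitting `'*\net.exe stop "samss" *'` into `CommandLine|contains|all:` of `net.exe` and `stop` plus `CommandLine|contains:` of the bare service names loses the adjacency the removed patterns expressed: any command line that has `net.exe`, the substring `stop` (also inside `stopped` or `unstoppable`) and `samss` anywhere now matches, including a `net.exe start samss` invocation with an unrelated argument, and the quotes around the service name are dropped too. Keeping the `stop "<service>"` pairing preserves the original meaning while still removing the leading and trailing wildcards; the `?` wildcards in `unistoresvc_?????` remain wildcards inside the modifier value. The `falsepositives: - Unlikely` claim only holds with the tighter form.
```yaml
    selection:
        CommandLine|contains|all:
            - '\net.exe'
        CommandLine|contains:
            - 'stop "samss"'
            - 'stop "audioendpointbuilder"'
            - 'stop "unistoresvc_?????"'
    condition: selection
```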
@@ -18,29 +18,29 @@ logsource: product: windows detection: selection: - Image: '*\dllhost.exe' + Image|endswith: '\dllhost.exe' Initiated: 'true' filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' condition: selection and not filter falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces From b479cbdb10662120bc743ccc79fbc0b2160e33d0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:20:27 -0300 Subject: [PATCH 0499/1335] Update sysmon_malware_backconnect_ports.yml --- .../sysmon_malware_backconnect_ports.yml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml index a8dd264d6..6ab3c851a 100755 --- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml 
@@ -70,28 +70,28 @@ detection: - '4040' - '9943' filter1: - Image: '*\Program Files*' + Image|contains: '\Program Files' filter2: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' DestinationIsIpv6: 'false' condition: selection and not ( filter1 or filter2 ) falsepositives: From e20027965f8a9165f05afd3b2d1183457ef2e5b3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:21:38 -0300 Subject: [PATCH 0500/1335] Update sysmon_notepad_network_connection.yml --- .../network_connection/sysmon_notepad_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml index 857d1e7e5..0ab14bd51 100755 --- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml +++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml @@ -18,7 +18,7 @@ date: 2020/05/14 modified: 2020/08/24 detection: selection: - Image: '*\notepad.exe' + Image|endswith: '\notepad.exe' filter: DestinationPort: '9100' condition: selection and not filter From 689bea2681b1eaf300266c41bc0cd94c65be056c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:22:13 -0300 Subject: [PATCH 0501/1335] Update sysmon_powershell_network_connection.yml --- .../sysmon_powershell_network_connection.yml | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
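Review bot: `filter1` with `Image|contains: '\Program Files'` exempts any process whose path contains that substring anywhere, including a user-writable directory such as `C:\Users\x\Program Files\x.exe`, so a backconnect from malware staged under such a folder name is silently dropped; the old `*\Program Files*` had the same gap, but the conversion is the moment to close it. Anchor the exclusion to the real install roots: `Image|startswith:` / `- 'C:\Program Files\\'` / `- 'C:\Program Files (x86)\\'`. The `selection` port list begins above the hunk.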
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml index 23d39f5bd..4a110b53e 100755 --- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml +++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml @@ -16,28 +16,28 @@ logsource: product: windows detection: selection: - Image: '*\powershell.exe' + Image|endswith: '\powershell.exe' Initiated: 'true' filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' - '127.0.0.1' DestinationIsIpv6: 'false' User: 'NT AUTHORITY\SYSTEM' From bbf0210f70b52c360b490107fb8635b8e74d3c75 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:23:17 -0300 Subject: [PATCH 0502/1335] Update sysmon_rdp_reverse_tunnel.yml --- .../network_connection/sysmon_rdp_reverse_tunnel.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index 77bde60a2..87a85b318 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml 
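Review bot: In `filter`, the `- '127.0.0.1'` entry was kept verbatim under the new `DestinationIp|startswith`, so it now means "starts with 127.0.0.1" (also `127.0.0.10`, `127.0.0.100`, ...) while the sibling dllhost and rundll32 rules in this series use `'127.'` for the whole loopback block; use `- '127.'` here too so the three rules share one semantics. Separately, `Image|endswith: '\powershell.exe'` does not cover `pwsh.exe` or `powershell_ise.exe`, which make the same outbound connections; adding `- '\pwsh.exe'` / `- '\powershell_ise.exe'` to the list would be in scope for this rewrite. The remainder of `filter` and the `condition` are outside the hunk.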
@@ -19,11 +19,12 @@ logsource: product: windows detection: selection: - Image: '*\svchost.exe' + Image|endswith: '\svchost.exe' Initiated: 'true' SourcePort: 3389 - DestinationIp: - - '127.*' + DestinationIp|startswith: + - '127.' + DestinationIP: - '::1' condition: selection falsepositives: From 9c58db9271068ceec1c6275d848918f1c613ad11 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:24:38 -0300 Subject: [PATCH 0503/1335] Update sysmon_rundll32_net_connections.yml --- .../sysmon_rundll32_net_connections.yml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml index 3766fc091..75920a653 100755 --- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml +++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml @@ -17,29 +17,29 @@ logsource: product: windows detection: selection: - Image: '*\rundll32.exe' + Image|endswith: '\rundll32.exe' Initiated: 'true' filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' condition: selection and not filter falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces From 71785b91b500bef1fe8307ad2376b4f0396bedb8 Mon Sep 17 00:00:00 2001 
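Review bot: The added `DestinationIP:` (capital `IP`) is a different field name from `DestinationIp`, and as a second key in the same `selection` map it is ANDed with `DestinationIp|startswith: '127.'`, so the selection now requires an IPv4 loopback destination and an `::1` value on a field Sysmon does not emit under that spelling; the rule never fires. The removed lines show the intent was a single OR list over one field. Fold both values back into one list: `DestinationIp|startswith:` / `- '127.'` / `- '::1'`.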
From: Jonhnathan Date: Thu, 15 Oct 2020 16:25:25 -0300 Subject: [PATCH 0504/1335] Update sysmon_susp_prog_location_network_connection.yml --- ..._susp_prog_location_network_connection.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml index 9b152411f..42f1e5d0c 100755 --- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -12,19 +12,19 @@ logsource: definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: selection: - Image: - # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - - '*\$Recycle.bin' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - '*\Users\Contacts\\*' - - '*\Users\Searches\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' + Image|contains: + # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows + - '\$Recycle.bin' + - '\Users\All Users\\' + - '\Users\Default\\' + - '\Users\Public\\' + - '\Users\Contacts\\' + - '\Users\Searches\\' + - 'C:\Perflogs\\' + - '\config\systemprofile\\' + - '\Windows\Fonts\\' + - '\Windows\IME\\' + - '\Windows\addins\\' condition: selection falsepositives: - unknown From 554adb85624f8fac7ac726374263c0337473a205 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:25:58 -0300 Subject: [PATCH 0505/1335] Update sysmon_susp_rdp.yml --- .../network_connection/sysmon_susp_rdp.yml | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index 8955b940f..e12fde626 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml @@ -20,26 +20,26 @@ detection: DestinationPort: 3389 Initiated: 'true' filter: - Image: - - '*\mstsc.exe' - - '*\RTSApp.exe' - - '*\RTS2App.exe' - - '*\RDCMan.exe' - - '*\ws_TunnelService.exe' - - '*\RSSensor.exe' - - '*\RemoteDesktopManagerFree.exe' - - '*\RemoteDesktopManager.exe' - - '*\RemoteDesktopManager64.exe' - - '*\mRemoteNG.exe' - - '*\mRemote.exe' - - '*\Terminals.exe' - - '*\spiceworks-finder.exe' - - '*\FSDiscovery.exe' - - '*\FSAssessment.exe' - - '*\MobaRTE.exe' - - '*\chrome.exe' - - '*\thor.exe' - - '*\thor64.exe' + Image|endswith: + - '\mstsc.exe' + - '\RTSApp.exe' + - '\RTS2App.exe' + - '\RDCMan.exe' + - '\ws_TunnelService.exe' + - '\RSSensor.exe' + - '\RemoteDesktopManagerFree.exe' + - '\RemoteDesktopManager.exe' + - '\RemoteDesktopManager64.exe' + - '\mRemoteNG.exe' + - '\mRemote.exe' + - '\Terminals.exe' + - '\spiceworks-finder.exe' + - '\FSDiscovery.exe' + - '\FSAssessment.exe' + - '\MobaRTE.exe' + - '\chrome.exe' + - '\thor.exe' + - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools From 5dc02f3a87d8d1ff4d522c8c821d189ebacecb19 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:26:28 -0300 Subject: [PATCH 0506/1335] Update sysmon_win_binary_github_com.yml --- .../network_connection/sysmon_win_binary_github_com.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml index 1d197ab93..6e76f63df 100755 --- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml +++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml 
@@ -21,10 +21,10 @@ logsource: detection: selection: Initiated: 'true' - DestinationHostname: - - '*.github.com' - - '*.githubusercontent.com' - Image: 'C:\Windows\\*' + DestinationHostname|endswith: + - '.github.com' + - '.githubusercontent.com' + Image|startswith: 'C:\Windows\\' condition: selection falsepositives: - 'Unknown' From fb851e1f41febd0c69c5829f7f55be7ed05e745a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 16:27:01 -0300 Subject: [PATCH 0507/1335] Update sysmon_win_binary_susp_com.yml --- .../network_connection/sysmon_win_binary_susp_com.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml index 6e324b9cb..0dab809fd 100755 --- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml +++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml @@ -16,11 +16,11 @@ logsource: detection: selection: Initiated: 'true' - DestinationHostname: - - '*dl.dropboxusercontent.com' - - '*.pastebin.com' - - '*.githubusercontent.com' # includes both gists and github repositories - Image: 'C:\Windows\\*' + DestinationHostname|endswith: + - 'dl.dropboxusercontent.com' + - '.pastebin.com' + - '.githubusercontent.com' # includes both gists and github repositories + Image|startswith: 'C:\Windows\\' condition: selection falsepositives: - 'Unknown' From b769728d0bce2b1469dd6a644836abacfad54784 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:07:22 -0300 Subject: [PATCH 0508/1335] Update win_pcap_drivers.yml --- rules/windows/other/win_pcap_drivers.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml index c24d04104..814dab6a6 100644 --- a/rules/windows/other/win_pcap_drivers.yml +++ b/rules/windows/other/win_pcap_drivers.yml 
@@ -16,16 +16,16 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName: - - '*pcap*' - - '*npcap*' - - '*npf*' - - '*nm3*' - - '*ndiscap*' - - '*nmnt*' - - '*windivert*' - - '*USBPcap*' - - '*pktmon*' + ServiceFileName|constains: + - 'pcap' + - 'npcap' + - 'npf' + - 'nm3' + - 'ndiscap' + - 'nmnt' + - 'windivert' + - 'USBPcap' + - 'pktmon' condition: selection fields: - EventID From 09c43b7517bfdeb899a34259fd43cff5c4ccec4d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:08:15 -0300 Subject: [PATCH 0509/1335] Update win_wmi_persistence.yml --- rules/windows/other/win_wmi_persistence.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index dbb17a226..a3deb48fe 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -20,10 +20,10 @@ detection: selection: EventID: 5861 keywords: - Message: - - '*ActiveScriptEventConsumer*' - - '*CommandLineEventConsumer*' - - '*CommandLineTemplate*' + Message|contains: + - 'ActiveScriptEventConsumer' + - 'CommandLineEventConsumer' + - 'CommandLineTemplate' # - 'Binding EventFilter' # too many false positive with HP Health Driver selection2: EventID: 5859 From 4a3607d50bc0f15e850a200832798dae409980e4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:09:47 -0300 Subject: [PATCH 0510/1335] Update powershell_exe_calling_ps.yml --- rules/windows/powershell/powershell_exe_calling_ps.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index 034b3d02d..4785ccf29 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml 
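Review bot: `ServiceFileName|constains:` is a typo for `contains`; `constains` is not a Sigma modifier, so sigmac is expected to reject the rule (or, at best, treat the list as exact matches on `ServiceFileName`, which no driver path satisfies), and the capture-driver detection is silently lost. The fix is `ServiceFileName|contains:`. The `fields` list continues past the hunk.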
@@ -17,11 +17,11 @@ logsource: detection: selection1: EventID: 400 - EngineVersion: - - '2.*' - - '4.*' - - '5.*' - HostVersion: '3.*' + EngineVersion|startswith: + - '2.' + - '4.' + - '5.' + HostVersion|startswith: '3.' condition: selection1 falsepositives: - Penetration Tests From ec10d5a61f39e57ebd524f9264915b52f8503f88 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:11:20 -0300 Subject: [PATCH 0511/1335] Update powershell_malicious_commandlets.yml --- .../powershell_malicious_commandlets.yml | 192 +++++++++--------- 1 file changed, 96 insertions(+), 96 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index d75d512ae..2afaf557c 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml 
@@ -16,102 +16,102 @@ logsource: definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Message: - - "*Invoke-DllInjection*" - - "*Invoke-Shellcode*" - - "*Invoke-WmiCommand*" - - "*Get-GPPPassword*" - - "*Get-Keystrokes*" - - "*Get-TimedScreenshot*" - - "*Get-VaultCredential*" - - "*Invoke-CredentialInjection*" - - "*Invoke-Mimikatz*" - - "*Invoke-NinjaCopy*" - - "*Invoke-TokenManipulation*" - - "*Out-Minidump*" - - "*VolumeShadowCopyTools*" - - "*Invoke-ReflectivePEInjection*" - - "*Invoke-UserHunter*" - - "*Find-GPOLocation*" - - "*Invoke-ACLScanner*" - - "*Invoke-DowngradeAccount*" - - "*Get-ServiceUnquoted*" - - "*Get-ServiceFilePermission*" - - "*Get-ServicePermission*" - - "*Invoke-ServiceAbuse*" - - "*Install-ServiceBinary*" - - "*Get-RegAutoLogon*" - - "*Get-VulnAutoRun*" - - "*Get-VulnSchTask*" - - "*Get-UnattendedInstallFile*" - - "*Get-ApplicationHost*" - - "*Get-RegAlwaysInstallElevated*" - - "*Get-Unconstrained*" - - "*Add-RegBackdoor*" - - "*Add-ScrnSaveBackdoor*" - - "*Gupt-Backdoor*" - - "*Invoke-ADSBackdoor*" - - "*Enabled-DuplicateToken*" - - "*Invoke-PsUaCme*" - - "*Remove-Update*" - - "*Check-VM*" - - "*Get-LSASecret*" - - "*Get-PassHashes*" - - "*Show-TargetScreen*" - - "*Port-Scan*" - - "*Invoke-PoshRatHttp*" - - "*Invoke-PowerShellTCP*" - - "*Invoke-PowerShellWMI*" - - "*Add-Exfiltration*" - - "*Add-Persistence*" - - "*Do-Exfiltration*" - - "*Start-CaptureServer*" - - "*Get-ChromeDump*" - - "*Get-ClipboardContents*" - - "*Get-FoxDump*" - - "*Get-IndexedItem*" - - "*Get-Screenshot*" - - "*Invoke-Inveigh*" - - "*Invoke-NetRipper*" - - "*Invoke-EgressCheck*" - - "*Invoke-PostExfil*" - - "*Invoke-PSInject*" - - "*Invoke-RunAs*" - - "*MailRaider*" - - "*New-HoneyHash*" - - "*Set-MacAttribute*" - - "*Invoke-DCSync*" - - "*Invoke-PowerDump*" - - "*Exploit-Jboss*" - - "*Invoke-ThunderStruck*" - - "*Invoke-VoiceTroll*" - - "*Set-Wallpaper*" - - 
"*Invoke-InveighRelay*" - - "*Invoke-PsExec*" - - "*Invoke-SSHCommand*" - - "*Get-SecurityPackages*" - - "*Install-SSP*" - - "*Invoke-BackdoorLNK*" - - "*PowerBreach*" - - "*Get-SiteListPassword*" - - "*Get-System*" - - "*Invoke-BypassUAC*" - - "*Invoke-Tater*" - - "*Invoke-WScriptBypassUAC*" - - "*PowerUp*" - - "*PowerView*" - - "*Get-RickAstley*" - - "*Find-Fruit*" - - "*HTTP-Login*" - - "*Find-TrustedDocuments*" - - "*Invoke-Paranoia*" - - "*Invoke-WinEnum*" - - "*Invoke-ARPScan*" - - "*Invoke-PortScan*" - - "*Invoke-ReverseDNSLookup*" - - "*Invoke-SMBScanner*" - - "*Invoke-Mimikittenz*" - - "*Invoke-AllChecks*" + Message|contains: + - "Invoke-DllInjection" + - "Invoke-Shellcode" + - "Invoke-WmiCommand" + - "Get-GPPPassword" + - "Get-Keystrokes" + - "Get-TimedScreenshot" + - "Get-VaultCredential" + - "Invoke-CredentialInjection" + - "Invoke-Mimikatz" + - "Invoke-NinjaCopy" + - "Invoke-TokenManipulation" + - "Out-Minidump" + - "VolumeShadowCopyTools" + - "Invoke-ReflectivePEInjection" + - "Invoke-UserHunter" + - "Find-GPOLocation" + - "Invoke-ACLScanner" + - "Invoke-DowngradeAccount" + - "Get-ServiceUnquoted" + - "Get-ServiceFilePermission" + - "Get-ServicePermission" + - "Invoke-ServiceAbuse" + - "Install-ServiceBinary" + - "Get-RegAutoLogon" + - "Get-VulnAutoRun" + - "Get-VulnSchTask" + - "Get-UnattendedInstallFile" + - "Get-ApplicationHost" + - "Get-RegAlwaysInstallElevated" + - "Get-Unconstrained" + - "Add-RegBackdoor" + - "Add-ScrnSaveBackdoor" + - "Gupt-Backdoor" + - "Invoke-ADSBackdoor" + - "Enabled-DuplicateToken" + - "Invoke-PsUaCme" + - "Remove-Update" + - "Check-VM" + - "Get-LSASecret" + - "Get-PassHashes" + - "Show-TargetScreen" + - "Port-Scan" + - "Invoke-PoshRatHttp" + - "Invoke-PowerShellTCP" + - "Invoke-PowerShellWMI" + - "Add-Exfiltration" + - "Add-Persistence" + - "Do-Exfiltration" + - "Start-CaptureServer" + - "Get-ChromeDump" + - "Get-ClipboardContents" + - "Get-FoxDump" + - "Get-IndexedItem" + - "Get-Screenshot" + - "Invoke-Inveigh" + - 
"Invoke-NetRipper" + - "Invoke-EgressCheck" + - "Invoke-PostExfil" + - "Invoke-PSInject" + - "Invoke-RunAs" + - "MailRaider" + - "New-HoneyHash" + - "Set-MacAttribute" + - "Invoke-DCSync" + - "Invoke-PowerDump" + - "Exploit-Jboss" + - "Invoke-ThunderStruck" + - "Invoke-VoiceTroll" + - "Set-Wallpaper" + - "Invoke-InveighRelay" + - "Invoke-PsExec" + - "Invoke-SSHCommand" + - "Get-SecurityPackages" + - "Install-SSP" + - "Invoke-BackdoorLNK" + - "PowerBreach" + - "Get-SiteListPassword" + - "Get-System" + - "Invoke-BypassUAC" + - "Invoke-Tater" + - "Invoke-WScriptBypassUAC" + - "PowerUp" + - "PowerView" + - "Get-RickAstley" + - "Find-Fruit" + - "HTTP-Login" + - "Find-TrustedDocuments" + - "Invoke-Paranoia" + - "Invoke-WinEnum" + - "Invoke-ARPScan" + - "Invoke-PortScan" + - "Invoke-ReverseDNSLookup" + - "Invoke-SMBScanner" + - "Invoke-Mimikittenz" + - "Invoke-AllChecks" false_positives: - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 condition: keywords and not false_positives From 8cf259606871f76aa1c93c872a4770e13a1d04a7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:12:08 -0300 Subject: [PATCH 0512/1335] Update powershell_malicious_keywords.yml --- .../powershell_malicious_keywords.yml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index bf8809959..f46ce60b3 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml 
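Review bot: `keywords` is now field-bound (`Message|contains`), but the `false_positives` exclusion on the context lines is still a bare keyword list (`- Get-SystemDriveInfo`), so the suppression depends on backend free-text search while the match is a field query; on a backend without full-text search the `Get-System` hit on `Get-SystemDriveInfo` is no longer suppressed. Bind the exclusion to the same field: `false_positives:` / `Message|contains:` / `- 'Get-SystemDriveInfo'`. Since `Get-System` is a substring of any other cmdlet starting with that prefix, expect further entries to be needed over time.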
@@ -16,27 +16,27 @@ logsource: definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Message: - - "*AdjustTokenPrivileges*" - - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*" - - "*Microsoft.Win32.UnsafeNativeMethods*" - - "*ReadProcessMemory.Invoke*" - - "*SE_PRIVILEGE_ENABLED*" - - "*LSA_UNICODE_STRING*" - - "*MiniDumpWriteDump*" - - "*PAGE_EXECUTE_READ*" - - "*SECURITY_DELEGATION*" - - "*TOKEN_ADJUST_PRIVILEGES*" - - "*TOKEN_ALL_ACCESS*" - - "*TOKEN_ASSIGN_PRIMARY*" - - "*TOKEN_DUPLICATE*" - - "*TOKEN_ELEVATION*" - - "*TOKEN_IMPERSONATE*" - - "*TOKEN_INFORMATION_CLASS*" - - "*TOKEN_PRIVILEGES*" - - "*TOKEN_QUERY*" - - "*Metasploit*" - - "*Mimikatz*" + Message|contains: + - "AdjustTokenPrivileges" + - "IMAGE_NT_OPTIONAL_HDR64_MAGIC" + - "Microsoft.Win32.UnsafeNativeMethods" + - "ReadProcessMemory.Invoke" + - "SE_PRIVILEGE_ENABLED" + - "LSA_UNICODE_STRING" + - "MiniDumpWriteDump" + - "PAGE_EXECUTE_READ" + - "SECURITY_DELEGATION" + - "TOKEN_ADJUST_PRIVILEGES" + - "TOKEN_ALL_ACCESS" + - "TOKEN_ASSIGN_PRIMARY" + - "TOKEN_DUPLICATE" + - "TOKEN_ELEVATION" + - "TOKEN_IMPERSONATE" + - "TOKEN_INFORMATION_CLASS" + - "TOKEN_PRIVILEGES" + - "TOKEN_QUERY" + - "Metasploit" + - "Mimikatz" condition: keywords falsepositives: - Penetration tests From 013533fceb7d66dd35efc08bbe304e8e675efe0f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:13:16 -0300 Subject: [PATCH 0513/1335] Update powershell_prompt_credentials.yml --- rules/windows/powershell/powershell_prompt_credentials.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index f5601ce97..4513b1dd2 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml 
@@ -20,8 +20,8 @@ detection: selection: EventID: 4104 keyword: - Message: - - '*PromptForCredential*' + Message|contains: + - 'PromptForCredential' condition: all of them falsepositives: - Unknown From efe9c2d3d61735141416559f245625f8ba7259d4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:14:01 -0300 Subject: [PATCH 0514/1335] Update powershell_shellcode_b64.yml --- rules/windows/powershell/powershell_shellcode_b64.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index dcd835dcf..33670742a 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -21,11 +21,11 @@ logsource: detection: selection: EventID: 4104 - keyword1: - - '*AAAAYInlM*' - keyword2: - - '*OiCAAAAYInlM*' - - '*OiJAAAAYInlM*' + keyword1|contains: + - 'AAAAYInlM' + keyword2|contains: + - 'OiCAAAAYInlM' + - 'OiJAAAAYInlM' condition: selection and keyword1 and keyword2 falsepositives: - Unknown From ce4e22750d70587c697529d04b5782ee954649d5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:15:23 -0300 Subject: [PATCH 0515/1335] Update powershell_winlogon_helper_dll.yml --- .../powershell/powershell_winlogon_helper_dll.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 87e162bd4..9cb140f78 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml 
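Review bot: `keyword1|contains:` and `keyword2|contains:` attach a field modifier to a selection identifier, but Sigma modifiers apply to field names; the result is either two selections literally named `keyword1|contains` / `keyword2|contains`, which the unchanged `condition: selection and keyword1 and keyword2` does not reference, or a parser rejection, so the rule breaks either way. Bind the strings to a field, as powershell_prompt_credentials.yml in this same series does for EventID 4104 with `Message|contains`, or revert to the plain `*...*` keyword lists.
```yaml
# … unchanged: selection (EventID: 4104) …
    keyword1:
        Message|contains:
            - 'AAAAYInlM'
    keyword2:
        Message|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
# … unchanged: condition …
```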
@@ -13,11 +13,11 @@ logsource: detection: selection: EventID: 4104 - keyword1: - - '*Set-ItemProperty*' - - '*New-Item*' - keyword2: - - '*CurrentVersion\Winlogon*' + keyword1|contains: + - 'Set-ItemProperty' + - 'New-Item' + keyword2|contains: + - 'CurrentVersion\Winlogon' condition: selection and ( keyword1 and keyword2 ) falsepositives: - Unknown From 1878aa5fbd9a16ab6c29b98e10b174a48409c6ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:16:50 -0300 Subject: [PATCH 0516/1335] Update sysmon_cmstp_execution.yml --- rules/windows/process_access/sysmon_cmstp_execution.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml index 10e46582f..25e668584 100755 --- a/rules/windows/process_access/sysmon_cmstp_execution.yml +++ b/rules/windows/process_access/sysmon_cmstp_execution.yml @@ -32,14 +32,14 @@ logsource: detection: # Registry Object Add selection2: - TargetObject: '*\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' EventType: 'CreateKey' # Registry Object Value Set selection3: - TargetObject: '*\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' # Process Access Call Trace selection4: - CallTrace: '*cmlua.dll*' + CallTrace|contains: 'cmlua.dll' condition: 1 of them --- logsource: @@ -48,5 +48,5 @@ logsource: detection: # CMSTP Spawning Child Process selection1: - ParentImage: '*\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' condition: 1 of them From a554c3df235adb1628520f0e3b2150f0b941c98d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:17:19 -0300 Subject: [PATCH 0517/1335] Update sysmon_invoke_phantom.yml --- rules/windows/process_access/sysmon_invoke_phantom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml index bbcf116ae..7230b6859 100755 
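Review bot: `keyword1|contains:` and `keyword2|contains:` put a field modifier on a selection identifier rather than a field, so the identifiers no longer match the names used in `condition: selection and ( keyword1 and keyword2 )`, and the rule will either fail to compile or reference undefined selections. The strings need a field to be bound to; powershell_prompt_credentials.yml in this series uses `Message|contains` for EventID 4104, which keeps the two rules consistent.
```yaml
# … unchanged: selection (EventID: 4104) …
    keyword1:
        Message|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    keyword2:
        Message|contains:
            - 'CurrentVersion\Winlogon'
# … unchanged: condition …
```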
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml +++ b/rules/windows/process_access/sysmon_invoke_phantom.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - TargetImage: '*\windows\system32\svchost.exe' + TargetImage|endswith: '\windows\system32\svchost.exe' GrantedAccess: '0x1f3fff' CallTrace: - '*unknown*' From af5c88e5d5f557f4cc8175a2bfb474e6301b50f3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:17:39 -0300 Subject: [PATCH 0518/1335] Update sysmon_lazagne_cred_dump_lsass_access.yml --- .../process_access/sysmon_lazagne_cred_dump_lsass_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml index 2b57d3b48..34b5bf6aa 100644 --- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - TargetImage: '*\lsass.exe' + TargetImage|endswith: '\lsass.exe' CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*" GrantedAccess: "0x1FFFFF" condition: selection From 93faca413e8d212eaa10c85b080fcaa4a0557283 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:17:57 -0300 Subject: [PATCH 0519/1335] Update sysmon_lsass_memdump.yml --- rules/windows/process_access/sysmon_lsass_memdump.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml index 778afd9bc..ea72d46cc 100755 --- a/rules/windows/process_access/sysmon_lsass_memdump.yml +++ b/rules/windows/process_access/sysmon_lsass_memdump.yml 
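Review bot: `CallTrace: - '*unknown*'` keeps the old implicit-wildcard style directly below the converted `TargetImage|endswith`, which is exactly the inconsistency this series is removing; make it `CallTrace|contains:` / `- 'unknown'`. The `CallTrace` list and the rest of `selection` continue past the hunk, so check the remaining entries before converting, since a value with interior wildcards cannot be expressed with a single modifier.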
@@ -19,9 +19,9 @@ detection: selection: TargetImage: 'C:\windows\system32\lsass.exe' GrantedAccess: '0x1fffff' - CallTrace: - - '*dbghelp.dll*' - - '*dbgcore.dll*' + CallTrace|contains: + - 'dbghelp.dll' + - 'dbgcore.dll' condition: selection falsepositives: - unknown From e0c538fdd431ea4a11e97510051f5e005af1c406 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:19:06 -0300 Subject: [PATCH 0520/1335] Update sysmon_malware_verclsid_shellcode.yml --- .../process_access/sysmon_malware_verclsid_shellcode.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml index 2224ad19f..5a65e0bc0 100755 --- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml @@ -16,13 +16,13 @@ logsource: definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: - TargetImage: '*\verclsid.exe' + TargetImage|endswith: '\verclsid.exe' GrantedAccess: '0x1FFFFF' combination1: - CallTrace: '*|UNKNOWN(*VBE7.DLL*' + CallTrace|contains: '|UNKNOWN(*VBE7.DLL' combination2: - SourceImage: '*\Microsoft Office\\*' - CallTrace: '*|UNKNOWN*' + SourceImage|contains: '\Microsoft Office\\' + CallTrace|contains: '|UNKNOWN' condition: selection and 1 of combination* falsepositives: - unknown From bc1efd98437a4621a4da12ed58f9e0efc4b262b1 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:23:44 -0300 Subject: [PATCH 0521/1335] Update sysmon_logon_scripts_userinitmprlogonscript_proc.yml --- .../sysmon_logon_scripts_userinitmprlogonscript_proc.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 2b158b3a3..365be7dcf 100644 --- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -16,17 +16,17 @@ logsource: product: windows detection: exec_selection: - ParentImage: '*\userinit.exe' + ParentImage|endswith: '\userinit.exe' exec_exclusion1: - Image: '*\explorer.exe' + Image|endswith: '\explorer.exe' exec_exclusion2: CommandLine|contains: - 'netlogon.bat' - 'UsrLogon.cmd' create_keywords_cli: - CommandLine: '*UserInitMprLogonScript*' + CommandLine|contains: 'UserInitMprLogonScript' condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming -level: high \ No newline at end of file +level: high From 10522becc36d78a97cf68d450049a8d42b3e2a25 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:24:03 -0300 Subject: [PATCH 0522/1335] Update win_apt_apt29_thinktanks.yml --- rules/windows/process_creation/win_apt_apt29_thinktanks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 0e60a088c..9affc088f 100644 --- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - CommandLine: '*-noni -ep bypass $*' + CommandLine|contains: '-noni -ep bypass $' condition: selection falsepositives: - unknown From ca31849be12b2b7440cc9e2ae97febd8ba3be82a Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:24:56 -0300 Subject: [PATCH 0523/1335] Update win_apt_bear_activity_gtr19.yml --- .../process_creation/win_apt_bear_activity_gtr19.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index ec6dbff16..7f687adf7 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection1: - Image: '*\xcopy.exe' - CommandLine: '* /S /E /C /Q /H \\*' + Image|endswith: '\xcopy.exe' + CommandLine|contains: '/S /E /C /Q /H \\' selection2: - Image: '*\adexplorer.exe' - CommandLine: '* -snapshot "" c:\users\\*' + Image|endswith: '\adexplorer.exe' + CommandLine|contains: ' -snapshot "" c:\users\\' condition: selection1 or selection2 falsepositives: - unknown From 96ef4733c32107f16d4aac6f9486214bd6aa2808 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:25:17 -0300 Subject: [PATCH 0524/1335] Update win_apt_bluemashroom.yml --- rules/windows/process_creation/win_apt_bluemashroom.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index ba271c720..27a9f18be 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\regsvr32*\AppData\Local\\*' - - '*\AppData\Local\\*,DllEntry*' + CommandLine|contains: + - '\regsvr32*\AppData\Local\\' + - '\AppData\Local\\*,DllEntry' condition: selection falsepositives: - Unlikely From 2cdead8778a3ffa07f890d8a033ef4818b5ba734 Mon Sep 17 00:00:00 2001 
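Review bot: The xcopy pattern on the new side of win_apt_bear_activity_gtr19 lost its leading space — `CommandLine|contains: '/S /E /C /Q /H \\'` replaces `'* /S /E /C /Q /H \\*'` — while the adexplorer value two lines below keeps it (`' -snapshot "" c:\users\\'`). The leading space is what anchors the match to a switch sequence rather than to a substring of a longer token, so the conversion slightly broadens selection1 and is inconsistent with selection2. `CommandLine|contains: ' /S /E /C /Q /H \\'` keeps both selections faithful to the original.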
From: Jonhnathan Date: Thu, 15 Oct 2020 17:26:58 -0300 Subject: [PATCH 0525/1335] Update win_apt_chafer_mar18.yml --- .../process_creation/win_apt_chafer_mar18.yml | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 1662eac37..330f26b5c 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -52,13 +52,13 @@ logsource: detection: selection_reg1: EventID: 13 - TargetObject: - - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT' + TargetObject|endswith: + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' EventType: 'SetValue' selection_reg2: EventID: 13 - TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential' + TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential' EventType: 'SetValue' Details: 'DWORD (0x00000001)' --- @@ -67,13 +67,14 @@ logsource: product: windows detection: selection_process1: - CommandLine: - - '*\Service.exe i' - - '*\Service.exe u' - - '*\microsoft\Taskbar\autoit3.exe' - - 'C:\wsc.exe*' + CommandLine|endswith: + - '\Service.exe i' + - '\Service.exe u' + - '\microsoft\Taskbar\autoit3.exe' + CommandLine|startswith: + - 'C:\wsc.exe' selection_process2: - Image: '*\Windows\Temp\DB\\*.exe' + Image|startswith: '\Windows\Temp\DB\\*.exe' selection_process3: - CommandLine: '*\nslookup.exe -q=TXT*' - ParentImage: '*\Autoit*' + CommandLine|contains: '\nslookup.exe -q=TXT' + ParentImage|contains: '\Autoit' From 5eac9e5161b7de20af702e24d78ec2ea58f8eedd Mon Sep 17 00:00:00 2001 
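Review bot: In the second hunk (`@@ -67,13 +67,14 @@`), splitting the old `CommandLine` list into `CommandLine|endswith` and `CommandLine|startswith` inside the same `selection_process1` map turns OR into AND — Sigma ANDs the keys of a map — so a command line would now have to both start with `C:\wsc.exe` and end with one of the `\Service.exe`/`autoit3.exe` values, which no event satisfies. The same split appears in win_apt_hurricane_panda (`CommandLine|endswith` plus `CommandLine|contains` in one map) and in both win_apt_mustangpanda commits (`CommandLine|contains` plus `Commandline|endswith`); a list of maps, or one selection per modifier ORed in the condition, restores the original semantics in each. `Image|startswith: '\Windows\Temp\DB\\*.exe'` in `selection_process2` is also wrong: `Image` is a full path beginning with a drive letter, so a `startswith` on `\Windows` never matches, and the old `*\Windows\Temp\DB\\*.exe` is a contains plus an endswith. The `condition` line that references these selections is outside the hunk.
```yaml
    selection_process1:
      - CommandLine|endswith:
          - '\Service.exe i'
          - '\Service.exe u'
          - '\microsoft\Taskbar\autoit3.exe'
      - CommandLine|startswith: 'C:\wsc.exe'
    selection_process2:
      Image|contains: '\Windows\Temp\DB\\'
      Image|endswith: '.exe'
    # … unchanged: selection_process3 …
```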
From: Jonhnathan Date: Thu, 15 Oct 2020 17:27:27 -0300 Subject: [PATCH 0526/1335] Update win_apt_cloudhopper.yml --- rules/windows/process_creation/win_apt_cloudhopper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index f6cde4853..940696607 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - Image: '*\cscript.exe' - CommandLine: '*.vbs /shell *' + Image|endswith: '\cscript.exe' + CommandLine|contains: '.vbs /shell ' condition: selection fields: - CommandLine From d074ea110f5f377c5e724f543bbdd37db3a30829 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:27:42 -0300 Subject: [PATCH 0527/1335] Update win_apt_dragonfly.yml --- rules/windows/process_creation/win_apt_dragonfly.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml index 4c1593865..78c99ce92 100755 --- a/rules/windows/process_creation/win_apt_dragonfly.yml +++ b/rules/windows/process_creation/win_apt_dragonfly.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image: - - '*\crackmapexec.exe' + Image|endswith: + - '\crackmapexec.exe' condition: selection falsepositives: - None From 54f1a0c583f4180a1aecd0f37d46c66eb138ddf9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:28:07 -0300 Subject: [PATCH 0528/1335] Update win_apt_elise.yml --- rules/windows/process_creation/win_apt_elise.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index e392bbd7c..3758f698d 100755 --- a/rules/windows/process_creation/win_apt_elise.yml 
+++ b/rules/windows/process_creation/win_apt_elise.yml @@ -20,9 +20,9 @@ logsource: detection: selection1: Image: 'C:\Windows\SysWOW64\cmd.exe' - CommandLine: '*\Windows\Caches\NavShExt.dll *' + CommandLine|contains: '\Windows\Caches\NavShExt.dll ' selection2: - CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' + CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' condition: 1 of them falsepositives: - Unknown From 00232982b2357cc0908489cd5633496f83fc8b04 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:28:33 -0300 Subject: [PATCH 0529/1335] Update win_apt_emissarypanda_sep19.yml --- .../windows/process_creation/win_apt_emissarypanda_sep19.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml index 06a42220d..aae0f52a5 100644 --- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml @@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\sllauncher.exe' - Image: '*\svchost.exe' + ParentImage|endswith: '\sllauncher.exe' + Image|endswith: '\svchost.exe' condition: selection falsepositives: - Unknown From 8b593aa309ae98cafdad9281d68aa366853e41fa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:29:19 -0300 Subject: [PATCH 0530/1335] Update win_apt_empiremonkey.yml --- .../process_creation/win_apt_empiremonkey.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 4aa084419..55efdc512 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml 
@@ -22,13 +22,13 @@ logsource: product: windows detection: selection_cutil: - CommandLine: - - '*/i:%APPDATA%\logs.txt scrobj.dll' - Image: - - '*\cutil.exe' + CommandLine|endswith: + - '/i:%APPDATA%\logs.txt scrobj.dll' + Image|endswith: + - '\cutil.exe' selection_regsvr32: - CommandLine: - - '*/i:%APPDATA%\logs.txt scrobj.dll' + CommandLine|endswith: + - '/i:%APPDATA%\logs.txt scrobj.dll' Description: - Microsoft(C) Registerserver - \ No newline at end of file + From 0926d7644948e083b4828ff75afdf38f4c62738a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:29:44 -0300 Subject: [PATCH 0531/1335] Update win_apt_equationgroup_dll_u_load.yml --- .../process_creation/win_apt_equationgroup_dll_u_load.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 6eedefb4a..78748faa4 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -18,10 +18,10 @@ logsource: product: windows detection: selection1: - Image: '*\rundll32.exe' - CommandLine: '*,dll_u' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: ',dll_u' selection2: - CommandLine: '* -export dll_u *' + CommandLine|contains: ' -export dll_u ' condition: 1 of them falsepositives: - Unknown From 7f5c75ab3ed3c1ad640829e0400bdecabaae05c0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:30:34 -0300 Subject: [PATCH 0532/1335] Update win_apt_hurricane_panda.yml --- rules/windows/process_creation/win_apt_hurricane_panda.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml index 294a3484d..879954c8d 100755 --- a/rules/windows/process_creation/win_apt_hurricane_panda.yml 
+++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml @@ -15,9 +15,10 @@ logsource: product: windows detection: selection: - CommandLine: - - '* localgroup administrators admin /add' - - '*\Win64.exe*' + CommandLine|endswith: + - ' localgroup administrators admin /add' + CommandLine|contains: + - '\Win64.exe' condition: selection falsepositives: - Unknown From 01bf24b4fcf9cf465384af80ec46ad49fdb6bce0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:31:09 -0300 Subject: [PATCH 0533/1335] Update win_apt_judgement_panda_gtr19.yml --- .../win_apt_judgement_panda_gtr19.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index ca9d2189e..8cd9b5113 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -20,15 +20,15 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*\ldifde.exe -f -n *' - - '*\7za.exe a 1.7z *' - - '* eprod.ldf' - - '*\aaaa\procdump64.exe*' - - '*\aaaa\netsess.exe*' - - '*\aaaa\7za.exe*' - - '*copy .\1.7z \\*' - - '*copy \\client\c$\aaaa\\*' + CommandLine|contains: + - '\ldifde.exe -f -n ' + - '\7za.exe a 1.7z ' + - ' eprod.ldf' + - '\aaaa\procdump64.exe' + - '\aaaa\netsess.exe' + - '\aaaa\7za.exe' + - 'copy .\1.7z \\' + - 'copy \\client\c$\aaaa\\' selection2: Image: C:\Users\Public\7za.exe condition: selection1 or selection2 From a06114d6116d509f928aa522c0f3d3d9091cc61b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:31:50 -0300 Subject: [PATCH 0534/1335] Update win_apt_lazarus_session_highjack.yml --- .../win_apt_lazarus_session_highjack.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index ce5e14cc3..8e8cad6e9 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -15,13 +15,13 @@ logsource: product: windows detection: selection: - Image: - - '*\mstdc.exe' - - '*\gpvc.exe' + Image|endswith: + - '\mstdc.exe' + - '\gpvc.exe' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' + Image|startswith: + - 'C:\Windows\System32\\' + - 'C:\Windows\SysWOW64\\' condition: selection and not filter falsepositives: - unknown From 82fbfed2c2319acd4eefa9dba5d2694de546172a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:33:02 -0300 Subject: [PATCH 0535/1335] Update win_apt_mustangpanda.yml --- .../process_creation/win_apt_mustangpanda.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index 28fa66924..252b8ab46 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -13,12 +13,13 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*Temp\wtask.exe /create*' - - '*%windir:~-3,1%%PUBLIC:~-9,1%*' - - '*/E:vbscript * C:\Users\\*.txt" /F' - - '*/tn "Security Script *' - - '*%windir:~-1,1%*' + CommandLine|endswith: + - 'Temp\wtask.exe /create*' + - '%windir:~-3,1%%PUBLIC:~-9,1%*' + - '/tn "Security Script *' + - '%windir:~-1,1%*' + Commandline|startswith: + - '/E:vbscript * C:\Users\\*.txt" /F' selection2: Image: - '*Temp\winwsh.exe' From c547011499923349a819d739f6ec896fb0bd768a Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:33:44 -0300 Subject: [PATCH 0536/1335] Update win_apt_mustangpanda.yml --- .../process_creation/win_apt_mustangpanda.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index 252b8ab46..cef514b27 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -13,12 +13,12 @@ logsource: product: windows detection: selection1: - CommandLine|endswith: - - 'Temp\wtask.exe /create*' - - '%windir:~-3,1%%PUBLIC:~-9,1%*' - - '/tn "Security Script *' - - '%windir:~-1,1%*' - Commandline|startswith: + CommandLine|contains: + - 'Temp\wtask.exe /create' + - '%windir:~-3,1%%PUBLIC:~-9,1%' + - '/tn "Security Script ' + - '%windir:~-1,1%' + Commandline|endswith: - '/E:vbscript * C:\Users\\*.txt" /F' selection2: Image: From 3b78c473c827aced5f4c2d5a938a65300074f75a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:35:05 -0300 Subject: [PATCH 0537/1335] Update win_apt_slingshot.yml --- rules/windows/process_creation/win_apt_slingshot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 7a2ecc297..63303b507 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml @@ -21,8 +21,8 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*schtasks* /delete *Defrag\ScheduledDefrag*' + CommandLine|contains: + - 'schtasks* /delete *Defrag\ScheduledDefrag' --- logsource: product: windows From 126fc471018f0b8ab79df0308863d55713315718 Mon Sep 17 00:00:00 2001 
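Review bot: `Commandline|endswith` in selection1 of win_apt_mustangpanda spells the field with a lowercase `l`, unlike `CommandLine|contains` four lines above; Sigma field names are taken as written and resolved through the backend's field mapping, so this key is not the process command line and the `/E:vbscript * C:\Users\\*.txt" /F` pattern would silently stop matching (or fail conversion, depending on backend). It should read `CommandLine|endswith:`. The typo was carried over from the previous commit in this series (`[PATCH 0535/1335]`) rather than introduced here.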
From: Jonhnathan Date: Thu, 15 Oct 2020 17:35:41 -0300 Subject: [PATCH 0538/1335] Update win_apt_tropictrooper.yml --- rules/windows/process_creation/win_apt_tropictrooper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml index 9cfbe54c6..70dcfd75e 100644 --- a/rules/windows/process_creation/win_apt_tropictrooper.yml +++ b/rules/windows/process_creation/win_apt_tropictrooper.yml @@ -16,6 +16,6 @@ logsource: product: windows detection: selection: - CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' + CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc' condition: selection level: high From 5e3b9dc8ba1a72ded0a86a60a8cfa454cdadeba9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:36:20 -0300 Subject: [PATCH 0539/1335] Update win_apt_unidentified_nov_18.yml --- .../process_creation/win_apt_unidentified_nov_18.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index b36bd2f40..31c15cc9d 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -22,7 +22,7 @@ logsource: product: windows detection: selection1: - CommandLine: '*cyzfc.dat, PointFunctionCall' + CommandLine|endswith: 'cyzfc.dat, PointFunctionCall' --- # Sysmon: File Creation (ID 11) logsource: @@ -31,5 +31,5 @@ logsource: detection: selection2: EventID: 11 - TargetFilename: - - '*ds7002.lnk*' \ No newline at end of file + TargetFilename|contains: + - 'ds7002.lnk' From 247a4101a766707bbb7c1af81b524f4e0cc87a0a Mon Sep 17 00:00:00 2001 
From: uchakin <50711155+400notOK@users.noreply.github.com> Date: Thu, 15 Oct 2020 23:37:11 +0300 Subject: [PATCH 0540/1335] Update sysmon_load_undocumented_autoelevated_com_interface.yml --- .../sysmon_load_undocumented_autoelevated_com_interface.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 3370443a9..85f1f5fb7 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - CallTrace|contains: '*editionupgrademanagerobj.dll*' + CallTrace|contains: 'editionupgrademanagerobj.dll' condition: selection fields: - ComputerName From ae95b5e9989c514adbcf882e76da353345c74050 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:38:05 -0300 Subject: [PATCH 0541/1335] Update win_apt_wocao.yml --- rules/windows/process_creation/win_apt_wocao.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml index 20307a723..6ddaacd92 100644 --- a/rules/windows/process_creation/win_apt_wocao.yml +++ b/rules/windows/process_creation/win_apt_wocao.yml @@ -32,7 +32,7 @@ detection: selection: EventID: 4799 GroupName: 'Administrators' - ProcessName: '*\checkadmin.exe' + ProcessName|endswith: '\checkadmin.exe' condition: selection --- logsource: @@ -51,4 +51,4 @@ detection: - 'type *keepass\KeePass.config.xml' - 'iie.exe iie.txt' - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\' - condition: selection \ No newline at end of file + condition: selection From afc52e5da5a45b6b944d4f27ed98f9c0e298cd0c Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:40:07 -0300 Subject: [PATCH 0542/1335] Update win_apt_zxshell.yml --- rules/windows/process_creation/win_apt_zxshell.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index fc17af95c..527ad2067 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -21,9 +21,12 @@ logsource: detection: selection: CommandLine|contains: - - 'rundll32.exe *,zxFunction*' - - 'rundll32.exe *,RemoteDiskXXXXX' - condition: selection + - 'rundll32.exe' + selection2: + CommandLine|contains: + - 'zxFunction' + - 'RemoteDiskXXXXX' + condition: selection and selection2 fields: - CommandLine - ParentCommandLine From 63dc8ce8375f29b95e9d4a14ab56038920135332 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:41:44 -0300 Subject: [PATCH 0543/1335] Update win_attrib_hiding_files.yml --- .../windows/process_creation/win_attrib_hiding_files.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml index 9e403128b..ca50c3bc1 100644 --- a/rules/windows/process_creation/win_attrib_hiding_files.yml +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml @@ -10,12 +10,12 @@ logsource: product: windows detection: selection: - Image: '*\attrib.exe' - CommandLine: '* +h *' + Image|endswith: '\attrib.exe' + CommandLine|contains: ' +h ' ini: - CommandLine: '*\desktop.ini *' + CommandLine|contains: '\desktop.ini ' intel: - ParentImage: '*\cmd.exe' + ParentImage|endswith: '\cmd.exe' CommandLine: +R +H +S +A \\*.cui ParentCommandLine: C:\WINDOWS\system32\\*.bat condition: selection and not (ini or intel) From f995f9fa1dfc61ac0aee8545c6bb660636f56230 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:44:51 -0300 Subject: [PATCH 0544/1335] Update win_bypass_squiblytwo.yml Changed selection a bit --- .../process_creation/win_bypass_squiblytwo.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 87c001abf..6cc7c95cd 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -26,17 +26,16 @@ detection: selection1: Image: - '*\wmic.exe' - CommandLine: - - wmic * *format:\"http* - - wmic * /format:'http - - wmic * /format:http* + CommandLine|contains|all: + - wmic + - format + - http selection2: Imphash: - 1B1A3F43BF37B5BFE60751F2EE2F326E - 37777A96245A3C74EB217308F3546F4C - 9D87C9D67CE724033C0B40CC4CA1B206 - CommandLine: - - '* *format:\"http*' - - '* /format:''http' - - '* /format:http*' + CommandLine|contains|all: + - 'format:' + - 'http' condition: 1 of them From 1ea8adea31bac2c7753bafe0ce844af30e9cbefa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:46:14 -0300 Subject: [PATCH 0545/1335] Update win_cmdkey_recon.yml --- rules/windows/process_creation/win_cmdkey_recon.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml index ca801d0e6..bc9d89c74 100644 --- a/rules/windows/process_creation/win_cmdkey_recon.yml +++ b/rules/windows/process_creation/win_cmdkey_recon.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Image: '*\cmdkey.exe' - CommandLine: '* /list *' + Image|endswith: '\cmdkey.exe' + CommandLine|contains: ' /list ' condition: selection fields: - CommandLine From 9d2ae693fc0104d7d69b82b8c1ee7126e527ee5e Mon Sep 17 00:00:00 2001 
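Review bot: `CommandLine|contains|all` with the bare tokens `wmic`, `format` and `http` in selection1 of win_bypass_squiblytwo is far broader than the three patterns it replaces, which all required `format:` directly followed by an `http` string; now any wmic command line that mentions `format` and an `http` string anywhere in its arguments (for example `/format:htable` alongside a URL) matches. selection2 keeps `'format:'`, so selection1 should at least use `'format:'` as well, and since `Image` already pins wmic.exe the `wmic` token adds nothing. The `Image` value `'*\wmic.exe'` on the context line above still uses the old wildcard form and could become `Image|endswith: '\wmic.exe'` for consistency with the rest of this series.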
From: Jonhnathan Date: Thu, 15 Oct 2020 17:47:25 -0300 Subject: [PATCH 0546/1335] Update win_control_panel_item.yml --- .../process_creation/win_control_panel_item.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index eda30b845..02f827c26 100644 --- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml @@ -21,17 +21,17 @@ logsource: category: process_creation detection: selection1: - CommandLine: '*.cpl' + CommandLine|endswith: '.cpl' filter: - CommandLine: - - '*\System32\\*' - - '*%System%*' + CommandLine|contains: + - '\System32\\' + - '%System%' selection2: - CommandLine: - - '*reg add*' + CommandLine|contains: + - 'reg add' selection3: - CommandLine: - - '*CurrentVersion\\Control Panel\\CPLs*' + CommandLine|contains: + - 'CurrentVersion\\Control Panel\\CPLs' condition: (selection1 and not filter) or (selection2 and selection3) falsepositives: - Unknown From 1f7f0956af2d124e5613ebcc8dd83d1a17b3c489 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:48:37 -0300 Subject: [PATCH 0547/1335] Update win_crime_fireball.yml --- rules/windows/process_creation/win_crime_fireball.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml index c21b53e8e..53977514b 100755 --- a/rules/windows/process_creation/win_crime_fireball.yml +++ b/rules/windows/process_creation/win_crime_fireball.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - CommandLine: '*\rundll32.exe *,InstallArcherSvc' + CommandLine|contains|all: + - 'rundll32.exe' + - 'InstallArcherSvc' condition: selection fields: - CommandLine From 9f467f66e6d3aeddb30759f031d233222bf00713 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:49:18 -0300 Subject: [PATCH 0548/1335] Update win_dns_exfiltration_tools_execution.yml --- .../process_creation/win_dns_exfiltration_tools_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml index 1cd5cc9fb..478b80d63 100644 --- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -19,7 +19,7 @@ logsource: product: windows detection: selection: - - Image|endswith: '*\iodine.exe' + - Image|endswith: '\iodine.exe' - Image|contains: '\dnscat2' condition: selection falsepositives: From a3f59d6f036967229ac31bca64e546f1d959a275 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:49:36 -0300 Subject: [PATCH 0549/1335] Update win_dnscat2_powershell_implementation.yml --- .../win_dnscat2_powershell_implementation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml index 55bbc427e..fc04df4ce 100644 --- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml +++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml @@ -19,9 +19,9 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '*\powershell.exe' - Image|endswith: '*\nslookup.exe' - CommandLine|endswith: '*\nslookup.exe' + ParentImage|endswith: '\powershell.exe' + Image|endswith: '\nslookup.exe' + CommandLine|endswith: '\nslookup.exe' condition: selection | count(Image) by ParentImage > 100 fields: - Image From 890e256305a7eb9e1bdc0ad553ee5f3dd4839baa Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:50:55 -0300 Subject: [PATCH 0550/1335] Update win_exploit_cve_2015_1641.yml --- rules/windows/process_creation/win_exploit_cve_2015_1641.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml index c2a463b9d..0a4f43d3b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\MicroScMgmt.exe' + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\MicroScMgmt.exe' condition: selection falsepositives: - Unknown From e163bb18ef0816770519e52ec1d04da82850713a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:51:09 -0300 Subject: [PATCH 0551/1335] Update win_exploit_cve_2017_0261.yml --- rules/windows/process_creation/win_exploit_cve_2017_0261.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml index 1e17dad10..b96139734 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml @@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\FLTLDR.exe*' + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\FLTLDR.exe*' condition: selection falsepositives: - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) From e5506f4de1eef50263ce38d35b9861626b75ebe3 Mon Sep 17 00:00:00 2001 
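Review bot: `Image|endswith: '\FLTLDR.exe*'` in win_exploit_cve_2017_0261 keeps a trailing `*` inside an `endswith` value, which is contradictory: the modifier already supplies the anchoring wildcard, and the embedded one turns the match back into a contains while reading as a suffix match. Since `Image` is a full executable path, `Image|endswith: '\FLTLDR.exe'` expresses the intent and mirrors the `ParentImage|endswith: '\WINWORD.EXE'` line above it. The neighbouring rules converted in this series (win_exploit_cve_2015_1641, win_exploit_cve_2017_8759) already use that form.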
From: Jonhnathan Date: Thu, 15 Oct 2020 17:51:20 -0300 Subject: [PATCH 0552/1335] Update win_exploit_cve_2017_11882.yml --- rules/windows/process_creation/win_exploit_cve_2017_11882.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml index 02ea83404..a21fcfead 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml @@ -21,7 +21,7 @@ logsource: product: windows detection: selection: - ParentImage: '*\EQNEDT32.EXE' + ParentImage|endswith: '\EQNEDT32.EXE' condition: selection fields: - CommandLine From 2b8f770b9041f3b88aba9e7df2d096db0e255c6d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:51:34 -0300 Subject: [PATCH 0553/1335] Update win_exploit_cve_2017_8759.yml --- rules/windows/process_creation/win_exploit_cve_2017_8759.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 337b97c0d..03801e753 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml @@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\csc.exe' + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\csc.exe' condition: selection falsepositives: - Unknown From d7b63b8245f4cf38dd092366f73c9859e654180b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:51:58 -0300 Subject: [PATCH 0554/1335] Update win_exploit_cve_2019_1378.yml --- .../win_exploit_cve_2019_1378.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index 33b575a86..0a2837c40 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml @@ -19,15 +19,15 @@ logsource: product: windows detection: selection: - ParentCommandLine: - - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' - - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' + ParentCommandLine|endswith: + - '\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' + - '\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\WinSxS\\*' - - 'C:\Windows\Setup\\*' + Image|startswith: + - 'C:\Windows\System32\\' + - 'C:\Windows\SysWOW64\\' + - 'C:\Windows\WinSxS\\' + - 'C:\Windows\Setup\\' condition: selection and not filter falsepositives: - Unknown From febe489c99467e321fee591bce0da4f0316dfda9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:52:40 -0300 Subject: [PATCH 0555/1335] Update win_exploit_cve_2019_1388.yml --- .../windows/process_creation/win_exploit_cve_2019_1388.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml index a882d4e9a..ffec6797d 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - ParentImage: '*\consent.exe' - Image: '*\iexplore.exe' - CommandLine: '* http*' + ParentImage|endswith: '\consent.exe' + Image|endswith: '\iexplore.exe' + CommandLine|contains: ' http' rights1: IntegrityLevel: 'System' # for Sysmon users rights2: 
From 61a2f105c2fbe1b8afd37b21776ff0e122c24bbf Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:52:53 -0300 Subject: [PATCH 0556/1335] Update win_exploit_cve_2020_10189.yml --- .../windows/process_creation/win_exploit_cve_2020_10189.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index c23014f1f..10aaacd2b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml @@ -25,9 +25,9 @@ detection: selection: ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe' Image|endswith: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\bitsadmin.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\bitsadmin.exe' condition: selection falsepositives: - Unknown From f44eb6345cfc0fdf2e03301de121eeb680d4f724 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:53:20 -0300 Subject: [PATCH 0557/1335] Update win_grabbing_sensitive_hives_via_reg.yml --- .../process_creation/win_grabbing_sensitive_hives_via_reg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml index c49df6bc1..a0ae78a12 100644 --- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml @@ -19,7 +19,7 @@ logsource: product: windows detection: selection_1: - Image: '*\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains: - 'save' - 'export' From 0b52f1463955c55073cefe807c28a8d842ad9731 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:53:44 -0300 Subject: [PATCH 0558/1335] Update win_hack_koadic.yml --- rules/windows/process_creation/win_hack_koadic.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml index 26057c10f..9fd0d7233 100644 --- a/rules/windows/process_creation/win_hack_koadic.yml +++ b/rules/windows/process_creation/win_hack_koadic.yml @@ -21,8 +21,8 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*cmd.exe* /q /c chcp *' + CommandLine|contains: + - 'cmd.exe* /q /c chcp ' condition: selection1 fields: - CommandLine From 3cde51f97b36730b9a1e229fb4dc4432384cd4bc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:54:20 -0300 Subject: [PATCH 0559/1335] Update win_hack_rubeus.yml --- .../process_creation/win_hack_rubeus.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index 491c60ad3..02f977365 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml @@ -18,16 +18,16 @@ logsource: product: windows detection: selection: - CommandLine: - - '* asreproast *' - - '* dump /service:krbtgt *' - - '* kerberoast *' - - '* createnetonly /program:*' - - '* ptt /ticket:*' - - '* /impersonateuser:*' - - '* renew /ticket:*' - - '* asktgt /user:*' - - '* harvest /interval:*' + CommandLine|contains: + - ' asreproast ' + - ' dump /service:krbtgt ' + - ' kerberoast ' + - ' createnetonly /program:' + - ' ptt /ticket:' + - ' /impersonateuser:' + - ' renew /ticket:' + - ' asktgt /user:' + - ' harvest /interval:' condition: selection falsepositives: - unlikely From d1e447a3fdc0837243c3284692bc89d9f8b8c4ae Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 17:54:42 -0300 Subject: [PATCH 0560/1335] Update win_hktl_createminidump.yml --- rules/windows/process_creation/win_hktl_createminidump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index e10dfac4e..13239e5f1 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -30,5 +30,5 @@ logsource: detection: selection: EventID: 11 - TargetFilename|contains: '*\lsass.dmp' + TargetFilename|contains: '\lsass.dmp' condition: 1 of them From 9e99832b76f7555224b7dfa65a607f241dfd0d5d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:55:04 -0300 Subject: [PATCH 0561/1335] Update win_hwp_exploits.yml --- rules/windows/process_creation/win_hwp_exploits.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml index 206d5ab97..e21047809 100644 --- a/rules/windows/process_creation/win_hwp_exploits.yml +++ b/rules/windows/process_creation/win_hwp_exploits.yml @@ -25,8 +25,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\Hwp.exe' - Image: '*\gbb.exe' + ParentImage|endswith: '\Hwp.exe' + Image|endswith: '\gbb.exe' condition: selection falsepositives: - Unknown From 7c6f6adbcc901f3f55801924f02b64c3d88ec693 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:56:15 -0300 Subject: [PATCH 0562/1335] Update win_impacket_lateralization.yml --- .../win_impacket_lateralization.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index ad6f147c2..e27b18f3d 100644 
--- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -32,17 +32,18 @@ detection: # parent is services.exe # example: # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat - ParentImage: - - '*\wmiprvse.exe' # wmiexec - - '*\mmc.exe' # dcomexec MMC - - '*\explorer.exe' # dcomexec ShellBrowserWindow - - '*\services.exe' # smbexec - CommandLine: - - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*' + ParentImage|endswith: + - '\wmiprvse.exe' # wmiexec + - '\mmc.exe' # dcomexec MMC + - '\explorer.exe' # dcomexec ShellBrowserWindow + - '\services.exe' # smbexec + CommandLine|contains: + - 'cmd.exe* /Q /c * \\\\127.0.0.1\\*&1' selection_atexec: - ParentCommandLine: - - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") + ParentCommandLine|endswith: + - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") + ParentCommandLine|startswith: + - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 CommandLine: - 'cmd.exe /C *Windows\\Temp\\*&1' From 326122c7985d2c105f81c4b1b0371ebd003728aa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:57:43 -0300 Subject: [PATCH 0563/1335] Update win_install_reg_debugger_backdoor.yml --- .../win_install_reg_debugger_backdoor.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
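Review bot: `ParentCommandLine|endswith` and `ParentCommandLine|startswith` are two keys of the same `selection_atexec` map, and keys within one Sigma selection are ANDed, so the new code requires a parent command line that both starts with `taskeng.exe` and ends with `svchost.exe -k netsvcs` — nothing can match, whereas the removed single list was an OR over the two values. Keep them as one field with one list, e.g. `ParentCommandLine|contains:` with `- 'svchost.exe -k netsvcs'` and `- 'taskeng.exe'`, or split them into two selections and adjust the condition, which is outside this hunk. The `selection_atexec` map continues past the end of the hunk.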
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml index b21725e19..351f36687 100644 --- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml @@ -16,14 +16,14 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\CurrentVersion\Image File Execution Options\sethc.exe*' - - '*\CurrentVersion\Image File Execution Options\utilman.exe*' - - '*\CurrentVersion\Image File Execution Options\osk.exe*' - - '*\CurrentVersion\Image File Execution Options\magnify.exe*' - - '*\CurrentVersion\Image File Execution Options\narrator.exe*' - - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*' - - '*\CurrentVersion\Image File Execution Options\atbroker.exe*' + CommandLine|contains: + - '\CurrentVersion\Image File Execution Options\sethc.exe' + - '\CurrentVersion\Image File Execution Options\utilman.exe' + - '\CurrentVersion\Image File Execution Options\osk.exe' + - '\CurrentVersion\Image File Execution Options\magnify.exe' + - '\CurrentVersion\Image File Execution Options\narrator.exe' + - '\CurrentVersion\Image File Execution Options\displayswitch.exe' + - '\CurrentVersion\Image File Execution Options\atbroker.exe' condition: selection falsepositives: - Penetration Tests From cc31cf6196d7c7e3fe5842e9de4e8aa2441d29e8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:58:14 -0300 Subject: [PATCH 0564/1335] Update win_lethalhta.yml --- rules/windows/process_creation/win_lethalhta.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml index 7fb6e101a..f3b83068d 100644 --- a/rules/windows/process_creation/win_lethalhta.yml +++ b/rules/windows/process_creation/win_lethalhta.yml 
@@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\svchost.exe' - Image: '*\mshta.exe' + ParentImage|endswith: '\svchost.exe' + Image|endswith: '\mshta.exe' condition: selection falsepositives: - Unknown From 3ca298882813d53f91394c314d1799b58bf52e1d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:59:04 -0300 Subject: [PATCH 0565/1335] Update win_mal_adwind.yml --- rules/windows/process_creation/win_mal_adwind.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 574c7e182..a59ca3724 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -23,9 +23,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\AppData\Roaming\Oracle*\java*.exe *' - - '*cscript.exe *Retrive*.vbs *' + CommandLine|contains: + - '\AppData\Roaming\Oracle*\java*.exe ' + - 'cscript.exe *Retrive*.vbs ' --- logsource: product: windows @@ -33,9 +33,9 @@ logsource: detection: selection: EventID: 11 - TargetFilename: - - '*\AppData\Roaming\Oracle\bin\java*.exe' - - '*\Retrive*.vbs' + TargetFilename|endswith: + - '\AppData\Roaming\Oracle\bin\java*.exe' + - '\Retrive*.vbs' --- logsource: product: windows @@ -43,5 +43,5 @@ logsource: detection: selection: EventID: 13 - TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* + TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details: '%AppData%\Roaming\Oracle\bin\\*' From 483748c2c3b8a2c998fa69d476ca431d768545f5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:59:24 -0300 Subject: [PATCH 0566/1335] Update win_mal_adwind.yml --- rules/windows/process_creation/win_mal_adwind.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index a59ca3724..f1836a991 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -44,4 +44,4 @@ detection: selection: EventID: 13 TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Details: '%AppData%\Roaming\Oracle\bin\\*' + Details|startswith: '%AppData%\Roaming\Oracle\bin\\' From 885afd7b6006a9b5d523464103f8245fa2893fe6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 17:59:57 -0300 Subject: [PATCH 0567/1335] Update win_malware_dridex.yml --- rules/windows/process_creation/win_malware_dridex.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 9040595c6..90493846b 100644 --- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -19,12 +19,12 @@ logsource: product: windows detection: selection1: - CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' + CommandLine|contains: '\svchost.exe C:\Users\\*\Desktop\\' selection2: - ParentImage: '*\svchost.exe*' - CommandLine: - - '*whoami.exe /all' - - '*net.exe view' + ParentImage|contains: '\svchost.exe' + CommandLine|endswith: + - 'whoami.exe /all' + - 'net.exe view' condition: 1 of them falsepositives: - Unlikely From 035cd43e58c22a8c31f45cf18b75bf75978d8179 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:00:12 -0300 Subject: [PATCH 0568/1335] Update win_malware_dtrack.yml --- rules/windows/process_creation/win_malware_dtrack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml index 722a2781c..e5e429be7 100644 
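Review bot: `ParentImage|contains: '\svchost.exe'` in win_malware_dridex is looser than the rest of this series, where image paths are matched with `|endswith`; `ParentImage` is a path field, so the trailing wildcard of the old `'*\svchost.exe*'` bought nothing, and `contains` also accepts names such as `\svchost.exe.tmp`. Prefer `ParentImage|endswith: '\svchost.exe'` for consistency with `selection1` and the sibling rules.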
--- a/rules/windows/process_creation/win_malware_dtrack.yml +++ b/rules/windows/process_creation/win_malware_dtrack.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - CommandLine: '* echo EEEE > *' + CommandLine|contains: ' echo EEEE > ' condition: selection fields: - CommandLine From d962e5b8442cc6911b55378fb96f237e07101544 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:01:00 -0300 Subject: [PATCH 0569/1335] Update win_malware_emotet.yml --- .../process_creation/win_malware_emotet.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml index de9119227..aa1db398b 100644 --- a/rules/windows/process_creation/win_malware_emotet.yml +++ b/rules/windows/process_creation/win_malware_emotet.yml @@ -21,15 +21,15 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -e* PAA*' - - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*' # $env:userprofile - - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*' # $env:userprofile - - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*' # $env:userprofile - - '*IgAoACcAKgAnACkAOwAkA*' # "('*');$ - - '*IAKAAnACoAJwApADsAJA*' # "('*');$ - - '*iACgAJwAqACcAKQA7ACQA*' # "('*');$ - - '*JABGAGwAeAByAGgAYwBmAGQ*' + CommandLine|contains: + - ' -e* PAA' + - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile + - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile + - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile + - 'IgAoACcAKgAnACkAOwAkA' # "('*');$ + - 'IAKAAnACoAJwApADsAJA' # "('*');$ + - 'iACgAJwAqACcAKQA7ACQA' # "('*');$ + - 'JABGAGwAeAByAGgAYwBmAGQ' condition: selection fields: - CommandLine From 99451424f6870fe59f3a55079bfe0c1889477041 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 18:01:21 -0300 Subject: [PATCH 0570/1335] Update win_malware_formbook.yml --- rules/windows/process_creation/win_malware_formbook.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index 6f5e41b32..83aad0b77 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml @@ -22,10 +22,10 @@ detection: ParentCommandLine: - 'C:\Windows\System32\\*.exe' - 'C:\Windows\SysWOW64\\*.exe' - CommandLine: - - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' - - '* /c del "C:\Users\\*\Desktop\\*.exe' - - '* /C type nul > "C:\Users\\*\Desktop\\*.exe' + CommandLine|endswith: + - ' /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' + - ' /c del "C:\Users\\*\Desktop\\*.exe' + - ' /C type nul > "C:\Users\\*\Desktop\\*.exe' condition: selection fields: - CommandLine From da7648f154ac8a0fa91f3d375e2fa066a13fbc1f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:02:08 -0300 Subject: [PATCH 0571/1335] Update win_malware_notpetya.yml --- .../windows/process_creation/win_malware_notpetya.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 6604463a2..8b6b8d3d2 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml 
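Review bot: The three new `CommandLine|endswith` values end in `.exe`, yet each opens a double quote (`del "C:\Users\...`) that the pattern never closes; if the logged command line closes the quote, as a quoted path normally does, an `endswith` on `.exe` cannot match. The removed `'* /c del ... .exe'` form had the same implicit anchoring, so this is pre-existing, but making it an explicit `endswith` is the moment to check against a sample. `CommandLine|contains` with the same values, or keeping `endswith` with a closing `"` appended, would be the fix; the `selection` map starts before this hunk.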
@@ -24,12 +24,12 @@ logsource: product: windows detection: pipe_com: - CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*' + CommandLine|contains: '\AppData\Local\Temp\\* \\.\pipe\\' rundll32_dash1: - Image: '*\rundll32.exe' - CommandLine: '*.dat,#1' - perfc_keyword: - - '*\perfc.dat*' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '.dat,#1' + perfc_keyword|contains: + - '\perfc.dat' condition: 1 of them fields: - CommandLine From 3152b8f174e3698990ce9405a57d1b0e35c0cccd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:02:35 -0300 Subject: [PATCH 0572/1335] Update win_malware_qbot.yml --- rules/windows/process_creation/win_malware_qbot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml index ecd1f0fb1..5af650335 100644 --- a/rules/windows/process_creation/win_malware_qbot.yml +++ b/rules/windows/process_creation/win_malware_qbot.yml @@ -18,10 +18,10 @@ logsource: product: windows detection: selection1: - ParentImage: '*\WinRAR.exe' - Image: '*\wscript.exe' + ParentImage|endswith: '\WinRAR.exe' + Image|endswith: '\wscript.exe' selection2: - CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *' + CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type ' condition: selection1 or selection2 fields: - CommandLine From 11380518d2243618e0cdefcc3e79bf5d70e0e1bb Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:04:48 -0300 Subject: [PATCH 0573/1335] Update win_malware_script_dropper.yml --- .../win_malware_script_dropper.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index d7a8819d3..1469fb9d7 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml 
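Review bot: `perfc_keyword|contains:` in win_malware_notpetya attaches a modifier to a selection name rather than a field: `perfc_keyword` is a keyword-list selection (a bare list with no field), so the `|contains` is just part of a new identifier and has no matching effect, while dropping the `*` from `'*\perfc.dat*'` changes what a keyword search for that string matches on backends that do not treat bare terms as substrings. Either keep the keyword form, `perfc_keyword:` with `- '*\perfc.dat*'`, or turn it into a field match, `perfc_keyword:` over `CommandLine|contains: '\perfc.dat'`. `condition: 1 of them` will pick up whatever identifier ends up here, so a sigmac compile would show whether a modifier-bearing selection name is even accepted.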
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -16,22 +16,22 @@ logsource: product: windows detection: selection: - Image: - - '*\wscript.exe' - - '*\cscript.exe' - CommandLine: - - '* C:\Users\\*.jse *' - - '* C:\Users\\*.vbe *' - - '* C:\Users\\*.js *' - - '* C:\Users\\*.vba *' - - '* C:\Users\\*.vbs *' - - '* C:\ProgramData\\*.jse *' - - '* C:\ProgramData\\*.vbe *' - - '* C:\ProgramData\\*.js *' - - '* C:\ProgramData\\*.vba *' - - '* C:\ProgramData\\*.vbs *' + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + CommandLine|contains: + - ' C:\Users\\*.jse ' + - ' C:\Users\\*.vbe ' + - ' C:\Users\\*.js ' + - ' C:\Users\\*.vba ' + - ' C:\Users\\*.vbs ' + - ' C:\ProgramData\\*.jse ' + - ' C:\ProgramData\\*.vbe ' + - ' C:\ProgramData\\*.js ' + - ' C:\ProgramData\\*.vba ' + - ' C:\ProgramData\\*.vbs ' falsepositive: - ParentImage: '*\winzip*' + ParentImage|contains: '\winzip' condition: selection and not falsepositive fields: - CommandLine From 0f6edaf3f4d5d62c8497cb35882a5f6b784d0974 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:05:41 -0300 Subject: [PATCH 0574/1335] Update win_malware_trickbot_recon_activity.yml --- .../win_malware_trickbot_recon_activity.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml index 98ac3d2c5..1667e479c 100644 --- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - Image: - - '*\nltest.exe' + Image|endswith: + - '\nltest.exe' CommandLine: - '/domain_trusts /all_trusts' - '/domain_trusts' @@ -26,4 +26,4 @@ fields: - ParentCommandLine falsepositives: - Rare System Admin Activity -level: critical \ No newline at end of file +level: critical 
From 3e7c770ef9c56dc01e868009b596019272df8611 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:06:22 -0300 Subject: [PATCH 0575/1335] Update win_malware_wannacry.yml --- .../process_creation/win_malware_wannacry.yml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 262ee8eee..1f6356f3a 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -23,25 +23,25 @@ logsource: product: windows detection: selection1: - Image: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\@WanaDecryptor@*' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' - - '*\linuxnew.exe' - - '*\wannacry.exe' + Image|endswith: + - '\tasksche.exe' + - '\mssecsvc.exe' + - '\taskdl.exe' + - '\@WanaDecryptor@*' + - '\WanaDecryptor*' + - '\taskhsvc.exe' + - '\taskse.exe' + - '\111.exe' + - '\lhdfrgui.exe' + - '\diskpart.exe' + - '\linuxnew.exe' + - '\wannacry.exe' selection2: - CommandLine: - - '*icacls * /grant Everyone:F /T /C /Q*' - - '*bcdedit /set {default} recoveryenabled no*' - - '*wbadmin delete catalog -quiet*' - - '*@Please_Read_Me@.txt*' + CommandLine|contains: + - 'icacls * /grant Everyone:F /T /C /Q' + - 'bcdedit /set {default} recoveryenabled no' + - 'wbadmin delete catalog -quiet' + - '@Please_Read_Me@.txt' condition: 1 of them fields: - CommandLine From 247a85e04adeb2ccc0ac8eb940bffbcd74d3cd4c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:06:51 -0300 Subject: [PATCH 0576/1335] Update win_mavinject_proc_inj.yml --- rules/windows/process_creation/win_mavinject_proc_inj.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml index 5fc53cdde..f99d8cfb9 100644 --- a/rules/windows/process_creation/win_mavinject_proc_inj.yml +++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml @@ -18,7 +18,7 @@ logsource: product: windows detection: selection: - CommandLine: '* /INJECTRUNNING *' + CommandLine|contains: ' /INJECTRUNNING ' condition: selection falsepositives: - unknown From e0ff1c09c955ae16969df43e5de40b66936189e8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:08:49 -0300 Subject: [PATCH 0577/1335] Update win_mmc_spawn_shell.yml --- .../process_creation/win_mmc_spawn_shell.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index f5c4ef1a5..3e1938645 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml @@ -16,17 +16,17 @@ logsource: product: windows detection: selection: - ParentImage: '*\mmc.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' + ParentImage|endswith: '*\mmc.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' + - '\BITSADMIN*' condition: selection fields: - CommandLine From 5a0c7f6d1134fc1d6aa07f014ba89dca28f8e712 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:09:27 -0300 Subject: [PATCH 0578/1335] Update win_mmc_spawn_shell.yml --- rules/windows/process_creation/win_mmc_spawn_shell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index 3e1938645..c54953edd 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '*\mmc.exe' + ParentImage|endswith: '\mmc.exe' Image|endswith: - '\cmd.exe' - '\powershell.exe' From 143f9d00c56526bf46481c7239c3df4fd6b2b073 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:10:38 -0300 Subject: [PATCH 0579/1335] Update win_mshta_spawn_shell.yml --- .../win_mshta_spawn_shell.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml index fca0d99b9..a65dda9bc 100644 --- a/rules/windows/process_creation/win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -12,17 +12,17 @@ logsource: product: windows detection: selection: - ParentImage: '*\mshta.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' + ParentImage|endswith: '\mshta.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' + - '\BITSADMIN*' condition: selection fields: - CommandLine From 7ce7646e4ae3fc4322b8a5afd04e05e0548d9a03 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:11:17 -0300 Subject: [PATCH 0580/1335] Update win_netsh_fw_add.yml --- rules/windows/process_creation/win_netsh_fw_add.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index cc440dc01..727242a37 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*netsh*' + CommandLine|contains: + - 'netsh' selection2: - CommandLine: - - '*firewall add*' + CommandLine|contains: + - 'firewall add' condition: selection1 and selection2 falsepositives: - Legitimate administration From e7f25a61bf81c1f5ae318c96f6a16dec2ef99027 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:12:03 -0300 Subject: [PATCH 0581/1335] Update win_netsh_fw_add_susp_image.yml --- .../win_netsh_fw_add_susp_image.yml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index 601c36047..bc18f820c 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml 
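Review bot: `selection1` and `selection2` each hold a single `CommandLine|contains` value and exist only to be ANDed in the condition; Sigma's `|all` modifier expresses that in one selection, `CommandLine|contains|all:` with `- 'netsh'` and `- 'firewall add'`, followed by `condition: selection`. Separately, a bare `'netsh'` substring over the whole command line matches any argument containing those letters rather than the `netsh` binary; that anchoring problem is pre-existing, and `Image|endswith: '\netsh.exe'` would be the precise check if the rule is revisited.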
@@ -28,27 +28,27 @@ detection: - program= susp_image: CommandLine|contains: - - '*%TEMP%*' - - '*:\RECYCLER\\*' - - '*C:\$Recycle.bin\\*' - - '*:\SystemVolumeInformation\\*' - - 'C:\\Windows\\Tasks\\*' - - 'C:\\Windows\\debug\\*' - - 'C:\\Windows\\fonts\\*' - - 'C:\\Windows\\help\\*' - - 'C:\\Windows\\drivers\\*' - - 'C:\\Windows\\addins\\*' - - 'C:\\Windows\\cursors\\*' - - 'C:\\Windows\\system32\tasks\\*' - - '*C:\Windows\Temp\\*' - - '*C:\Temp\\*' - - '*C:\Users\Public\\*' - - '%Public%\\*' - - '*C:\Users\Default\\*' - - '*C:\Users\Desktop\\*' - - '*\Downloads\\*' - - '*\Temporary Internet Files\Content.Outlook\\*' - - '*\Local Settings\Temporary Internet Files\\*' + - '%TEMP%' + - ':\RECYCLER\\' + - 'C:\$Recycle.bin\\' + - ':\SystemVolumeInformation\\' + - 'C:\\Windows\\Tasks\\' + - 'C:\\Windows\\debug\\' + - 'C:\\Windows\\fonts\\' + - 'C:\\Windows\\help\\' + - 'C:\\Windows\\drivers\\' + - 'C:\\Windows\\addins\\' + - 'C:\\Windows\\cursors\\' + - 'C:\\Windows\\system32\tasks\\' + - 'C:\Windows\Temp\\' + - 'C:\Temp\\' + - 'C:\Users\Public\\' + - '%Public%\\' + - 'C:\Users\Default\\' + - 'C:\Users\Desktop\\' + - '\Downloads\\' + - '\Temporary Internet Files\Content.Outlook\\' + - '\Local Settings\Temporary Internet Files\\' condition: (selection1 or selection2) and susp_image falsepositives: - Legitimate administration From 58f6fd4e4fad89fcee0c9383848fe490e7bb83d2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:13:10 -0300 Subject: [PATCH 0582/1335] Update win_office_shell.yml --- .../process_creation/win_office_shell.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml index b7a2650fa..1bd5a2433 100644 --- a/rules/windows/process_creation/win_office_shell.yml +++ b/rules/windows/process_creation/win_office_shell.yml 
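Review bot: The rewritten `susp_image` list mixes two escaping styles for the same thing: `'C:\\Windows\\Tasks\\'` doubles every backslash, `'C:\Windows\Temp\\'` doubles only the trailing one, and `'C:\\Windows\\system32\tasks\\'` switches style mid-value. Sigma accepts both spellings of a plain backslash, so this is not a match defect, but since every entry is touched here it is the place to normalise to one convention — single backslashes with `\\` only for the terminal one, as the other rules in this series use. The `susp_image` map and the condition are both inside the hunk, so no change elsewhere is needed.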
@@ -17,33 +17,33 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\scrcons.exe' - - '*\schtasks.exe' - - '*\regsvr32.exe' - - '*\hh.exe' - - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '*\mshta.exe' - - '*\rundll32.exe' - - '*\msiexec.exe' - - '*\forfiles.exe' - - '*\scriptrunner.exe' - - '*\mftrace.exe' - - '*\AppVLP.exe' - - '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html + ParentImage|endswith: + - '\WINWORD.EXE' + - '\EXCEL.EXE' + - '\POWERPNT.exe' + - '\MSPUB.exe' + - '\VISIO.exe' + - '\OUTLOOK.EXE' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\scrcons.exe' + - '\schtasks.exe' + - '\regsvr32.exe' + - '\hh.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ + - '\mshta.exe' + - '\rundll32.exe' + - '\msiexec.exe' + - '\forfiles.exe' + - '\scriptrunner.exe' + - '\mftrace.exe' + - '\AppVLP.exe' + - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html condition: selection fields: - CommandLine From aa728e91dad986e0ebb1960b8ba35859c0fab391 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:13:29 -0300 Subject: [PATCH 0583/1335] Update win_office_spawn_exe_from_users_directory.yml --- .../win_office_spawn_exe_from_users_directory.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index 403ddd8a9..b7d3f1bdd 100644 
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -19,13 +19,13 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' + ParentImage|endswith: + - '\WINWORD.EXE' + - '\EXCEL.EXE' + - '\POWERPNT.exe' + - '\MSPUB.exe' + - '\VISIO.exe' + - '\OUTLOOK.EXE' Image: - 'C:\users\\*.exe' condition: selection From fec14fa40564bb199735c8afdf890659bc5ee214 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:19:36 -0300 Subject: [PATCH 0584/1335] Update win_plugx_susp_exe_locations.yml --- .../win_plugx_susp_exe_locations.yml | 90 +++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index 557ac9154..282920701 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml 
@@ -17,74 +17,74 @@ logsource: product: windows detection: selection_cammute: - Image: '*\CamMute.exe' + Image|endswith: '\CamMute.exe' filter_cammute: - Image: '*\Lenovo\Communication Utility\\*' + Image|contains: '\Lenovo\Communication Utility\\' selection_chrome_frame: - Image: '*\chrome_frame_helper.exe' + Image|endswith: '\chrome_frame_helper.exe' filter_chrome_frame: - Image: '*\Google\Chrome\application\\*' + Image|contains: '\Google\Chrome\application\\' selection_devemu: - Image: '*\dvcemumanager.exe' + Image|endswith: '\dvcemumanager.exe' filter_devemu: - Image: '*\Microsoft Device Emulator\\*' + Image|contains: '\Microsoft Device Emulator\\' selection_gadget: - Image: '*\Gadget.exe' + Image|endswith: '\Gadget.exe' filter_gadget: - Image: '*\Windows Media Player\\*' + Image|contains: '\Windows Media Player\\' selection_hcc: - Image: '*\hcc.exe' + Image|endswith: '\hcc.exe' filter_hcc: - Image: '*\HTML Help Workshop\\*' + Image|contains: '\HTML Help Workshop\\' selection_hkcmd: - Image: '*\hkcmd.exe' + Image|endswith: '\hkcmd.exe' filter_hkcmd: - Image: - - '*\System32\\*' - - '*\SysNative\\*' - - '*\SysWowo64\\*' + Image|contains: + - '\System32\\' + - '\SysNative\\' + - '\SysWowo64\\' selection_mc: - Image: '*\Mc.exe' + Image|endswith: '\Mc.exe' filter_mc: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' selection_msmpeng: - Image: '*\MsMpEng.exe' + Image|endswith: '\MsMpEng.exe' filter_msmpeng: - Image: - - '*\Microsoft Security Client\\*' - - '*\Windows Defender\\*' - - '*\AntiMalware\\*' + Image|contains: + - '\Microsoft Security Client\\' + - '\Windows Defender\\' + - '\AntiMalware\\' selection_msseces: - Image: '*\msseces.exe' + Image|endswith: '\msseces.exe' filter_msseces: - Image: - - '*\Microsoft Security Center\\*' - - '*\Microsoft Security Client\\*' - - '*\Microsoft Security Essentials\\*' + Image|contains: + - 
'\Microsoft Security Center\\' + - '\Microsoft Security Client\\' + - '\Microsoft Security Essentials\\' selection_oinfo: - Image: '*\OInfoP11.exe' + Image|endswith: '\OInfoP11.exe' filter_oinfo: - Image: '*\Common Files\Microsoft Shared\\*' + Image|contains: '\Common Files\Microsoft Shared\\' selection_oleview: - Image: '*\OleView.exe' + Image|endswith: '\OleView.exe' filter_oleview: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' + - '\Windows Resource Kit\\' selection_rc: - Image: '*\rc.exe' + Image|endswith: '\rc.exe' filter_rc: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' - - '*\Microsoft.NET\\*' + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' + - '\Windows Resource Kit\\' + - '\Microsoft.NET\\' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) fields: - CommandLine From 5263212b493f231f76afd96e3af8e697ad888081 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:20:08 -0300 Subject: [PATCH 0585/1335] Update win_powershell_amsi_bypass.yml --- .../process_creation/win_powershell_amsi_bypass.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
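Review bot: `'\SysWowo64\\'` in filter_hkcmd is misspelled (carried over unchanged from the removed `'*\SysWowo64\\*'`), so it never matches the real `\SysWOW64\` directory and the legitimate 32-bit hkcmd.exe living there escapes the filter and fires the rule. The line should read `- '\SysWOW64\\'`. The rest of the hunk is a mechanical wildcard-to-modifier conversion and reads as equivalent to the old patterns.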
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml index 3d1100239..23f128415 100644 --- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*System.Management.Automation.AmsiUtils*' + CommandLine|contains: + - 'System.Management.Automation.AmsiUtils' selection2: - CommandLine: - - '*amsiInitFailed*' + CommandLine|contains: + - 'amsiInitFailed' condition: selection1 and selection2 falsepositives: - Potential Admin Activity From 98d6b37af495f49f6165b8e0aaa5f181f6ca9ade Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:20:29 -0300 Subject: [PATCH 0586/1335] Update win_powershell_b64_shellcode.yml --- .../process_creation/win_powershell_b64_shellcode.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml index 3ae30acca..48b87eab2 100644 --- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml @@ -15,11 +15,11 @@ logsource: product: windows detection: selection1: - CommandLine: '*AAAAYInlM*' + CommandLine|contains: 'AAAAYInlM' selection2: - CommandLine: - - '*OiCAAAAYInlM*' - - '*OiJAAAAYInlM*' + CommandLine|contains: + - 'OiCAAAAYInlM' + - 'OiJAAAAYInlM' condition: selection1 and selection2 falsepositives: - Unknown From cb57e08bc0ba3dd0eb0bad82bf1728492b8736a4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:21:05 -0300 Subject: [PATCH 0587/1335] Update win_powershell_dll_execution.yml --- .../win_powershell_dll_execution.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
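Review bot: In win_powershell_b64_shellcode, selection1's `'AAAAYInlM'` is a substring of both selection2 values (`'OiCAAAAYInlM'`, `'OiJAAAAYInlM'`), so `selection1 and selection2` is equivalent to selection2 alone and selection1 contributes nothing; this was already true of the `*…*` patterns, but the modifier form makes it easy to see and fix. Either drop selection1, or keep it deliberately with a comment such as `# selection1 is the generic shellcode prologue; selection2 narrows to the known loaders` and change the condition accordingly.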
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml index 41dc3294d..f43443167 100644 --- a/rules/windows/process_creation/win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -16,15 +16,15 @@ logsource: product: windows detection: selection1: - Image: - - '*\rundll32.exe' + Image|endsswith: + - '\rundll32.exe' selection2: - Description: - - '*Windows-Hostprozess (Rundll32)*' + Description|contains: + - 'Windows-Hostprozess (Rundll32)' selection3: - CommandLine: - - '*Default.GetString*' - - '*FromBase64String*' + CommandLine|contains: + - 'Default.GetString' + - 'FromBase64String' condition: (selection1 or selection2) and selection3 falsepositives: - Unknown From c47fb4708f72d0178063f8c9bbf9bba5828e444b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:21:32 -0300 Subject: [PATCH 0588/1335] Update win_powershell_download.yml --- .../process_creation/win_powershell_download.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index e142a17d2..972f5099c 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml 
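Review bot: `Image|endsswith:` is a typo for the Sigma `endswith` modifier; sigmac does not know `endsswith` and rejects the rule on load, so this commit breaks win_powershell_dll_execution instead of converting it. The line should read `Image|endswith:`. Separately, `Description|contains: 'Windows-Hostprozess (Rundll32)'` only matches a German-localised file description; that is pre-existing, but a short comment on that line (`# German description string; selection1 covers other locales`) would save the next reader a question.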
@@ -13,12 +13,12 @@ logsource: product: windows detection: selection: - Image: '*\powershell.exe' - CommandLine: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' - - '*new-object net.webclient).downloadfile(*' + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'new-object system.net.webclient).downloadstring(' + - 'new-object system.net.webclient).downloadfile(' + - 'new-object net.webclient).downloadstring(' + - 'new-object net.webclient).downloadfile(' condition: selection fields: - CommandLine From 1f76c1f897d6bbac798aae6c8e3aa91ad8c98b22 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:22:04 -0300 Subject: [PATCH 0589/1335] Update win_powersploit_empire_schtasks.yml --- .../win_powersploit_empire_schtasks.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml index 4509852b1..b6f33126f 100644 --- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml 
@@ -13,13 +13,13 @@ logsource: category: process_creation detection: selection: - ParentImage: - - '*\powershell.exe' - CommandLine: - - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*' + ParentImage|endswith: + - '\powershell.exe' + CommandLine|contains: + - 'schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell' + - 'schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell' + - 'schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell' + - 'schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell' condition: selection tags: - attack.execution From 64c63c8d38e042b9e0dace71b5a4a22aa8ffaab9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:23:03 -0300 Subject: [PATCH 0590/1335] Update win_proc_wrong_parent.yml --- .../win_proc_wrong_parent.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index ed200d806..8a1f501d4 100644 --- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml 
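Review bot: The fourth `CommandLine|contains` value, `'schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell'`, keeps `/SC *Updater*` where the other three carry a schedule type (`ONLOGON`, `DAILY`, `ONIDLE`); it was copied over from the removed line, so it may well be a paste error for another schedule keyword and deserves confirmation rather than a silent conversion. The inner `*` remain wildcards under `|contains`, so the ordered-argument semantics of the old patterns are otherwise preserved.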
@@ -20,22 +20,22 @@ logsource: product: windows detection: selection: - Image: - - '*\svchost.exe' - - '*\taskhost.exe' - - '*\lsm.exe' - - '*\lsass.exe' - - '*\services.exe' - - '*\lsaiso.exe' - - '*\csrss.exe' - - '*\wininit.exe' - - '*\winlogon.exe' + Image|endswith: + - '\svchost.exe' + - '\taskhost.exe' + - '\lsm.exe' + - '\lsass.exe' + - '\services.exe' + - '\lsaiso.exe' + - '\csrss.exe' + - '\wininit.exe' + - '\winlogon.exe' filter: - ParentImage: - - '*\System32\\*' - - '*\SysWOW64\\*' - - '*\SavService.exe' - - '*\Windows Defender\\*\MsMpEng.exe' + ParentImage|endswith: + - '\System32\\*' + - '\SysWOW64\\*' + - '\SavService.exe' + - '\Windows Defender\\*\MsMpEng.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null From 72de1326240e9d314b1abc3c8aaa11b02539734f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:23:29 -0300 Subject: [PATCH 0591/1335] Update win_process_creation_bitsadmin_download.yml --- .../win_process_creation_bitsadmin_download.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index 96051f6f0..4cbadca4c 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -19,13 +19,13 @@ logsource: product: windows detection: selection1: - Image: - - '*\bitsadmin.exe' - CommandLine: - - '* /transfer *' + Image|endswith: + - '\bitsadmin.exe' + CommandLine|contains: + - ' /transfer ' selection2: - CommandLine: - - '*copy bitsadmin.exe*' + CommandLine|contains: + - 'copy bitsadmin.exe' condition: selection1 or selection2 fields: - CommandLine From aac35341f5c7dd51f27ee50ccf9c78535b3ae8cd Mon Sep 17 00:00:00 2001 
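Review bot: `ParentImage|endswith` is the wrong modifier for the two directory entries `'\System32\\*'` and `'\SysWOW64\\*'`: endswith anchors the value at the end of the field, and the match only works because the trailing `*` is still a wildcard, so endswith silently degenerates into contains and the rule's meaning depends on backend wildcard handling rather than on the modifier. Split the filter into a `|contains` list for the two directories and an `|endswith` list for the two executables, and reference both in the condition (rewritten lines below). The bitsadmin hunk in the same span looks correct.
```yaml
# … unchanged: selection (Image|endswith list) …
    filter_dir:
        ParentImage|contains:
            - '\System32\\'
            - '\SysWOW64\\'
    filter_img:
        ParentImage|endswith:
            - '\SavService.exe'
            - '\Windows Defender\\*\MsMpEng.exe'
    filter_null:
        ParentImage: null
    condition: selection and not filter_dir and not filter_img and not filter_null
```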
From: Jonhnathan Date: Thu, 15 Oct 2020 18:24:00 -0300 Subject: [PATCH 0592/1335] Update win_renamed_paexec.yml --- rules/windows/process_creation/win_renamed_paexec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index 04c1cbb3a..e605a412d 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -31,5 +31,5 @@ detection: - dfd6aa3f7b2b1035b76b718f1ddc689f - 1a6cca4d5460b1710a12dea39e4a592c filter1: - Image: '*paexec*' + Image|contains: 'paexec' condition: (selection1 and selection2) and not filter1 From 57445969f1885ff6940e725de0dc24f883f82036 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:24:16 -0300 Subject: [PATCH 0593/1335] Update win_renamed_powershell.yml --- rules/windows/process_creation/win_renamed_powershell.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml index 0b42596ed..84ff273fd 100644 --- a/rules/windows/process_creation/win_renamed_powershell.yml +++ b/rules/windows/process_creation/win_renamed_powershell.yml @@ -20,9 +20,9 @@ detection: Description: 'Windows PowerShell' Company: 'Microsoft Corporation' filter: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' + Image|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' condition: selection and not filter falsepositives: - Unknown From 081f5a90fe30621d083781c7d8930c0ff96d856c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:24:32 -0300 Subject: [PATCH 0594/1335] Update win_renamed_procdump.yml --- rules/windows/process_creation/win_renamed_procdump.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index fbcb1d6e5..6a8fe0a84 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -18,9 +18,9 @@ detection: selection: OriginalFileName: 'procdump' filter: - Image: - - '*\procdump.exe' - - '*\procdump64.exe' + Image|endswith: + - '\procdump.exe' + - '\procdump64.exe' condition: selection and not filter falsepositives: - Procdump illegaly bundled with legitimate software From 9751cac1a2ed9d1ca94ce429fea17ce29090a42c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:24:48 -0300 Subject: [PATCH 0595/1335] Update win_renamed_psexec.yml --- rules/windows/process_creation/win_renamed_psexec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml index 4a1ab2244..d599d6e0e 100644 --- a/rules/windows/process_creation/win_renamed_psexec.yml +++ b/rules/windows/process_creation/win_renamed_psexec.yml @@ -20,9 +20,9 @@ detection: Description: 'Execute processes remotely' Product: 'Sysinternals PsExec' filter: - Image: - - '*\PsExec.exe' - - '*\PsExec64.exe' + Image|endswith: + - '\PsExec.exe' + - '\PsExec64.exe' condition: selection and not filter falsepositives: - Software that illegaly integrates PsExec in a renamed form From 38f460718d90371314796ba15622a73553ef315f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:25:12 -0300 Subject: [PATCH 0596/1335] Update win_sdbinst_shim_persistence.yml --- .../process_creation/win_sdbinst_shim_persistence.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index 3abe5ff23..974148ecd 100644 
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -17,10 +17,10 @@ logsource: product: windows detection: selection: - Image: - - '*\sdbinst.exe' - CommandLine: - - '*.sdb*' + Image|endswith: + - '\sdbinst.exe' + CommandLine|contains: + - '.sdb' condition: selection falsepositives: - Unknown From b9dedd0d07526167ea2f707c658a85c468db3b45 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:25:59 -0300 Subject: [PATCH 0597/1335] Update win_shell_spawn_susp_program.yml --- .../win_shell_spawn_susp_program.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 326513aee..3dffe6894 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -19,22 +19,22 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\mshta.exe' - - '*\powershell.exe' + ParentImage|endswith: + - '\mshta.exe' + - '\powershell.exe' # - '*\cmd.exe' # too many false positives - - '*\rundll32.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\wmiprvse.exe' - Image: - - '*\schtasks.exe' - - '*\nslookup.exe' - - '*\certutil.exe' - - '*\bitsadmin.exe' - - '*\mshta.exe' + - '\rundll32.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\wmiprvse.exe' + Image|endswith: + - '\schtasks.exe' + - '\nslookup.exe' + - '\certutil.exe' + - '\bitsadmin.exe' + - '\mshta.exe' falsepositives: - CurrentDirectory: '*\ccmcache\\*' + CurrentDirectory|contains: '\ccmcache\\' condition: selection and not falsepositives fields: - CommandLine From 544f015f76ebe0841f97196e2a0c994e18f89b7c Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 18:26:26 -0300 Subject: [PATCH 0598/1335] Update win_spn_enum.yml --- rules/windows/process_creation/win_spn_enum.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index 16cf006fd..cc6df2742 100644 --- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml @@ -15,11 +15,11 @@ logsource: product: windows detection: selection_image: - Image: '*\setspn.exe' + Image|endswith: '\setspn.exe' selection_desc: - Description: '*Query or reset the computer* SPN attribute*' + Description|contains: 'Query or reset the computer* SPN attribute' cmd: - CommandLine: '*-q*' + CommandLine|contains: '-q' condition: (selection_image or selection_desc) and cmd falsepositives: - Administrator Activity From 79951ce10405157417d5791f074b1d3421f7239b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:26:44 -0300 Subject: [PATCH 0599/1335] Update win_susp_adfind.yml --- rules/windows/process_creation/win_susp_adfind.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index a7269532b..e7b716009 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -20,8 +20,8 @@ logsource: detection: selection: ProcessCommandline|contains: 'objectcategory' - Image: - - '*\adfind.exe' + Image|endswith: + - '\adfind.exe' condition: selection falsepositives: - Administrative activity From 9152afda20f96a6ae3f8165f4f270ab3e7a60bc8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:28:42 -0300 Subject: [PATCH 0600/1335] Update win_susp_bcdedit.yml --- rules/windows/process_creation/win_susp_bcdedit.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index a852aa98f..f092c4c1d 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml @@ -17,10 +17,10 @@ logsource: product: windows detection: selection: - Image: '*\bcdedit.exe' - CommandLine: - - '*delete*' - - '*deletevalue*' - - '*import*' + Image|endswith: '\bcdedit.exe' + CommandLine|contains: + - 'delete' + - 'deletevalue' + - 'import' condition: selection level: medium From 4a3bb4b963ef17f70b89034ad3454b640c6e2073 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:29:12 -0300 Subject: [PATCH 0601/1335] Update win_susp_calc.yml --- rules/windows/process_creation/win_susp_calc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml index 01bc71137..b0e6ec94b 100644 --- a/rules/windows/process_creation/win_susp_calc.yml +++ b/rules/windows/process_creation/win_susp_calc.yml @@ -14,11 +14,11 @@ logsource: product: windows detection: selection1: - CommandLine: '*\calc.exe *' + CommandLine|contains: '\calc.exe ' selection2: - Image: '*\calc.exe' + Image|endswith: '\calc.exe' filter2: - Image: '*\Windows\Sys*' + Image|contains: '\Windows\Sys' condition: selection1 or ( selection2 and not filter2 ) falsepositives: - Unknown From 04125cc4c093949352c9e7a3ae8cc459d74f5800 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:29:56 -0300 Subject: [PATCH 0602/1335] Update win_susp_certutil_command.yml --- .../win_susp_certutil_command.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 03d13f669..8caee6d26 100644 
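Review bot: In win_susp_bcdedit the entry `'deletevalue'` is redundant, because `CommandLine|contains: 'delete'` already matches every command line that contains `deletevalue`; this was equally true of `*delete*` and `*deletevalue*`, but the modifier form makes it obvious. Either drop the entry, or if the intent is to match only bcdedit's switches, use the switch forms with their separator (`'/delete'`, `'/deletevalue'`, `'/import'`) so that unrelated substrings such as a path containing `import` do not trigger the rule.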
--- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -19,21 +19,21 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -decode *' - - '* /decode *' - - '* -decodehex *' - - '* /decodehex *' - - '* -urlcache *' - - '* /urlcache *' - - '* -verifyctl *' - - '* /verifyctl *' - - '* -encode *' - - '* /encode *' - - '*certutil* -URL*' - - '*certutil* /URL*' - - '*certutil* -ping*' - - '*certutil* /ping*' + CommandLine|contains: + - ' -decode ' + - ' /decode ' + - ' -decodehex ' + - ' /decodehex ' + - ' -urlcache ' + - ' /urlcache ' + - ' -verifyctl ' + - ' /verifyctl ' + - ' -encode ' + - ' /encode ' + - 'certutil* -URL' + - 'certutil* /URL' + - 'certutil* -ping' + - 'certutil* /ping' condition: selection fields: - CommandLine From 1752c614d17d2315069cbefbdfaf3f711001f0f1 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 18:30:25 -0300 Subject: [PATCH 0603/1335] Update win_susp_certutil_encode.yml --- .../process_creation/win_susp_certutil_encode.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml index b0d187ed0..836879821 100644 --- a/rules/windows/process_creation/win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/win_susp_certutil_encode.yml @@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - CommandLine: - - certutil -f -encode * - - certutil.exe -f -encode * - - certutil -encode -f * - - certutil.exe -encode -f * + CommandLine|startswith: + - certutil -f -encode + - certutil.exe -f -encode + - certutil -encode -f + - certutil.exe -encode -f condition: selection falsepositives: - unknown From ce8d6492755cb1abaccff0d6f39af5dc395cccc8 Mon Sep 17 00:00:00 2001 
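Review bot: In win_susp_certutil_encode, `CommandLine|startswith` anchors on the first characters of the command line, so `certutil -f -encode` is missed whenever the process is launched by path or quoted (`"C:\Windows\System32\certutil.exe" -f -encode …`); the old values had no leading `*` either, so this is not a regression, but since the commit now names the modifier explicitly it is the moment to switch to `CommandLine|contains` with executable-agnostic values such as `' -f -encode '` and `' -encode -f '`, matching the style of win_susp_certutil_command in the previous hunk. Dropping the trailing space also means `-encodehex` now satisfies the rule; probably acceptable, but a comment saying so would avoid a future "fix".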
From: Jonhnathan Date: Thu, 15 Oct 2020 18:30:46 -0300 Subject: [PATCH 0604/1335] Update win_susp_cli_escape.yml --- rules/windows/process_creation/win_susp_cli_escape.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml index 019d2fcf8..d0efa1072 100644 --- a/rules/windows/process_creation/win_susp_cli_escape.yml +++ b/rules/windows/process_creation/win_susp_cli_escape.yml @@ -19,10 +19,10 @@ logsource: product: windows detection: selection: - CommandLine: + CommandLine|contains: # - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries) - - '*h^t^t^p*' - - '*h"t"t"p*' + - 'h^t^t^p' + - 'h"t"t"p' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From b5a53a43a7fb663a8e87c6ac0437a8b27b6600c3 Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 16 Oct 2020 00:44:29 +0300 Subject: [PATCH 0605/1335] Update win_susp_rpcping.yml --- rules/windows/process_creation/win_susp_rpcping.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml index 6400ecba9..f52bb495a 100644 --- a/rules/windows/process_creation/win_susp_rpcping.yml +++ b/rules/windows/process_creation/win_susp_rpcping.yml @@ -25,8 +25,9 @@ detection: CommandLine|contains: - '-u NTLM' - '/u NTLM' - - 't ncacn_np' + - '-t ncacn_np' + - '/t ncacn_np' condition: use_rpcping and remote_server and ntlm_auth level: medium falsepositives: - - Unlikely \ No newline at end of file + - Unlikely From 475d1e28fb5d59b83f37933d9fa86ae9bce78a3f Mon Sep 17 00:00:00 2001 
From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 16 Oct 2020 01:00:19 +0300 Subject: [PATCH 0606/1335] Definition added --- rules/windows/sysmon/sysmon_rasautou_dll_execution.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml index 1cf811960..2169a6976 100644 --- a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml +++ b/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml @@ -13,6 +13,7 @@ tags: logsource: product: windows category: process_creation + definition: Since options '-d' and '-p' removed in Windows 10 this rule is relevant only for windows before 10. ANd as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) detection: use_rasautou: Image|endswith: '\rasautou.exe' @@ -25,4 +26,4 @@ detection: condition: (use_rasautou or remaned_rasautou) and special_keys level: medium falsepositives: - - Unlikely. Options '-d' and '-p' removed in Windows 10. + - Unlikely. From e33694bd988968fdfe78872258b43a19d679a28a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:19:48 -0300 Subject: [PATCH 0607/1335] Update win_susp_compression_params.yml --- .../win_susp_compression_params.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index e42122458..931c16654 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml 
@@ -22,13 +22,13 @@ detection: - '7z*.exe' - '*rar.exe' - '*Command*Line*RAR*' - CommandLine: - - '* -p*' - - '* -ta*' - - '* -tb*' - - '* -sdel*' - - '* -dw*' - - '* -hp*' + CommandLine|contains: + - ' -p' + - ' -ta' + - ' -tb' + - ' -sdel' + - ' -dw' + - ' -hp' falsepositive: ParentImage: 'C:\Program*' condition: selection and not falsepositive From b491f94cfaab4df30203da12ae029912c03f158b Mon Sep 17 00:00:00 2001 From: Yuliya Fomina Date: Fri, 16 Oct 2020 01:20:02 +0300 Subject: [PATCH 0608/1335] file moved to process_creation, - typos --- .../win_rasautou_dll_execution.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/{sysmon/sysmon_rasautou_dll_execution.yml => process_creation/win_rasautou_dll_execution.yml} (69%) diff --git a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml similarity index 69% rename from rules/windows/sysmon/sysmon_rasautou_dll_execution.yml rename to rules/windows/process_creation/win_rasautou_dll_execution.yml index 2169a6976..d078da6c2 100644 --- a/rules/windows/sysmon/sysmon_rasautou_dll_execution.yml +++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml 
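Review bot: `falsepositive: ParentImage: 'C:\Program*'` is left in wildcard form while the `CommandLine` list in the same hunk is converted; for consistency it should become `ParentImage|startswith: 'C:\Program'`. The contains value `' -p'` also matches `-password`-style switches of other tools, as the old `'* -p*'` did, so no regression there. The list the hunk opens with (`'7z*.exe'`, `'*rar.exe'`, …) belongs to a key above the hunk, so whether that key was also converted is not visible here.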
@@ -13,7 +13,7 @@ tags: logsource: product: windows category: process_creation - definition: Since options '-d' and '-p' removed in Windows 10 this rule is relevant only for windows before 10. ANd as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) + definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) detection: use_rasautou: Image|endswith: '\rasautou.exe' From 932dabf7ea050b8b58136615857802dc325439a4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:21:11 -0300 Subject: [PATCH 0609/1335] Update win_susp_comsvcs_procdump.yml --- .../process_creation/win_susp_comsvcs_procdump.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml index 56832c754..2879adff8 100644 --- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml @@ -13,13 +13,14 @@ logsource: product: windows detection: rundll_image: - Image: '*\rundll32.exe' + Image|endswith: '\rundll32.exe' rundll_ofn: OriginalFileName: 'RUNDLL32.EXE' selection: - CommandLine: - - '*comsvcs*MiniDump*full*' - - '*comsvcs*MiniDumpW*full*' + CommandLine|contains|all: + - 'comsvcs' + - 'MiniDump' #Matches MiniDump and MinidumpW + - 'full' condition: (rundll_image or rundll_ofn) and selection fields: - CommandLine 
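Review bot: The inline comment on the new `'MiniDump'` entry is written `#Matches MiniDump and MinidumpW`, while the rest of the rule set puts a space after `#` (see the `# cme/...` and `# https://twitter.com/...` comments in neighbouring rules) and the export removed from the old pattern was spelled `MiniDumpW`; suggest `# Matches both MiniDump and MiniDumpW (string matching is case-insensitive)`. The switch from `*comsvcs*MiniDump*full*` to `CommandLine|contains|all` also drops the ordering the old wildcard patterns required, which is a deliberate broadening but is worth one sentence in the rule's description so readers do not assume the three terms must appear in sequence. The enclosing `detection:` block starts before this hunk.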
From fbe27b3b31eddd813b9dc225df6a59fbbdc975e8 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:21:41 -0300
Subject: [PATCH 0610/1335] Update win_susp_control_dll_load.yml
---
 .../windows/process_creation/win_susp_control_dll_load.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 7d8927d85..ed63ad947 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -16,10 +16,10 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\System32\control.exe'
- CommandLine: '*\rundll32.exe *'
+ ParentImage|endswith: '\System32\control.exe'
+ CommandLine|contains: '\rundll32.exe '
 filter:
- CommandLine: '*Shell32.dll*'
+ CommandLine|contains: 'Shell32.dll'
 condition: selection and not filter
 fields:
 - CommandLine
From 30601ab134f4085f5aa5e398f78428d2070bd4b1 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:22:49 -0300
Subject: [PATCH 0611/1335] Update win_susp_copy_lateral_movement.yml
---
 .../process_creation/win_susp_copy_lateral_movement.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 53841c573..a5325820a 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -20,8 +20,10 @@ logsource:
 detection:
 selection:
 CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
+ - 'copy'
+ CommandLine|contains:
+ - '\c$'
+ - '\ADMIN$'
 condition: selection
 fields:
 - CommandLine
From 5f4df56247f7f2252cbebf38e9147b746fae26da Mon Sep 17 00:00:00 2001
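Review bot: In the win_susp_copy_lateral_movement.yml hunk the new `selection` contains the key `CommandLine|contains:` twice in the same mapping, which is a duplicate YAML key; a strict loader rejects it and a lenient one keeps only the second occurrence, so the `'copy'` term is silently dropped and the rule fires on any command line that merely contains `\c$` or `\ADMIN$`. The intended logic (copy AND one of the admin shares) needs two named selections joined in the condition, since a single field cannot carry both an AND and an OR list. The old ordered patterns (`copy *\c$`) also required the share to follow the copy verb; the split below keeps the broader unordered match the commit chose, so the description should mention that relaxation. The enclosing `detection:` block begins inside this hunk and the rewritten lines replace the `selection` and `condition` entries:
```yaml
    selection_copy:
        CommandLine|contains: 'copy'
    selection_share:
        CommandLine|contains:
            - '\c$'
            - '\ADMIN$'
    condition: selection_copy and selection_share
    # … unchanged: fields list …
```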
From: Jonhnathan Date: Thu, 15 Oct 2020 19:23:58 -0300 Subject: [PATCH 0612/1335] Update win_susp_crackmapexec_execution.yml --- .../win_susp_crackmapexec_execution.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index b72016d49..7f2ca4db2 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -19,17 +19,17 @@ logsource: product: windows detection: selection: - CommandLine: + CommandLine|contains: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' + - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:109 (fileless output via share) - - '*cmd.exe /C * > \\\\*\\*\\* 2>&1' + - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:111 (fileless output via share) - - '*cmd.exe /C * > *\\Temp\\* 2>&1' + - 'cmd.exe /C * > *\\Temp\\* 2>&1' # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*' + - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) - - '*powershell.exe -noni -nop -w 1 -enc *' + - 'powershell.exe -noni -nop -w 1 -enc ' condition: selection fields: - ComputerName From bc042b576482f9788ab09c221fa6ca8a964b9b32 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:24:30 -0300 Subject: [PATCH 0613/1335] Update win_susp_csc.yml --- rules/windows/process_creation/win_susp_csc.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 60c5139bd..2fb450a31 100644 --- a/rules/windows/process_creation/win_susp_csc.yml 
+++ b/rules/windows/process_creation/win_susp_csc.yml @@ -19,11 +19,11 @@ logsource: product: windows detection: selection: - Image: '*\csc.exe*' - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' + Image|contains: '\csc.exe' + ParentImage|endswith: + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' condition: selection falsepositives: - Unkown From 92966098b98e2c8908edef9ab0c06b8edec85931 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:25:38 -0300 Subject: [PATCH 0614/1335] Update win_susp_csc_folder.yml --- rules/windows/process_creation/win_susp_csc_folder.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml index 3e510c6c1..7f56bff15 100644 --- a/rules/windows/process_creation/win_susp_csc_folder.yml +++ b/rules/windows/process_creation/win_susp_csc_folder.yml @@ -18,10 +18,10 @@ logsource: product: windows detection: selection: - Image: '*\csc.exe' - CommandLine: - - '*\AppData\\*' - - '*\Windows\Temp\\*' + Image|endsswith: '\csc.exe' + CommandLine|contains: + - '\AppData\\' + - '\Windows\Temp\\' filter: ParentImage: - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897 From f33f7010faaf9c64901d1ba80791514d6f4e8aa8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:27:17 -0300 Subject: [PATCH 0615/1335] Update win_susp_double_extension.yml --- .../win_susp_double_extension.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index 3c06ded41..0bd70927f 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml 
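Review bot: `Image|contains: '\csc.exe'` reproduces the old trailing wildcard, but Image is a full executable path, so the suffix form `Image|endswith: '\csc.exe'` is the tighter and more conventional choice and matches the `ParentImage|endswith` list two lines below it as well as the sibling rule win_susp_csc_folder.yml touched in the next patch. The contains form would additionally match any path with a directory component named csc.exe, which is unlikely in practice but costs nothing to rule out. The context line `- Unkown` under `falsepositives:` is pre-existing and outside the change.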
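Review bot: `Image|endsswith: '\csc.exe'` in the win_susp_csc_folder.yml hunk misspells the modifier; `endsswith` is not a Sigma modifier, so sigmac will either reject the rule or treat the key as an unknown field, and in both cases the rule stops matching csc.exe at all. It should read `Image|endswith: '\csc.exe'`. The `CommandLine|contains` conversion in the same hunk is fine, and the `filter:` block with its `ParentImage` wildcard continues beyond the hunk.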
@@ -15,18 +15,18 @@ logsource: product: windows detection: selection: - Image: - - '*.doc.exe' - - '*.docx.exe' - - '*.xls.exe' - - '*.xlsx.exe' - - '*.ppt.exe' - - '*.pptx.exe' - - '*.rtf.exe' - - '*.pdf.exe' - - '*.txt.exe' - - '* .exe' - - '*______.exe' + Image|endswith: + - '.doc.exe' + - '.docx.exe' + - '.xls.exe' + - '.xlsx.exe' + - '.ppt.exe' + - '.pptx.exe' + - '.rtf.exe' + - '.pdf.exe' + - '.txt.exe' + - ' .exe' + - '______.exe' condition: selection falsepositives: - Unknown From 9ef41cbc7753f99492aa00b492159adc363c6826 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:28:23 -0300 Subject: [PATCH 0616/1335] Update win_susp_exec_folder.yml --- .../process_creation/win_susp_exec_folder.yml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml index f42c4c82d..ea52dab2c 100644 --- a/rules/windows/process_creation/win_susp_exec_folder.yml +++ b/rules/windows/process_creation/win_susp_exec_folder.yml 
@@ -18,24 +18,24 @@ logsource: product: windows detection: selection: - Image: - - C:\PerfLogs\\* - - C:\$Recycle.bin\\* - - C:\Intel\Logs\\* - - C:\Users\Default\\* - - C:\Users\Public\\* - - C:\Users\NetworkService\\* - - C:\Windows\Fonts\\* - - C:\Windows\Debug\\* - - C:\Windows\Media\\* - - C:\Windows\Help\\* - - C:\Windows\addins\\* - - C:\Windows\repair\\* - - C:\Windows\security\\* - - '*\RSA\MachineKeys\\*' - - C:\Windows\system32\config\systemprofile\\* - - C:\Windows\Tasks\\* - - C:\Windows\System32\Tasks\\* + Image|startswith: + - C:\PerfLogs\\ + - C:\$Recycle.bin\\ + - C:\Intel\Logs\\ + - C:\Users\Default\\ + - C:\Users\Public\\ + - C:\Users\NetworkService\\ + - C:\Windows\Fonts\\ + - C:\Windows\Debug\\ + - C:\Windows\Media\\ + - C:\Windows\Help\\ + - C:\Windows\addins\\ + - C:\Windows\repair\\ + - C:\Windows\security\\ + - '*\RSA\MachineKeys\\' + - C:\Windows\system32\config\systemprofile\\ + - C:\Windows\Tasks\\ + - C:\Windows\System32\Tasks\\ condition: selection falsepositives: - Unknown From fedc5b88e05f9a5666c5f23ff9e95116714922cc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:29:05 -0300 Subject: [PATCH 0617/1335] Update win_susp_execution_path.yml --- .../win_susp_execution_path.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index 9e4136cd9..08423563d 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
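Review bot: The entry `'*\RSA\MachineKeys\\'` is now listed under `Image|startswith`, but it only works because the leading `*` is still interpreted as a wildcard, which turns that one item into a contains match while the other sixteen are genuine prefixes; a reader (or a backend that escapes wildcards under `startswith`) will get this wrong. Give it its own selection and extend the condition: `selection_machinekeys:` / `    Image|contains: '\RSA\MachineKeys\\'` / `condition: selection or selection_machinekeys`. The unquoted `C:\$Recycle.bin\\` and similar entries are valid YAML as written, though quoting them like the MachineKeys entry would keep the list uniform.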
@@ -12,16 +12,16 @@ logsource: product: windows detection: selection: - Image: - - '*\$Recycle.bin' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' + Image|contains: + - '\$Recycle.bin' + - '\Users\All Users\\' + - '\Users\Default\\' + - '\Users\Public\\' + - 'C:\Perflogs\\' + - '\config\systemprofile\\' + - '\Windows\Fonts\\' + - '\Windows\IME\\' + - '\Windows\addins\\' condition: selection fields: - CommandLine From ee8edb1e15e2915b6d0304acad25ec16ac3f995e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:29:46 -0300 Subject: [PATCH 0618/1335] Update win_susp_execution_path_webserver.yml --- .../win_susp_execution_path_webserver.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index bdc9cf05f..6a5363957 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -13,17 +13,17 @@ logsource: product: windows detection: selection: - Image: - - '*\wwwroot\\*' - - '*\wmpub\\*' - - '*\htdocs\\*' + Image|contains: + - '\wwwroot\\' + - '\wmpub\\' + - '\htdocs\\' filter: - Image: - - '*bin\\*' - - '*\Tools\\*' - - '*\SMSComponent\\*' - ParentImage: - - '*\services.exe' + Image|contains: + - 'bin\\' + - '\Tools\\' + - '\SMSComponent\\' + ParentImage|endswith: + - '\services.exe' condition: selection and not filter fields: - CommandLine From ab7bdf6af521b2d93e5dc15eccb66d65f59d1b66 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 19:30:07 -0300 Subject: [PATCH 0619/1335] Update win_susp_file_characteristics.yml --- .../windows/process_creation/win_susp_file_characteristics.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml index 81b8fed82..f63de2b82 100644 --- a/rules/windows/process_creation/win_susp_file_characteristics.yml +++ b/rules/windows/process_creation/win_susp_file_characteristics.yml @@ -27,7 +27,7 @@ detection: Description: '\?' Company: '\?' folder: - Image: '*\Downloads\\*' + Image|contains: '\Downloads\\' condition: (selection1 or selection2 or selection3) and folder fields: - CommandLine From 985f56c0e93237ff03dcb31a4612afb01cbf9e80 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:30:21 -0300 Subject: [PATCH 0620/1335] Update win_susp_findstr_lnk.yml --- rules/windows/process_creation/win_susp_findstr_lnk.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml index fd192eac2..2c9f39874 100644 --- a/rules/windows/process_creation/win_susp_findstr_lnk.yml +++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml @@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - Image: '*\findstr.exe' - CommandLine: '*.lnk' + Image|endswith: '\findstr.exe' + CommandLine|endswith: '.lnk' condition: selection fields: - Image From cd6149bcc3392f3d6233b517ef0eacf20626dbc5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:30:43 -0300 Subject: [PATCH 0621/1335] Update win_susp_gup.yml --- rules/windows/process_creation/win_susp_gup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index aaeacc966..7820af60c 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: '*\GUP.exe' + Image|endswith: '\GUP.exe' filter: Image: - 'C:\Users\\*\AppData\Local\Notepad++\updater\gup.exe' From 0e1ae89a5cab7c459e4188f8883dbc5f0c514b4f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:30:56 -0300 Subject: [PATCH 0622/1335] Update win_susp_iss_module_install.yml --- .../windows/process_creation/win_susp_iss_module_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 28305f82e..79e0debe3 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\APPCMD.EXE install module /name:*' + CommandLine|contains: + - '\APPCMD.EXE install module /name:' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules From e8477c8afaa2c3d53fa9ac85e1b4c9d434f5835a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:31:27 -0300 Subject: [PATCH 0623/1335] Update win_susp_msiexec_cwd.yml --- .../windows/process_creation/win_susp_msiexec_cwd.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml index 099b8fbd8..54125b4da 100644 --- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml 
@@ -15,12 +15,12 @@ logsource: product: windows detection: selection: - Image: '*\msiexec.exe' + Image|endswith: '\msiexec.exe' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\WinSxS\\*' + Image|startswith: + - 'C:\Windows\System32\\' + - 'C:\Windows\SysWOW64\\' + - 'C:\Windows\WinSxS\\' condition: selection and not filter falsepositives: - Unknown From 6cd49220ad70cfb2f1b8dab5507b6422dcdf0c5e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:31:44 -0300 Subject: [PATCH 0624/1335] Update win_susp_msiexec_web_install.yml --- .../windows/process_creation/win_susp_msiexec_web_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml index 1e756bd07..6d02d1374 100644 --- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml @@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - CommandLine: - - '* msiexec*://*' + CommandLine|contains: + - ' msiexec*://' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From ec9f9fd9291050df6734ad8dc6f5c11d31fb8a5c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:32:29 -0300 Subject: [PATCH 0625/1335] Update win_susp_net_execution.yml --- .../win_susp_net_execution.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index a4c3a7711..fea0d6045 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
@@ -29,19 +29,19 @@ logsource: product: windows detection: selection: - Image: - - '*\net.exe' - - '*\net1.exe' + Image|endswith: + - '\net.exe' + - '\net1.exe' cmdline: - CommandLine: - - '* group*' - - '* localgroup*' - - '* user*' - - '* view*' - - '* share' - - '* accounts*' - - '* use*' - - '* stop *' + CommandLine|contains: + - ' group' + - ' localgroup' + - ' user' + - ' view' + - ' share' + - ' accounts' + - ' use' + - ' stop ' condition: selection and cmdline fields: - ComputerName From 98ebb4965d366bf665a83d2d30b8aa0482acda98 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:33:10 -0300 Subject: [PATCH 0626/1335] Update win_susp_ntdsutil.yml --- rules/windows/process_creation/win_susp_ntdsutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index 979a09213..c38270c4f 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - CommandLine: '*\ntdsutil*' + CommandLine|contains: '\ntdsutil' condition: selection falsepositives: - NTDS maintenance From 60f867b9894fee3376f7b503679d7135218cec1a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:33:33 -0300 Subject: [PATCH 0627/1335] Update win_susp_outlook.yml --- rules/windows/process_creation/win_susp_outlook.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml index c45220166..b35fe972e 100644 --- a/rules/windows/process_creation/win_susp_outlook.yml +++ b/rules/windows/process_creation/win_susp_outlook.yml 
@@ -16,9 +16,9 @@ logsource: product: windows detection: clientMailRules: - CommandLine: '*EnableUnsafeClientMailRules*' + CommandLine|contains: 'EnableUnsafeClientMailRules' outlookExec: - ParentImage: '*\outlook.exe' + ParentImage|endswith: '\outlook.exe' CommandLine: \\\\*\\*.exe condition: clientMailRules or outlookExec falsepositives: From 6bb9f1b3c954b159e212b5c8be9ab5ec0598b89d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:33:45 -0300 Subject: [PATCH 0628/1335] Update win_susp_outlook_temp.yml --- rules/windows/process_creation/win_susp_outlook_temp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml index 25e0f2d62..f0f708474 100644 --- a/rules/windows/process_creation/win_susp_outlook_temp.yml +++ b/rules/windows/process_creation/win_susp_outlook_temp.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - Image: '*\Temporary Internet Files\Content.Outlook\\*' + Image|contains: '\Temporary Internet Files\Content.Outlook\\' condition: selection fields: - CommandLine From 90d20094acbb91ec504674e640dbcecf416ee56e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:34:00 -0300 Subject: [PATCH 0629/1335] Update win_susp_ping_hex_ip.yml --- rules/windows/process_creation/win_susp_ping_hex_ip.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index 966ccfbfd..204c2b0ac 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\ping.exe 0x*' - - '*\ping 0x*' + CommandLine|contains: + - '\ping.exe 0x' + - '\ping 0x' condition: selection fields: - ParentCommandLine 
From 4485436957db0460c6e6e267b7d77e7d226cc947 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:34:18 -0300 Subject: [PATCH 0630/1335] Update win_susp_powershell_empire_uac_bypass.yml --- .../win_susp_powershell_empire_uac_bypass.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml index de818f0f2..f54f9fc6d 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml @@ -12,9 +12,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*' - - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*' + CommandLine|contains: + - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)' + - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);' condition: selection fields: - CommandLine From 3d20aeca6435e69d771e6d090fc4d13f04ecd6b4 Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 16 Oct 2020 01:36:16 +0300 Subject: [PATCH 0631/1335] Reference to LOLbas added --- rules/windows/process_creation/win_rasautou_dll_execution.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml index d078da6c2..e05a5d7db 100644 --- a/rules/windows/process_creation/win_rasautou_dll_execution.yml +++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml 
@@ -3,6 +3,7 @@ id: cd3d1298-eb3b-476c-ac67-12847de55813 description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. status: experimental references: + - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/ - https://github.com/fireeye/DueDLLigence - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html author: Julia Fomina, oscd.community From 610ae5ddd789ca2c1b2da61b80c0a985848cb096 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:38:47 -0300 Subject: [PATCH 0632/1335] Update win_susp_powershell_enc_cmd.yml --- .../win_susp_powershell_enc_cmd.yml | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index e12289fc3..9f9710909 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml 
@@ -16,27 +16,27 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -e JAB*' - - '* -e JAB*' - - '* -e JAB*' - - '* -e JAB*' - - '* -e JAB*' - - '* -e JAB*' - - '* -en JAB*' - - '* -enc JAB*' - - '* -enc* JAB*' - - '* -w hidden -e* JAB*' - - '* BA^J e-' - - '* -e SUVYI*' - - '* -e aWV4I*' - - '* -e SQBFAFgA*' - - '* -e aQBlAHgA*' - - '* -enc SUVYI*' - - '* -enc aWV4I*' - - '* -enc SQBFAFgA*' - - '* -enc aQBlAHgA*' + CommandLine|contains: + - ' -e' + - ' -en' + - ' -enc' + - ' -w hidden -e' + selection2: + - 'JAB' + selection3: + - '-e' + - '-enc' + selection4: + - ' BA^J' + - 'SUVYI' + - ' aWV4I' + - ' SQBFAFgA' + - ' aQBlAHgA' + - ' SUVYI' + - ' aWV4I' + - ' SQBFAFgA' + - ' aQBlAHgA' falsepositive1: - CommandLine: '* -ExecutionPolicy remotesigned *' - condition: selection and not falsepositive1 + CommandLine|contains: ' -ExecutionPolicy remotesigned ' + condition: (selection and selection2) or (selection3 and selection4) and not falsepositive1 level: high From 7df7d7f48bbc601421c0dd962ff0abceb87e5b60 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:39:11 -0300 Subject: [PATCH 0633/1335] Update win_susp_powershell_enc_cmd.yml --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 9f9710909..69dfbe117 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -28,7 +28,7 @@ detection: - '-enc' selection4: - ' BA^J' - - 'SUVYI' + - ' SUVYI' - ' aWV4I' - ' SQBFAFgA' - ' aQBlAHgA' From 1feba3a12cbbe51b0b391cf63605f9085f4497ef Mon Sep 17 00:00:00 2001 
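Review bot: `selection2`, `selection3` and `selection4` are bare lists of strings with no field name, which Sigma interprets as full-text keyword searches rather than CommandLine matches, so the base64 fragments are no longer bound to the command line and several process_creation backends will not accept them. The condition also has a precedence problem: `and` binds tighter than `or`, so `not falsepositive1` applies only to the `(selection3 and selection4)` branch and the `-ExecutionPolicy remotesigned` exclusion never reaches the first branch. Splitting the flag from the payload prefix additionally loses the adjacency the old patterns encoded (`' -e JAB'` meant the blob immediately follows the flag), while `' -e'` already subsumes `' -en'`, `' -enc'` and `' -w hidden -e'`, and the follow-up in PATCH 0633 turns `' SUVYI'` into a duplicate of the entry four lines below it. The old values can be kept field-bound under a single `contains`, deduplicated, with the original condition restored:
```yaml
    selection:
        CommandLine|contains:
            - ' -e JAB'
            - ' -en JAB'
            - ' -enc JAB'
            - ' -enc* JAB'
            - ' -w hidden -e* JAB'
            - ' BA^J e-'
            - ' -e SUVYI'
            - ' -e aWV4I'
            - ' -e SQBFAFgA'
            - ' -e aQBlAHgA'
            - ' -enc SUVYI'
            - ' -enc aWV4I'
            - ' -enc SQBFAFgA'
            - ' -enc aQBlAHgA'
    falsepositive1:
        CommandLine|contains: ' -ExecutionPolicy remotesigned '
    condition: selection and not falsepositive1
```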
From: Jonhnathan Date: Thu, 15 Oct 2020 19:40:23 -0300 Subject: [PATCH 0634/1335] Update win_susp_powershell_hidden_b64_cmd.yml --- .../win_susp_powershell_hidden_b64_cmd.yml | 102 +++++++++--------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml index d004c1e13..68771de9d 100644 --- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml 
@@ -15,58 +15,58 @@ logsource: product: windows detection: encoded: - Image: '*\powershell.exe' - CommandLine: '* hidden *' + Image|endswith: '\powershell.exe' + CommandLine|contains: ' hidden ' selection: - CommandLine: - - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' - - '*aXRzYWRtaW4gL3RyYW5zZmVy*' - - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' - - '*JpdHNhZG1pbiAvdHJhbnNmZX*' - - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' - - '*Yml0c2FkbWluIC90cmFuc2Zlc*' - - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' - - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' - - '*JGNodW5rX3Npem*' - - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' - - '*RjaHVua19zaXpl*' - - '*Y2h1bmtfc2l6Z*' - - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' - - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' - - '*lPLkNvbXByZXNzaW9u*' - - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' - - '*SU8uQ29tcHJlc3Npb2*' - - '*Ty5Db21wcmVzc2lvb*' - - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' - - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' - - '*lPLk1lbW9yeVN0cmVhb*' - - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' - - '*SU8uTWVtb3J5U3RyZWFt*' - - '*Ty5NZW1vcnlTdHJlYW*' - - '*4ARwBlAHQAQwBoAHUAbgBrA*' - - '*5HZXRDaHVua*' - - '*AEcAZQB0AEMAaAB1AG4Aaw*' - - '*LgBHAGUAdABDAGgAdQBuAGsA*' - - '*LkdldENodW5r*' - - '*R2V0Q2h1bm*' - - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' - - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' - - '*RIUkVBRF9JTkZPNj*' - - '*SFJFQURfSU5GTzY0*' - - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' - - '*VEhSRUFEX0lORk82N*' - - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' - - '*cmVhdGVSZW1vdGVUaHJlYW*' - - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' - - '*NyZWF0ZVJlbW90ZVRocmVhZ*' - - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' - - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' - - '*0AZQBtAG0AbwB2AGUA*' - - '*1lbW1vdm*' - - '*AGUAbQBtAG8AdgBlA*' - - '*bQBlAG0AbQBvAHYAZQ*' - - '*bWVtbW92Z*' - - '*ZW1tb3Zl*' + CommandLine|contains: + - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA' + - 'aXRzYWRtaW4gL3RyYW5zZmVy' + - 
'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA' + - 'JpdHNhZG1pbiAvdHJhbnNmZX' + - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg' + - 'Yml0c2FkbWluIC90cmFuc2Zlc' + - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA' + - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA' + - 'JGNodW5rX3Npem' + - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ' + - 'RjaHVua19zaXpl' + - 'Y2h1bmtfc2l6Z' + - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A' + - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg' + - 'lPLkNvbXByZXNzaW9u' + - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA' + - 'SU8uQ29tcHJlc3Npb2' + - 'Ty5Db21wcmVzc2lvb' + - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ' + - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA' + - 'lPLk1lbW9yeVN0cmVhb' + - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A' + - 'SU8uTWVtb3J5U3RyZWFt' + - 'Ty5NZW1vcnlTdHJlYW' + - '4ARwBlAHQAQwBoAHUAbgBrA' + - '5HZXRDaHVua' + - 'AEcAZQB0AEMAaAB1AG4Aaw' + - 'LgBHAGUAdABDAGgAdQBuAGsA' + - 'LkdldENodW5r' + - 'R2V0Q2h1bm' + - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A' + - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA' + - 'RIUkVBRF9JTkZPNj' + - 'SFJFQURfSU5GTzY0' + - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA' + - 'VEhSRUFEX0lORk82N' + - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA' + - 'cmVhdGVSZW1vdGVUaHJlYW' + - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA' + - 'NyZWF0ZVJlbW90ZVRocmVhZ' + - 'Q3JlYXRlUmVtb3RlVGhyZWFk' + - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA' + - '0AZQBtAG0AbwB2AGUA' + - '1lbW1vdm' + - 'AGUAbQBtAG8AdgBlA' + - 'bQBlAG0AbQBvAHYAZQ' + - 'bWVtbW92Z' + - 'ZW1tb3Zl' condition: encoded and selection falsepositives: - Penetration tests From c6442bcb4a09ea87357e43437f2a7faea47f2275 Mon Sep 17 00:00:00 2001 From: Vasilisa-L <72190607+Vasilisa-L@users.noreply.github.com> Date: Fri, 16 Oct 2020 01:41:53 +0300 Subject: [PATCH 0635/1335] Spaces are cool but not enough! --- .../process_creation/win_susp_rpcping.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml index f52bb495a..f8656ab4e 100644 --- a/rules/windows/process_creation/win_susp_rpcping.yml +++ b/rules/windows/process_creation/win_susp_rpcping.yml @@ -3,6 +3,7 @@ id: 93671f99-04eb-4ab4-a161-70d446a84003 description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. status: experimental references: + - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/ - https://twitter.com/vysecurity/status/974806438316072960 - https://twitter.com/vysecurity/status/873181705024266241 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) @@ -22,11 +23,18 @@ detection: - '-s' - '/s' ntlm_auth: - CommandLine|contains: - - '-u NTLM' - - '/u NTLM' - - '-t ncacn_np' - - '/t ncacn_np' + - CommandLine|contains|all: + - '-u' + - 'NTLM' + - CommandLine|contains|all: + - '/u' + - 'NTLM' + - CommandLine|contains|all: + - '-t' + - 'ncacn_np' + - CommandLine|contains|all: + - '/t' + - 'ncacn_np' condition: use_rpcping and remote_server and ntlm_auth level: medium falsepositives: From f614ac658f4bc6d94fc94a71157ca1f115516a07 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:42:20 -0300 Subject: [PATCH 0636/1335] Update win_susp_powershell_parent_combo.yml --- .../win_susp_powershell_parent_combo.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 7ddebda00..556e286e1 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml 
@@ -15,13 +15,13 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - Image: - - '*\powershell.exe' - falsepositive: - CurrentDirectory: '*\Health Service State\\*' + ParentImage|endswith: + - '\wscript.exe' + - '\cscript.exe' + Image|endswith: + - '\powershell.exe' + falsepositive|contains: + CurrentDirectory: '\Health Service State\\' condition: selection and not falsepositive fields: - CommandLine From 253014ee6872a840f28d33526801191977dc45ff Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:42:48 -0300 Subject: [PATCH 0637/1335] Update win_susp_procdump.yml --- rules/windows/process_creation/win_susp_procdump.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index 9a90a1c77..b2fdbe2ce 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -19,14 +19,14 @@ logsource: product: windows detection: selection1: - CommandLine: - - '* -ma *' + CommandLine|contains: + - ' -ma ' selection2: - CommandLine: - - '* lsass*' + CommandLine|contains: + - ' lsass' selection3: - CommandLine: - - '* -ma ls*' + CommandLine|contains: + - ' -ma ls' condition: ( selection1 and selection2 ) or selection3 falsepositives: - Unlikely, because no one should dump an lsass process memory From 91fb5cdcd01580f39ecb14f0b5810beb9609cac6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:43:19 -0300 Subject: [PATCH 0638/1335] Update win_susp_prog_location_process_starts.yml --- .../win_susp_prog_location_process_starts.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml index fef504ffc..14c137892 100644 
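Review bot: `falsepositive|contains:` in the win_susp_powershell_parent_combo hunk puts a Sigma modifier on the detection identifier instead of on the field, so the `contains` never reaches `CurrentDirectory`; depending on the backend, the identifier referenced by `condition: selection and not falsepositive` is then either unknown or is matched literally against a value that no longer carries wildcards. Modifiers belong on the field key: `falsepositive:` / `  CurrentDirectory|contains: '\Health Service State\\'`. Until that is fixed the exclusion for the monitoring-agent path is effectively lost and the rule will fire on that benign activity.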
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml +++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml @@ -14,14 +14,14 @@ logsource: product: windows detection: selection: - Image: - - '*\$Recycle.bin' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - - '*\Windows\debug\\*' + Image|contains: + - '\$Recycle.bin' + - '\Users\Public\\' + - 'C:\Perflogs\\' + - '\Windows\Fonts\\' + - '\Windows\IME\\' + - '\Windows\addins\\' + - '\Windows\debug\\' condition: selection falsepositives: - unknown From cc338507c932e2cb41ae464d7b61065425a8de8a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:43:37 -0300 Subject: [PATCH 0639/1335] Update win_susp_ps_appdata.yml --- rules/windows/process_creation/win_susp_ps_appdata.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index b110943c1..dd8f53802 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -16,9 +16,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '* /c powershell*\AppData\Local\\*' - - '* /c powershell*\AppData\Roaming\\*' + CommandLine|contains: + - ' /c powershell*\AppData\Local\\' + - ' /c powershell*\AppData\Roaming\\' condition: selection falsepositives: - Administrative scripts From 8d471775e0bd9f4433accf7ad0a60b42f1cd21af Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:45:08 -0300 Subject: [PATCH 0640/1335] Update win_susp_regsvr32_anomalies.yml --- .../win_susp_regsvr32_anomalies.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) 
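Review bot: `'\$Recycle.bin'` is the only entry in the new `Image|contains` list without a trailing `\\`, so unlike its original end-anchored form it now matches any image path that merely contains that directory name, while the other seven entries still require a directory separator after the folder. That is probably the intended behaviour (executables staged under the recycle bin), but it differs from the rest of the list. For consistency consider `- '\$Recycle.bin\\'`.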
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index b4e4cc09b..6760f65c3 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -20,25 +20,25 @@ logsource: product: windows detection: selection1: - Image: '*\regsvr32.exe' - CommandLine: '*\Temp\\*' + Image|endswith: '\regsvr32.exe' + CommandLine|contains: '\Temp\\' selection2: - Image: '*\regsvr32.exe' - ParentImage: '*\powershell.exe' + Image|endswith: '\regsvr32.exe' + ParentImage|endswith: '\powershell.exe' selection3: - Image: '*\regsvr32.exe' - ParentImage: '*\cmd.exe' + Image|endswith: '\regsvr32.exe' + ParentImage|endswith: '\cmd.exe' selection4: - Image: '*\regsvr32.exe' - CommandLine: - - '*/i:http* scrobj.dll' - - '*/i:ftp* scrobj.dll' + Image|endswith: '\regsvr32.exe' + CommandLine|endswith: + - '/i:http* scrobj.dll' + - '/i:ftp* scrobj.dll' selection5: - Image: '*\wscript.exe' - ParentImage: '*\regsvr32.exe' + Image|endswith: '\wscript.exe' + ParentImage|endswith: '\regsvr32.exe' selection6: - Image: '*\EXCEL.EXE' - CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' + Image|endswith: '\EXCEL.EXE' + CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' condition: 1 of them fields: - CommandLine From d3f0d25ffb9eeaf74eabd86a3ffba9e28008b69b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:46:54 -0300 Subject: [PATCH 0641/1335] Update win_susp_rundll32_by_ordinal.yml --- .../windows/process_creation/win_susp_rundll32_by_ordinal.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 584e5f49e..64c953780 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml 
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -18,7 +18,8 @@ logsource: product: windows detection: selection: - CommandLine: '*\rundll32.exe *,#*' + CommandLine|contains: '\rundll32.exe' + CommandLine|contains: ',#' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 5c7bc4c48a5d16af7c0cd963ec8e83739bd66eb4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:47:15 -0300 Subject: [PATCH 0642/1335] Update win_susp_schtask_creation.yml --- rules/windows/process_creation/win_susp_schtask_creation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml index 491f18dd0..1647d2f54 100644 --- a/rules/windows/process_creation/win_susp_schtask_creation.yml +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml @@ -9,8 +9,8 @@ logsource: product: windows detection: selection: - Image: '*\schtasks.exe' - CommandLine: '* /create *' + Image|endswith: '\schtasks.exe' + CommandLine|contains: ' /create ' filter: User: NT AUTHORITY\SYSTEM condition: selection and not filter From 4c9124952efa03920d10ef395d2fb969c6691f21 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:47:47 -0300 Subject: [PATCH 0643/1335] Update win_susp_svchost.yml --- .../windows/process_creation/win_susp_svchost.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index 717a7bea2..39c9ae4cf 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml 
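Review bot: The rewritten `selection` in the win_susp_rundll32_by_ordinal hunk has two `CommandLine|contains` keys in the same mapping; YAML loaders such as PyYAML keep only the last duplicate, so the rule silently reduces to `CommandLine|contains: ',#'` and no longer requires rundll32 at all. Express the conjunction with the `all` modifier and a list: `CommandLine|contains|all:` / `  - '\rundll32.exe'` / `  - ',#'`.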
@@ -14,14 +14,14 @@ logsource: product: windows detection: selection: - Image: '*\svchost.exe' + Image|endswith: '\svchost.exe' filter: - ParentImage: - - '*\services.exe' - - '*\MsMpEng.exe' - - '*\Mrt.exe' - - '*\rpcnet.exe' - - '*\svchost.exe' + ParentImage|endswith: + - '\services.exe' + - '\MsMpEng.exe' + - '\Mrt.exe' + - '\rpcnet.exe' + - '\svchost.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null From 08a018a2ee68438e5e9ddcff5d87a7fd304e68f8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:49:12 -0300 Subject: [PATCH 0644/1335] Update win_susp_sysprep_appdata.yml --- rules/windows/process_creation/win_susp_sysprep_appdata.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index 68c4260f4..daf98b204 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\sysprep.exe *\AppData\\*' - - sysprep.exe *\AppData\\* + CommandLine|contains|all: + - 'sysprep.exe' + - '\AppData\\' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 4543e18e4e69c3955a0a17366ddb1a448fa75a68 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:49:31 -0300 Subject: [PATCH 0645/1335] Update win_susp_sysvol_access.yml --- rules/windows/process_creation/win_susp_sysvol_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index 3c8c2be83..1177796f2 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
@@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - CommandLine: '*\SYSVOL\\*\policies\\*' + CommandLine|contains: '\SYSVOL\\*\policies\\' condition: selection falsepositives: - administrative activity From dde03e760bb3d5b309a0316be3630dcb5432336c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:49:47 -0300 Subject: [PATCH 0646/1335] Update win_susp_taskmgr_localsystem.yml --- rules/windows/process_creation/win_susp_taskmgr_localsystem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml index 5e4b331bb..16db23e4d 100644 --- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml @@ -13,7 +13,7 @@ logsource: detection: selection: User: NT AUTHORITY\SYSTEM - Image: '*\taskmgr.exe' + Image|endswith: '\taskmgr.exe' condition: selection falsepositives: - Unkown From 9d8116c4865e77fdf21ced32036a031a31027dc7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:50:04 -0300 Subject: [PATCH 0647/1335] Update win_susp_taskmgr_parent.yml --- .../process_creation/win_susp_taskmgr_parent.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml index 70d852123..f58197239 100644 --- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml @@ -12,12 +12,12 @@ logsource: product: windows detection: selection: - ParentImage: '*\taskmgr.exe' + ParentImage|endswith: '\taskmgr.exe' filter: - Image: - - '*\resmon.exe' - - '*\mmc.exe' - - '*\taskmgr.exe' + Image|endswith: + - '\resmon.exe' + - '\mmc.exe' + - '\taskmgr.exe' condition: selection and not filter fields: - Image 
From c38ccefc21f98ecbac2905254001117ef25f2935 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:50:14 -0300 Subject: [PATCH 0648/1335] Update win_susp_tscon_localsystem.yml --- rules/windows/process_creation/win_susp_tscon_localsystem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml index 6691257e4..b11145b61 100644 --- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml +++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml @@ -16,7 +16,7 @@ logsource: detection: selection: User: NT AUTHORITY\SYSTEM - Image: '*\tscon.exe' + Image|endswith: '\tscon.exe' condition: selection falsepositives: - Unknown From 9e7789bb3212134ae6717733f363ee3769f2d928 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 16 Oct 2020 00:50:29 +0200 Subject: [PATCH 0649/1335] Update win_susp_logon_explicit_credentials.yml --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index df8fbcf8a..142c6a7a7 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -7,6 +7,8 @@ references: author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2020/10/05 tags: + - attack.t1078 + - attack.lateral_movement logsource: product: windows service: security From ad8620f729646c83880b53e371e7e5dd0598f644 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:51:05 -0300 Subject: [PATCH 0650/1335] Update win_susp_tscon_rdp_redirect.yml --- rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml index 46396f753..40e7efac4 100644 --- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml @@ -18,7 +18,7 @@ logsource: product: windows detection: selection: - CommandLine: '* /dest:rdp-tcp:*' + CommandLine|contains: ' /dest:rdp-tcp:' condition: selection falsepositives: - Unknown From d09dd70695369ff87618966e17d603b0adb112c1 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:51:42 -0300 Subject: [PATCH 0651/1335] Update win_susp_userinit_child.yml --- rules/windows/process_creation/win_susp_userinit_child.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml index c07a989c6..de93c141c 100644 --- a/rules/windows/process_creation/win_susp_userinit_child.yml +++ b/rules/windows/process_creation/win_susp_userinit_child.yml @@ -11,11 +11,11 @@ logsource: product: windows detection: selection: - ParentImage: '*\userinit.exe' + ParentImage|endswith: '\userinit.exe' filter1: - CommandLine: '*\\netlogon\\*' + CommandLine|contains: '\\netlogon\\' filter2: - Image: '*\explorer.exe' + Image|endswith: '\explorer.exe' condition: selection and not filter1 and not filter2 fields: - CommandLine From 7b9ec4709fbeeb7b75076f402a7a9efa43a50056 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:51:55 -0300 Subject: [PATCH 0652/1335] Update win_susp_whoami.yml --- rules/windows/process_creation/win_susp_whoami.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml index 1d3ec9ced..97238db4f 100644 --- a/rules/windows/process_creation/win_susp_whoami.yml 
+++ b/rules/windows/process_creation/win_susp_whoami.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Image: '*\whoami.exe' + Image|endswith: '\whoami.exe' selection2: OriginalFileName: 'whoami.exe' condition: selection or selection2 From 434c6257f0ba44838847cbc642d60f4ae0520c0c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:52:25 -0300 Subject: [PATCH 0653/1335] Update win_susp_wmi_execution.yml --- .../process_creation/win_susp_wmi_execution.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml index b57efa6c4..67f7ce39d 100644 --- a/rules/windows/process_creation/win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -13,13 +13,13 @@ logsource: product: windows detection: selection: - Image: - - '*\wmic.exe' - CommandLine: - - '*/NODE:*process call create *' - - '* path AntiVirusProduct get *' - - '* path FirewallProduct get *' - - '* shadowcopy delete *' + Image|endswith: + - '\wmic.exe' + CommandLine|contains: + - '/NODE:*process call create ' + - ' path AntiVirusProduct get ' + - ' path FirewallProduct get ' + - ' shadowcopy delete ' condition: selection fields: - CommandLine From 737fbd161952e7cb886355602bd3e276c663bafe Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:55:57 -0300 Subject: [PATCH 0654/1335] Update win_system_exe_anomaly.yml --- .../win_system_exe_anomaly.yml | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml index 809970e8b..1a7f614fb 100644 --- a/rules/windows/process_creation/win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml 
@@ -14,39 +14,39 @@ logsource: product: windows detection: selection: - Image: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - - '*\wininit.exe' - - '*\lsm.exe' - - '*\winlogon.exe' - - '*\explorer.exe' - - '*\taskhost.exe' - - '*\Taskmgr.exe' - - '*\sihost.exe' - - '*\RuntimeBroker.exe' - - '*\smartscreen.exe' - - '*\dllhost.exe' - - '*\audiodg.exe' - - '*\wlanext.exe' + Image|endswith: + - '\svchost.exe' + - '\rundll32.exe' + - '\services.exe' + - '\powershell.exe' + - '\regsvr32.exe' + - '\spoolsv.exe' + - '\lsass.exe' + - '\smss.exe' + - '\csrss.exe' + - '\conhost.exe' + - '\wininit.exe' + - '\lsm.exe' + - '\winlogon.exe' + - '\explorer.exe' + - '\taskhost.exe' + - '\Taskmgr.exe' + - '\sihost.exe' + - '\RuntimeBroker.exe' + - '\smartscreen.exe' + - '\dllhost.exe' + - '\audiodg.exe' + - '\wlanext.exe' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\system32\\*' - - 'C:\Windows\SysWow64\\*' - - 'C:\Windows\SysWOW64\\*' + Image|startswith: + - 'C:\Windows\System32\\' + - 'C:\Windows\system32\\' + - 'C:\Windows\SysWow64\\' + - 'C:\Windows\SysWOW64\\' - 'C:\Windows\explorer.exe' - - 'C:\Windows\winsxs\\*' - - 'C:\Windows\WinSxS\\*' - - '\SystemRoot\System32\\*' + - 'C:\Windows\winsxs\\' + - 'C:\Windows\WinSxS\\' + - '\SystemRoot\System32\\' condition: selection and not filter fields: - ComputerName From d9afa1aec67fd31ed01f80ea391cf1853689e26d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:57:05 -0300 Subject: [PATCH 0655/1335] Update win_termserv_proc_spawn.yml --- .../windows/process_creation/win_termserv_proc_spawn.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml index 0e4767335..f49573a1d 100644 
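Review bot: Switching the `filter` list to `Image|startswith` also changes the unchanged `'C:\Windows\explorer.exe'` entry from an exact match into a prefix match, so any image whose path begins with that string would now be excluded as well. If the exact match is wanted, keep it in its own identifier: `filter_explorer:` / `  Image: 'C:\Windows\explorer.exe'` and extend the condition to `condition: selection and not filter and not filter_explorer`.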
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml +++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml @@ -18,10 +18,12 @@ logsource: category: process_creation detection: selection: - ParentCommandLine: '*\svchost.exe*termsvcs' + ParentCommandLine|contains|all: + - '\svchost.exe' + - 'termsvcs' filter: - Image: '*\rdpclip.exe' + Image|endswith: '\rdpclip.exe' condition: selection and not filter falsepositives: - Unknown -level: high \ No newline at end of file +level: high From 2d9233d41846f16686743ed81bb072994cf283c3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:57:43 -0300 Subject: [PATCH 0656/1335] Update win_vul_java_remote_debugging.yml --- .../process_creation/win_vul_java_remote_debugging.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml index 654135a43..06b658f96 100644 --- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -9,10 +9,10 @@ logsource: product: windows detection: selection: - CommandLine: '*transport=dt_socket,address=*' + CommandLine|contains: 'transport=dt_socket,address=' exclusion: - - CommandLine: '*address=127.0.0.1*' - - CommandLine: '*address=localhost*' + - CommandLine|contains: 'address=127.0.0.1' + - CommandLine|contains: 'address=localhost' condition: selection and not exclusion fields: - CommandLine From e402356e82c6062f845d869e030509bb5d52f989 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:58:37 -0300 Subject: [PATCH 0657/1335] Update win_webshell_detection.yml --- .../win_webshell_detection.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) 
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index d55be5887..49f1bdfae 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -16,20 +16,20 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\apache*' - - '*\tomcat*' - - '*\w3wp.exe' - - '*\php-cgi.exe' - - '*\nginx.exe' - - '*\httpd.exe' - CommandLine: - - '*whoami*' - - '*net user *' - - '*ping -n *' - - '*systeminfo' - - '*&cd&echo*' - - '*cd /d*' # https://www.computerhope.com/cdhlp.htm + ParentImage|endswith: + - '\apache*' + - '\tomcat*' + - '\w3wp.exe' + - '\php-cgi.exe' + - '\nginx.exe' + - '\httpd.exe' + CommandLine|contains: + - 'whoami' + - 'net user ' + - 'ping -n ' + - 'systeminfo' + - '&cd&echo' + - 'cd /d' # https://www.computerhope.com/cdhlp.htm condition: selection fields: - CommandLine From 138b8fed06127f20f8ff0bb7fddd8b2d950a8519 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:59:36 -0300 Subject: [PATCH 0658/1335] Update win_webshell_recon_detection.yml --- .../win_webshell_recon_detection.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml index ed874a0f6..5ecc3568d 100644 --- a/rules/windows/process_creation/win_webshell_recon_detection.yml +++ b/rules/windows/process_creation/win_webshell_recon_detection.yml 
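Review bot: `ParentImage|endswith` combined with the trailing wildcards kept in `'\apache*'` and `'\tomcat*'` is contradictory: the modifier anchors the value to the end of the field and the `*` un-anchors it again, so those two entries behave as substring matches while the other four are true suffix matches. The sibling rule win_webshell_recon_detection (next commit) uses `ParentImage|contains` for the same list; using `ParentImage|contains:` here and dropping the `*` from `'\apache'` and `'\tomcat'` gives the same coverage with readable intent, at the cost of the `.exe` entries also matching mid-path, which is harmless for image paths.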
@@ -17,19 +17,19 @@ logsource: detection: selection: ParentImage|contains: - - '*\apache*' - - '*\tomcat*' - - '*\w3wp.exe' - - '*\php-cgi.exe' - - '*\nginx.exe' - - '*\httpd.exe' + - '\apache' + - '\tomcat' + - '\w3wp.exe' + - '\php-cgi.exe' + - '\nginx.exe' + - '\httpd.exe' Image|endswith: - - '*\cmd.exe' + - '\cmd.exe' CommandLine|contains: - - '*perl --help*' - - '*python --help*' - - '*wget --help*' - - '*perl -h*' + - 'perl --help' + - 'python --help' + - 'wget --help' + - 'perl -h' condition: selection fields: - Image From 630e92f3c24d348c64ff2b1bbbee1cf7f2e44dca Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 19:59:59 -0300 Subject: [PATCH 0659/1335] Update win_webshell_spawn.yml --- .../process_creation/win_webshell_spawn.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index 1135169c9..8f5c95a03 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -10,18 +10,18 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\w3wp.exe' - - '*\httpd.exe' - - '*\nginx.exe' - - '*\php-cgi.exe' - - '*\tomcat.exe' - Image: - - '*\cmd.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\powershell.exe' - - '*\bitsadmin.exe' + ParentImage|endswith: + - '\w3wp.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\tomcat.exe' + Image|endswith: + - '\cmd.exe' + - '\sh.exe' + - '\bash.exe' + - '\powershell.exe' + - '\bitsadmin.exe' condition: selection fields: - CommandLine From 86ad1f45f5733e16af485c9deddb57f96b76b2e9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:00:13 -0300 Subject: [PATCH 0660/1335] Update win_win10_sched_task_0day.yml --- rules/windows/process_creation/win_win10_sched_task_0day.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml index 93db4c7d2..42a387ec3 100644 --- a/rules/windows/process_creation/win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml @@ -13,7 +13,7 @@ logsource: detection: selection: Image|endswith: '\schtasks.exe' - CommandLine: '*/change*/TN*/RU*/RP*' + CommandLine|contains: '/change*/TN*/RU*/RP' condition: selection falsepositives: - Unknown From b2e1b857aeece9136461e22107de2497697d3767 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:00:27 -0300 Subject: [PATCH 0661/1335] Update win_wmi_backdoor_exchange_transport_agent.yml --- .../win_wmi_backdoor_exchange_transport_agent.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index ef2451168..4ed71d3f9 100644 --- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -16,7 +16,7 @@ tags: - attack.t1084 # an old one detection: selection: - ParentImage: '*\EdgeTransport.exe' + ParentImage|endswith: '\EdgeTransport.exe' condition: selection falsepositives: - Unknown From eb9bac761fb4be44a27e0b974d5b9d6f74fb8715 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:00:44 -0300 Subject: [PATCH 0662/1335] Update win_wmi_spwns_powershell.yml --- .../windows/process_creation/win_wmi_spwns_powershell.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml index dee9e10d6..61ac32b63 100644 --- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml 
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml @@ -19,10 +19,10 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\wmiprvse.exe' - Image: - - '*\powershell.exe' + ParentImage|endswith: + - '\wmiprvse.exe' + Image|endswith: + - '\powershell.exe' condition: selection falsepositives: - AppvClient From 4adf092a251122b0c72ad6de1e6dfaa941a980b5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:00:57 -0300 Subject: [PATCH 0663/1335] Update win_workflow_compiler.yml --- rules/windows/process_creation/win_workflow_compiler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml index 496138fde..9347f2b35 100644 --- a/rules/windows/process_creation/win_workflow_compiler.yml +++ b/rules/windows/process_creation/win_workflow_compiler.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: '*\Microsoft.Workflow.Compiler.exe' + Image|endswith: '\Microsoft.Workflow.Compiler.exe' condition: selection fields: - CommandLine From 337e26a034f95fbadd1f32a2468bb058d086b40b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:02:37 -0300 Subject: [PATCH 0664/1335] Update sysmon_cmstp_execution.yml --- rules/windows/registry_event/sysmon_cmstp_execution.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml index 07b87eccc..d1989a112 100755 --- a/rules/windows/registry_event/sysmon_cmstp_execution.yml +++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml 
@@ -29,20 +29,20 @@ logsource: detection: # Registry Object Add selection2: - TargetObject: '*\cmmgr32.exe*' + TargetObject|endswith: '\cmmgr32.exe*' EventType: 'CreateKey' # Registry Object Value Set selection3: - TargetObject: '*\cmmgr32.exe*' + TargetObject|endswith: '\cmmgr32.exe*' # Process Access Call Trace selection4: - CallTrace: '*cmlua.dll*' + CallTrace|contains: 'cmlua.dll' condition: 1 of them --- detection: # CMSTP Spawning Child Process selection1: - ParentImage: '*\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' condition: 1 of them logsource: category: process_creation From bdca2febe930cfb882a999a5aa34a23e18b8ee69 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:02:58 -0300 Subject: [PATCH 0665/1335] Update sysmon_dhcp_calloutdll.yml --- rules/windows/registry_event/sysmon_dhcp_calloutdll.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml index c2cff4812..d8b7daf7c 100755 --- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml @@ -19,10 +19,9 @@ logsource: product: windows detection: selection: - - TargetObject: - - '*\Services\DHCPServer\Parameters\CalloutDlls' - - '*\Services\DHCPServer\Parameters\CalloutEnabled' + TargetObject|endswith: + - '\Services\DHCPServer\Parameters\CalloutDlls' + - '\Services\DHCPServer\Parameters\CalloutEnabled' condition: selection falsepositives: - unknown From c4a44e2376ada782a101f57d665c4443c216354b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:03:29 -0300 Subject: [PATCH 0666/1335] Update sysmon_dns_serverlevelplugindll.yml --- .../registry_event/sysmon_dns_serverlevelplugindll.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
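Review bot: `TargetObject|endswith: '\cmmgr32.exe*'` in selection2 and selection3 pairs an end-anchored modifier with a trailing wildcard, which depends on backend handling of wildcards inside modified values and reads as a mistake. The original `'*\cmmgr32.exe*'` matched the executable name anywhere in the registry path, so the faithful rewrite is `TargetObject|contains: '\cmmgr32.exe'` in both selections; if a suffix match is really intended, drop the `*` instead.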
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index 59849ff88..d0acdb6fa 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -30,7 +30,7 @@ logsource: category: registry_event detection: dnsregmod: - TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' + TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: 1 of them --- logsource: @@ -38,5 +38,5 @@ logsource: product: windows detection: dnsadmin: - CommandLine: 'dnscmd.exe /config /serverlevelplugindll *' - condition: 1 of them \ No newline at end of file + CommandLine|startswith 'dnscmd.exe /config /serverlevelplugindll ' + condition: 1 of them From 143e6512ad6eb3af840b3c1e127be7c2d526bf0f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:03:42 -0300 Subject: [PATCH 0667/1335] Update sysmon_dns_serverlevelplugindll.yml --- .../windows/registry_event/sysmon_dns_serverlevelplugindll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index d0acdb6fa..03283b219 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -38,5 +38,5 @@ logsource: product: windows detection: dnsadmin: - CommandLine|startswith 'dnscmd.exe /config /serverlevelplugindll ' + CommandLine|startswith: 'dnscmd.exe /config /serverlevelplugindll ' condition: 1 of them From 51eefbae0cd81f3ebf46b762b19474de86ba82f3 Mon Sep 17 00:00:00 2001 
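Review bot: `CommandLine|startswith: 'dnscmd.exe /config /serverlevelplugindll '` in the `dnsadmin` selection only fires when the logged command line begins with the bare executable name; invocations that carry a full path or a quoted image, which process-creation telemetry commonly records, fall outside the anchor. The original value had the same gap, and the colon omission is already fixed by the follow-up commit on this page. `CommandLine|contains: 'dnscmd.exe /config /serverlevelplugindll '` would cover both forms without widening the match meaningfully.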
From: Jonhnathan Date: Thu, 15 Oct 2020 20:04:05 -0300 Subject: [PATCH 0668/1335] Update sysmon_logon_scripts_userinitmprlogonscript_reg.yml --- .../sysmon_logon_scripts_userinitmprlogonscript_reg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index 069aaa501..e9ee2839a 100644 --- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml @@ -17,9 +17,9 @@ logsource: product: windows detection: create_keywords_reg: - TargetObject: '*UserInitMprLogonScript*' + TargetObject|contains: 'UserInitMprLogonScript' condition: create_keywords_reg falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming -level: high \ No newline at end of file +level: high From 4c9cf8b759795be7968dbb381cfb1accdba3f9b2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:04:31 -0300 Subject: [PATCH 0669/1335] Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml --- ...on_new_dll_added_to_appinit_dlls_registry_key.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 86586574a..c398de6f5 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
@@ -17,13 +17,13 @@ logsource: product: windows detection: selection: - - TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + - TargetObject|endswith: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - # key rename - NewName: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' - - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + NewName|endswith: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' condition: selection fields: - EventID From 176b7ce08f90c418cdc064240660a4d386eb6b96 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:04:57 -0300 Subject: [PATCH 0670/1335] Update sysmon_rdp_settings_hijack.yml --- .../windows/registry_event/sysmon_rdp_settings_hijack.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml index 425c550b6..4a9041570 100755 --- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml +++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml @@ -11,10 +11,10 @@ logsource: product: windows detection: selection_reg: - TargetObject: - - '*\services\TermService\Parameters\ServiceDll*' - - '*\Control\Terminal Server\fSingleSessionPerUser*' - - '*\Control\Terminal Server\fDenyTSConnections*' + TargetObject|contains: + - '\services\TermService\Parameters\ServiceDll' + - '\Control\Terminal Server\fSingleSessionPerUser' + - '\Control\Terminal Server\fDenyTSConnections' condition: selection_reg tags: - attack.defense_evasion 
From f101d661f010f6596a3df8ae0b096a486b2e544a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:05:11 -0300 Subject: [PATCH 0671/1335] Update sysmon_reg_office_security.yml --- .../windows/registry_event/sysmon_reg_office_security.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index 8e538be85..fb3975c6a 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml @@ -16,9 +16,9 @@ logsource: detection: sec_settings: TargetObject|endswith: - - '*\Security\Trusted Documents\TrustRecords' - - '*\Security\AccessVBOM' - - '*\Security\VBAWarnings' + - '\Security\Trusted Documents\TrustRecords' + - '\Security\AccessVBOM' + - '\Security\VBAWarnings' EventType: - SetValue - DeleteValue @@ -26,4 +26,4 @@ detection: condition: sec_settings falsepositives: - Valid Macros and/or internal documents -level: high \ No newline at end of file +level: high From 03ea1375e2227fba59bcf33af1281f0232e1f41b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:05:46 -0300 Subject: [PATCH 0672/1335] Update sysmon_registry_persistence_search_order.yml --- .../sysmon_registry_persistence_search_order.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index ed0c58392..8d1ff7ad2 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml 
@@ -18,12 +18,12 @@ detection: selection: # Detect new COM servers in the user hive TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' filter: - Details: # Exclude privileged directories and observed FPs - - '%%systemroot%%\system32\\*' - - '%%systemroot%%\SysWow64\\*' - - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' - - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' - - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' + Details|contains: # Exclude privileged directories and observed FPs + - '%%systemroot%%\system32\\' + - '%%systemroot%%\SysWow64\\' + - '\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' + - '\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' + - '\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' condition: selection and not filter falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level From 6fc6409c7f173b38d87731ff5901898990d9fe35 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:07:11 -0300 Subject: [PATCH 0673/1335] Update sysmon_stickykey_like_backdoor.yml --- .../sysmon_stickykey_like_backdoor.yml | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 06e822d14..85fef1834 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml 
@@ -24,13 +24,13 @@ logsource: product: windows detection: selection_registry: - TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' + TargetObject|endswith: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' EventType: 'SetValue' condition: 1 of them --- @@ -39,13 +39,13 @@ logsource: product: windows detection: selection_process: - ParentImage: - - '*\winlogon.exe' - CommandLine: - - '*cmd.exe sethc.exe *' - - '*cmd.exe utilman.exe *' - - '*cmd.exe osk.exe *' - - '*cmd.exe Magnify.exe *' - - '*cmd.exe Narrator.exe *' - - '*cmd.exe DisplaySwitch.exe *' + ParentImage|endswith: + - '\winlogon.exe' + CommandLine|contains: + - 'cmd.exe sethc.exe ' + - 'cmd.exe utilman.exe ' + - 'cmd.exe osk.exe ' + - 'cmd.exe Magnify.exe ' + - 'cmd.exe Narrator.exe ' + - 'cmd.exe DisplaySwitch.exe ' condition: 1 of them 
From 17ade8e5f596c1ec48584733dc34cd9410f61aa5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:07:53 -0300 Subject: [PATCH 0674/1335] Update sysmon_susp_download_run_key.yml --- .../registry_event/sysmon_susp_download_run_key.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml index 963cbfc92..06e473525 100755 --- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml +++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml @@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - Image: - - '*\Downloads\\*' - - '*\Temporary Internet Files\Content.Outlook\\*' - - '*\Local Settings\Temporary Internet Files\\*' - TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + Image|contains: + - '\Downloads\\' + - '\Temporary Internet Files\Content.Outlook\\' + - '\Local Settings\Temporary Internet Files\\' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\' condition: selection falsepositives: - Software installers downloaded and used by users From b55b78c42d81e9df0601e6cba816ea5054d98802 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:08:12 -0300 Subject: [PATCH 0675/1335] Update sysmon_susp_lsass_dll_load.yml --- rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml index e7ff37013..d17f68a15 100644 --- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml +++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml 
@@ -13,9 +13,9 @@ logsource: product: windows detection: selection: - TargetObject: - - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*' - - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*' + TargetObject|contains: + - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt' + - '\CurrentControlSet\Services\NTDS\LsaDbExtPt' condition: selection tags: - attack.execution From 45466cf95d9fc93b6e82d2b414ed794f520d55aa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:08:47 -0300 Subject: [PATCH 0676/1335] Update sysmon_susp_reg_persist_explorer_run.yml --- .../sysmon_susp_reg_persist_explorer_run.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 8a84eff4c..e65cd25c1 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -13,14 +13,14 @@ logsource: detection: selection: TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - Details: - - 'C:\Windows\Temp\\*' - - 'C:\ProgramData\\*' - - '*\AppData\\*' - - 'C:\$Recycle.bin\\*' - - 'C:\Temp\\*' - - 'C:\Users\Public\\*' - - 'C:\Users\Default\\*' + Details|startswith: + - 'C:\Windows\Temp\\' + - 'C:\ProgramData\\' + - '*\AppData\\' + - 'C:\$Recycle.bin\\' + - 'C:\Temp\\' + - 'C:\Users\Public\\' + - 'C:\Users\Default\\' condition: selection tags: - attack.persistence From 33ed01e28570b321050709098cabff5b3add46e3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:09:42 -0300 Subject: [PATCH 0677/1335] Update sysmon_susp_run_key_img_folder.yml --- .../sysmon_susp_run_key_img_folder.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
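Review bot: In the sysmon_susp_reg_persist_explorer_run hunk, `'*\AppData\\'` keeps a leading wildcard inside the new `Details|startswith` list, so that one entry behaves as a contains match while its siblings are anchored to the drive root; the modifier is inconsistent with the value and some backends render wildcards under a modifier differently. If the intent is "any user's AppData", move it to its own `Details|contains: '\AppData\\'` selection and `or` it into the condition; if prefix matching was intended, drop the `*`. The unchanged context line `TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'` still uses the plain wildcard form that the rest of this series converts to `TargetObject|endswith`.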
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 309d978d8..ec9b79889 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml @@ -16,19 +16,19 @@ logsource: product: windows detection: selection: - TargetObject: - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' - Details: - - '*C:\Windows\Temp\\*' - - '*C:\$Recycle.bin\\*' - - '*C:\Temp\\*' - - '*C:\Users\Public\\*' - - '%Public%\\*' - - '*C:\Users\Default\\*' - - '*C:\Users\Desktop\\*' - - 'wscript*' - - 'cscript*' + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\' + Details|contains: + - 'C:\Windows\Temp\\' + - 'C:\$Recycle.bin\\' + - 'C:\Temp\\' + - 'C:\Users\Public\\' + - '%Public%\\' + - 'C:\Users\Default\\' + - 'C:\Users\Desktop\\' + - 'wscript' + - 'cscript' condition: selection fields: - Image From 9c434eaf04a5246582cb3c51243fe13aac6a74a4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:10:06 -0300 Subject: [PATCH 0678/1335] Update sysmon_susp_service_installed.yml --- .../registry_event/sysmon_susp_service_installed.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 2d302e4f3..d75fe62b9 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml 
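Review bot: Converting `'wscript*'` and `'cscript*'` to `Details|contains: 'wscript'` / `'cscript'` drops the start-of-value anchoring the old patterns had, so the rule now also fires on any Run value whose data merely contains those substrings anywhere, which the original did not; `'%Public%\\*'` loses its anchor the same way. If the anchoring was deliberate, keep those three in a separate `Details|startswith` list and join the two selections with `or` in the condition. If the widening is intended, a sentence in the rule's description or falsepositives saying so would help the next reviewer, since the commit title is only "Update".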
@@ -20,10 +20,10 @@ detection: - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' selection_2: Image|contains: - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\procmon64.exe' - - '*\procmon.exe' + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' selection_3: Details|contains: - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS' From 7dfb8f0e990d8f9c1fd4e5362880599cb04f51e6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:10:21 -0300 Subject: [PATCH 0679/1335] Update sysmon_suspicious_keyboard_layout_load.yml --- .../sysmon_suspicious_keyboard_layout_load.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 125d927da..badfbb365 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -14,9 +14,9 @@ logsource: definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: selection_registry: - TargetObject: - - '*\Keyboard Layout\Preload\\*' - - '*\Keyboard Layout\Substitutes\\*' + TargetObject|contains: + - '\Keyboard Layout\Preload\\' + - '\Keyboard Layout\Substitutes\\' Details|contains: - 00000429 # Persian (Iran) - 00050429 # Persian (Iran) From 6ea18efdaf50580cbf8398ae4546c54db6b8ada6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:10:44 -0300 Subject: [PATCH 0680/1335] Update sysmon_sysinternals_eula_accepted.yml --- .../registry_event/sysmon_sysinternals_eula_accepted.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml index 056d98d40..717e6b93a 100755 --- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml @@ -17,7 +17,7 @@ logsource: category: registry_event detection: selection1: - TargetObject: '*\EulaAccepted' + TargetObject|endswith: '\EulaAccepted' condition: 1 of them --- logsource: @@ -25,5 +25,5 @@ logsource: product: windows detection: selection2: - CommandLine: '* -accepteula*' - condition: 1 of them \ No newline at end of file + CommandLine|contains: ' -accepteula' + condition: 1 of them From 8a52610bf8383dec57e8ef4fa13d25a9f3ea7ecd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:11:11 -0300 Subject: [PATCH 0681/1335] Update sysmon_uac_bypass_eventvwr.yml --- rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml index f566bc863..737f18139 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml @@ -32,9 +32,9 @@ logsource: product: windows detection: methprocess: - ParentImage: '*\eventvwr.exe' + ParentImage|endswith: '\eventvwr.exe' filterprocess: - Image: '*\mmc.exe' + Image|endswith: '\mmc.exe' condition: methprocess and not filterprocess fields: - CommandLine From 229e57777a9d3d5bd89b81f0176f604181e9cb88 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:11:37 -0300 Subject: [PATCH 0682/1335] Update sysmon_win_reg_persistence.yml --- .../windows/registry_event/sysmon_win_reg_persistence.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 25f5ef43a..8512c9a50 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -11,10 +11,10 @@ logsource: product: windows detection: selection_reg1: - TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' + TargetObject|startswith: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' EventType: SetValue condition: selection_reg1 tags: From 457217bfc04fce2526ac8b9d270497eae7f66686 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:11:52 -0300 Subject: [PATCH 0683/1335] Update sysmon_win_reg_persistence.yml --- rules/windows/registry_event/sysmon_win_reg_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 8512c9a50..2268d68fa 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml 
@@ -11,7 +11,7 @@ logsource: product: windows detection: selection_reg1: - TargetObject|startswith: + TargetObject|endswith: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' From df81f5180df1cb001b77e60e6cfffbf9dc383e3d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:12:54 -0300 Subject: [PATCH 0684/1335] Update sysmon_cactustorch.yml --- rules/windows/sysmon/sysmon_cactustorch.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml index 9b8b5ec95..087ba323a 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/sysmon/sysmon_cactustorch.yml @@ -14,13 +14,13 @@ logsource: detection: selection: EventID: 8 - SourceImage: - - '*\System32\cscript.exe' - - '*\System32\wscript.exe' - - '*\System32\mshta.exe' - - '*\winword.exe' - - '*\excel.exe' - TargetImage: '*\SysWOW64\\*' + SourceImage|endswith: + - '\System32\cscript.exe' + - '\System32\wscript.exe' + - '\System32\mshta.exe' + - '\winword.exe' + - '\excel.exe' + TargetImage|contains: '\SysWOW64\\' StartModule: null condition: selection tags: From 26b36086c745df0a70436789c52534cdeea2e750 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:13:39 -0300 Subject: [PATCH 0685/1335] Update sysmon_cmstp_execution.yml --- rules/windows/sysmon/sysmon_cmstp_execution.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml index 5bf2897cf..735efdf44 100644 --- a/rules/windows/sysmon/sysmon_cmstp_execution.yml +++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml 
@@ -32,16 +32,16 @@ detection: # Registry Object Add selection2: EventID: 12 - TargetObject: '*\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' EventType: 'CreateKey' # Registry Object Value Set selection3: EventID: 13 - TargetObject: '*\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' # Process Access Call Trace selection4: EventID: 10 - CallTrace: '*cmlua.dll*' + CallTrace|contains: 'cmlua.dll' --- logsource: category: process_creation @@ -49,4 +49,4 @@ logsource: detection: # CMSTP Spawning Child Process selection1: - ParentImage: '*\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' From 92aaeca075c60bc294d087ea884c46e57012747c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:14:23 -0300 Subject: [PATCH 0686/1335] Update sysmon_susp_powershell_rundll32.yml --- rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml index 652da06fa..884d2472e 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml @@ -12,8 +12,8 @@ logsource: detection: selection: EventID: 8 - SourceImage: '*\powershell.exe' - TargetImage: '*\rundll32.exe' + SourceImage|endswith: '\powershell.exe' + TargetImage|endswith: '\rundll32.exe' condition: selection tags: - attack.defense_evasion From d7eda3fe7e4e2ffda59f6059e0a9d230bb9eb2cb Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:15:22 -0300 Subject: [PATCH 0687/1335] Update sysmon_wmi_susp_scripting.yml --- .../sysmon/sysmon_wmi_susp_scripting.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml index e1f150b77..9e75dea5b 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml 
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml @@ -17,17 +17,17 @@ logsource: detection: selection: EventID: 20 - Destination: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' - - '*new-object net.webclient).downloadfile(*' - - '* iex(*' - - '*WScript.shell*' - - '* -nop *' - - '* -noprofile *' - - '* -decode *' - - '* -enc *' + Destination|contains: + - 'new-object system.net.webclient).downloadstring(' + - 'new-object system.net.webclient).downloadfile(' + - 'new-object net.webclient).downloadstring(' + - 'new-object net.webclient).downloadfile(' + - ' iex(' + - 'WScript.shell' + - ' -nop ' + - ' -noprofile ' + - ' -decode ' + - ' -enc ' condition: selection fields: - CommandLine From 0666d21b0643a961474173f93fc7383346b8991a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:19:06 -0300 Subject: [PATCH 0688/1335] Update win_dcsync.yml --- rules/windows/builtin/win_dcsync.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index b84c54531..2c2ec8d08 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -28,9 +28,10 @@ detection: SubjectUserName|startswith: - 'NT AUTHORITY' - 'MSOL_' + filter3: SubjectUserName|endswith: - '$' - condition: selection and not filter1 and not filter2 + condition: selection and not filter1 and not filter2 and not filter32 falsepositives: - Valid DC Sync that is not covered by the filters; please report level: high From 86ade194a4e622d6e6a4e6fce37dad216818647b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:22:56 -0300 Subject: [PATCH 0689/1335] Fix --- rules/windows/malware/av_password_dumper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
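Review bot: In the win_dcsync.yml hunk the new condition references `filter32`, but the selection added two lines above is named `filter3`; a Sigma compiler will reject the rule for an undefined identifier, or a lenient backend will silently drop the exclusion of machine accounts (`SubjectUserName|endswith '$'`). Change the last changed line to `condition: selection and not filter1 and not filter2 and not filter3`. The `detection` block starts outside the hunk.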
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index 9db6fec0a..74c82aba0 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml @@ -20,7 +20,7 @@ detection: - "DumpCreds" - "Mimikatz" - "PWCrack" - - "Tool/WCE" + - "HTool/WCE" - "PSWtool" - "PWDump" - "SecurityTool" From 345c3c6451cd1fba834f0445b0281a81d3bedcc0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:24:31 -0300 Subject: [PATCH 0690/1335] Fix --- rules/windows/malware/av_relevant_files.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index f36bbe501..eb9033e62 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -16,8 +16,8 @@ detection: - 'C:\PerfLogs\\' - 'C:\Users\Public\\' - 'C:\Users\Default\\' - Filename|contains: - - '\\Client\\' + - '*\\Client\\' + selection2: Filename|endswith: - '.ps1' - '.vbs' @@ -38,7 +38,7 @@ detection: - '.vbe' - '.wsf' - '.wsh' - condition: selection + condition: selection or selection2 fields: - Signature - User From 9795c95a9bcc57c71769d7a839293e6ef4631c25 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:25:34 -0300 Subject: [PATCH 0691/1335] Update av_webshell.yml --- rules/windows/malware/av_webshell.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 1dccfdd90..ff04a7971 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -21,8 +21,7 @@ detection: - "Backdoor.PHP" - "Backdoor.JSP" - "Backdoor.ASP" - Signature|contains: - - "Webshell" + - "*Webshell" condition: selection fields: - FileName From 0dfacd1f63c3fc2d86adce1ed82e108844e7af8b Mon Sep 17 00:00:00 2001 
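Review bot: In the av_relevant_files.yml hunk, `'*\\Client\\'` is appended to a `Filename` list whose modifier sits above the hunk; if that list is `|startswith` (its sibling entries are absolute paths), the leading `*` turns this one entry into a contains match and the modifier no longer describes the value. Keeping the removed form as its own selection, `selection_client: Filename|contains: '\\Client\\'`, and adding it to the condition preserves the intent without depending on the parent modifier. Note also that `condition: selection or selection2` turns the rule from path-AND-extension into path-OR-extension, so an AV alert on any `.ps1`/`.vbs`/… file now matches regardless of location; if that widening is intended, say so in the description, since the commit message is only "Fix".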
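Review bot: In the av_webshell.yml hunk, `"*Webshell"` replaces a `Signature|contains: "Webshell"` key by joining a list whose modifier is above the hunk; with a single leading wildcard the entry only matches signatures ending in `Webshell` under a plain-match list, and its meaning depends on whichever modifier that list carries. To keep the old contains semantics regardless of the parent modifier, write `"*Webshell*"`, or keep a separate `Signature|contains` selection and add it to the condition.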
From: Jonhnathan Date: Thu, 15 Oct 2020 20:27:10 -0300 Subject: [PATCH 0692/1335] Fix --- rules/windows/malware/win_mal_flowcloud.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index 5cb4a3567..37e315f90 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml @@ -21,8 +21,7 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - TargetObject|startswith: - - 'HKLM\SYSTEM\Setup\PrintResponsor\\' + - 'HKLM\SYSTEM\Setup\PrintResponsor\\*' condition: selection falsepositives: - Unknown From 1fac65dad0bb70c80cf1211426736177d3d4302d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:29:02 -0300 Subject: [PATCH 0693/1335] Fix --- rules/windows/other/win_pcap_drivers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml index 814dab6a6..14257648e 100644 --- a/rules/windows/other/win_pcap_drivers.yml +++ b/rules/windows/other/win_pcap_drivers.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|constains: + ServiceFileName|contains: - 'pcap' - 'npcap' - 'npf' From 37ee747dfe841dea6f50fa62644226bb4bc5f394 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:30:52 -0300 Subject: [PATCH 0694/1335] Update win_apt_chafer_mar18.yml --- rules/windows/process_creation/win_apt_chafer_mar18.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 330f26b5c..4fd4fa101 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml 
@@ -74,7 +74,7 @@ detection: CommandLine|startswith: - 'C:\wsc.exe' selection_process2: - Image|startswith: '\Windows\Temp\DB\\*.exe' + Image|endswith: '\Windows\Temp\DB\\*.exe' selection_process3: CommandLine|contains: '\nslookup.exe -q=TXT' ParentImage|contains: '\Autoit' From 5fc348fd45b1f3f2484628d82d37e31db5e3a3b5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:32:16 -0300 Subject: [PATCH 0695/1335] Fix --- rules/windows/process_creation/win_apt_hurricane_panda.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml index 879954c8d..e613c5909 100755 --- a/rules/windows/process_creation/win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml @@ -15,9 +15,8 @@ logsource: product: windows detection: selection: - CommandLine|endswith: - - ' localgroup administrators admin /add' CommandLine|contains: + - ' localgroup administrators admin /add' - '\Win64.exe' condition: selection falsepositives: From 44c909a4a4c39d99978db868919f85c5bd94ef0b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:33:00 -0300 Subject: [PATCH 0696/1335] Update win_apt_mustangpanda.yml --- rules/windows/process_creation/win_apt_mustangpanda.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index cef514b27..e99b23f35 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -18,11 +18,10 @@ detection: - '%windir:~-3,1%%PUBLIC:~-9,1%' - '/tn "Security Script ' - '%windir:~-1,1%' - Commandline|endswith: - '/E:vbscript * C:\Users\\*.txt" /F' selection2: - Image: - - '*Temp\winwsh.exe' + Image|endswith: + - 'Temp\winwsh.exe' condition: 1 of them fields: - CommandLine 
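Review bot: In the win_apt_mustangpanda.yml hunk the `Commandline|endswith: '/E:vbscript * C:\Users\\*.txt" /F'` pattern is deleted rather than moved, so the rule loses that indicator entirely; the commit title says only "Update" and nothing on the page marks the pattern as obsolete. If the goal was to make the indicators alternatives, add `- '/E:vbscript * C:\Users\\*.txt" /F'` to the list above it (whose key line is outside the hunk). The removed key was spelled `Commandline` rather than `CommandLine`, which may be why it never matched and was dropped; if so, a one-line note in the description would preserve that reasoning.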
From 3566dd15943a5cbd23723c6aa2c604ff26f98df0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:35:50 -0300 Subject: [PATCH 0697/1335] Fix --- rules/windows/process_creation/win_impacket_lateralization.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index e27b18f3d..e12bfe31b 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -40,9 +40,8 @@ detection: CommandLine|contains: - 'cmd.exe* /Q /c * \\\\127.0.0.1\\*&1' selection_atexec: - ParentCommandLine|endswith: + ParentCommandLine|contains: - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - ParentCommandLine|startswith: - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 CommandLine: From f4872118a2838aa274a0a2cb6381493cbc7a6bb3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:38:55 -0300 Subject: [PATCH 0698/1335] Update win_powershell_dll_execution.yml --- rules/windows/process_creation/win_powershell_dll_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml index f43443167..4478fccdf 100644 --- a/rules/windows/process_creation/win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection1: - Image|endsswith: + Image|endswith: - '\rundll32.exe' selection2: Description|contains: From 1584ddf9180637874c368822566a39c4c3b4676d Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 20:50:42 -0300 Subject: [PATCH 0699/1335] Update sysmon_susp_service_installed.yml --- rules/windows/registry_event/sysmon_susp_service_installed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index d75fe62b9..115dc8569 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml @@ -19,7 +19,7 @@ detection: - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' selection_2: - Image|contains: + Image|endswith: - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' From fc6c727c70fdb1c1afda3cc1f8aa01d3294c4665 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 20:59:27 -0300 Subject: [PATCH 0700/1335] Update powershell_malicious_commandlets.yml --- .../powershell/powershell_malicious_commandlets.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 2afaf557c..ad4609d8d 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml 
@@ -8,15 +8,17 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one -author: Sean Metcalf (source), Florian Roth (rule) +author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 +modified: 2020/10/11 logsource: product: windows service: powershell definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' detection: keywords: - Message|contains: + EventID: 4104 + ScriptBlockText|contains: - "Invoke-DllInjection" - "Invoke-Shellcode" - "Invoke-WmiCommand" @@ -113,7 +115,9 @@ detection: - "Invoke-Mimikittenz" - "Invoke-AllChecks" false_positives: - - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + EventID: 4104 + ScriptBlockText|contains: + - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 condition: keywords and not false_positives falsepositives: - Penetration testing From d4603d196bdde771b46c02bafabf26cc916c9a1d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 21:00:15 -0300 Subject: [PATCH 0701/1335] Update win_susp_adfind.yml --- .../process_creation/win_susp_adfind.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index e7b716009..07b234894 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml 
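Review bot: The new `false_positives` selection suppresses any 4104 event whose `ScriptBlockText` merely contains `Get-SystemDriveInfo`, so a script block that bundles one of the listed cmdlets with that string is silently dropped, which is a trivial bypass of the whole `keywords` list. The exclusion was meant for one Microsoft maintenance script (the CL_Utility.ps1 comment), so key it on that script rather than on a substring of the block, e.g. `Path|endswith: '\CL_Utility.ps1'` if your 4104 mapping exposes the script path, or at least `ScriptBlockText|contains|all: ['Get-SystemDriveInfo', 'CL_Utility']`. Note also that switching from `Message|contains` to `EventID: 4104` + `ScriptBlockText` limits the rule to Script Block Logging; the existing `definition` line already says so, but the description a few lines above the hunk should state that Module Logging (4103) alone no longer triggers it.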
@@ -5,23 +5,28 @@ description: Detects the execution of a AdFind for Active Directory enumeration references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md -author: FPT.EagleEye Team + - https://thedfirreport.com/2020/05/08/adfind-recon/ +author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 +modified: 2020/10/11 tags: - attack.discovery - - attack.t1016 - attack.t1018 + - attack.t1087.002 - attack.t1482 - #- attack.t1069.002 - #- attack.t1087.002 + - attack.t1069.002 logsource: product: windows service: process_creation detection: selection: - ProcessCommandline|contains: 'objectcategory' - Image|endswith: - - '\adfind.exe' + ProcessCommandline|contains: + - 'objectcategory' + - 'trustdmp' + - 'dcmodes' + - 'dclist' + - 'computers_pwdnotreqd' + Image|endswith: '\adfind.exe' condition: selection falsepositives: - Administrative activity From 2332e42e4c2ca96434375da9e4e174ca420d8f5f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 21:01:23 -0300 Subject: [PATCH 0702/1335] Update win_susp_copy_lateral_movement.yml --- .../win_susp_copy_lateral_movement.yml | 38 +++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index a5325820a..3b0611bcf 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml 
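Review bot: The rewritten selection keeps the field name `ProcessCommandline`, which is not the standard process_creation field; every other process_creation rule in this series uses `CommandLine` (see the copy-from-admin-share rule updated right after this one), so backend field mappings will not translate it and the new `trustdmp`/`dclist` patterns will never match. Change the first line of the selection to `CommandLine|contains:`. The `logsource` block in the context lines also uses `service: process_creation` where the sibling rules use `category: process_creation`, which is what the sigmac field mappings key on, so that line likely needs the same correction. `Image|endswith: '\adfind.exe'` will of course miss a renamed copy, which is worth stating under `falsepositives`/description rather than silently accepting.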
@@ -1,30 +1,46 @@ title: Copy from Admin Share id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: experimental -description: Detects a suspicious copy command from a remote C$ or ADMIN$ share +description: Detects a suspicious copy command to or from an Admin share references: - https://twitter.com/SBousseaden/status/1211636381086339073 -author: Florian Roth + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2019/12/30 -modified: 2020/09/05 +modified: 2020/10/05 tags: - attack.lateral_movement + - attack.collection + - attack.exfiltration + - attack.t1039 + - attack.t1105 # an old one + - attack.t1048 - attack.t1021.002 - - attack.command_and_control - - attack.t1105 - - attack.s0106 - - attack.t1077 # an old one logsource: category: process_creation product: windows detection: - selection: + selection1: + Image|endswith: + - '\robocopy.exe' + - '\xcopy.exe' + selection2: + Image|endswith: + - '\cmd.exe' CommandLine|contains: - 'copy' + selection3: + Image|contains: + - '\powershell' CommandLine|contains: - - '\c$' - - '\ADMIN$' - condition: selection + - 'copy-item' + - 'copy' + - 'cpi ' + - ' cp ' + selection4: + CommandLine|contains: + - '\\\\*\*$*' + condition: (selection1 or selection2 or selection3) and selection4 fields: - CommandLine - ParentCommandLine From d8a6048492519cf58e9a6decc754751e09e3a660 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Fri, 16 Oct 2020 02:05:22 +0200 Subject: [PATCH 0703/1335] update /macos_create_hidden_account.yml --- rules/linux/macos_create_hidden_account.yml | 23 ++++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml index 469c19697..3a97aab8e 100644 --- a/rules/linux/macos_create_hidden_account.yml +++ b/rules/linux/macos_create_hidden_account.yml 
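Review bot: The `selection4` value `'\\\\*\*$*'` does not express the intended `\\host\share$` pattern: under Sigma's escaping rules `\*` is an escaped, literal asterisk, so after the UNC prefix the value requires a literal `*` character in the command line before the `$`, and the share name is never wildcarded. The impacket rule earlier in this same series writes backslash-then-wildcard as `\\*` (`\\\\127.0.0.1\\*`), so the share part should be written the same way: `- '\\\\*\\*$*'`. With the current value, `(selection1 or selection2 or selection3) and selection4` will almost never fire. Separately, `selection2` matches any `cmd.exe` whose command line contains the substring `copy`, which also covers `robocopy`/`xcopy` invoked through cmd; that may be intended, but it should be noted in the description.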
@@ -1,7 +1,7 @@ title: Hidden User Creation id: b22a5b36-2431-493a-8be1-0bae56c28ef3 status: experimental -description: Detects creation of a hidden user account on macOS (UserID < 500) +description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option author: Daniil Yugoslavskiy, oscd.community date: 2020/10/10 references: @@ -10,17 +10,24 @@ logsource: category: process_creation product: macos detection: - selection_1: + dscl_create: ProcessName|endswith: '/dscl' + CommandLine|contains: 'create' + id_below_500: + CommandLine|contains: UniqueID + CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})' + ishidden_option_declaration: + CommandLine|contains: 'IsHidden' + ishidden_option_confirmation: CommandLine|contains: - - create - - UniqueID - selection_2: - CommandLine|re: '([1-9]|[1-8][0-9]|9[0-9]|[1-4][0-9]{2}|500)' - condition: selection_1 and selection_2 + - 'true' + - 'yes' + - '1' + condition: dscl_create and id_below_500 or + dscl_create and (ishidden_option_declaration and ishidden_option_confirmation) falsepositives: - Legitimate administration activities level: low tags: - attack.defense_evasion - - attack.t1564.002 + - attack.t1564.002 \ No newline at end of file From b0ddaf5ac986d15ede1142fb22e37d56d047ffa9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 22:45:30 -0300 Subject: [PATCH 0704/1335] Revert "Changed the rule to download only and not the copy" This reverts commit 1324bc1ad14e1caa1a9ca0d6873de20b44a6baee. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index 9dbdb1e21..d530fec79 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml 
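Review bot: The `id_below_500` regex `'([0-9]|[1-9][0-9]|[1-4][0-9]{2})'` is unanchored, so it matches any single digit anywhere in the command line; combined with `CommandLine|contains: UniqueID`, the selection fires for `dscl . create /Users/x UniqueID 1001` via the `1`, which makes the "below 500" branch equivalent to "any dscl create that sets a UniqueID". The old regex had the same flaw and this rewrite preserved it; tie the number to the option and bound it, e.g. `CommandLine|re: 'UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)'`. The `ishidden_option_confirmation` list has the same problem in a different form: `'1'` as a `contains` value matches nearly every command line, so that branch reduces to "contains IsHidden"; a single regex such as `CommandLine|re: 'IsHidden\s+(1|true|yes)'` is both tighter and shorter.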
@@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Download operations using Replace.exe. +description: Detect Copy and Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace @@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains|all: + CommandLine|contains: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary to download files from a share + - Legitimate use of the binary level: low From 1979906baec53d3dff0aebf5151188669bb3dd5b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 22:45:33 -0300 Subject: [PATCH 0705/1335] Revert "Create win_susp_replace_lolbin.yml" This reverts commit e6a65496768a460d32de0b7d9742ce969fb4ea5d. --- .../win_susp_replace_lolbin.yml | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml deleted file mode 100644 index d530fec79..000000000 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: Ingress Tool Transfer Using Replace.exe -id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. -status: experimental -references: - - https://lolbas-project.github.io/lolbas/Binaries/Replace -author: Jonhnathan Ribeiro, oscd.community -date: 2020/10/07 -tags: - - attack.command_and_control - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\replace.exe' - CommandLine|contains: - - "\\\\\\\\" - - "/A" - condition: selection -falsepositives: - - Legitimate use of the binary -level: low 
From 618564044257edebf3fffa06aadbbc0a07402874 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 22:49:42 -0300 Subject: [PATCH 0706/1335] Update lnx_clamav.yml --- rules/linux/lnx_clamav.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index cd19a25a4..d312a287c 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -10,13 +10,15 @@ logsource: product: linux service: clamav detection: - keywords: - - 'Trojan*FOUND' - - 'VirTool*FOUND' - - 'Webshell*FOUND' - - 'Rootkit*FOUND' - - 'Htran*FOUND' - condition: keywords + keywords|contains: + - 'Trojan' + - 'VirTool' + - 'Webshell' + - 'Rootkit' + - 'Htran' + filter: + - 'FOUND' + condition: keywords and filter falsepositives: - Unknown level: high From 41396636f92fbbf366c76da36567a1f4a5665829 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 22:53:20 -0300 Subject: [PATCH 0707/1335] Update lnx_file_copy.yml --- rules/linux/lnx_file_copy.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml index 028476447..2a0509c6f 100644 --- a/rules/linux/lnx_file_copy.yml +++ b/rules/linux/lnx_file_copy.yml @@ -11,18 +11,20 @@ logsource: detection: keywords: - Scp|contains: - - 'scp * *@*:*' - - 'scp *@*:* *' + - 'scp' - Rsync|contains: - - 'rsync -r *@*:* *' - - 'rsync -r * *@*:*' + - 'rsync -r' - Sftp|contains: - - 'sftp *@*:* *' - condition: keywords + - 'sftp' + filter: + message|contains|all: + - '@' + - ':' + condition: keywords and filter falsepositives: - Legitimate administration activities level: low tags: - attack.command_and_control - attack.lateral_movement - - attack.t1105 \ No newline at end of file + - attack.t1105 From 68ad66f390a6924907f4dd36eb253ddb9b271f20 Mon Sep 17 00:00:00 2001 
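Review bot: In the clamav rule, `keywords|contains:` attaches a value modifier to a selection name, but Sigma modifiers only apply to field names; keyword lists take none, and the `condition: keywords and filter` now references an identifier that no longer exists (the selection is literally named `keywords|contains`), so the rule is likely rejected at compile time. Keyword search is already a substring match in the backends, so the plain list form does what the modifier was meant to do: `keywords:` followed by `- 'Trojan'` etc., or simply keep the original wildcard keywords (`'Trojan*FOUND'`), which also preserved the ordering of the two tokens that the split into `keywords and filter` loses.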
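Review bot: In the file-copy rule, the `Scp`/`Rsync`/`Sftp` patterns were loosened from full command shapes (`scp * *@*:*`) to bare substrings (`scp`, `sftp`), and the added `filter` only requires an `@` and a `:` somewhere in the message, so the rule now fires on any log line containing "scp" or "sftp" plus those two characters, for example a username such as `scp-backup@host:` in an unrelated sshd line. If the intent is to detect the copy commands themselves, keep at least a trailing space in the tokens (`'scp '`, `'sftp '`, `'rsync -r '`) and state in `falsepositives` that the match is a substring search. The `rsync -r` token also silently drops the very common `rsync -a`/`-av` forms, which is worth a comment if deliberate.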
From: Jonhnathan Date: Thu, 15 Oct 2020 22:54:27 -0300 Subject: [PATCH 0708/1335] Update lnx_proxy_connection.yml --- rules/linux/lnx_proxy_connection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/lnx_proxy_connection.yml index 2caeba777..827d7ab72 100644 --- a/rules/linux/lnx_proxy_connection.yml +++ b/rules/linux/lnx_proxy_connection.yml @@ -9,9 +9,9 @@ references: logsource: product: linux detection: - keyword: - - 'http_proxy=*' - - 'https_proxy=*' + keyword|startswith: + - 'http_proxy=' + - 'https_proxy=' condition: keyword falsepositives: - Legitimate administration activities From 0ca17e88f64815b59226c13442359e6a4a05f0df Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 22:55:41 -0300 Subject: [PATCH 0709/1335] Update lnx_setgid_setuid.yml --- rules/linux/lnx_setgid_setuid.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/lnx_setgid_setuid.yml index 50fda753c..84472e44f 100644 --- a/rules/linux/lnx_setgid_setuid.yml +++ b/rules/linux/lnx_setgid_setuid.yml @@ -10,12 +10,12 @@ references: logsource: product: linux detection: - selection1: - - '*chown root*' - selection2: - - '* chmod u+s*' - selection3: - - '* chmod g+s*' + selection1|contains: + - 'chown root' + selection2|contains: + - ' chmod u+s' + selection3|contains: + - ' chmod g+s' condition: (selection1 and selection2) or (selection1 and selection3) falsepositives: - Legitimate administration activities From 65c2e5daa4391d76c0cb87157cedc406826c9fbb Mon Sep 17 00:00:00 2001 
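Review bot: In the proxy-connection rule, `keyword|startswith:` puts a modifier on a selection name rather than a field; Sigma does not support modifiers on keyword lists, and `condition: keyword` now references an identifier that does not exist, so the rule will fail to compile. The original wildcard form `'http_proxy=*'` was valid and expressed the same thing; either revert to it or use a plain `keyword:` list with `- 'http_proxy='` and rely on the backends' substring keyword matching.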
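Review bot: In the setuid/setgid rule, the three selections are renamed to `selection1|contains`, `selection2|contains` and `selection3|contains`, but the unchanged condition `(selection1 and selection2) or (selection1 and selection3)` still refers to `selection1`..`selection3`, which no longer exist; on top of that, modifiers cannot be applied to keyword-list selections at all. Drop the `|contains` suffixes and keep the plain lists: `selection1:` / `- 'chown root'` and so on, or restore the original `'*chown root*'` wildcard keywords. The leading space in `' chmod u+s'` is fine, but it will miss `chmod 4755`-style numeric setuid bits, which the description should acknowledge.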
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Thu, 15 Oct 2020 21:59:37 -0400 Subject: [PATCH 0710/1335] [OSCD] Always Install Elevated Page 48 from #574 Since the slide showing the usage of correlation of events, it was suggested to add the rules to rules-unsupported. Following suggestion from @yugoslavskiy - https://github.com/Neo23x0/sigma/issues/574#issuecomment-707441823 --- ...stall_elevated_parent_child_correlated.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml new file mode 100644 index 000000000..bcd2772a3 --- /dev/null +++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml 
@@ -0,0 +1,42 @@ +title: Always Install Elevated Parent Child Correlated +id: 078235c5-6ec5-48e7-94b2-f8b5474379ea +description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege +#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable +#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + system_integrity: + IntegrityLevel: 'System' + system_user: + User: 'NT AUTHORITY\SYSTEM' + image_1: + Image|contains|all: + - '\Windows\Installer\' + - 'msi' + Image|endswith: + - 'tmp' + image_2: + Image|endswith: '\msiexec.exe' + child_of_suspicious_guid: + ParentProcessGuid: '%suspicious_guid%' + condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert +fields: + - EventID + - IntegrityLevel + - User + - Image + ParentProcessGuid +falsepositives: + - System administrator usage + - Penetration test +level: high \ No newline at end of file From 83bad3de983f0e85d561a7e27ed0042df230e793 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:03:40 -0300 Subject: [PATCH 0711/1335] Update lnx_sudo_cve_2019_14287.yml --- rules/linux/lnx_sudo_cve_2019_14287.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) 
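Review bot: The pseudo-condition references `event_id` and `integrity_level`, neither of which is defined in `detection` (the selections are `system_integrity`, `system_user`, `image_1`, `image_2` and `child_of_suspicious_guid`), so even as an unsupported, hand-translated rule it cannot be followed without guessing; replace `integrity_level` with `system_integrity` and either define `event_id` or drop it, since `category: process_creation` already fixes the event type. The `fields` list is also broken YAML: `ParentProcessGuid` lacks the `- ` list marker and sits at the sequence's indent, so the file does not parse; it should read `- ParentProcessGuid`. Finally, the second alert clause `(suspicious_guid and ...)` uses the variable name rather than a selection; the intent seems to be "the same process later runs as SYSTEM", which would be clearer spelled out in the comment at the top of the rule.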
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index ff20897bb..d75d4d0f9 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -19,15 +19,11 @@ tags: - attack.privilege_escalation - attack.t1068 - attack.t1169 ---- -detection: - selection_keywords: - - '* -u#*' - condition: selection_keywords ---- detection: + selection_keyword|contains: + - ' -u#' selection_user: USER: - '#-*' - '#*4294967295' - condition: selection_user \ No newline at end of file + condition: selection_keywords or selection_user From d4284e60f9fd16e5f593f4c988b95c7d00143a8e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:04:16 -0300 Subject: [PATCH 0712/1335] Update lnx_susp_named.yml --- rules/linux/lnx_susp_named.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml index 2fc43980a..6e6709240 100644 --- a/rules/linux/lnx_susp_named.yml +++ b/rules/linux/lnx_susp_named.yml @@ -10,14 +10,14 @@ logsource: product: linux service: syslog detection: - keywords: - - '* dropping source port zero packet from *' - - '* denied AXFR from *' - - '* exiting (due to fatal error)*' + keywords|contains: + - ' dropping source port zero packet from ' + - ' denied AXFR from ' + - ' exiting (due to fatal error)' condition: keywords falsepositives: - Unknown level: high tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 From 8fd768aa66dba79a16b0373f64fb557c57ed2e77 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:05:53 -0300 Subject: [PATCH 0713/1335] Update lnx_susp_ssh.yml --- rules/linux/lnx_susp_ssh.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml index b84992387..941033356 100644 --- a/rules/linux/lnx_susp_ssh.yml 
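Review bot: In the sudo CVE-2019-14287 rule, the merged condition `selection_keywords or selection_user` references `selection_keywords` (plural), but the selection is defined as `selection_keyword|contains`, so the identifier is undefined and the rule will not compile; `|contains` is also not permitted on a keyword-list selection. Name the selection plainly and point the condition at it: `selection_keyword:` with `- '* -u#*'` (the original, valid wildcard form) and `condition: selection_keyword or selection_user`. The merge of the two YAML documents into one rule is otherwise fine, but the `USER` patterns `'#-*'`/`'#*4294967295'` only cover the two classic forms; a short comment noting that any `-u#<id>` outside the allowed range is the real trigger would help maintainers.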
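Review bot: In the named/BIND rule, `keywords|contains:` applies a modifier to a keyword-list selection name, which Sigma does not allow, and `condition: keywords` then refers to an identifier that no longer exists. Keep the selection as a plain `keywords:` list (`- ' dropping source port zero packet from '` etc.); keyword matching is already substring-based, so the original wildcards and the new `contains` intent are both satisfied without the suffix.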
+++ b/rules/linux/lnx_susp_ssh.yml @@ -12,22 +12,22 @@ logsource: product: linux service: sshd detection: - keywords: - - '*unexpected internal error*' - - '*unknown or unsupported key type*' - - '*invalid certificate signing key*' - - '*invalid elliptic curve value*' - - '*incorrect signature*' - - '*error in libcrypto*' - - '*unexpected bytes remain after decoding*' - - '*fatal: buffer_get_string: bad string*' - - '*Local: crc32 compensation attack*' - - '*bad client public DH value*' - - '*Corrupted MAC on input*' + keywords|contains: + - 'unexpected internal error' + - 'unknown or unsupported key type' + - 'invalid certificate signing key' + - 'invalid elliptic curve value' + - 'incorrect signature' + - 'error in libcrypto' + - 'unexpected bytes remain after decoding' + - 'fatal: buffer_get_string: bad string' + - 'Local: crc32 compensation attack' + - 'bad client public DH value' + - 'Corrupted MAC on input' condition: keywords falsepositives: - Unknown level: medium tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 From e26e5a1e7e8f95ce9f90d2ea5e911ba0e44edb81 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:07:39 -0300 Subject: [PATCH 0714/1335] Update lnx_auditd_create_account.yml --- rules/linux/auditd/lnx_auditd_create_account.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index 872398f62..4c1d6f6ba 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -12,7 +12,7 @@ logsource: detection: selection: type: 'SYSCALL' - exe: '*/useradd' + exe|endswith: '/useradd' condition: selection falsepositives: - Admin activity @@ -20,4 +20,4 @@ level: medium tags: - attack.t1136 # an old one - attack.t1136.001 - - attack.persistence \ No newline at end of file + - attack.persistence 
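Review bot: In the sshd rule, `keywords|contains:` renames the selection to an identifier the condition `keywords` does not reference, and keyword lists cannot carry modifiers in Sigma, so this change breaks compilation of a rule that previously worked with its `'*unexpected internal error*'` wildcards. Use a plain `keywords:` list with the unwildcarded strings, which gives the substring behaviour the author wanted. Several of the strings (`incorrect signature`, `Corrupted MAC on input`) also occur during ordinary network corruption or client bugs; `falsepositives: Unknown` should at least mention that.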
From d655ebf092581ddb091f94119f37b0dea906ca4c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:08:08 -0300 Subject: [PATCH 0715/1335] Update lnx_auditd_masquerading_crond.yml --- rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index 0dfbfe404..c76769bc9 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml @@ -16,9 +16,9 @@ detection: a0: 'cp' a1: '-i' a2: '/bin/sh' - a3: '*/crond' + a3|endswith: '/crond' condition: selection level: medium tags: - attack.defense_evasion - - attack.t1036.003 \ No newline at end of file + - attack.t1036.003 From 23358b8db5c7a699a394c9f9d0bbe90fc4a653e5 Mon Sep 17 00:00:00 2001 From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Thu, 15 Oct 2020 22:08:45 -0400 Subject: [PATCH 0716/1335] [OSCD] Always Install Elevated - Slide 50 - Rule 1 Page 50 from #574 Rule 1 Look for msiexec spawning command line or powershell --- ...levated_msi_spawned_cmd_and_powershell.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml new file mode 100644 index 000000000..d90dfdd02 --- /dev/null +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 
@@ -0,0 +1,33 @@ +title: Always Install Elevated MSI Spawned Cmd And Powershell +id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + image: + Image|contains: + - '\cmd.exe' + - '\powershell.exe' + parent_image: + ParentImage|contains|all: + - '\Windows\Installer\' + - 'msi' + ParentImage|endswith: + - 'tmp' + condition: event_id and image and parent_image +fields: + - EventID + - Image + - ParentImage +falsepositives: + - Penetration test +level: medium \ No newline at end of file From 3361b62cc26112c6feabfbb404b67ef7d40fd165 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:09:06 -0300 Subject: [PATCH 0717/1335] Update lnx_auditd_susp_exe_folders.yml --- .../auditd/lnx_auditd_susp_exe_folders.yml | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index 64175ef8a..4cbc91f86 100644 --- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml 
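Review bot: The condition `event_id and image and parent_image` references `event_id`, which is not defined in `detection` (only `image` and `parent_image` are), so sigmac will reject the rule with an undefined identifier; `category: process_creation` already selects the event, so the line should be `condition: image and parent_image`. The `image` selection uses `Image|contains` for `\cmd.exe` and `\powershell.exe`, where `Image|endswith` is the precise form used by the other rules in this series and avoids matching paths that merely contain those names; consider adding `\pwsh.exe` if PowerShell 7 hosts are in scope. The `parent_image` check for `\Windows\Installer\` + `msi` + a `tmp` suffix is a reasonable fingerprint of the Installer's temporary copy, but a one-line comment saying so (`# msiexec's elevated child runs from C:\Windows\Installer\MSIxxxx.tmp`) would make the intent clear to the next maintainer.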
@@ -12,26 +12,26 @@ logsource: detection: selection: type: 'SYSCALL' - exe: + exe|startswith: # Temporary folder - - '/tmp/*' + - '/tmp/' # Web server - - '/var/www/*' # Standard - - '/home/*/public_html/*' # Per-user - - '/usr/local/apache2/*' # Classical Apache - - '/usr/local/httpd/*' # Old SuSE Linux 6.* Apache - - '/var/apache/*' # Solaris Apache - - '/srv/www/*' # SuSE Linux 9.* - - '/home/httpd/html/*' # Redhat 6 or older Apache - - '/srv/http/*' # ArchLinux standard - - '/usr/share/nginx/html/*' # ArchLinux nginx + - '/var/www/' # Standard + - '/home/*/public_html/' # Per-user + - '/usr/local/apache2/' # Classical Apache + - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache + - '/var/apache/' # Solaris Apache + - '/srv/www/' # SuSE Linux 9.* + - '/home/httpd/html/' # Redhat 6 or older Apache + - '/srv/http/' # ArchLinux standard + - '/usr/share/nginx/html/' # ArchLinux nginx # Data dirs of typically exploited services (incomplete list) - - '/var/lib/pgsql/data/*' - - '/usr/local/mysql/data/*' - - '/var/lib/mysql/*' - - '/var/vsftpd/*' - - '/etc/bind/*' - - '/var/named/*' + - '/var/lib/pgsql/data/' + - '/usr/local/mysql/data/' + - '/var/lib/mysql/' + - '/var/vsftpd/' + - '/etc/bind/' + - '/var/named/' condition: selection falsepositives: - Admin activity (especially in /tmp folders) From 28cfda76767fa8775ea479340f61a629d570eb78 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:10:42 -0300 Subject: [PATCH 0718/1335] Update net_mal_dns_cobaltstrike.yml --- rules/network/net_mal_dns_cobaltstrike.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 666f7c72b..ac6cdf56d 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml 
@@ -11,9 +11,9 @@ logsource: category: dns detection: selection: - query: - - 'aaa.stage.*' - - 'post.1*' + query|startswith: + - 'aaa.stage.' + - 'post.1' condition: selection falsepositives: - Unknown From 4b8a47e35f181ad64b0be36fd1e66e8a418a9e24 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:10:57 -0300 Subject: [PATCH 0719/1335] Update net_susp_dns_b64_queries.yml --- rules/network/net_susp_dns_b64_queries.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml index 8af84a946..6031ac587 100644 --- a/rules/network/net_susp_dns_b64_queries.yml +++ b/rules/network/net_susp_dns_b64_queries.yml @@ -11,8 +11,8 @@ logsource: category: dns detection: selection: - query: - - '*==.*' + query|contains: + - '==.' condition: selection falsepositives: - Unknown @@ -23,4 +23,4 @@ tags: - attack.t1048.003 - attack.command_and_control - attack.t1071 # an old one - - attack.t1071.004 \ No newline at end of file + - attack.t1071.004 From aeb3218dfb84e7a7b8fd79034f4db16e453c4976 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:11:16 -0300 Subject: [PATCH 0720/1335] Update net_susp_dns_txt_exec_strings.yml --- rules/network/net_susp_dns_txt_exec_strings.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 7632d31f3..4e97c3493 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml @@ -13,10 +13,10 @@ logsource: detection: selection: record_type: 'TXT' - answer: - - '*IEX*' - - '*Invoke-Expression*' - - '*cmd.exe*' + answer|contains: + - 'IEX' + - 'Invoke-Expression' + - 'cmd.exe' condition: selection falsepositives: - Unknown 
@@ -24,4 +24,4 @@ level: high tags: - attack.command_and_control - attack.t1071 # an old one - - attack.t1071.004 \ No newline at end of file + - attack.t1071.004 From 50abab7f113677ddb04b8c3991079b478832fd5f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:13:20 -0300 Subject: [PATCH 0721/1335] Update zeek_http_executable_download_from_webdav.yml --- .../zeek/zeek_http_executable_download_from_webdav.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index a625e2078..9fe207555 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml @@ -15,11 +15,11 @@ date: 2020/05/01 modified: 2020/09/02 detection: selection_webdav: - - c-useragent: '*WebDAV*' - - c-uri: '*webdav*' + - c-useragent|contains: 'WebDAV' + - c-uri|contains: 'webdav' selection_executable: - - resp_mime_types: '*dosexec*' - - c-uri: '*.exe' + - resp_mime_types|contains: 'dosexec' + - c-uri|endswith: '.exe' condition: selection_webdav AND selection_executable falsepositives: - unknown From 3e600dab82f98a7a09ecf88c9c57027a94170a5c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:13:47 -0300 Subject: [PATCH 0722/1335] Update zeek_smb_converted_win_impacket_secretdump.yml --- .../network/zeek/zeek_smb_converted_win_impacket_secretdump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 48a607a55..f7ee7e2b5 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml 
@@ -17,7 +17,7 @@ logsource: detection: selection: path: '\\*ADMIN$' - name: '*SYSTEM32\\*.tmp' + name|endswith: 'SYSTEM32\\*.tmp' condition: selection falsepositives: - 'unknown' From de29d778a525c86d58d79fe419510fdf06e01490 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:14:15 -0300 Subject: [PATCH 0723/1335] Update zeek_smb_converted_win_susp_psexec.yml --- .../zeek/zeek_smb_converted_win_susp_psexec.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 2f29807f8..be8707fc1 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -15,13 +15,13 @@ logsource: detection: selection1: path: \\*\IPC$ - name: - - '*-stdin' - - '*-stdout' - - '*-stderr' + name|endswith: + - '-stdin' + - '-stdout' + - '-stderr' selection2: name: \\*\IPC$ - path: 'PSEXESVC*' + path|startswith: 'PSEXESVC' condition: selection1 and not selection2 falsepositives: - nothing observed so far From f04394467bab6cda9816c068a0a66cd212a61958 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:14:34 -0300 Subject: [PATCH 0724/1335] Update zeek_smb_converted_win_susp_raccess_sensitive_fext.yml --- ...verted_win_susp_raccess_sensitive_fext.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index 7e5880e00..5604b7171 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 
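Review bot: The `path|startswith: 'PSEXESVC'` rewrite in `selection2` keeps what looks like swapped fields: `selection1` treats `path` as the share (`\\*\IPC$`) and `name` as the pipe name, while `selection2` has `name: \\*\IPC$` and `path` as the pipe prefix. If `path` really is the share in this Zeek smb_files mapping, `selection2` never matches and the `not selection2` exclusion is dead, so legitimate, un-renamed PsExec (`PSEXESVC-…-stdin`) alerts just like a renamed service. The likely fix is to mirror `selection1`: `path: \\*\IPC$` and `name|startswith: 'PSEXESVC'`. The rule's title and description that explain the renamed-PsExec intent sit above the hunk, so please confirm against them.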
@@ -12,19 +12,19 @@ logsource: service: smb_files detection: selection: - name: - - '*.pst' - - '*.ost' - - '*.msg' - - '*.nst' - - '*.oab' - - '*.edb' - - '*.nsf' - - '*.bak' - - '*.dmp' - - '*.kirbi' - - '*\groups.xml' - - '*.rdp' + name|endswith: + - '.pst' + - '.ost' + - '.msg' + - '.nst' + - '.oab' + - '.edb' + - '.nsf' + - '.bak' + - '.dmp' + - '.kirbi' + - '\groups.xml' + - '.rdp' condition: selection fields: - ComputerName From 05e0dd1ae683cd89d7a4eed784be97b8c67de53e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:15:23 -0300 Subject: [PATCH 0725/1335] Update zeek_susp_kerberos_rc4.yml --- rules/network/zeek/zeek_susp_kerberos_rc4.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 75c4cc801..c5b85768e 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -17,7 +17,7 @@ detection: request_type: 'TGS' cipher: 'rc4-hmac' computer_acct: - service: '$*' + service|startswith: '$' condition: selection and not computer_acct falsepositives: - normal enterprise SPN requests activity From 68d8a903afd6c68267f682e2dcda4f83c028740a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:16:17 -0300 Subject: [PATCH 0726/1335] Update proxy_chafer_malware.yml --- rules/proxy/proxy_chafer_malware.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 9a4e0ecd0..5fd9a8641 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml @@ -10,7 +10,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/asp.asp?ui=*' + c-uri|contains: '/asp.asp?ui=' condition: selection fields: - ClientIP 
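Review bot: The kerberos RC4 rule's `computer_acct` exclusion becomes `service|startswith: '$'`, faithfully converting the old `'$*'`, but computer-account service names end with `$` (e.g. `HOST$`), so the exclusion as written almost never matches and the `selection and not computer_acct` condition degrades to "any RC4 TGS request", inflating the `normal enterprise SPN requests activity` false positives the rule already admits. If the intent is to exclude machine accounts, the line should be `service|endswith: '$'`; if the original really meant something else, a comment on that line explaining what a leading `$` denotes in this Zeek field would avoid the next reviewer "fixing" it. The condition and falsepositives referenced here are context lines, so the enclosing detection block is only partly visible.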
@@ -22,4 +22,4 @@ level: critical tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one From 60b7e1caff412e1b38e402836c1b08670e431b95 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:19:39 -0300 Subject: [PATCH 0727/1335] Update proxy_cobalt_amazon.yml --- rules/proxy/proxy_cobalt_amazon.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index 9bbaedc7e..e604589b8 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml @@ -16,7 +16,7 @@ detection: cs-method: 'GET' c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' cs-host: 'www.amazon.com' - cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' + cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' selection2: c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" cs-method: 'POST' @@ -30,4 +30,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one From 39787da1282bb4c828d58cfddde6772cb9fa926c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:19:56 -0300 Subject: [PATCH 0728/1335] Update proxy_cobalt_ocsp.yml --- rules/proxy/proxy_cobalt_ocsp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index e57a85e6a..d657963aa 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml @@ -16,7 +16,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/oscp/*' + c-uri|contains: '/oscp/' cs-host: 'ocsp.verisign.com' condition: selection From 2049e5285b0d710513c284e6d347c0bbbef2d301 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 15 Oct 2020 23:20:21 -0300 Subject: [PATCH 0729/1335] Update proxy_cobalt_onedrive.yml --- rules/proxy/proxy_cobalt_onedrive.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 08457c817..6967944c5 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -12,10 +12,10 @@ logsource: detection: selection: cs-method: 'GET' - c-uri: '*?manifest=wac' + c-uri|endswith: '?manifest=wac' cs-host: 'onedrive.live.com' filter: - c-uri: 'http*://onedrive.live.com/*' + c-uri|startswith: 'http*://onedrive.live.com/' condition: selection and not filter falsepositives: - Unknown @@ -24,4 +24,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one From 5615173540d8cd6eb9c894baaa4bdfb8a0d8cd23 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:21:25 -0300 Subject: [PATCH 0730/1335] Update proxy_download_susp_dyndns.yml --- rules/proxy/proxy_download_susp_dyndns.yml | 144 ++++++++++----------- 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml index 708beca24..4a73e87b4 100644 --- a/rules/proxy/proxy_download_susp_dyndns.yml +++ b/rules/proxy/proxy_download_susp_dyndns.yml 
@@ -30,77 +30,77 @@ detection: - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns: - - '*.hopto.org' - - '*.no-ip.org' - - '*.no-ip.info' - - '*.no-ip.biz' - - '*.no-ip.com' - - '*.noip.com' - - '*.ddns.name' - - '*.myftp.org' - - '*.myftp.biz' - - '*.serveblog.net' - - '*.servebeer.com' - - '*.servemp3.com' - - '*.serveftp.com' - - '*.servequake.com' - - '*.servehalflife.com' - - '*.servehttp.com' - - '*.servegame.com' - - '*.servepics.com' - - '*.myvnc.com' - - '*.ignorelist.com' - - '*.jkub.com' - - '*.dlinkddns.com' - - '*.jumpingcrab.com' - - '*.ddns.info' - - '*.mooo.com' - - '*.dns-dns.com' - - '*.strangled.net' - - '*.adultdns.net' - - '*.craftx.biz' - - '*.ddns01.com' - - '*.dns53.biz' - - '*.dnsapi.info' - - '*.dnsd.info' - - '*.dnsdynamic.com' - - '*.dnsdynamic.net' - - '*.dnsget.org' - - '*.fe100.net' - - '*.flashserv.net' - - '*.ftp21.net' - - '*.http01.com' - - '*.http80.info' - - '*.https443.com' - - '*.imap01.com' - - '*.kadm5.com' - - '*.mysq1.net' - - '*.ns360.info' - - '*.ntdll.net' - - '*.ole32.com' - - '*.proxy8080.com' - - '*.sql01.com' - - '*.ssh01.com' - - '*.ssh22.net' - - '*.tempors.com' - - '*.tftpd.net' - - '*.ttl60.com' - - '*.ttl60.org' - - '*.user32.com' - - '*.voip01.com' - - '*.wow64.net' - - '*.x64.me' - - '*.xns01.com' - - '*.dyndns.org' - - '*.dyndns.info' - - '*.dyndns.tv' - - '*.dyndns-at-home.com' - - '*.dnsomatic.com' - - '*.zapto.org' - - '*.webhop.net' - - '*.25u.com' - - '*.slyip.net' + r-dns|endswith: + - '.hopto.org' + - '.no-ip.org' + - '.no-ip.info' + - '.no-ip.biz' + - '.no-ip.com' + - '.noip.com' + - '.ddns.name' + - '.myftp.org' + - '.myftp.biz' + - '.serveblog.net' + - '.servebeer.com' + - '.servemp3.com' + - '.serveftp.com' + - '.servequake.com' + - '.servehalflife.com' + - '.servehttp.com' + - '.servegame.com' + - '.servepics.com' + - '.myvnc.com' + - '.ignorelist.com' + - '.jkub.com' + - '.dlinkddns.com' + - 
'.jumpingcrab.com' + - '.ddns.info' + - '.mooo.com' + - '.dns-dns.com' + - '.strangled.net' + - '.adultdns.net' + - '.craftx.biz' + - '.ddns01.com' + - '.dns53.biz' + - '.dnsapi.info' + - '.dnsd.info' + - '.dnsdynamic.com' + - '.dnsdynamic.net' + - '.dnsget.org' + - '.fe100.net' + - '.flashserv.net' + - '.ftp21.net' + - '.http01.com' + - '.http80.info' + - '.https443.com' + - '.imap01.com' + - '.kadm5.com' + - '.mysq1.net' + - '.ns360.info' + - '.ntdll.net' + - '.ole32.com' + - '.proxy8080.com' + - '.sql01.com' + - '.ssh01.com' + - '.ssh22.net' + - '.tempors.com' + - '.tftpd.net' + - '.ttl60.com' + - '.ttl60.org' + - '.user32.com' + - '.voip01.com' + - '.wow64.net' + - '.x64.me' + - '.xns01.com' + - '.dyndns.org' + - '.dyndns.info' + - '.dyndns.tv' + - '.dyndns-at-home.com' + - '.dnsomatic.com' + - '.zapto.org' + - '.webhop.net' + - '.25u.com' + - '.slyip.net' condition: selection fields: - cs-ip @@ -112,4 +112,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1105 - - attack.t1568 \ No newline at end of file + - attack.t1568 From be5360b8be1a2a7b481c68f8b3a4efea65737f0a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:22:17 -0300 Subject: [PATCH 0731/1335] Update proxy_download_susp_tlds_blacklist.yml --- .../proxy_download_susp_tlds_blacklist.yml | 126 +++++++++--------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index 26fb1c0eb..76081c8d8 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml 
@@ -33,73 +33,73 @@ detection: - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns: + r-dns|endswith: # Symantec / Chris Larsen analysis - - '*.country' - - '*.stream' - - '*.gdn' - - '*.mom' - - '*.xin' - - '*.kim' - - '*.men' - - '*.loan' - - '*.download' - - '*.racing' - - '*.online' - - '*.science' - - '*.ren' - - '*.gb' - - '*.win' - - '*.top' - - '*.review' - - '*.vip' - - '*.party' - - '*.tech' - - '*.xyz' - - '*.date' - - '*.faith' - - '*.zip' - - '*.cricket' - - '*.space' + - '.country' + - '.stream' + - '.gdn' + - '.mom' + - '.xin' + - '.kim' + - '.men' + - '.loan' + - '.download' + - '.racing' + - '.online' + - '.science' + - '.ren' + - '.gb' + - '.win' + - '.top' + - '.review' + - '.vip' + - '.party' + - '.tech' + - '.xyz' + - '.date' + - '.faith' + - '.zip' + - '.cricket' + - '.space' # McAfee report - - '*.info' - - '*.vn' - - '*.cm' - - '*.am' - - '*.cc' - - '*.asia' - - '*.ws' - - '*.tk' - - '*.biz' - - '*.su' - - '*.st' - - '*.ro' - - '*.ge' - - '*.ms' - - '*.pk' - - '*.nu' - - '*.me' - - '*.ph' - - '*.to' - - '*.tt' - - '*.name' - - '*.tv' - - '*.kz' - - '*.tc' - - '*.mobi' + - '.info' + - '.vn' + - '.cm' + - '.am' + - '.cc' + - '.asia' + - '.ws' + - '.tk' + - '.biz' + - '.su' + - '.st' + - '.ro' + - '.ge' + - '.ms' + - '.pk' + - '.nu' + - '.me' + - '.ph' + - '.to' + - '.tt' + - '.name' + - '.tv' + - '.kz' + - '.tc' + - '.mobi' # Spamhaus - - '*.study' - - '*.click' - - '*.link' - - '*.trade' - - '*.accountant' + - '.study' + - '.click' + - '.link' + - '.trade' + - '.accountant' # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ - - '*.cf' - - '*.gq' - - '*.ml' - - '*.ga' + - '.cf' + - '.gq' + - '.ml' + - '.ga' # Custom - - '*.pw' + - '.pw' condition: selection fields: - ClientIP 
@@ -113,4 +113,4 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one \ No newline at end of file + - attack.t1204 # an old one From ff8e3cdb2272b5a9058e6a5f12785b3f1ae006d8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:22:57 -0300 Subject: [PATCH 0732/1335] Update proxy_download_susp_tlds_whitelist.yml --- .../proxy_download_susp_tlds_whitelist.yml | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index 9b66a43ad..9b9200c5d 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -29,25 +29,25 @@ detection: - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ filter: - r-dns: - - '*.com' - - '*.org' - - '*.net' - - '*.edu' - - '*.gov' - - '*.uk' - - '*.ca' - - '*.de' - - '*.jp' - - '*.fr' - - '*.au' - - '*.us' - - '*.ch' - - '*.it' - - '*.nl' - - '*.se' - - '*.no' - - '*.es' + r-dns|endswith: + - '.com' + - '.org' + - '.net' + - '.edu' + - '.gov' + - '.uk' + - '.ca' + - '.de' + - '.jp' + - '.fr' + - '.au' + - '.us' + - '.ch' + - '.it' + - '.nl' + - '.se' + - '.no' + - '.es' # Extend this list as needed condition: selection and not filter fields: From 34bda9b09e5b1fc0619045ab75fc57cbcbe77ad4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:23:17 -0300 Subject: [PATCH 0733/1335] Update proxy_downloadcradle_webdav.yml --- rules/proxy/proxy_downloadcradle_webdav.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index 472ec041d..c1a8bf30f 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml 
@@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-useragent: 'Microsoft-WebDAV-MiniRedir/*' + c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' cs-method: 'GET' condition: selection fields: @@ -27,4 +27,4 @@ level: high tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one From d816fa49e7b74b274601ff566f36ccf3598267c7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:23:52 -0300 Subject: [PATCH 0734/1335] Update proxy_ios_implant.yml --- rules/proxy/proxy_ios_implant.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 9501f8f1f..a1f1ee1a0 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -12,7 +12,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/list/suc?name=*' + c-uri|contains: '/list/suc?name=' condition: selection fields: - ClientIP @@ -30,4 +30,4 @@ tags: - attack.credential_access - attack.t1528 - attack.t1552.001 - - attack.t1081 # an old one \ No newline at end of file + - attack.t1081 # an old one From 990ae166d1eb6fc79b8fbd1d50083c0015af9d56 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:24:06 -0300 Subject: [PATCH 0735/1335] Update proxy_powershell_ua.yml --- rules/proxy/proxy_powershell_ua.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index c03e2182a..f3d91771e 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-useragent: '* WindowsPowerShell/*' + c-useragent|contains: ' WindowsPowerShell/' condition: selection fields: - ClientIP 
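Review bot: `c-useragent|contains: ' WindowsPowerShell/'` covers only Windows PowerShell 5.x; the cross-platform PowerShell 6/7 (`pwsh`) default User-Agent advertises `PowerShell/<version>` without the `Windows` prefix, as far as I recall, so download cradles from pwsh hosts would be missed. If those hosts are in scope, extend the list to `- ' WindowsPowerShell/'` and `- ' PowerShell/'`, accepting the slightly broader substring. A one-line comment that the UA is client-controlled (`Invoke-WebRequest -UserAgent`) would also help readers calibrate the `medium` level.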
@@ -24,4 +24,4 @@ level: medium tags: - attack.defense_evasion - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 From 641c27fbe188c9820e4e7ba5aa5ae8d7d4b53cc5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:24:54 -0300 Subject: [PATCH 0736/1335] Update proxy_susp_flash_download_loc.yml --- rules/proxy/proxy_susp_flash_download_loc.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 402bcb514..dc9f44869 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -10,11 +10,11 @@ logsource: category: proxy detection: selection: - c-uri-query: - - '*/install_flash_player.exe' - - '*/flash_install.php*' + c-uri-query|contains: + - '/install_flash_player.exe' + - '/flash_install.php' filter: - c-uri-stem: '*.adobe.com/*' + c-uri-stem|contains: '.adobe.com/' condition: selection and not filter falsepositives: - Unknown flash download locations @@ -27,4 +27,4 @@ tags: - attack.t1204 # an old one - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one \ No newline at end of file + - attack.t1036 # an old one From a1d3c8c3ff549b8644d8d874e124a26c20ebb0ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:25:19 -0300 Subject: [PATCH 0737/1335] Update proxy_telegram_api.yml --- rules/proxy/proxy_telegram_api.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index a4a79014f..eda3a5ef9 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml 
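Review bot: The `filter` in this hunk keys on `c-uri-stem|contains: '.adobe.com/'`, a substring test on a URL fragment the requester controls: a download from `http://evil.example/.adobe.com/install_flash_player.exe` would be excluded. A host-based check is safer, e.g. `r-dns|endswith: '.adobe.com'` or `cs-host|endswith: '.adobe.com'`, which is the form the other proxy allow-lists in this series use. Separately, the selection searches `c-uri-query` for path-like strings such as `/install_flash_player.exe`; in W3C proxy logs the path lives in the URI stem and the query after `?`, so the two field choices look inverted and should be confirmed against a sample record.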
@@ -16,10 +16,10 @@ detection: r-dns: - 'api.telegram.org' # Often used by Bots filter: - c-useragent: + c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list - - '*Telegram*' - - '*Bot*' + - 'Telegram' + - 'Bot' condition: selection and not filter fields: - ClientIP From 229cda76c3310324f3ecf33962117b73f14fd350 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:26:08 -0300 Subject: [PATCH 0738/1335] Update proxy_ua_bitsadmin_susp_tld.yml --- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index f31994036..d0c169d4e 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -9,13 +9,13 @@ logsource: category: proxy detection: selection: - c-useragent: - - 'Microsoft BITS/*' + c-useragent|startswith: + - 'Microsoft BITS/' falsepositives: - r-dns: - - '*.com' - - '*.net' - - '*.org' + r-dns|endswith: + - '.com' + - '.net' + - '.org' condition: selection and not falsepositives fields: - ClientIP @@ -30,4 +30,4 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1197 - - attack.s0190 \ No newline at end of file + - attack.s0190 From 4d4661064576e621fbf175acfaa08dc9912f888f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:26:31 -0300 Subject: [PATCH 0739/1335] Update proxy_ua_cryptominer.yml --- rules/proxy/proxy_ua_cryptominer.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml index d1d0b763d..ea4a3bd26 100644 --- a/rules/proxy/proxy_ua_cryptominer.yml +++ b/rules/proxy/proxy_ua_cryptominer.yml 
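Review bot: The `filter` exclusion on `c-useragent|contains: 'Telegram'` / `'Bot'` is keyed on a client-chosen string, so any C2 client can opt out of this rule by putting `Bot` in its User-Agent, and `'Bot'` also matches unrelated agents (`Googlebot`, `robot`). That weakness is inherited rather than introduced here, but it deserves a caveat next to the list: `# UA is attacker-controlled; this filter only suppresses well-behaved bot libraries`. If the exclusion is meant as a noise reducer only, say so in `falsepositives` as well.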
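Review bot: The exclusion selection in this hunk is named `falsepositives`, which collides in meaning with the top-level `falsepositives` key a few lines below; it parses because of the nesting, but anyone grepping for the FP list lands in the detection block. Rename it and update the condition: `filter:` … `condition: selection and not filter`. Also, `c-useragent|startswith:` now holds a single-item list (`- 'Microsoft BITS/'`); a scalar is the conventional form when there is one value.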
@@ -12,11 +12,11 @@ logsource: category: proxy detection: selection: - c-useragent: + c-useragent|startswith: # XMRig - - 'XMRig *' + - 'XMRig ' # CCMiner - - 'ccminer*' + - 'ccminer' condition: selection fields: - ClientIP @@ -27,4 +27,4 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 From 557135722beb320568de8beb417cc073ea7bc654 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:28:12 -0300 Subject: [PATCH 0740/1335] Update proxy_ua_hacktool.yml --- rules/proxy/proxy_ua_hacktool.yml | 90 +++++++++++++++---------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml index e39c0d2ef..5740a3d3f 100644 --- a/rules/proxy/proxy_ua_hacktool.yml +++ b/rules/proxy/proxy_ua_hacktool.yml 
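Review bot: `c-useragent|startswith: 'XMRig '` (trailing space) will, as far as I recall, miss the miner's actual User-Agent, which is formatted `XMRig/<version> (<os>) libuv/...` with a slash directly after the name; the original `'XMRig *'` had the same gap. Suggest adding the slash form alongside: `- 'XMRig/'`. `ccminer` is fine as a bare prefix since its agent is `ccminer/<version>`. A `references` link to where these agents are constructed in the miner sources would make the values easier to re-verify.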
@@ -12,54 +12,54 @@ logsource: category: proxy detection: selection: - c-useragent: + c-useragent|contains: # Vulnerbility scanner and brute force tools - - '*(hydra)*' - - '* arachni/*' - - '* BFAC *' - - '* brutus *' - - '* cgichk *' - - '*core-project/1.0*' - - '* crimscanner/*' - - '*datacha0s*' - - '*dirbuster*' - - '*domino hunter*' - - '*dotdotpwn*' + - '(hydra)' + - ' arachni/' + - ' BFAC ' + - ' brutus ' + - ' cgichk ' + - 'core-project/1.0' + - ' crimscanner/' + - 'datacha0s' + - 'dirbuster' + - 'domino hunter' + - 'dotdotpwn' - 'FHScan Core' - - '*floodgate*' - - '*get-minimal*' - - '*gootkit auto-rooter scanner*' - - '*grendel-scan*' - - '* inspath *' - - '*internet ninja*' - - '*jaascois*' - - '* zmeu *' - - '*masscan*' - - '* metis *' - - '*morfeus fucking scanner*' - - '*n-stealth*' - - '*nsauditor*' - - '*pmafind*' - - '*security scan*' - - '*springenwerk*' - - '*teh forest lobster*' - - '*toata dragostea*' - - '* vega/*' - - '*voideye*' - - '*webshag*' - - '*webvulnscan*' - - '* whcc/*' + - 'floodgate' + - 'get-minimal' + - 'gootkit auto-rooter scanner' + - 'grendel-scan' + - ' inspath ' + - 'internet ninja' + - 'jaascois' + - ' zmeu ' + - 'masscan' + - ' metis ' + - 'morfeus fucking scanner' + - 'n-stealth' + - 'nsauditor' + - 'pmafind' + - 'security scan' + - 'springenwerk' + - 'teh forest lobster' + - 'toata dragostea' + - ' vega/' + - 'voideye' + - 'webshag' + - 'webvulnscan' + - ' whcc/' # SQL Injection - - '* Havij' - - '*absinthe*' - - '*bsqlbf*' - - '*mysqloit*' - - '*pangolin*' - - '*sql power injector*' - - '*sqlmap*' - - '*sqlninja*' - - '*uil2pn*' + - ' Havij' + - 'absinthe' + - 'bsqlbf' + - 'mysqloit' + - 'pangolin' + - 'sql power injector' + - 'sqlmap' + - 'sqlninja' + - 'uil2pn' # Hack tool - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ @@ -76,4 +76,4 @@ tags: - attack.initial_access - attack.t1190 - attack.credential_access - - attack.t1110 \ No newline at end of file + - attack.t1110 
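Review bot: Switching the whole list to `c-useragent|contains` also changes the two untouched entries, `'FHScan Core'` and `'ruler'`, from exact matches to substring matches; `*ruler*` now fires on any agent containing `ruler` (`scheduler`, for instance). If exact matching was the intent for those two, move them into a second selection without the modifier and OR it in the `condition`, which lies outside this hunk: `selection_exact:` / `c-useragent:` / `- 'ruler'`. The entries that were previously padded with spaces (`' metis '`, `' zmeu '`) keep their word boundaries and are unaffected.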
From ef5fee93f55a24dbeb5ec93866977a78fa17b816 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:30:07 -0300 Subject: [PATCH 0741/1335] Update proxy_ursnif_malware.yml --- rules/proxy/proxy_ursnif_malware.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml index 682ff4b72..09bf0edac 100644 --- a/rules/proxy/proxy_ursnif_malware.yml +++ b/rules/proxy/proxy_ursnif_malware.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/*.php?l=*.cab' + c-uri|endswith: '/*.php?l=*.cab' sc-status: 200 condition: selection fields: @@ -32,13 +32,13 @@ logsource: category: proxy detection: b64encoding: - c-uri: - - "*_2f*" - - "*_2b*" + c-uri|contains: + - "_2f" + - "_2b" urlpatterns: - c-uri|all: - - "*.avi" - - "*/images/*" + c-uri|contains|all: + - ".avi" + - "/images/" condition: b64encoding and urlpatterns fields: - c-ip @@ -56,4 +56,4 @@ tags: - attack.t1204.002 - attack.t1204 # an old one - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 From 56dd924fc30dd38f455ca568cd72e229ca61d679 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 15 Oct 2020 23:31:55 -0300 Subject: [PATCH 0742/1335] Update aws_ec2_vm_export_failure.yml --- rules/cloud/aws_ec2_vm_export_failure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml index 2d5a32657..dff7a078e 100644 --- a/rules/cloud/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws_ec2_vm_export_failure.yml @@ -18,7 +18,7 @@ detection: errorCode: '*' filter3: eventName: 'ConsoleLogin' - responseElements: '*Failure*' + responseElements|contains: 'Failure' condition: selection and (filter1 or filter2 or filter3) level: low tags: From 9b2268a19219c17201ce50e0a396379b72ca4982 Mon Sep 17 00:00:00 2001 
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Thu, 15 Oct 2020 22:36:28 -0400 Subject: [PATCH 0743/1335] [OSCD] Always Install Elevated - Slide 50 - Rule 2 Page 50 from #574 Rule 2 Look for msiexec spawning command line or powershell then it spawns other processes using enrichment as suggested by @yugoslavskiy --- ...d_cmd_and_powershell_spawned_processes.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml new file mode 100644 index 000000000..a6b989713 --- /dev/null +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
@@ -0,0 +1,36 @@ +title: Always Install Elevated MSI Spawned Cmd And Powershell Spawned Processes +id: 38cf8340-461b-4857-bf99-23a41f772b18 +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + parent_image: + ParentImage|contains: + - '\cmd.exe' + - '\powershell.exe' + parent_of_parent_image: + ParentOfParentImage|contains|all: + - '\Windows\Installer\' + - 'msi' + ParentOfParentImage|endswith: + - 'tmp' + condition: event_id and parent_image and parent_of_parent_image +fields: + - EventID + - ParentImage + - ParentOfParentImage +falsepositives: + - Penetration test +level: high +enrichment: + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l \ No newline at end of file From d2184aee5ef8c23c93e58c817c85e5f282b529dd Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Fri, 16 Oct 2020 09:58:59 +0300 Subject: [PATCH 0744/1335] Update powershell_cmdline_special_characters.yml --- .../powershell/powershell_cmdline_special_characters.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml index 319d5175f..f8e665c15 100644 --- a/rules/windows/powershell/powershell_cmdline_special_characters.yml +++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml 
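Review bot: `condition: event_id and parent_image and parent_of_parent_image` references a selection `event_id` that the `detection` block never defines, so the rule will not compile under sigmac. With `category: process_creation` the event type is already implied by the logsource, so the fix is to drop the term: `condition: parent_image and parent_of_parent_image`. Two smaller points: `ParentImage|contains: '\cmd.exe'` should be `|endswith` so a path component like `\cmd.exe.bak\` does not match, and the description reads `This rule will looks for` — `This rule looks for`. `ParentOfParentImage` only exists after the listed enrichment; state that in `description` so a reader without the enrichment pipeline knows why the rule yields nothing.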
@@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' - - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' + CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' filter: Image|endswith: '\powershell.exe' condition: selection and filter From 700ed134bc169db486e5d4466db825a7a9a059a1 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Fri, 16 Oct 2020 10:18:37 +0300 Subject: [PATCH 0745/1335] Update powershell_cmdline_special_characters.yml --- .../powershell_cmdline_special_characters.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml index f8e665c15..ec328a9a2 100644 --- a/rules/windows/powershell/powershell_cmdline_special_characters.yml +++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml @@ -15,11 +15,22 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' - filter: + selection1: Image|endswith: '\powershell.exe' - condition: selection and filter + CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' + selection2: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' + selection3: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*{.*{.*{.*{.*{.*' + selection4: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*^.*^.*^.*^.*^.*' + selection5: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*`.*`.*`.*`.*`.*' + condition: selection1 or selection2 or selection3 or selection4 or selection5 falsepositives: - Unlikely level: high From 46e887ef38927ee1f0c8ebcf91ca5253effa6bad Mon Sep 17 00:00:00 2001 
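Review bot: In `selection4`, `CommandLine|re: '.*^.*^.*^.*^.*^.*'` leaves `^` unescaped, and in a regex `^` is a start-of-string anchor, not the caret character; each `.*` can match empty, so the pattern matches every command line and `selection4` alone fires on all `powershell.exe` launches. It should be `CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'`. Related: `selection3` (`{` five times, unescaped) is a strict superset of `selection2` (`\{` ten times), making `selection2` redundant, and some regex engines reject a bare `{`, so escape it there too. Since all five selections repeat `Image|endswith: '\powershell.exe'`, a single `image` selection with `condition: image and (selection1 or selection2 or ...)` would be shorter and less error-prone.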
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:32:25 +0300 Subject: [PATCH 0746/1335] Update lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index d914293bb..057fb4702 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -8,6 +8,7 @@ references: - https://attack.mitre.org/techniques/T1070/002/ logsource: product: linux + category: process_creation detection: keywords: - Commands|contains: @@ -15,6 +16,8 @@ detection: - 'shred -u /var/log*' - 'echo * > /var/log*' - 'rmdir * /var/log*' + - 'rm * /private/var/audit/*' + - 'rm * /private/var/log/system.log*' condition: keywords falsepositives: - Legitimate administration activities From f1a6e980e5cf21e0744b84d40695bc814517366c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:33:50 +0300 Subject: [PATCH 0747/1335] added category --- rules/linux/lnx_file_deletion.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index 9ab0804dd..55336e93d 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -8,6 +8,7 @@ references: - https://attack.mitre.org/techniques/T1070/004/ logsource: product: linux + category: process_creation detection: keywords: - Commands|contains: From 38c7cb74068200b932378ad9da955fb2ff369856 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:38:36 +0300 Subject: [PATCH 0748/1335] Update lnx_password_policy_discovery.yml --- rules/linux/lnx_password_policy_discovery.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml index 47987dd39..5acb7efb4 100644 --- a/rules/linux/lnx_password_policy_discovery.yml 
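Review bot: The two added patterns, `'rm * /private/var/audit/*'` and `'rm * /private/var/log/system.log*'`, are macOS paths (`/private/var` is the Darwin layout), but the rule's logsource is `product: linux`; on Linux hosts they are dead entries, and on macOS the rule is never selected. Either move them to a macOS rule (`product: macos`) or add a comment explaining that they are intentionally included for hosts forwarding both. The `*` inside these `contains` values is still a wildcard, so `'rm * /private/var/audit/*'` matches any `rm` flags, which is presumably what is wanted and could be said in the comment.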
+++ b/rules/linux/lnx_password_policy_discovery.yml @@ -7,10 +7,11 @@ date: 2020/10/08 references: - https://attack.mitre.org/techniques/T1201/ logsource: - product: linux + service: auditd detection: selection: - CommandLine|contains: + type: 'PATH' + name: - '/etc/pam.d/common-password' - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' From 78644305d6632fc2421271fa8f4735af060ca882 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 16 Oct 2020 10:39:56 +0300 Subject: [PATCH 0749/1335] '-s' is working too. --- rules/windows/process_creation/win_susp_diskshadow.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index 1e129b19b..40e0f2027 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml @@ -18,6 +18,7 @@ detection: Image|endswith: '\diskshadow.exe' CommandLine|contains: - '/s' + - '-s' condition: selection fields: - CommandLine From a51eec1a79d93da1bfd693b26d66011da5fd8655 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Fri, 16 Oct 2020 10:44:59 +0300 Subject: [PATCH 0750/1335] fixed image and commandline search --- .../process_creation/win_susp_Register_cimprovider.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index 249e9eea5..a8d2134d4 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml 
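Review bot: The logsource change replaces `product: linux` with `service: auditd` instead of adding to it, so the rule no longer declares a product; backend field mappings are usually keyed on product plus service, and a rule with only a service is easy to lose in config matching. Suggest `logsource:` / `product: linux` / `service: auditd`. With `type: 'PATH'` the `name` values are exact matches against the audited path, which is fine for these files, but a relative or symlinked open (e.g. `../etc/pam.d/common-password`) would not match — worth noting in `falsepositives` or switching to `name|endswith`.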
@@ -16,11 +16,8 @@ logsource: definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: - Image: - - 'c:\windows\system32\register-cimprovider.exe' - - 'c:\windows\syswow64\register-cimprovider.exe' + Image|endswith: '\register-cimprovider.exe' CommandLine|contains|all: - - 'register-cimprovider' - '-path' - 'dll' condition: selection From 68e843f0d37b14f8607f910ca6ca77620ff7f3ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:48:36 +0300 Subject: [PATCH 0751/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 69be33b13..2768bb6c4 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -17,7 +17,19 @@ detection: - 'hostname' - '/etc/issue' - 'uptime' - condition: selection + - 'lspci' + - 'dmidecode' + - 'lscpu' + - 'lsmod' + selection2: + type: 'PATH' + name: + - '/sys/class/dmi/id/bios_version' + - '/sys/class/dmi/id/product_name' + - '/sys/class/dmi/id/chassis_vendor' + - '/proc/scsi/scsi' + - '/proc/ide/hd0/model' + condition: selection or selection2 falsepositives: - Legitimate administration activities level: low From 27dcad8ffe96d64955b9c038d07a34f128e82690 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:52:54 +0300 Subject: [PATCH 0752/1335] Update lnx_process_discovery.yml --- rules/linux/lnx_process_discovery.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index 850c97dae..061e30bda 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml 
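Review bot: `CommandLine|contains|all` keeps `'dll'` as a bare substring, which matches those three letters anywhere in the command line, so the tighter `'.dll'` is preferable now that the `register-cimprovider` term has been removed. The `Image|endswith` switch is the right move; it also covers copies outside `system32`/`syswow64`, which the old absolute paths missed. The `definition:` context line carries a typo (`msut` for `must`) that could be fixed in the same touch.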
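Review bot: The new `selection2` matches auditd `PATH` records (`type: 'PATH'`, `name:` list of `/sys/class/dmi/...` files), while the existing `selection` matches command-line substrings; the two presuppose different event shapes, so unless the logsource (outside this hunk) declares auditd, `selection2` is dead in a process_creation feed and `selection` is dead in an auditd feed. Either split this into two rules or declare `service: auditd` and state the dependency in `description`. For the added commands, `'lspci'`, `'dmidecode'`, `'lscpu'` and `'lsmod'` are distinctive enough for `contains`, but at `level: low` a note in `falsepositives` that inventory agents run these routinely would save triage time.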
@@ -9,11 +9,11 @@ references: logsource: product: linux detection: - keywords: - - commands|contains: + selection: + - CommandLine|contains: - 'ps ' - 'top' - condition: keywords + condition: selection falsepositives: - Legitimate administration activities level: low From 373c637e667bad083995619c7188df7b39cc5e1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:55:31 +0300 Subject: [PATCH 0753/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index f4e5f724b..c6e9be9a2 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -1,8 +1,6 @@ title: Install Root Certificate id: 78a80655-a51e-4669-bc6b-e9d206a462ee description: Detects installed new certificate -references: - - https://attack.mitre.org/techniques/T1553/004/ author: Ömer Günal, oscd.community date: 2020/10/05 tags: @@ -12,11 +10,16 @@ level: low logsource: product: linux detection: - keywords: - - keys|contains|all: + selection: + - CommandLine|contains|all: - 'mv ' - '/usr/local/share/ca-certificates' - 'update-ca-certificates' - condition: keywords + selection2: + - CommandLine|contains|all: + - 'cp ' + - 'rootCA.crt' + - 'update-ca-trust' + condition: selection or selection2 falsepositives: - Legitimate administration activities From 0b30835b7b837fdf20175fea1cc173a6cf56c6db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:56:06 +0300 Subject: [PATCH 0754/1335] Update at_command.yml --- rules/linux/at_command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml index 3f0316c56..d032a5838 100644 --- a/rules/linux/at_command.yml +++ b/rules/linux/at_command.yml 
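Review bot: `CommandLine|contains: 'top'` fires on every command line containing those letters (`stop`, `/tmp/top`, `desktop`, `laptop`), and `'ps '` hits `apps `, `steps ` and similar; the rename from `commands` to `CommandLine` keeps that noise. Anchor the binaries instead, e.g. `CommandLine|re: '(^|[\s/])(ps|top)(\s|$)'`, or match on `Image|endswith: '/ps'` and `'/top'` if the process_creation source carries an image path. At `level: low` this is tolerable, but `falsepositives` should say so.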
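Review bot: `selection2` keys on the literal file name `'rootCA.crt'`, which looks like the example name from a test rather than an indicator; an attacker installing a CA names the file whatever they like, so the match silently misses real use. The durable indicator is the anchor directory, mirroring what `selection` does with `/usr/local/share/ca-certificates`: `- 'cp '`, `- '/etc/pki/ca-trust/source/anchors'`, `- 'update-ca-trust'`. Also, the first hunk drops the only `references` entry; if the MITRE link was removed on purpose, add the replacement source so the rule keeps a provenance pointer.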
@@ -5,7 +5,7 @@ description: Detects the use of at/atd author: Ömer Günal, oscd.community date: 2020/10/06 references: - - https://attack.mitre.org/techniques/T1053/001/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md logsource: product: linux detection: From 5c34e69fc9a01e92228bda9ab2a34993a082792f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 10:58:51 +0300 Subject: [PATCH 0755/1335] Update lnx_process_discovery.yml --- rules/linux/lnx_process_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index 061e30bda..5ca621ead 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -5,7 +5,7 @@ description: Detects process discovery commands author: Ömer Günal, oscd.community date: 2020/10/06 references: - - https://attack.mitre.org/techniques/T1057/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md logsource: product: linux detection: From 94f60acb7fa442ab102cf4903a80abcfe090ac35 Mon Sep 17 00:00:00 2001 From: "unclep@sk" Date: Fri, 16 Oct 2020 12:09:46 +0300 Subject: [PATCH 0756/1335] The author field escape char fixed --- rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 5590472d5..2a90f98cd 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml @@ -11,7 +11,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: 'Agro (@agro_sev)' oscd.community +author: 'Agro (@agro_sev) oscd.community' date: 2020/10/10 logsource: category: process_creation 
From dc554af97042646f446d333e12ab0843f342b333 Mon Sep 17 00:00:00 2001 From: "unclep@sk" Date: Fri, 16 Oct 2020 12:49:27 +0300 Subject: [PATCH 0757/1335] The author field and FP filter fix applied --- .../win_susp_use_of_vsjitdebugger_bin.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 863a47e5f..3b1377c61 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 tags: - attack.t1218 -author: 'Agro (@agro_sev)' oscd.community +author: 'Agro (@agro_sev) oscd.community' date: 2020/10/14 logsource: category: process_creation @@ -16,7 +16,11 @@ logsource: detection: selection: ParentImage|endswith: '\vsjitdebugger.exe' - condition: selection + reduction1: + ChildImage|endswith: '\vsimmersiveactivatehelper*.exe' + reduction2: + ChildImage|endswith: '\devenv.exe' + condition: selection and not (reduction1 or reduction2) falsepositives: - the process spawned by vsjitdebugger.exe is uncommon. level: medium From 27bbbf3398df4d9cbedd8fb812df7880d564e2a9 Mon Sep 17 00:00:00 2001 From: "unclep@sk" Date: Fri, 16 Oct 2020 12:51:59 +0300 Subject: [PATCH 0758/1335] The author field escape char fixed --- .../windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index 9091c9a2e..1f240db80 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml 
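Review bot: `ChildImage` in `reduction1` and `reduction2` is not a field the `process_creation` logsource provides; the spawned process is `Image` (the rule already uses `ParentImage` for the parent), so as written the filter never matches and the new `not (reduction1 or reduction2)` exclusion is silently ineffective. Change both to `Image|endswith:`. The `*` inside `'\vsimmersiveactivatehelper*.exe'` is a legitimate Sigma wildcard, but combining it with `endswith` is unusual enough to deserve a short comment.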
@@ -10,7 +10,7 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 -author: 'Agro (@agro_sev)' oscd.community +author: 'Agro (@agro_sev) oscd.communitly' date: 2020/10/13 logsource: category: process_creation From aa2cd4bdce9a41f1111d881f6247020843ea928d Mon Sep 17 00:00:00 2001 From: "unclep@sk" Date: Fri, 16 Oct 2020 13:02:40 +0300 Subject: [PATCH 0759/1335] The author field escape char fixed --- rules/windows/process_creation/win_susp_use_of_te_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml index 75f31427d..0dd232895 100644 --- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ tags: - attack.t1218 -author: 'Agro (@agro_sev)' oscd.community +author: 'Agro (@agro_sev) oscd.community' date: 2020/10/13 logsource: category: process_creation From 9a5c166bb25ff2ac3bb514d82137d7f2892ec981 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 07:35:59 -0300 Subject: [PATCH 0760/1335] Fix filter --- rules/windows/builtin/win_dcsync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index 2c2ec8d08..2020946e1 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -31,7 +31,7 @@ detection: filter3: SubjectUserName|endswith: - '$' - condition: selection and not filter1 and not filter2 and not filter32 + condition: selection and not filter1 and not filter2 and not filter3 falsepositives: - Valid DC Sync that is not covered by the filters; please report level: high From 5e9c80c8b16c0c92afd23316eff949675b3e0a14 Mon Sep 17 00:00:00 2001 
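Review bot: The new author line introduces a typo, `oscd.communitly`, where the sibling fixes in 0756, 0757 and 0759 spell it `oscd.community`. Change it to `author: 'Agro (@agro_sev) oscd.community'`.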
From: Jonhnathan Date: Fri, 16 Oct 2020 09:10:45 -0300 Subject: [PATCH 0761/1335] Revert "Changed the rule to download only and not the copy" This reverts commit 1324bc1ad14e1caa1a9ca0d6873de20b44a6baee. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index 9dbdb1e21..d530fec79 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Download operations using Replace.exe. +description: Detect Copy and Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace @@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains|all: + CommandLine|contains: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary to download files from a share + - Legitimate use of the binary level: low From e47bee2d4eb5e639a26cdee95a78f0593044f43e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 09:10:48 -0300 Subject: [PATCH 0762/1335] Revert "Create win_susp_replace_lolbin.yml" This reverts commit e6a65496768a460d32de0b7d9742ce969fb4ea5d. --- .../win_susp_replace_lolbin.yml | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml deleted file mode 100644 index d530fec79..000000000 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Ingress Tool Transfer Using Replace.exe -id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. -status: experimental -references: - - https://lolbas-project.github.io/lolbas/Binaries/Replace -author: Jonhnathan Ribeiro, oscd.community -date: 2020/10/07 -tags: - - attack.command_and_control - - attack.t1105 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: - - '\replace.exe' - CommandLine|contains: - - "\\\\\\\\" - - "/A" - condition: selection -falsepositives: - - Legitimate use of the binary -level: low From 2f7b44964cbd8a0752d32dbf6aec2acb9b7c5133 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 09:30:09 -0300 Subject: [PATCH 0763/1335] Create win_susp_service_dacl_modification.yml --- .../win_susp_service_dacl_modification.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_service_dacl_modification.yml diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml new file mode 100644 index 000000000..eaa1529af --- /dev/null +++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml 
@@ -0,0 +1,33 @@ +title: Suspicious Service DACL Modification +id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 +description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable +author: Jonhnathan Ribeiro +status: experimental +date: 2020/10/16 +references: + - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ + - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +tags: + - attack.persistence + - attack.t1543.003 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\sc.exe' + CommandLine|contains|all: + - 'sdset' + - 'D;;' + sids: + CommandLine|contains: + - ';;;IU' + - ';;;SU' + - ';;;BA' + - ';;;SY' + - ';;;WD' + condition: selection and sids +falsepositives: + - Unknown +level: high From 832c1d4b1a43fe8fc01b0a06def3287e32c0bcdb Mon Sep 17 00:00:00 2001 From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Fri, 16 Oct 2020 08:59:07 -0400 Subject: [PATCH 0764/1335] Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml --- ...evated_msi_spawned_cmd_and_powershell_spawned_processes.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index a6b989713..5847206e2 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
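Review bot: `'D;;'` only matches a deny ACE written with empty flags, and since `selection` and `sids` are independent substring checks, a DACL with an allow ACE for `BA` plus an unrelated deny ACE also fires; a comment documenting the expected SDDL shape would make the intent reviewable, e.g. `# sc sdset <svc> D:(D;;<rights>;;;IU)(D;;<rights>;;;SU)... - deny ACEs for Interactive/Service/Admins/SYSTEM/Everyone hide or lock the service`. `unstopable` in the description should be `unstoppable`. `Image|endswith` wraps a single value in a list where a scalar, as in the register-cimprovider rule on this page, reads cleaner.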
@@ -23,9 +23,8 @@ detection: - 'msi' ParentOfParentImage|endswith: - 'tmp' - condition: event_id and parent_image and parent_of_parent_image + condition: parent_image and parent_of_parent_image fields: - - EventID - ParentImage - ParentOfParentImage falsepositives: From c4ddd5693137b341c2f5cc3832f68f569efb5d8f Mon Sep 17 00:00:00 2001 From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Fri, 16 Oct 2020 09:30:20 -0400 Subject: [PATCH 0765/1335] Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml --- ..._always_install_elevated_msi_spawned_cmd_and_powershell.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index d90dfdd02..56efab11b 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml @@ -23,9 +23,8 @@ detection: - 'msi' ParentImage|endswith: - 'tmp' - condition: event_id and image and parent_image + condition: image and parent_image fields: - - EventID - Image - ParentImage falsepositives: From b4663a15352aa7887d764158e5a01224ac146f34 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:03:10 -0300 Subject: [PATCH 0766/1335] Revert "Revert "Create win_susp_replace_lolbin.yml"" This reverts commit e47bee2d4eb5e639a26cdee95a78f0593044f43e. --- .../win_susp_replace_lolbin.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml new file mode 100644 index 000000000..d530fec79 --- /dev/null 
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -0,0 +1,25 @@ +title: Ingress Tool Transfer Using Replace.exe +id: 6ccf0c00-1061-4195-a724-6d9c0058b036 +description: Detect Copy and Download operations using Replace.exe. +status: experimental +references: + - https://lolbas-project.github.io/lolbas/Binaries/Replace +author: Jonhnathan Ribeiro, oscd.community +date: 2020/10/07 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\replace.exe' + CommandLine|contains: + - "\\\\\\\\" + - "/A" + condition: selection +falsepositives: + - Legitimate use of the binary +level: low From b190c1dbba3b534330c73211b1ade668910ff539 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:03:18 -0300 Subject: [PATCH 0767/1335] Revert "Revert "Changed the rule to download only and not the copy"" This reverts commit 5e9c80c8b16c0c92afd23316eff949675b3e0a14. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index d530fec79..9dbdb1e21 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. +description: Detect Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace 
@@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains: + CommandLine|contains|all: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary + - Legitimate use of the binary to download files from a share level: low From ec32341e894fb8a59d981c8d9a3dbc7c177f3824 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:04:55 -0300 Subject: [PATCH 0768/1335] Revert "Revert "Create win_susp_replace_lolbin.yml"" This reverts commit 1979906baec53d3dff0aebf5151188669bb3dd5b. --- .../win_susp_replace_lolbin.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml new file mode 100644 index 000000000..d530fec79 --- /dev/null +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -0,0 +1,25 @@ +title: Ingress Tool Transfer Using Replace.exe +id: 6ccf0c00-1061-4195-a724-6d9c0058b036 +description: Detect Copy and Download operations using Replace.exe. +status: experimental +references: + - https://lolbas-project.github.io/lolbas/Binaries/Replace +author: Jonhnathan Ribeiro, oscd.community +date: 2020/10/07 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\replace.exe' + CommandLine|contains: + - "\\\\\\\\" + - "/A" + condition: selection +falsepositives: + - Legitimate use of the binary +level: low From eee2ace2c6f00f0195cdda04770ff2083950bf98 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 16 Oct 2020 11:05:03 -0300 Subject: [PATCH 0769/1335] Revert "Revert "Changed the rule to download only and not the copy"" This reverts commit b0ddaf5ac986d15ede1142fb22e37d56d047ffa9. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index d530fec79..9dbdb1e21 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. +description: Detect Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace @@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains: + CommandLine|contains|all: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary + - Legitimate use of the binary to download files from a share level: low From 0734274dfab00c5bffe41d3df1f8b8f67d032203 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:05:40 -0300 Subject: [PATCH 0770/1335] Revert "Revert "Create win_susp_replace_lolbin.yml"" This reverts commit fdd9234acc0a4d3d30c270b14ce3381ef5653e55. --- .../win_susp_replace_lolbin.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml new file mode 100644 index 000000000..d530fec79 --- /dev/null +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml 
@@ -0,0 +1,25 @@ +title: Ingress Tool Transfer Using Replace.exe +id: 6ccf0c00-1061-4195-a724-6d9c0058b036 +description: Detect Copy and Download operations using Replace.exe. +status: experimental +references: + - https://lolbas-project.github.io/lolbas/Binaries/Replace +author: Jonhnathan Ribeiro, oscd.community +date: 2020/10/07 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\replace.exe' + CommandLine|contains: + - "\\\\\\\\" + - "/A" + condition: selection +falsepositives: + - Legitimate use of the binary +level: low From 3f23aa56c062ecae0242cc78648a8728e2905db6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:05:51 -0300 Subject: [PATCH 0771/1335] Revert "Revert "Changed the rule to download only and not the copy"" This reverts commit 17e7eee3a6bb856bc638cd34c5d250b73f153c9a. --- rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml index d530fec79..9dbdb1e21 100644 --- a/rules/windows/process_creation/win_susp_replace_lolbin.yml +++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml @@ -1,6 +1,6 @@ title: Ingress Tool Transfer Using Replace.exe id: 6ccf0c00-1061-4195-a724-6d9c0058b036 -description: Detect Copy and Download operations using Replace.exe. +description: Detect Download operations using Replace.exe. status: experimental references: - https://lolbas-project.github.io/lolbas/Binaries/Replace @@ -16,10 +16,10 @@ detection: selection: Image|endswith: - '\replace.exe' - CommandLine|contains: + CommandLine|contains|all: - "\\\\\\\\" - "/A" condition: selection falsepositives: - - Legitimate use of the binary + - Legitimate use of the binary to download files from a share level: low 
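Review bot: `"\\\\\\\\"` deserves an inline comment because its meaning passes through two escaping layers: YAML double quotes reduce the eight backslashes to four, and Sigma's own backslash escaping then, as I read the spec, yields two literal backslashes, i.e. the UNC prefix the download case depends on, e.g. `- "\\\\\\\\" # UNC path prefix (\\) after YAML and Sigma unescaping`. Commits 0766 through 0771 re-apply the same create + download-only pair three times; the net result equals 0767's output, so the repeated re-reverts are history noise rather than changes. The single-item list under `Image|endswith` could be a scalar.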
From 89bbee65944203520d0dbe96c3c5ed2ca84841ac Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 16 Oct 2020 11:57:54 -0300 Subject: [PATCH 0772/1335] Update win_susp_service_dacl_modification.yml --- .../process_creation/win_susp_service_dacl_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml index eaa1529af..82f5e0f35 100644 --- a/rules/windows/process_creation/win_susp_service_dacl_modification.yml +++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml @@ -1,7 +1,7 @@ title: Suspicious Service DACL Modification id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable -author: Jonhnathan Ribeiro +author: Jonhnathan Ribeiro, oscd.community status: experimental date: 2020/10/16 references: From bca3c80f43a98636c17fe07b84bf23bceb0a3c1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 20:39:26 +0300 Subject: [PATCH 0773/1335] Update lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index 057fb4702..cc1b9fcb3 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -18,6 +18,7 @@ detection: - 'rmdir * /var/log*' - 'rm * /private/var/audit/*' - 'rm * /private/var/log/system.log*' + - 'echo * /var/spool/mail/*' condition: keywords falsepositives: - Legitimate administration activities From 2fa700836390a9a47a817621de77d530edb977d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 20:42:12 +0300 Subject: [PATCH 0774/1335] change reference --- rules/linux/lnx_file_deletion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
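Review bot: `'echo * /var/spool/mail/*'` depends on the redirection target appearing in the logged command line, but `>` redirection is handled by the shell and never appears in the argv of the executed program, and `echo` is usually a shell builtin that creates no process at all, so the keyword only matches when the whole shell line is logged (for example `sh -c '...'` or shell history). If that is the intended source it should be stated in the rule; a file-modification event on `/var/spool/mail/*` would be the more reliable signal. The logsource is outside the hunk, so this is inferred from the keyword style.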
diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index 55336e93d..a35f14015 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -5,7 +5,7 @@ description: Detects file deletion commands author: Ömer Günal, oscd.community date: 2020/10/07 references: - - https://attack.mitre.org/techniques/T1070/004/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md logsource: product: linux category: process_creation From 30ce1ff2689b8f529bf3a9247a63c226c34162a4 Mon Sep 17 00:00:00 2001 From: "Nikita P. Nazarov" Date: Fri, 16 Oct 2020 20:44:08 +0300 Subject: [PATCH 0775/1335] Detected Windows Software Discovery --- .../builtin/win_software_discovery.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_software_discovery.yml diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml new file mode 100644 index 000000000..c6274d324 --- /dev/null +++ b/rules/windows/builtin/win_software_discovery.yml 
@@ -0,0 +1,42 @@ +action: global +title: Detected Windows Software Discovery +id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/16 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md + - https://attack.mitre.org/techniques/T1518/ +tags: + - attack.discovery + - attack.t1518 +level: medium +falsepositives: + - Legitimate administration activities +detection: + condition: 1 of them +--- +logsource: + product: windows + service: powershell +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize + - 'get-itemProperty' + - '*\software\*' + - 'select-object' + - 'format-table' +--- +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion + CommandLine|contains|all: + - 'query' + - '*\software\*' + - '/v' + - 'svcversion' From 6e2b8991280284457a023bc9fb658bf9e11ef38d Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Fri, 16 Oct 2020 13:51:02 -0400 Subject: [PATCH 0776/1335] Adding oscd.community to authors --- rules/windows/process_creation/win_nltest_query.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index 60476cda7..276c1d351 100644 --- a/rules/windows/process_creation/win_nltest_query.yml 
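Review bot: The process_creation selection requires `'svcversion'` alongside `'query'`, `'*\software\*'` and `'/v'`, so it only matches the single Internet Explorer example in the comment; any other `reg query HKLM\Software\...` enumeration is missed, which is very narrow for a `medium` software-discovery rule. Dropping `'svcversion'` (keeping the example in the comment) or turning it into a list of common values would match the title. The `*` inside `'*\software\*'` in both selections is redundant under `contains`, which already matches substrings.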
+++ b/rules/windows/process_creation/win_nltest_query.yml @@ -9,7 +9,7 @@ tags: - attack.credential_access - attack.t1003 status: experimental -author: Craig Young +author: Craig Young, oscd.community logsource: category: process_creation product: windows From f7fbfda7940dab6942a3455eeb529fa0079b294b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 20:53:00 +0300 Subject: [PATCH 0777/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 2768bb6c4..f1afc953c 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -1,3 +1,4 @@ +action: global title: System Information Discovery id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable @@ -5,9 +6,11 @@ description: Detects system information discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 references: - - https://attack.mitre.org/techniques/T1082/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +--- logsource: product: linux + categories: process_creation detection: selection: CommandLine|contains: @@ -21,7 +24,13 @@ detection: - 'dmidecode' - 'lscpu' - 'lsmod' - selection2: + condition: selection +--- +logsource: + product: linux + categories: file_event +detection: + selection: type: 'PATH' name: - '/sys/class/dmi/id/bios_version' @@ -29,7 +38,7 @@ detection: - '/sys/class/dmi/id/chassis_vendor' - '/proc/scsi/scsi' - '/proc/ide/hd0/model' - condition: selection or selection2 + condition: selection falsepositives: - Legitimate administration activities level: low From e9953b5a82d5f01143d6d807f73ff8f94d8e3142 Mon Sep 17 00:00:00 2001 
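Review bot: Both new logsource blocks use `categories:` but the Sigma logsource key is `category:` (compare `category: process_creation` in the nltest and at_command rules on this page); with the unknown key, backends will not apply their process_creation and file_event mappings, so `CommandLine` and `type`/`name` stay unmapped. Change them to `category: process_creation` and `category: file_event`. The `type: 'PATH'` / `name:` selection looks like auditd field names rather than a generic file event, so `service: auditd` may be the better fit; that is inferred, please confirm against the intended backend config.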
From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Fri, 16 Oct 2020 13:56:41 -0400 Subject: [PATCH 0778/1335] Utilize Image|endswith for efficiency Rather than searching all command lines, it is more efficient to consider first the Image name. --- rules/windows/process_creation/win_nltest_query.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index 276c1d351..07f66c8cb 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_query.yml @@ -15,8 +15,9 @@ logsource: product: windows detection: selection: + Image|endswith: + - '/nltest.exe' CommandLine|contains|all: - - nltest - \query condition: selection falsepositives: From 85e309929731e1b959a364b3c92ba6246c9f8017 Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Fri, 16 Oct 2020 13:58:59 -0400 Subject: [PATCH 0779/1335] Added LOLBAS URL --- rules/windows/process_creation/win_nltest_query.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index 07f66c8cb..497d7b6ad 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_query.yml @@ -3,6 +3,7 @@ id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 description: Detects nltest query commands which may leak credential hashes references: - https://twitter.com/sysopfb/status/986799053668139009 + - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml date: 2018/04/18 modified: 2020/10/06 tags: From cc3674bd12f30653f86374e6c9332f2317efc5df Mon Sep 17 00:00:00 2001 
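Review bot: `Image|endswith: - '/nltest.exe'` uses a forward slash, but Windows image paths are logged with backslashes (`C:\Windows\System32\nltest.exe`), so this selection never matches and the rule, which now requires it, goes silent; 0782 on this page keeps the same value. Change it to `Image|endswith: '\nltest.exe'`. Because the hunk also drops `- nltest` from the `CommandLine` list, the image match is now the only thing tying the rule to nltest, so this fix is load-bearing.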
From: Vasiliy Burov Date: Fri, 16 Oct 2020 21:03:11 +0300 Subject: [PATCH 0780/1335] Create win_susp_multiple_files_renamed.yml It is not the task of the OSCD sprint#2 but I decide to include this rule here :-) --- .../win_susp_multiple_files_renamed.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/file_event/win_susp_multiple_files_renamed.yml diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml new file mode 100644 index 000000000..e0e82577c --- /dev/null +++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml @@ -0,0 +1,27 @@ +title: Suspicious Multiple File Rename Occurred +id: 97919310-06a7-482c-9639-92b67ed63cf8 +author: Vasiliy Burov, oscd.community +date: 2020/10/16 +description: Detects multiple file rename events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. +status: experimental +references: + - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html +tags: + - attack.impact + - attack.t1486 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' +detection: + selection: + EventID: 4663 + ObjectType: 'File' + SubjectLogonId: '*' + AccessList: '%%1537' + Keywords: '0x8020000000000000' + timeframe: 30s + condition: selection | count() by SubjectLogonId > 20 +falsepositives: + - Unlikely +level: high From 723df2f15b6b5a965350f69c6f9cbbb22cad58f1 Mon Sep 17 00:00:00 2001 
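Review bot: `SubjectLogonId: '*'` is a match-anything value and adds nothing to `selection` beyond, on some backends, asserting the field exists; it can be dropped. `AccessList: '%%1537'` is the DELETE access right, which is requested by deletions as well as renames, so the count also triggers on bulk deletes (a cleanup or backup job easily exceeds 20 in 30 s), which the `Unlikely` false-positive entry and `high` level do not reflect. 4663 for file objects is only generated for objects carrying a matching SACL, so the `definition` should also state that a SACL must be set on the monitored directories, not just the audit policy; that is from my reading of object-access auditing, please confirm.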
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 21:08:01 +0300 Subject: [PATCH 0781/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f1afc953c..aafdfbdf0 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -7,6 +7,12 @@ author: Ömer Günal, oscd.community date: 2020/10/08 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1082 --- logsource: product: linux @@ -39,9 +45,3 @@ detection: - '/proc/scsi/scsi' - '/proc/ide/hd0/model' condition: selection -falsepositives: - - Legitimate administration activities -level: low -tags: - - attack.discovery - - attack.t1082 From 192bca814bed8035cb766e217ba878be0aa2ba91 Mon Sep 17 00:00:00 2001 From: Craig Young <7906955+cy1337@users.noreply.github.com> Date: Fri, 16 Oct 2020 15:46:51 -0400 Subject: [PATCH 0782/1335] Remove `all` modifier --- rules/windows/process_creation/win_nltest_query.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index 497d7b6ad..071ea68e2 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_query.yml @@ -18,7 +18,7 @@ detection: selection: Image|endswith: - '/nltest.exe' - CommandLine|contains|all: + CommandLine|contains: - \query condition: selection falsepositives: From bf12c7311885f9fa6bebbacea41410d7ba063f71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 22:49:40 +0300 Subject: [PATCH 0783/1335] Update at_command.yml --- rules/linux/at_command.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml index d032a5838..81e3802ea 100644 --- a/rules/linux/at_command.yml +++ b/rules/linux/at_command.yml @@ -8,15 +8,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md logsource: product: linux + category: process_creation detection: selection: - CommandLine|contains: - - ' at ' - - ' atd ' - - 'which atd' - - 'which at' - - 'systemctl status atd' - - 'service atd status ' + ProcessName|endswith: + - '/at' + - '/atd' condition: selection falsepositives: - Legitimate administration activities From a01c04018c323125062dc202ae8d3ea59c559e88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 22:52:15 +0300 Subject: [PATCH 0784/1335] Update lnx_password_policy_discovery.yml --- rules/linux/lnx_password_policy_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml index 5acb7efb4..eccbff04f 100644 --- a/rules/linux/lnx_password_policy_discovery.yml +++ b/rules/linux/lnx_password_policy_discovery.yml @@ -5,7 +5,7 @@ description: Detects password policy discovery commands author: Ömer Günal, oscd.community date: 2020/10/08 references: - - https://attack.mitre.org/techniques/T1201/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md logsource: service: auditd detection: From 26bb43eaf6f364214055ad3777491ce0863afb3a Mon Sep 17 00:00:00 2001 
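Review bot: `ProcessName` is not the field the other Linux process_creation rules on this page use (`CommandLine`), and Sigma's process_creation field for the executable path is `Image`; with `ProcessName`, the newly added `category: process_creation` mapping will not apply unless a backend config maps the name. Consider `Image|endswith:` with the same two values. Matching on the basename rather than the former `CommandLine` substrings is a good change, since `' at '` and `'which at'` were both noisy and easy to miss.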
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Fri, 16 Oct 2020 23:00:44 +0300 Subject: [PATCH 0785/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index aafdfbdf0..df9a1cc80 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -21,10 +21,7 @@ detection: selection: CommandLine|contains: - 'uname' - - '/proc/version' - - '/etc/*-release' - 'hostname' - - '/etc/issue' - 'uptime' - 'lspci' - 'dmidecode' @@ -44,4 +41,7 @@ detection: - '/sys/class/dmi/id/chassis_vendor' - '/proc/scsi/scsi' - '/proc/ide/hd0/model' + - '/proc/version' + - '/etc/redhat-release' + - '/etc/issue' condition: selection From 69bde540c76ed977966747047df0efb5276b3ebd Mon Sep 17 00:00:00 2001 From: Alexey Lednyov Date: Sat, 17 Oct 2020 00:45:39 +0300 Subject: [PATCH 0786/1335] Added a rule to detect the use windows telemetry mechanism for persistence --- .../sysmon_win_reg_telemetry_persistence.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml new file mode 100644 index 000000000..63c33251a --- /dev/null +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml 
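Review bot: Replacing `'/etc/*-release'` with `'/etc/redhat-release'` narrows the file selection to one distribution; `/etc/os-release`, `/etc/lsb-release` and similar are no longer covered, so keep the wildcard form or list the common names. Also, `'uname'` under `CommandLine|contains` is a bare substring and will match `username`/`--username` arguments in unrelated commands; anchoring it (`'uname '`, or an `Image|endswith: '/uname'` in the process selection) would avoid that.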
@@ -0,0 +1,29 @@ +title: Registry persistence mechanism via windows telemetry +id: 73a883d0-0348-4be4-a8d8-51031c2564f8 +description: Detects persistence method using windows telemetry +status: experimental +date: 2020/10/16 +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +author: Lednyov Alexey, oscd.community +tags: + - attack.persistence +logsource: + category: registry_event + product: windows + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' +detection: + selection: + TargetObject|contains|all: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + - '\Command' + Details|contains: '.exe' + EventType: 'SetValue' + filter: + Details|contains: + - '\system32\CompatTelRunner.exe' + - '\system32\DeviceCensus.exe' + condition: selection and not filter +falsepositives: + - unknown +level: critical From 761bebfecef526dff8e1f9b6ea8254ec0bb79e9c Mon Sep 17 00:00:00 2001 From: Alexey Lednyov Date: Sat, 17 Oct 2020 01:10:47 +0300 Subject: [PATCH 0787/1335] Fix title --- .../registry_event/sysmon_win_reg_telemetry_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 63c33251a..4a87d0fda 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -1,4 +1,4 @@ -title: Registry persistence mechanism via windows telemetry +title: Registry Persistence Mechanism via Windows Telemetry id: 73a883d0-0348-4be4-a8d8-51031c2564f8 description: Detects persistence method using windows telemetry status: experimental From dbb18b89dc1b1922f3f010fb7f8e8408ec638230 Mon Sep 17 00:00:00 2001 
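Review bot: The `definition` line says the TelemetryController subkey lives in "the HKLU hives"; there is no HKLU hive, and the referenced TrustedSec write-up places the key under HKLM, so the text should read `... TelemetryController subkey of the HKLM hive`, otherwise readers will point their Sysmon config at the wrong hive. The `filter` entries `'\system32\CompatTelRunner.exe'` and `'\system32\DeviceCensus.exe'` are substring matches; anchoring them to the Windows directory (`'\Windows\System32\CompatTelRunner.exe'`) keeps the exclusion from being satisfied by a same-named binary under some other `system32` directory. With `Details|contains: '.exe'` as the only positive qualifier and a two-entry filter, `level: critical` seems high for an experimental rule; high is the usual starting point until the rule has been tuned.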
From: Alexander Akhremchik Date: Sat, 17 Oct 2020 00:05:49 +0300 Subject: [PATCH 0788/1335] add zerologon rule --- .../builtin/win_privesc_cve_2020_1472.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/builtin/win_privesc_cve_2020_1472.yml diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml new file mode 100644 index 000000000..2d8c1d34e --- /dev/null +++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml @@ -0,0 +1,28 @@ +title: 'Possible Zerologon (CVE-2020-1472) exploitation' +id: dd7876d8-0f09-11eb-adc1-0242ac120002 +status: experimental +description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) +references: + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 + - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ +author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community' +date: 2020/10/15 +tags: + - attack.t1068 + - attack.privilege_escalation +logsource: + product: windows + service: security +detection: + selection: + EventID: 4742 + SourceUserName: 'ANONYMOUS LOGON' + TargetUserName: '%DC-MACHINE-NAME$%' # DC machine account name that ends with '$' + filter: + ChangedAttributes|contains: + - 'Password Last Set: -' + condition: selection and not filter +falsepositives: + - automatic DC computer account password change + - legitimate DC computer account password change +level: high From 860dc24e4b484357dafa1ceb05236ab3d8c78277 Mon Sep 17 00:00:00 2001 From: Alexander Akhremchik Date: Sat, 17 Oct 2020 01:13:57 +0300 Subject: [PATCH 0789/1335] add zerologon rule --- rules/windows/builtin/win_privesc_cve_2020_1472.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml index 2d8c1d34e..8eb85313f 100644 
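Review bot: `TargetUserName: '%DC-MACHINE-NAME$%'` is a placeholder, so the rule cannot be converted or matched as committed and has to be hand-edited per site; since the signal described in the references is a computer-account password reset, `TargetUserName|endswith: '$'` expresses the intent without a placeholder (a 4742 from ANONYMOUS LOGON against any machine account is already worth a hit). On the raw 4742 event the subject field is `SubjectUserName`; `SourceUserName` only works if the backend config maps it, which is worth confirming. The `author` line has `ocsd.community`, presumably `oscd.community`.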
--- a/rules/windows/builtin/win_privesc_cve_2020_1472.yml +++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml @@ -17,7 +17,7 @@ detection: selection: EventID: 4742 SourceUserName: 'ANONYMOUS LOGON' - TargetUserName: '%DC-MACHINE-NAME$%' # DC machine account name that ends with '$' + TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$' filter: ChangedAttributes|contains: - 'Password Last Set: -' From 451187bfbd197cf0625692517596169968ff1082 Mon Sep 17 00:00:00 2001 From: Alexander Akhremchik Date: Sat, 17 Oct 2020 01:26:02 +0300 Subject: [PATCH 0790/1335] fixed title capitalization --- rules/windows/builtin/win_privesc_cve_2020_1472.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml index 8eb85313f..25f9d8143 100644 --- a/rules/windows/builtin/win_privesc_cve_2020_1472.yml +++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml @@ -1,4 +1,4 @@ -title: 'Possible Zerologon (CVE-2020-1472) exploitation' +title: 'Possible Zerologon (CVE-2020-1472) Exploitation' id: dd7876d8-0f09-11eb-adc1-0242ac120002 status: experimental description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) From 9b568df527544b4288c91d51c492b1aa53d34383 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Sat, 17 Oct 2020 02:06:01 +0300 Subject: [PATCH 0791/1335] Lin/Mac T1552.003 --- rules/linux/lnx_susp_histfile_operations.yml | 41 +++++++++++++++++++ .../linux/macos_susp_histfile_operations.yml | 29 +++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 rules/linux/lnx_susp_histfile_operations.yml create mode 100644 rules/linux/macos_susp_histfile_operations.yml diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml new file mode 100644 index 000000000..f9efda06d --- /dev/null +++ b/rules/linux/lnx_susp_histfile_operations.yml 
@@ -0,0 +1,41 @@ +title: 'Suspicious history file operations' +id: eae8ce9f-bde9-47a6-8e79-f20d18419910 +status: experimental +description: 'Detects commandline operations on shell history files' + # Rule detects presence of various shell history files in process commandline + # Normally user expected to view own history with dedicated 'history' command and not some other tools + # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared) + # For this rule to work execve auditing must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Mikhail Larin, oscd.community' +date: 2020/10/17 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + keywords|contains: + - '.bash_history' + - '.zsh_history' + - '.history' + - '.sh_history' + - 'fish_history' + condition: selection +fields: + - a0 + - a1 + - a2 + - a3 + - key +falsepositives: + - 'Legitimate administrative activity' + - 'Ligitimate software, cleaning hist file' +level: medium +tags: + - attack.credential_access + - attack.t1552.003 diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml new file mode 100644 index 000000000..27130a79b --- /dev/null +++ b/rules/linux/macos_susp_histfile_operations.yml 
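Review bot: The comment block under `description` and the `falsepositives` list carry typos that will surface in generated documentation: 'techinuque' → 'technique' and 'Ligitimate' → 'Legitimate'; both strings appear again in `macos_susp_histfile_operations.yml` in the next hunk. `keywords|contains` used as a field name inside a map is unusual for Sigma — keyword searches are normally a plain list under the selection, and a backend may treat `keywords` as a literal field name — so confirm it converts as intended for auditd EXECVE records, where the arguments live in `a0`…`aN` (the fields the rule lists under `fields`).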
@@ -0,0 +1,29 @@ +title: 'Suspicious history file operations' +id: 508a9374-ad52-4789-b568-fc358def2c65 +status: experimental +description: 'Detects commandline operations on shell history files' + # Rule detects presence of various shell history files in process commandline + # Normally user expected to view own history with dedicated 'history' command and not some other tools + # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared) + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Mikhail Larin, oscd.community' +date: 2020/10/17 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md +logsource: + product: macos + category: process_creation +detection: + selection: + CommandLine|contains: + - '.bash_history' + - '.zsh_history' + condition: selection +falsepositives: + - 'Legitimate administrative activity' + - 'Ligitimate software, cleaning hist file' +level: medium +tags: + - attack.credential_access + - attack.t1552.003 From fb3bee0cadaa1aae03d39c14bd2446621edcc6e6 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Sat, 17 Oct 2020 02:17:40 +0300 Subject: [PATCH 0792/1335] title fix --- rules/linux/lnx_susp_histfile_operations.yml | 2 +- rules/linux/macos_susp_histfile_operations.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml index f9efda06d..b5a6e690b 100644 --- a/rules/linux/lnx_susp_histfile_operations.yml +++ b/rules/linux/lnx_susp_histfile_operations.yml @@ -1,4 +1,4 @@ -title: 'Suspicious history file operations' +title: 'Suspicious History File Operations' id: eae8ce9f-bde9-47a6-8e79-f20d18419910 status: experimental description: 'Detects commandline operations on shell history files' 
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml index 27130a79b..19bec9c54 100644 --- a/rules/linux/macos_susp_histfile_operations.yml +++ b/rules/linux/macos_susp_histfile_operations.yml @@ -1,4 +1,4 @@ -title: 'Suspicious history file operations' +title: 'Suspicious History File Operations' id: 508a9374-ad52-4789-b568-fc358def2c65 status: experimental description: 'Detects commandline operations on shell history files' From 65854752a9c7cd8d8d66b41aa3d4adc76fd60926 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Sat, 17 Oct 2020 02:33:32 +0300 Subject: [PATCH 0793/1335] additional shells for both rules fix --- rules/linux/lnx_susp_histfile_operations.yml | 1 + rules/linux/macos_susp_histfile_operations.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml index b5a6e690b..453bad916 100644 --- a/rules/linux/lnx_susp_histfile_operations.yml +++ b/rules/linux/lnx_susp_histfile_operations.yml @@ -22,6 +22,7 @@ detection: keywords|contains: - '.bash_history' - '.zsh_history' + - '.zhistory' - '.history' - '.sh_history' - 'fish_history' diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml index 19bec9c54..21538d346 100644 --- a/rules/linux/macos_susp_histfile_operations.yml +++ b/rules/linux/macos_susp_histfile_operations.yml @@ -19,6 +19,9 @@ detection: CommandLine|contains: - '.bash_history' - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' condition: selection falsepositives: - 'Legitimate administrative activity' From 29f2f1acfe24200433ec1f61942cb0663380847e Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Sat, 17 Oct 2020 02:37:21 +0300 Subject: [PATCH 0794/1335] added fish to macos rule --- rules/linux/macos_susp_histfile_operations.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml index 21538d346..b643bfbb3 100644 --- a/rules/linux/macos_susp_histfile_operations.yml +++ b/rules/linux/macos_susp_histfile_operations.yml @@ -22,6 +22,7 @@ detection: - '.zhistory' - '.history' - '.sh_history' + - 'fish_history' condition: selection falsepositives: - 'Legitimate administrative activity' From e955d38f0a96e5f0020a37a33e821f35f1658d22 Mon Sep 17 00:00:00 2001 From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com> Date: Fri, 16 Oct 2020 21:35:53 -0400 Subject: [PATCH 0795/1335] [OSCD] Always Install Elevated Alternative Page 48 from #574 Alternative to #1195 because it is on the unsupported folder. Following suggestion from @yugoslavskiy - #574 (comment) --- ...ays_install_elevated_windows_installer.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml new file mode 100644 index 000000000..30cb9b428 --- /dev/null +++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml 
@@ -0,0 +1,37 @@ +title: Always Install Elevated Windows Installer +id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 +description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + integrity_level: + IntegrityLevel: 'System' + user: + User: 'NT AUTHORITY\SYSTEM' + image_1: + Image|contains|all: + - '\Windows\Installer\' + - 'msi' + Image|endswith: + - 'tmp' + image_2: + Image|endswith: + - '\msiexec.exe' + condition: (image_1 and user) or (image_2 and user and integrity_level) +fields: + - IntegrityLevel + - User + - Image +falsepositives: + - System administrator Usage + - Penetration test +level: high \ No newline at end of file From ffde8b020828ba9d149884b674788db3074c201f Mon Sep 17 00:00:00 2001 From: remotephone Date: Fri, 16 Oct 2020 21:54:41 -0500 Subject: [PATCH 0796/1335] Update to handle different file locations --- rules/linux/lnx_system_network_discovery.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 937ab7509..a19cecb73 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml 
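Review bot: The `image_2` branch — `\msiexec.exe` running as `NT AUTHORITY\SYSTEM` at System integrity — describes the Windows Installer service itself, which is how msiexec runs for every package install, so that branch fires on routine MSI installations rather than specifically on AlwaysInstallElevated abuse and `level: high` will be noisy. Narrowing it, for example by excluding the service's own launch command line (I believe it is `msiexec.exe /V`; confirm on a reference host) or by requiring a non-SYSTEM parent, would keep the rule on its stated target. The description has a grammar slip: 'This rule will looks for' → 'This rule looks for'. The file also lacks a trailing newline.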
@@ -11,14 +11,14 @@ logsource: product: unix detection: selection: - ProcessName: - - '/usr/bin/firewall-cmd' - - '/usr/sbin/ufw' - - '/usr/sbin/iptables' - - '/usr/bin/netstat' - - '/usr/bin/ss' - - '/usr/sbin/ip' - - '/usr/sbin/ifconfig' + ProcessName|endswith: + - '/firewall-cmd' + - '/ufw' + - '/iptables' + - '/netstat' + - '/ss' + - '/ip' + - '/ifconfig' condition: selection falsepositives: - Legitimate administration activities From 8f6ce25bab4cb137d469e63339ec1a8616a01f06 Mon Sep 17 00:00:00 2001 From: remotephone Date: Fri, 16 Oct 2020 22:01:44 -0500 Subject: [PATCH 0797/1335] Merge changes from pull 1084 with this one https://github.com/Neo23x0/sigma/pull/1084 includes some commands I missed. This merges both and creates an OR selection condition to match both possible conditions. --- rules/linux/lnx_system_network_discovery.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index a19cecb73..cc7a1cf4b 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -10,7 +10,7 @@ logsource: category: process_creation product: unix detection: - selection: + selection1: ProcessName|endswith: - '/firewall-cmd' - '/ufw' @@ -19,7 +19,11 @@ detection: - '/ss' - '/ip' - '/ifconfig' - condition: selection + - '/systemd-resolve' + - '/route' + selection2: + CommandLine|contains: '/etc/resolv.conf' + condition: selection1 or selection2 falsepositives: - Legitimate administration activities level: low From 48cabeafe5ca5a05ec89bd54324504243b88cac9 Mon Sep 17 00:00:00 2001 From: remotephone Date: Fri, 16 Oct 2020 22:02:58 -0500 Subject: [PATCH 0798/1335] Updated author section --- rules/linux/lnx_system_network_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index cc7a1cf4b..af22539c4 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -2,7 +2,7 @@ title: System Network Discovery - Linux id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: experimental description: Detects enumeration of local network configuration -author: remotephone, oscd.community +author: Ömer Günal and remotephone, oscd.community date: 2020/10/06 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md From 1a0e2b3c8e005aca8a4ce48ca867846c1624901a Mon Sep 17 00:00:00 2001 From: Alexey Lednyov Date: Sat, 17 Oct 2020 08:46:57 +0300 Subject: [PATCH 0799/1335] Add a technique tag --- .../registry_event/sysmon_win_reg_telemetry_persistence.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 4a87d0fda..67963ff93 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -8,6 +8,7 @@ references: author: Lednyov Alexey, oscd.community tags: - attack.persistence + - attack.t1053.005 logsource: category: registry_event product: windows From ff8485280386500317a54f63ec2e2f3dd7e3d4bd Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Sat, 17 Oct 2020 09:36:25 -0400 Subject: [PATCH 0801/1335] Replace start of paths with placeholders --- .../win_access_fake_files_with_stored_credentials.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename {rules/windows/builtin => rules-unsupported}/win_access_fake_files_with_stored_credentials.yml (84%) 
diff --git a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml similarity index 84% rename from rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml rename to rules-unsupported/win_access_fake_files_with_stored_credentials.yml index ab2533ba9..c8f95ed78 100644 --- a/rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml +++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml @@ -17,8 +17,8 @@ detection: EventID: 4663 AccessList|contains: '%%4416' ObjectName|endswith: - - '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml' - - '\Panther\Unattend.xml' + - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml' + - '\%FOLDER_NAME%\Unattend.xml' condition: selection fields: - EventID From 782a55b8e5134455cd3e6eea49f86fb4669b6ee6 Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Sat, 17 Oct 2020 10:42:24 -0400 Subject: [PATCH 0802/1335] Add Files Dropped to Program Files by Non-Priviledged Process Rule --- .../sysmon_non_priv_program_files_move.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/file_event/sysmon_non_priv_program_files_move.yml diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml new file mode 100644 index 000000000..51af9b500 --- /dev/null +++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml 
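Review bot: With `ObjectName|endswith`, the leading `\%POLICY_ID%\` and `\%FOLDER_NAME%\` placeholders add nothing the match needs — `'\Machine\Preferences\Groups\Groups.xml'` and `'\Unattend.xml'` already match any policy GUID or parent folder — yet the placeholders are what pushes the rule into rules-unsupported. Dropping the placeholder prefixes keeps the rule convertible with no loss of coverage.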
@@ -0,0 +1,30 @@ +title: Files Dropped to Program Files by Non-Priviledged Process +id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1 +description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes +status: experimental +author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community +date: 2020/10/17 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1574 + - attack.t1574.010 +logsource: + category: file_event + product: windows +detection: + integrity: + IntegrityLevel: 'Medium' + program_files: + - TargetFilename|contains: + - '\Program Files\' + - '\Program Files (x86)\' + - TargetFilename|startswith: '\Windows\' + temp: + TargetFilename|contains: 'temp' + condition: integrity and (program_files or temp) +falsepositives: + - Unknown +level: medium From 20450d74f1884da65b68ec8dce2f7a122440721e Mon Sep 17 00:00:00 2001 From: aw350m3 Date: Sat, 17 Oct 2020 15:50:55 +0000 Subject: [PATCH 0803/1335] Added a rule to detect the launch of a PowerShell with redirection of the input stream. --- ...un_powershell_script_from_input_stream.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml new file mode 100644 index 000000000..6beb56104 --- /dev/null +++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml 
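Review bot: `TargetFilename|startswith: '\Windows\'` will never match, because Sysmon reports TargetFilename with the drive letter (`C:\Windows\...`); `TargetFilename|contains: ':\Windows\'` is what the program_files branch needs. The `temp` selection (`TargetFilename|contains: 'temp'`) at Medium integrity matches every user-mode write under any temp path and is unrelated to the title, so it will dominate the hits; consider dropping it or giving it its own rule. As far as I know Sysmon's FileCreate event carries no IntegrityLevel field, so `integrity` may only be satisfiable through enrichment — worth confirming before the rule leaves experimental. Typos: 'Priviledged' → 'Privileged', 'fodlers' → 'folders'.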
@@ -0,0 +1,25 @@ +title: Run PowerShell Script from Redirected Input Stream +id: c83bf4b5-cdf0-437c-90fa-43d734f7c476 +status: experimental +description: Detects PowerShell script execution via input stream redirection +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml + - https://twitter.com/Moriarty_Meng/status/984380793383370752 +author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community +date: 2020/10/17 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + powershell_started: + Image|endswith: '\powershell.exe' + redirect_to_input_stream: + CommandLine|re: '\s-\s*<' + condition: powershell_started and redirect_to_input_stream +falsepositives: + - Unknown +level: high From acf87f927c330a688ffea84da17eca588f000a15 Mon Sep 17 00:00:00 2001 From: aw350m3 Date: Sat, 17 Oct 2020 16:03:49 +0000 Subject: [PATCH 0804/1335] fix tabs --- .../win_run_powershell_script_from_input_stream.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml index 6beb56104..6f25badfd 100644 --- a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml +++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml 
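Review bot: `Image|endswith: '\powershell.exe'` leaves out PowerShell Core; if `pwsh.exe` accepts the same `-` stdin form (confirm against the LOLBAS entry), adding `- '\pwsh.exe'` to `powershell_started` closes that gap. The regex `'\s-\s*<'` is broad on its own (any ` -<` or ` - <` in a command line), but since it is ANDed with the image check the remaining noise should be manageable and is reasonably reflected by `level: high`.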
@@ -1,16 +1,16 @@ title: Run PowerShell Script from Redirected Input Stream id: c83bf4b5-cdf0-437c-90fa-43d734f7c476 status: experimental -description: Detects PowerShell script execution via input stream redirection +description: Detects PowerShell script execution via input stream redirect references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml - - https://twitter.com/Moriarty_Meng/status/984380793383370752 + - https://twitter.com/Moriarty_Meng/status/984380793383370752 author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community date: 2020/10/17 tags: - attack.defense_evasion - - attack.execution - - attack.t1059 + - attack.execution + - attack.t1059 logsource: category: process_creation product: windows From 18c2a107c701559adaf6276e8b061cf7cc739f21 Mon Sep 17 00:00:00 2001 From: aw350m3 Date: Sat, 17 Oct 2020 16:07:40 +0000 Subject: [PATCH 0805/1335] fix tabs... again... --- .../win_run_powershell_script_from_input_stream.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml index 6f25badfd..e8bda9dfc 100644 --- a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml +++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml @@ -17,7 +17,7 @@ logsource: detection: powershell_started: Image|endswith: '\powershell.exe' - redirect_to_input_stream: + redirect_to_input_stream: CommandLine|re: '\s-\s*<' condition: powershell_started and redirect_to_input_stream falsepositives: From ae30660556a3e48b3e623861289a0dbc8132f6d2 Mon Sep 17 00:00:00 2001 
From: grikos Date: Sat, 17 Oct 2020 22:22:24 +0300 Subject: [PATCH 0807/1335] suspicious csi.exe (rcsi.exe) LOLBAS detection rule --- .../windows/process_creation/win_susp_csi.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_csi.yml diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml new file mode 100644 index 000000000..3ee5127aa --- /dev/null +++ b/rules/windows/process_creation/win_susp_csi.yml @@ -0,0 +1,39 @@ +title: Suspicious Csi.exe Usage +id: 40b95d31-1afc-469e-8d34-9a3a667d058e +description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. + It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility + provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' +status: experimental +author: Konstantin Grishchenko, oscd.community +date: 2020/10/17 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml + - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ + - https://twitter.com/Z3Jpa29z/status/1317545798981324801 +tags: + - attack.execution + - attack.t1072 + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + basic: + - Image|endswith: '\csi.exe' + - Image|endswith: '\rcsi.exe' + renamed: + - OriginalFilename: 'csi.exe' + - OriginalFilename: 'rcsi.exe' + selection: + Company: 'Microsoft Corporation' + condition: (basic or renamed) and selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate usage by software developers +level: medium \ No newline at end of file 
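Review bot: `attack.t1072` (Software Deployment Tools) does not fit a developer utility used as a LOLBAS; `attack.t1127` (Trusted Developer Utilities Proxy Execution) is the technique this rule maps to, alongside the existing defense_evasion tag. `Company: 'Microsoft Corporation'` ANDed with the path match means a csi.exe without Microsoft version information is ignored, which is presumably intended but worth stating in the description. Typo: 'Micosoft' → 'Microsoft'.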
From e7e5ed69239810a5d46a53a171645f03029d17aa Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 17 Oct 2020 21:27:50 +0200 Subject: [PATCH 0808/1335] Update win_rasautou_dll_execution.yml to trigger a test --- rules/windows/process_creation/win_rasautou_dll_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml index e05a5d7db..fef616b20 100644 --- a/rules/windows/process_creation/win_rasautou_dll_execution.yml +++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml @@ -27,4 +27,4 @@ detection: condition: (use_rasautou or remaned_rasautou) and special_keys level: medium falsepositives: - - Unlikely. + - Unlikely From aa87772ee75cb49f6bbad9da64dee1a121aa92fa Mon Sep 17 00:00:00 2001 From: grikos Date: Sat, 17 Oct 2020 22:29:49 +0300 Subject: [PATCH 0809/1335] empty line at the end of file added & del extra spaces after hyphen --- rules/windows/process_creation/win_susp_csi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index 3ee5127aa..a5dcf04ff 100644 --- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml @@ -35,5 +35,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate usage by software developers -level: medium \ No newline at end of file + - Legitimate usage by software developers +level: medium From fc3e7c37ab158d137dbad3da372c1a984f0d6ce8 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 17 Oct 2020 21:35:44 +0200 Subject: [PATCH 0810/1335] Update sysmon_uac_bypass_via_dism.yml to execute the test --- rules/windows/image_load/sysmon_uac_bypass_via_dism.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml index 7c336fd06..f339f382e 100644 --- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -1,7 +1,7 @@ title: UAC Bypass With Fake DLL id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03 status: experimental -description: Attempts to load dismcore.dll after dropping it. +description: Attempts to load dismcore.dll after dropping it references: - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility tags: @@ -28,4 +28,4 @@ detection: falsepositives: - Pentests - Actions of a legitimate telnet client -level: high \ No newline at end of file +level: high From b75126f5808f11c52a00405d3d7b453b0d1f9165 Mon Sep 17 00:00:00 2001 From: grikos <51186173+grikos@users.noreply.github.com> Date: Sat, 17 Oct 2020 22:48:40 +0300 Subject: [PATCH 0811/1335] merged the description into one line --- rules/windows/process_creation/win_susp_csi.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index a5dcf04ff..6599c02b5 100644 --- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml 
@@ -1,8 +1,6 @@ title: Suspicious Csi.exe Usage id: 40b95d31-1afc-469e-8d34-9a3a667d058e -description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. - It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility - provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' +description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' status: experimental author: Konstantin Grishchenko, oscd.community date: 2020/10/17 From d6b64f2caf1eb4fa1e563ddad1794b53cf1fbc72 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 17 Oct 2020 22:22:20 +0200 Subject: [PATCH 0813/1335] Update lnx_schedule_task_job_cron.yml to trigger a test --- rules/linux/lnx_schedule_task_job_cron.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml index dc37f2270..3c0acd950 100644 --- a/rules/linux/lnx_schedule_task_job_cron.yml +++ b/rules/linux/lnx_schedule_task_job_cron.yml @@ -12,7 +12,7 @@ logsource: detection: selection: ProcessName|endswith: - - 'crontab' + - '/crontab' CommandLine|contains: - '/tmp/' condition: selection From cb8cbf5a17a968cf15f52f2e573d733860aff7c7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 17 Oct 2020 22:25:52 +0200 Subject: [PATCH 0817/1335] Update lnx_schedule_task_job_cron.yml to trigger a test once again) --- rules/linux/lnx_schedule_task_job_cron.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml index 3c0acd950..dc37f2270 100644 
--- a/rules/linux/lnx_schedule_task_job_cron.yml +++ b/rules/linux/lnx_schedule_task_job_cron.yml @@ -12,7 +12,7 @@ logsource: detection: selection: ProcessName|endswith: - - '/crontab' + - 'crontab' CommandLine|contains: - '/tmp/' condition: selection From 198add2229c99a8e10711296405a3ef51f38751a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 17 Oct 2020 22:28:10 +0200 Subject: [PATCH 0821/1335] Update win_wmi_persistence.yml to trigger a test --- rules/windows/other/win_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 346f81b4b..5ffcb0df8 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -2,7 +2,7 @@ action: global title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 modified: 2020/10/13 From 3aff4836ca1f11696457fd5ab9b0139072714da9 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Sun, 18 Oct 2020 00:19:27 +0300 Subject: [PATCH 0822/1335] Update sysmon_wab_dllpath_reg_change.yml --- .../windows/registry_event/sysmon_wab_dllpath_reg_change.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 50b0b9ba8..63a654317 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml 
@@ -1,6 +1,6 @@ -title: Modification of HKLM\Software\Microsoft\WAB\DLLPath +title: Execution DLL of Choice Using WAB.EXE id: fc014922-5def-4da9-a0fc-28c973f41bfb -description: Detects modification of HKLM\Software\Microsoft\WAB\DLLPath Registry Key that may indicate an attempt to execute a malicious library through WAB.exe +description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. status: experimental references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml From 8d1b8631823ec73524c13ae18604d69978a1a899 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Sun, 18 Oct 2020 01:16:11 +0300 Subject: [PATCH 0823/1335] Update sysmon_in_memory_powershell.yml --- rules/windows/image_load/sysmon_in_memory_powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml index cd0e9acbe..d4f1dcd25 100755 --- a/rules/windows/image_load/sysmon_in_memory_powershell.yml +++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml @@ -2,7 +2,7 @@ title: In-memory PowerShell id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. -author: Tom Kern, oscd.community +author: Tom Kern, oscd.community, Natalia Shornikova date: 2019/11/14 modified: 2020/10/12 references: From 789e7227bee26c54b1da82a4551693b8eedd932a Mon Sep 17 00:00:00 2001 
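Review bot: The new description asserts that the rule fires only when the DLLPath value "is different from the default one", but nothing in this hunk shows such a filter; if the detection block (outside this hunk) matches any write to the key, the previous description was the accurate one and the new text overstates what the rule checks. The new title `Execution DLL of Choice Using WAB.EXE` is also ungrammatical. Suggest `title: WAB DLLPath Registry Modification` and `description: Detects modification of the HKLM\Software\Microsoft\WAB\DLLPath registry value, which WAB.exe reads to locate the DLL it loads; a changed path may indicate an attempt to execute a malicious library through WAB.exe`.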
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Sun, 18 Oct 2020 02:16:11 +0300 Subject: [PATCH 0824/1335] Splitting into two --- ...powershell_script_installed_as_service.yml | 38 ++++++++++--------- .../sysmon_powershell_as_service.yml | 24 ++++++++++++ 2 files changed, 45 insertions(+), 17 deletions(-) create mode 100644 rules/windows/registry_event/sysmon_powershell_as_service.yml diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index e37c984bb..1cda78017 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -1,3 +1,4 @@ +action: global title: PowerShell Scripts Installed as Services id: a2e5019d-a658-4c6a-92bf-7197b54e2cae description: Detects powershell script installed as a Service @@ -6,25 +7,28 @@ author: oscd.community, Natalia Shornikova date: 2020/10/06 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -tag: +tags: - attack.execution - attack.t1569.002 -logsource: - product: windows detection: - selection1: - EventID: - - 7045 - - 4697 - ServiceFileName|contains: - - 'powershell' - - 'pwsh' - selection2: - EventID: 13 - TargetObject: '*\Services\*\ImagePath' - Details|contains: - - 'powershell' - - 'pwsh' - condition: selection1 or selection2 + powershell_as_service: + ServiceFileName|contains: + - 'powershell' + - 'pwsh' + condition: service_creation and powershell_as_service falsepositives: Unknown level: high +--- +logsource: + product: windows + service: system +detection: + service_creation: + EventID: 7045 +--- +logsource: + product: windows + service: security +detection: + service_creation: + EventID: 4697 
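Review bot: `ServiceFileName|contains` is now applied to both the System 7045 and the Security 4697 documents, but as far as I recall 7045's EventData carries the binary path as `ImagePath` and only 4697 as `ServiceFileName`; the multi-logsource rule added later in this series (win_invoke_obfuscation_via_rundll_services.yml) keys the same events on `ImagePath|re`, so one of the two rules is wrong for at least one event and the field mapping should be checked before merging. `falsepositives: Unknown` is also a scalar where the other rules on this page use a list (`falsepositives:` / `  - Unknown`). The Sigma documents of the split file end inside this hunk; the head of the file is in the previous hunk.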
diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml new file mode 100644 index 000000000..a26556cb7 --- /dev/null +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml @@ -0,0 +1,24 @@ +title: PowerShell as a Service in Registry +id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d +description: Detects that a powershell code is written to the registry as a service. +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1569.002 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|contains: '\Services\' + TargetObject|endswith: '\ImagePath' + Details|contains: + - 'powershell' + - 'pwsh' + condition: selection +falsepositives: Unknown +level: high From 30970903bc719ebe4df33ac627aa7fd0b5b985f2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 18 Oct 2020 01:32:07 +0200 Subject: [PATCH 0825/1335] Update win_powershell_script_installed_as_service.yml --- .../builtin/win_powershell_script_installed_as_service.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 1cda78017..1f5a7e419 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml @@ -26,6 +26,13 @@ detection: service_creation: EventID: 7045 --- +logsource: + product: windows + service: sysmon +detection: + service_creation: + EventID: 6 +--- logsource: product: windows service: security From a6f00d6acc57ec9f41c6dd9f5fe86778aeda47e7 Mon Sep 17 00:00:00 2001 
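Review bot: Sysmon EventID 6 is "Driver loaded", not a service-installation event, so the added `service: sysmon` document does not supply a `service_creation` that carries `ServiceFileName` and will either never match or produce an unresolvable field on most backends; the document should be dropped (the Sysmon-side coverage for this technique is the registry rule created in the previous commit). The same `service: sysmon` / `EventID: 6` document appears in win_invoke_obfuscation_via_rundll_services.yml later in this series.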
From: nsaddler Date: Sun, 18 Oct 2020 02:48:21 +0300 Subject: [PATCH 0827/1335] Update powershell_CL_Invocation_LOLScript.yml --- .../powershell/powershell_CL_Invocation_LOLScript.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3a97e90fb..c7e482c88 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -26,10 +26,10 @@ detection: - 'SyncInvoke' timeframe: 1m condition: - - selection + - selection or (selection2 | count(ScriptBlockText) by Computer > 2) # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe - - selection2 | count(ScriptBlockText) by Computer > 2 + # or # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 # PS > SyncInvoke c:\Evil.exe falsepositives: Unknown -level: high \ No newline at end of file +level: high From 31ad3fcd6b6d2d394447dec56913b70b4bcde62d Mon Sep 17 00:00:00 2001 From: "S.kiran kumar" Date: Sun, 18 Oct 2020 08:08:25 +0530 Subject: [PATCH 0828/1335] Mitre tags changed --- .../windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml index c01972ae7..d6b7569ed 100644 --- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml +++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml @@ -3,6 +3,10 @@ id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 description: Detects a possible remote connections to Silenttrinity c2 references: - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ +tags: + - t1127.001 + - tA0002 + - t1127 status: experimental author: Kiran kumar s, oscd.community date: 2020/10/11 
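Review bot: The added tags `t1127.001`, `tA0002` and `t1127` do not follow the tag convention used by every other rule on this page (`attack.<tactic>` for tactics, `attack.t<id>` for techniques), so tooling that keys on the `attack.` prefix will not map them; `tA0002` in particular should be the tactic name, not the tactic id. Write them as `- attack.execution`, `- attack.t1127.001`, `- attack.t1127`.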
From b69e56539ed0cbc6f7f9a506afa7f64f9ab6ba28 Mon Sep 17 00:00:00 2001 From: "unclep@sk" Date: Sun, 18 Oct 2020 09:22:29 +0300 Subject: [PATCH 0829/1335] tags fixed --- .../process_creation/win_susp_use_of_vsjitdebugger_bin.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 3b1377c61..e78117439 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -8,6 +8,7 @@ references: - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 tags: - attack.t1218 + - attack.defense_evasion author: 'Agro (@agro_sev) oscd.community' date: 2020/10/14 logsource: From 3aa2a73ba73a32f7b8875a572ab9b410fb4f19e0 Mon Sep 17 00:00:00 2001 From: nsaddler Date: Sun, 18 Oct 2020 10:38:40 +0300 Subject: [PATCH 0830/1335] Update powershell_CL_Invocation_LOLScript.yml --- .../windows/powershell/powershell_CL_Invocation_LOLScript.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index c7e482c88..7c1fc3063 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -26,7 +26,8 @@ detection: - 'SyncInvoke' timeframe: 1m condition: - - selection or (selection2 | count(ScriptBlockText) by Computer > 2) + - selection + - selection2 | count(ScriptBlockText) by Computer > 2 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe # or # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 From 3bddff4d521ee7f608a824fc8f43ade129261650 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Sun, 18 Oct 2020 11:52:34 +0300 Subject: [PATCH 0831/1335] Update win_susp_multiple_files_renamed.yml --- rules/windows/file_event/win_susp_multiple_files_renamed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml index e0e82577c..40e145f9b 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml @@ -17,7 +17,7 @@ detection: selection: EventID: 4663 ObjectType: 'File' - SubjectLogonId: '*' + SubjectLogonId: not null AccessList: '%%1537' Keywords: '0x8020000000000000' timeframe: 30s From ca09ae5039f5a75a7d35a2c736abdd83e9b4c0e9 Mon Sep 17 00:00:00 2001 
From: OpalSec <33176069+OpalSec@users.noreply.github.com> Date: Sun, 18 Oct 2020 21:15:43 +1100 Subject: [PATCH 0832/1335] Modification of search logic per advice from @zinint Edited suggested searches to improve performance: VAR+ 16ms: .*cmd.*(?:\/c|\/r).*set.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\" 6ms: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\" STDIN+ 7ms: .*cmd.*(?:\/c|\/r).*powershell.+(?:\$\{?input}?|noexit).*\" 3ms: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\" CLIP+ 28ms: .*cmd.*(?:\/c|\/r).*\|.*clip(?:\.exe)?.*&&.*clipboard]::\(\s\\\"\{\d\}.*\-f.*\" 11ms: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\" --- .../builtin/win_invoke_obfuscation_clip+_services.yml | 2 +- .../builtin/win_invoke_obfuscation_stdin+_services.yml | 2 +- .../builtin/win_invoke_obfuscation_var+_services.yml | 3 +-- .../powershell/powershell_invoke_obfuscation_clip+.yml | 4 ++-- .../powershell/powershell_invoke_obfuscation_stdin+.yml | 4 ++-- .../powershell/powershell_invoke_obfuscation_var+.yml | 6 ++---- .../process_creation/win_invoke_obfuscation_clip+.yml | 2 +- .../process_creation/win_invoke_obfuscation_stdin+.yml | 2 +- .../process_creation/win_invoke_obfuscation_var+.yml | 3 +-- 9 files changed, 12 insertions(+), 16 deletions(-) diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml index dad1ab836..95d562295 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml @@ -17,7 +17,7 @@ falsepositives: level: high detection: selection_1: - - ImagePath|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection and selection_1 --- logsource: 
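Review bot: The rewritten `ImagePath|re` pattern is case-sensitive (no `(?i)`), unlike the RUNDLL LAUNCHER rules added later in this series, so `CMD /C` or `Powershell` spellings are missed on backends whose `re` modifier is case-sensitive; it also now requires `cmd.{0,5}(?:\/c|\/r)` before the payload and a closing `\"` at the end, which drops the direct `powershell ... $input` form the old stdin+ pattern caught and any logged path stored without its quotes. The leading `.*` is redundant in an unanchored search and only adds backtracking. The same pattern change is made in the stdin+ and var+ services hunks, the three powershell hunks and the three process_creation hunks that follow, so one decision should be applied to all nine. Suggest `(?i)cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+` here (no leading `.*`, no trailing `\"`) and the equivalent trimming for the other two patterns.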
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml index 2f1d86338..ae5bf974b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml @@ -17,7 +17,7 @@ falsepositives: level: high detection: selection_1: - - ImagePath|re: 'powershell.+(\$\{?input|noexit)' + - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection and selection_1 --- logsource: diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml index d583e05d3..cd893f908 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml @@ -17,8 +17,7 @@ falsepositives: level: high detection: selection_1: - - ImagePath|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' - - ImagePath|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection and selection_1 --- logsource: diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index b6072659b..a6e7e1743 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml 
@@ -18,11 +18,11 @@ detection: selection_1: EventID: 4104 selection_2: - - ScriptBlockText|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' selection_3: EventID: 4103 selection_4: - - Payload|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index 0e081caa7..c73b781b5 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -18,11 +18,11 @@ detection: selection_1: EventID: 4104 selection_2: - - ScriptBlockText|re: 'powershell.+(\$\{?input|noexit)' + - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' selection_3: EventID: 4103 selection_4: - - Payload|re: 'powershell.+(\$\{?input|noexit)' + - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 1434326e0..c6c6bceec 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml 
@@ -18,13 +18,11 @@ detection: selection_1: EventID: 4104 selection_2: - - ScriptBlockText|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' - - ScriptBlockText|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' selection_3: EventID: 4103 selection_4: - - Payload|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' - - Payload|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml index 65be1cc7a..57469abe2 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.+clip(.exe|)(\s|)&&.*clipboard]::\(\s\\\"\{\d\}.+' + - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml index dcbc79456..18ac9ca90 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: 'powershell.+(\$\{?input|noexit)' + - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml index 52422dd0c..531fed7c7 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml @@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: 'set\s[a-zA-Z]{3,6}=Invoke-Expression' - - CommandLine|re: '(\"(?:\{\d\}){1,7}\\){1,5}' + - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection falsepositives: - Unknown From 38061960715931b0cc5f1323003d29b76549fa25 Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 14:57:22 +0300 Subject: [PATCH 0833/1335] Create win_mshta_invoke_html.yml --- .../win_mshta_invoke_html.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_mshta_invoke_html.yml diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml new file mode 100644 index 000000000..098b35b0e --- /dev/null +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml 
@@ -0,0 +1,31 @@ +status: experimental +author: Beyu Denis, oscd.community +date: 2020/10/18 +description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml + - https://twitter.com/pabraeken/status/998567549670477824 + - https://windows10dll.nirsoft.net/mshtml_dll.html +tags: + - attack.execution + - attack.t1085 +logsource: + category: process_creation + product: windows +detection: + selection: + ProcessCommandline|contains|all: + - 'Mshtml.dll' + - 'PrintHTML' + Image|endswith:: + - '\rundll32.exe' + condition: selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - System administrator Usage + - Penetration test +level: medium \ No newline at end of file From 91692e49cd65ed481f4b17c909d9e6bbeff243ca Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:02:03 +0300 Subject: [PATCH 0834/1335] Update win_mshta_invoke_html.yml --- rules/windows/process_creation/win_mshta_invoke_html.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml index 098b35b0e..ee9570572 100644 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection: - ProcessCommandline|contains|all: + ProcessCommandline|contains|all: - 'Mshtml.dll' - 'PrintHTML' - Image|endswith:: + Image|endswith: - '\rundll32.exe' condition: selection fields: From 5b35991cdde23214035659d7fbbfcfe375ae81d0 Mon Sep 17 00:00:00 2001 
From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:05:01 +0300 Subject: [PATCH 0835/1335] Update win_mshta_invoke_html.yml --- rules/windows/process_creation/win_mshta_invoke_html.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml index ee9570572..6daa3e92f 100644 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml @@ -4,8 +4,8 @@ date: 2020/10/18 description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml - - https://twitter.com/pabraeken/status/998567549670477824 - - https://windows10dll.nirsoft.net/mshtml_dll.html + - https://twitter.com/pabraeken/status/998567549670477824 + - https://windows10dll.nirsoft.net/mshtml_dll.html tags: - attack.execution - attack.t1085 From ad11fc7b0e4eaaea2723d49bb8bdda28cca0addb Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:14:13 +0300 Subject: [PATCH 0836/1335] Update win_mshta_invoke_html.yml --- rules/windows/process_creation/win_mshta_invoke_html.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml index 6daa3e92f..b7a74e7d1 100644 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml @@ -1,4 +1,5 @@ status: experimental +id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 author: Beyu Denis, oscd.community date: 2020/10/18 description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). From 6b39f7bb6e4a272bbadd473002769bc5f760fc85 Mon Sep 17 00:00:00 2001 
From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:19:58 +0300 Subject: [PATCH 0837/1335] Update win_mshta_invoke_html.yml --- rules/windows/process_creation/win_mshta_invoke_html.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml index b7a74e7d1..669c89af1 100644 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml @@ -1,3 +1,4 @@ +title: invoke html via mshta status: experimental id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 author: Beyu Denis, oscd.community @@ -18,6 +19,7 @@ detection: ProcessCommandline|contains|all: - 'Mshtml.dll' - 'PrintHTML' + - '.hta' Image|endswith: - '\rundll32.exe' condition: selection From 468fd40dda0b60fa79483a8c6a16a0af54531acf Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:23:44 +0300 Subject: [PATCH 0838/1335] Update win_mshta_invoke_html.yml --- rules/windows/process_creation/win_mshta_invoke_html.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml index 669c89af1..2e5fdcebd 100644 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ b/rules/windows/process_creation/win_mshta_invoke_html.yml @@ -1,4 +1,4 @@ -title: invoke html via mshta +title: 'invoke html via mshta' status: experimental id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 author: Beyu Denis, oscd.community From fabf2a03fe8587e6fe7d6e886976eab4b7af488d Mon Sep 17 00:00:00 2001 
From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 15:29:43 +0300 Subject: [PATCH 0839/1335] Delete win_mshta_invoke_html.yml --- .../win_mshta_invoke_html.yml | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 rules/windows/process_creation/win_mshta_invoke_html.yml diff --git a/rules/windows/process_creation/win_mshta_invoke_html.yml b/rules/windows/process_creation/win_mshta_invoke_html.yml deleted file mode 100644 index 2e5fdcebd..000000000 --- a/rules/windows/process_creation/win_mshta_invoke_html.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: 'invoke html via mshta' -status: experimental -id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 -author: Beyu Denis, oscd.community -date: 2020/10/18 -description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Mshtml.yml - - https://twitter.com/pabraeken/status/998567549670477824 - - https://windows10dll.nirsoft.net/mshtml_dll.html -tags: - - attack.execution - - attack.t1085 -logsource: - category: process_creation - product: windows -detection: - selection: - ProcessCommandline|contains|all: - - 'Mshtml.dll' - - 'PrintHTML' - - '.hta' - Image|endswith: - - '\rundll32.exe' - condition: selection -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine -falsepositives: - - System administrator Usage - - Penetration test -level: medium \ No newline at end of file From e7c9ead4693fe1a8875ed2f007490ddb166262c5 Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 17:06:09 +0300 Subject: [PATCH 0840/1335] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code --- .../process_creation_dotnet.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_dotnet.yml 
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 000000000..552f357f8
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: dotnet.exe exec dll and execute unsigned code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandline|contains:
+ - '*.dll'
+ - '*.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
From 744d27d8928b67a19182027ca4becd27e36dd31c Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 18 Oct 2020 17:08:52 +0300
Subject: [PATCH 0841/1335] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code
---
rules/windows/process_creation/process_creation_dotnet.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index 552f357f8..86f10b43d 100644
--- a/rules/windows/process_creation/process_creation_dotnet.yml
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
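Review bot: `id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3` is the UUID already assigned to win_mshta_invoke_html.yml earlier in this series and is reused again by process_creation_msdeploy.yml two commits later; every rule needs its own id, so fresh UUIDs are required for both the dotnet and the msdeploy rule. `ProcessCommandline` is not the field the other process_creation rules on this page use (they, and this rule's own `fields:` list, use `CommandLine`), so the selection will not bind to the command line under the standard field mapping; the msdeploy rule has the same field name. The `*` inside `contains` values is redundant because the modifier already adds the wildcards, and `.dll` alone matches every ordinary `dotnet app.dll` launch, so either narrow the selection or state in `falsepositives` that this is a noisy hunting rule. Suggest `CommandLine|contains:` / `- '.dll'` / `- '.csproj'`.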
@@ -18,7 +18,7 @@ detection: selection: ProcessCommandline|contains: - '*.dll' - - '*.csproj' + - '*.csproj' Image|endswith: - '\dotnet.exe' condition: selection From 2b731300fb098b345899ecc1ac6d06dbbeaabbb7 Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 17:13:41 +0300 Subject: [PATCH 0842/1335] [OSCD] LOLBIN dotnet.exe exec dll and execute unsigned code =/ --- rules/windows/process_creation/process_creation_dotnet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index 86f10b43d..90659e7be 100644 --- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml @@ -1,4 +1,4 @@ -title: dotnet.exe exec dll and execute unsigned code LOLBIN +title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN status: experimental id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 author: Beyu Denis, oscd.community From 54b75b73b269fcd8908e565ac9501973b3837d5a Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 18 Oct 2020 17:37:14 +0300 Subject: [PATCH 0843/1335] [OSCD] process_creation_msdeploy --- .../process_creation_msdeploy.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_msdeploy.yml diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml new file mode 100644 index 000000000..263ff5bb2 --- /dev/null +++ b/rules/windows/process_creation/process_creation_msdeploy.yml 
@@ -0,0 +1,34 @@
+title: Msdeploy.exe LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: launch binary via msdeploy.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandline|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
From eee01f6a86452aa9a0a8118270d50aeaa5406d07 Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin
Date: Sun, 18 Oct 2020 18:51:51 +0300
Subject: [PATCH 0844/1335] Add powershell_invoke_obfuscation_via_rundll.yml
---
...wershell_invoke_obfuscation_via_rundll.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 000000000..4da0768f1
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection_1 or selection_2
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 1bde40a98d6e219da072ab27bc15ec650f336b0e Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin
Date: Sun, 18 Oct 2020 18:52:25 +0300
Subject: [PATCH 0845/1335] Add win_invoke_obfuscation_via_rundll_services.yml
---
...invoke_obfuscation_via_rundll_services.yml | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
new file mode 100644
index 000000000..7a92e9653
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
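Review bot: In both `ScriptBlockText|re` and `Payload|re` the group `(?:.exe)?` has an unescaped dot, so it matches any character followed by `exe` rather than the literal extension, and `(?:\s+)?` is just `\s*`; the leading `.*` is redundant in an unanchored search and the trailing `\"` makes a closing double quote mandatory, which drops matches where the logged text is stored without it. Suggest `'(?i)rundll32(?:\.exe)?\s*shell32\.dll.*shellexec_rundll.*powershell'` for both selections. The identical pattern is used in the services rule and the process_creation rule added in the next two commits, so the same fix applies there.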
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
From 683c4cfc0a0e2133b81cb3e9f8813da91370ef10 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 18:53:17 +0300 Subject: [PATCH 0846/1335] Add win_invoke_obfuscation_via_rundll.yml
--- .../win_invoke_obfuscation_via_rundll.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml new file mode 100644
index 000000000..a21a4e10b
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
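Review bot: The global `selection_1` matches on `ImagePath`, which is the field name of the System 7045 event only; Sysmon EventID 6 carries its path in `ImageLoaded` and Security 4697 carries the service binary in `ServiceFileName`, so unless a backend field mapping rewrites `ImagePath`, the second and third documents can never match. Sysmon 6 is in any case a driver-load event, so a rundll32/powershell launcher string is unlikely to appear in it at all, and that document could simply be dropped. The last document also indents its top-level `logsource`/`detection` keys one step deeper than the other documents. The COMPRESS services rule later on this page has exactly the same layout and the same problems. Moving the regex into each document's own selection, so the field name follows the event source, fixes it:
```yaml
# … unchanged: title, id, description, references, tags, falsepositives, level …
detection:
    condition: selection
---
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
```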
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 98febd2101ab5701f934f20059f53d8f81ccef6f Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 18:54:06 +0300 Subject: [PATCH 0847/1335] Update win_invoke_obfuscation_via_rundll_services.yml
--- .../builtin/win_invoke_obfuscation_via_rundll_services.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
index 7a92e9653..cf69f3f69 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -14,7 +14,7 @@ tags:
 - attack.t1059.001
 falsepositives:
 - Unknown
-level: high
+level: medium
 detection:
 selection_1:
 - ImagePath|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
@@ -39,4 +39,4 @@ detection:
 service: security
 detection:
 selection:
- EventID: 4697
\ No newline at end of file
+ EventID: 4697
From 0c934ea455e2fa5f13ed4309dc1bc0af8a7b9d26 Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin Date: Sun, 18 Oct 2020 18:54:31 +0300 Subject: [PATCH 0848/1335] Update win_invoke_obfuscation_via_rundll.yml
--- .../process_creation/win_invoke_obfuscation_via_rundll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
index a21a4e10b..80b0a0253 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
@@ -20,4 +20,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: medium
From 35a9a7d46cceeac9f45e0a47038e266f5aaf8fd5 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 18:54:59 +0300 Subject: [PATCH 0849/1335] Update powershell_invoke_obfuscation_via_rundll.yml
--- .../powershell/powershell_invoke_obfuscation_via_rundll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
index 4da0768f1..486b35025 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -24,4 +24,4 @@ detection:
 condition: selection_1 or selection_2
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: medium
From 07d3a6f3406869045cc181b99f2471d669e18357 Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 19:57:30 +0400 Subject: [PATCH 0850/1335] Removed rules to have 1 pull request 1 rule
--- ...p_file_download_via_gfxdownloadwrapper.yml | 24 ----------------- .../win_susp_runscripthelper.yml | 27 ------------------- .../win_verclsid_runs_com.yml | 27 ------------------- .../process_creation/win_winword_dll_load.yml | 25 ----------------- 4 files changed, 103 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml delete mode 100644 rules/windows/process_creation/win_susp_runscripthelper.yml delete mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml delete mode 100644 rules/windows/process_creation/win_winword_dll_load.yml
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml deleted file mode 100644
index 89b4418df..000000000
--- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
-id: eee00933-a761-4cd0-be70-c42fe91731e7
-status: experimental
-description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
-author: Victor Sergeev, oscd.community
-date: 2020/10/09
-logsource:
- category: process_creation
- product: windows
-detection:
- image_path:
- Image|endswith: 'GfxDownloadWrapper.exe'
- cmd:
- CommandLine|contains: 'gameplayapi.intel.com'
- cmd_null:
- CommandLine: ''
- condition: image_path and not cmd and not cmd_null
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml deleted file mode 100644
index b5ac43167..000000000
--- a/rules/windows/process_creation/win_susp_runscripthelper.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious Runscripthelper.ex
-id: eca49c87-8a75-4f13-9c73-a5a29e845f03
-status: experimental
-description: Detects execution of powershell scripts via Runscripthelper.exe
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
-author: Victor Sergeev, oscd.community
-date: 2020/10/09
-logsource:
- category: process_creation
- product: windows
-detection:
- image_path:
- Image|endswith: 'Runscripthelper.exe'
- cmd:
- CommandLine|contains: 'surfacecheck'
- condition: image_path and cmd
-fields:
- - CommandLine
-tags:
- - attack.execution
- - attack.t1059
- - attack.defense_evasion
- - attack.t1202
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml deleted file mode 100644
index 50a10d0d8..000000000
--- a/rules/windows/process_creation/win_verclsid_runs_com.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Verclsid.exe Runs COM Object
-id: d06be4b9-8045-428b-a567-740a26d9db25
-status: experimental
-description: Detects when verclsid.exe is used to run COM object via GUID
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
- - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
-author: Victor Sergeev, oscd.community
-date: 2020/10/09
-logsource:
- category: process_creation
- product: windows
-detection:
- image_path:
- Image|endswith: 'verclsid.exe'
- cmd_s:
- CommandLine|contains: '/S'
-
- cmd_c:
- CommandLine|contains: '/C'
- condition: image_path and cmd_c and cmd_s
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml deleted file mode 100644
index e9b9226bd..000000000
--- a/rules/windows/process_creation/win_winword_dll_load.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Winword.exe Loads Suspicious DLL
-id: 2621b3a6-3840-4810-ac14-a02426086171
-status: experimental
-description: Detects Winword.exe loading of custmom dll via /l cmd switch
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
-author: Victor Sergeev, oscd.community
-date: 2020/10/09
-logsource:
- category: process_creation
- product: windows
-detection:
- image_path:
- Image|endswith: 'winword.exe'
- cmd:
- CommandLine|contains: '/l'
- condition: image_path and cmd
-fields:
- - CommandLine
-tags:
- - attack.defense_evasion
- - attack.t1202
-falsepositives:
- - Unknown
-level: medium
From 7e4a958cc5a857b822da52babbb9f489ad05007b Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:02:34 +0400 Subject: [PATCH 0851/1335] Create win_verclsid_runs_com.yml
--- .../win_verclsid_runs_com.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml new file mode 100644
index 000000000..50a10d0d8
--- /dev/null
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -0,0 +1,27 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
From 39bac712c32e0cf39bd58ef92cb71d20f3be3567 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:05:09 +0300 Subject: [PATCH 0852/1335] Update win_invoke_obfuscation_via_rundll_services.yml
--- .../builtin/win_invoke_obfuscation_via_rundll_services.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
index cf69f3f69..3bad01d92 100644
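Review bot: `Image|endswith: 'verclsid.exe'` has no leading path separator, unlike `'\tracker.exe'` and `'\runonce.exe'` in the rules at the end of this page, so any image whose file name merely ends in those characters also satisfies `image_path`; `Image|endswith: '\verclsid.exe'` pins the match to the exact file name. The winword, runscripthelper and GfxDownloadWrapper rules re-created below, and the second re-creation of this file after the revert pair, have the same omission. This rule is also the only one of the four without a `tags:` block; the ATT&CK technique given in the LOLBAS reference belongs there so the rule is searchable like its siblings. The blank line between `cmd_s` and `cmd_c` inside `detection` looks accidental.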
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -17,7 +17,7 @@ falsepositives:
 level: medium
 detection:
 selection_1:
- - ImagePath|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection and selection_1
 ---
 logsource:
From eb2af704e70ce8442253b92bee0ca66d584881c4 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:05:27 +0300 Subject: [PATCH 0853/1335] Update powershell_invoke_obfuscation_via_rundll.yml
--- .../powershell/powershell_invoke_obfuscation_via_rundll.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
index 486b35025..4dc879bcc 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -17,10 +17,10 @@ logsource:
 detection:
 selection_1:
 EventID: 4104
- ScriptBlockText|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 selection_2:
 EventID: 4103
- Payload|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection_1 or selection_2
 falsepositives:
 - Unknown
From d84281936b622d10a9de1d73f9cd2c7d97d5726d Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:05:40 +0300 Subject: [PATCH 0854/1335] Update win_invoke_obfuscation_via_rundll.yml
--- .../process_creation/win_invoke_obfuscation_via_rundll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
index 80b0a0253..4883f3265 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- - CommandLine|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection
 falsepositives:
 - Unknown
From 8e820d441a88254c099a6b7f473ac5b094bb0b7b Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:10:21 +0400 Subject: [PATCH 0855/1335] Revert "Create win_verclsid_runs_com.yml" This reverts commit 7e4a958cc5a857b822da52babbb9f489ad05007b.
--- .../win_verclsid_runs_com.yml | 27 ------------------- 1 file changed, 27 deletions(-) delete mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml deleted file mode 100644
index 50a10d0d8..000000000
--- a/rules/windows/process_creation/win_verclsid_runs_com.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Verclsid.exe Runs COM Object
-id: d06be4b9-8045-428b-a567-740a26d9db25
-status: experimental
-description: Detects when verclsid.exe is used to run COM object via GUID
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
- - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
-author: Victor Sergeev, oscd.community
-date: 2020/10/09
-logsource:
- category: process_creation
- product: windows
-detection:
- image_path:
- Image|endswith: 'verclsid.exe'
- cmd_s:
- CommandLine|contains: '/S'
-
- cmd_c:
- CommandLine|contains: '/C'
- condition: image_path and cmd_c and cmd_s
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
From 5ae052b66572b493c549400f751f157da5b4487a Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:10:29 +0400 Subject: [PATCH 0856/1335] Revert "Revert "Create win_verclsid_runs_com.yml"" This reverts commit 8e820d441a88254c099a6b7f473ac5b094bb0b7b.
--- .../win_verclsid_runs_com.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml new file mode 100644
index 000000000..50a10d0d8
--- /dev/null
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -0,0 +1,27 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
From 5cb76ef7d430ea3ae4d46147bca087b9d59fb72d Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:29:39 +0400 Subject: [PATCH 0857/1335] Create win_winword_dll_load.yml
--- .../process_creation/win_winword_dll_load.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/win_winword_dll_load.yml
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml new file mode 100644
index 000000000..e9b9226bd
--- /dev/null
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -0,0 +1,25 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: experimental
+description: Detects Winword.exe loading of custmom dll via /l cmd switch
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
From a6d99e441823b937f3186de872bc580a9abbcb4d Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:37:53 +0400 Subject: [PATCH 0858/1335] Create win_susp_runscripthelper.yml
--- .../win_susp_runscripthelper.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_runscripthelper.yml
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml new file mode 100644
index 000000000..b5ac43167
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
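Review bot: `CommandLine|contains: '/l'` is a two-character substring, so any winword.exe command line containing `/l` anywhere in a path or URL argument matches, which makes this the widest check in the series. If the switch is always space-delimited, `CommandLine|contains: ' /l '` (the form the tracker rule below uses for `' /d '`) narrows it considerably; otherwise the rule should at least say what noise to expect under `falsepositives` instead of `Unknown`. The description also has a typo: `custmom` should read `custom`.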
@@ -0,0 +1,27 @@
+title: Suspicious Runscripthelper.exe
+id: eca49c87-8a75-4f13-9c73-a5a29e845f03
+status: experimental
+description: Detects execution of powershell scripts via Runscripthelper.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'Runscripthelper.exe'
+ cmd:
+ CommandLine|contains: 'surfacecheck'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
From 65fc9686584163b86fd77a267dbf30680dd9947a Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sun, 18 Oct 2020 20:40:23 +0400 Subject: [PATCH 0859/1335] Create win_susp_file_download_via_gfxdownloadwrapper.yml
--- ...p_file_download_via_gfxdownloadwrapper.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml new file mode 100644
index 000000000..89b4418df
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -0,0 +1,24 @@
+title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+id: eee00933-a761-4cd0-be70-c42fe91731e7
+status: experimental
+description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: 'GfxDownloadWrapper.exe'
+ cmd:
+ CommandLine|contains: 'gameplayapi.intel.com'
+ cmd_null:
+ CommandLine: ''
+ condition: image_path and not cmd and not cmd_null
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
From 30f7dad9015af42780c406742250fd3a009d815f Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:50:30 +0300 Subject: [PATCH 0860/1335] Add win_invoke_obfuscation_via_compress_services.yml
--- ...voke_obfuscation_via_compress_services.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml new file mode 100644
index 000000000..e15561a51
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
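Review bot: The `cmd_null` exclusion (`CommandLine: ''`) only works if the backend stores an absent command line as an empty string; when the field is simply missing from the event, `not cmd_null` is a no-op and the event still alerts although there is no URL to judge. A comment above `cmd_null:` such as `# events without a command line carry no URL to judge; drop them` would make the intent explicit, and the way a missing field is expressed is backend-specific, which is worth mentioning there too. The allow-list `cmd` is a plain substring check on `gameplayapi.intel.com`; stating in the description that this host is treated as the only legitimate download source would make the tuning decision visible to whoever maintains the rule.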
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - unknown
+level: medium
+detection:
+ selection_1:
+ - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_1
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
From 8b255ab959acbb71be0fc6d8c5aa6ea16fea5112 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:50:58 +0300 Subject: [PATCH 0861/1335] Add powershell_invoke_obfuscation_via_compress.yml
--- ...rshell_invoke_obfuscation_via_compress.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml new file mode 100644
index 000000000..bb6ba2b99
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection_1 or selection_2
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
From 0d5b03342a19ec1bf25a12f9ae732257521b8493 Mon Sep 17 00:00:00 2001 From: Timur Zinniatullin Date: Sun, 18 Oct 2020 19:51:20 +0300 Subject: [PATCH 0862/1335] Add win_invoke_obfuscation_via_compress.yml
--- .../win_invoke_obfuscation_via_compress.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml new file mode 100644
index 000000000..00527484d
--- /dev/null
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,23 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
From 4619e98602020e8bc4791a7bd9ab7cf7130f6542 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ensar=20=C5=9Eamil?= Date: Sun, 18 Oct 2020 20:08:29 +0300 Subject: [PATCH 0863/1335] Update win_pe_exec_vsjitdebugger.yml
--- rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml b/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
index a5721277f..99cbcbf56 100644
--- a/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
+++ b/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the execution of Vsjitdebugger tool as parent process which is utilized like proxy for other PE files executions.
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
-author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020/10/08
 tags:
 - attack.defense_evasion
@@ -18,4 +18,4 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate usage of software developer/tester
-level: medium
\ No newline at end of file
+level: medium
From 439f88f75ace5a78e8d53cdb6a1f6088743b5776 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 18 Oct 2020 20:25:37 +0300 Subject: [PATCH 0864/1335] Create win_mal_lockergoga.yml
--- rules/windows/malware/win_mal_lockergoga.yml | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/malware/win_mal_lockergoga.yml
diff --git a/rules/windows/malware/win_mal_lockergoga.yml b/rules/windows/malware/win_mal_lockergoga.yml new file mode 100644
index 000000000..c22d83ab7
--- /dev/null
+++ b/rules/windows/malware/win_mal_lockergoga.yml
@@ -0,0 +1,23 @@
+title: LockerGoga Ransomware
+id: 74db3488-fd28-480a-95aa-b7af626de068
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+status: experimental
+references:
+ - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+ - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+ - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+tags:
+ - attack.impact
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '-i SM-tgytutrc -s'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
From 8a43dec5a3bb692fcb9b15dd094d3c5ece4f0edf Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Sun, 18 Oct 2020 20:28:55 +0200 Subject: [PATCH 0865/1335] =?UTF-8?q?Adding=20=C3=96mer=20as=20the=20leadi?= =?UTF-8?q?ng=20author?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- rules/linux/macos_local_groups.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
index 3441c43d5..e914d3326 100644
--- a/rules/linux/macos_local_groups.yml
+++ b/rules/linux/macos_local_groups.yml
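Review bot: The only indicator is the literal `-i SM-tgytutrc -s`, and the rule does not say what that argument is — presumably a fixed argument of the analysed samples, going by the referenced write-ups — or why a single sample-specific string justifies `level: critical`. A comment above `CommandLine|contains:` along the lines of `# hard-coded argument observed in the LockerGoga samples in the references; expect it to drift between builds` would tell maintainers how brittle the match is and when to expect it to go stale. `falsepositives: Unlikely` is fair for a string this specific.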
@@ -2,7 +2,7 @@ title: Local Groups Discovery
 id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
 status: experimental
 description: Detects enumeration of local system groups
-author: Alejandro Ortuno, oscd.community
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/10/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
From 41f5d7e87600047479c5d3fa48c9c1840d8d8dad Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Sun, 18 Oct 2020 20:30:32 +0200 Subject: [PATCH 0866/1335] =?UTF-8?q?Adding=20=C3=96mer=20as=20leading=20a?= =?UTF-8?q?uthor?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- rules/linux/lnx_local_groups.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml
index 7bdb042a7..3ca19f538 100644
--- a/rules/linux/lnx_local_groups.yml
+++ b/rules/linux/lnx_local_groups.yml
@@ -2,7 +2,7 @@ title: Local Groups Discovery
 id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
 status: experimental
 description: Detects enumeration of local system groups
-author: Alejandro Ortuno, oscd.community
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/10/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
From 755a714884087cce5ab6d3f3c317d44f497c3160 Mon Sep 17 00:00:00 2001 From: v3t0 Date: Sun, 18 Oct 2020 19:35:57 -0400 Subject: [PATCH 0867/1335] [OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
--- .../win_susp_tracker_execution.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_tracker_execution.yml
diff --git a/rules/windows/process_creation/win_susp_tracker_execution.yml b/rules/windows/process_creation/win_susp_tracker_execution.yml new file mode 100644
index 000000000..08ef303cc
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tracker_execution.yml
@@ -0,0 +1,31 @@
+title: DLL Injection with Tracker.exe
+id: 148431ce-4b70-403d-8525-fcc2993f29ea
+description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_name:
+ Image|endswith:
+ - '\tracker.exe'
+ process_description:
+ Description:
+ - 'Tracker'
+ commandline_param1:
+ CommandLine|contains:
+ - ' /d '
+ commandline_param2:
+ CommandLine|contains:
+ - ' /c '
+ condition: (process_name or process_description) and commandline_param1 and commandline_param2
+falsepositives:
+ - Unknown
+level: medium
From 3a550af9f75353e44288380988d245bcc7516eef Mon Sep 17 00:00:00 2001 From: v3t0 Date: Sun, 18 Oct 2020 22:38:13 -0400 Subject: [PATCH 0868/1335] [OSCD] Added a rule to detect execution of runonce with suspicious parameters
--- .../win_susp_runonce_execution.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_runonce_execution.yml
diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml new file mode 100644
index 000000000..1f4b7f1b9
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runonce_execution.yml
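Review bot: The `process_description` branch (`Description: 'Tracker'`) is OR-ed with the image name, which presumably exists to still catch the binary when it has been renamed, but nothing in the rule says so; a comment such as `# Description catches a renamed tracker.exe that the Image check would miss` would make the intent explicit. The runonce rule in the next hunk uses the same construct with `'Run Once Wrapper'` and would benefit from the same comment. Stylistically, every field value here is a one-element list (`Image|endswith:` followed by `- '\tracker.exe'`), which none of the other process_creation rules in this series do; plain scalars match the same events and read more easily.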
@@ -0,0 +1,29 @@ +title: Run Once Task Execution as Configured in Registry +id: 198effb6-6c98-4d0c-9ea3-451fa143c45c +description: This rule detects the execution of Run Once task as configured in the registry +author: 'Avneet Singh @v3t0_, oscd.community' +status: experimental +date: 2020/10/18 +references: + - https://twitter.com/pabraeken/status/990717080805789697 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml +tags: + - attack.defense_evasion + - attack.t1112 +logsource: + product: windows + category: process_creation +detection: + process_name: + Image|endswith: + - '\runonce.exe' + process_description: + Description: + - 'Run Once Wrapper' + command_line: + CommandLine|contains: + - ' /AlternateShellStartup' + condition: (process_name or process_description) and command_line +falsepositives: + - Unknown +level: medium From 654bd7bdbae546e5f95a6cb3d69bff8db7dfe4eb Mon Sep 17 00:00:00 2001 From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com> Date: Mon, 19 Oct 2020 11:05:45 +0300 Subject: [PATCH 0869/1335] Update win_software_discovery.yml Add edits --- rules/windows/builtin/win_software_discovery.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml index c6274d324..d1c815ee1 100644 --- a/rules/windows/builtin/win_software_discovery.yml +++ b/rules/windows/builtin/win_software_discovery.yml @@ -7,7 +7,6 @@ author: Nikita Nazarov, oscd.community date: 2020/10/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md - - https://attack.mitre.org/techniques/T1518/ tags: - attack.discovery - attack.t1518 
@@ -25,7 +24,7 @@ detection: EventID: 4104 ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize - 'get-itemProperty' - - '*\software\*' + - '\software\' - 'select-object' - 'format-table' --- @@ -37,6 +36,6 @@ detection: Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion CommandLine|contains|all: - 'query' - - '*\software\*' + - '\software\' - '/v' - 'svcversion' From c9ca0a79b629113392ead066226e07a4f64c8455 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:17:04 +0300 Subject: [PATCH 0870/1335] t1070.006 for lin/macos --- rules/linux/lnx_binary_padding.yml | 35 ++++++++++++++++++++++++++++ rules/linux/macos_binary_padding.yml | 31 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 rules/linux/lnx_binary_padding.yml create mode 100644 rules/linux/macos_binary_padding.yml diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml new file mode 100644 index 000000000..b0806ace2 --- /dev/null +++ b/rules/linux/lnx_binary_padding.yml 
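Review bot: The `|contains|all` lists in both hunks still require the cosmetic tokens taken from the single example command (`select-object` and `format-table` in the 4104 selection, `svcversion` in the reg.exe selection), so the documented uninstall-key enumeration without those extra tokens does not match. The wildcard fix itself is right, since `contains` already wraps the term. I would drop `- 'select-object'` and `- 'format-table'` from the script block list and move `svcversion` into a separate optional selection, or add a comment stating why the narrower form was chosen. The `detection:` mapping edited by both hunks starts and ends outside them.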
@@ -0,0 +1,35 @@ +title: 'Binary Padding' +id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba +status: experimental +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' + # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains|all: + - 'truncate' + - '-s' + selection2: + type: 'EXECVE' + keywords|contains|all: + - 'dd' + - 'if=' + filter: + keywords|contains: 'of=' + condition: selection1 or (selection2 and not filter) +falsepositives: + - 'Legitimate script work' +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml new file mode 100644 index 000000000..d95f6c38f --- /dev/null +++ b/rules/linux/macos_binary_padding.yml 
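Review bot: `keywords|contains` with the two-character term `'dd'` in `selection2` matches any EXECVE record whose arguments merely contain that substring (`adduser`, `--add`, path components), and `'-s'` in `selection1` matches any `-s…` option, so the rule will be noisy at `level: high`. If the auditd parser exposes the EXECVE argument fields, anchoring on the program argument, `a0: 'dd'` and `a0: 'truncate'`, instead of free-text keywords would remove most of that noise. The `# For this rule to work…` comment lines are indented under `description:`; they are valid YAML comments but read as if they belonged to that value, so placing them above `logsource:` would make the audit requirement clearer.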
@@ -0,0 +1,31 @@ +title: 'Binary Padding' +id: 95361ce5-c891-4b0a-87ca-e24607884a96 +status: experimental +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +logsource: + product: macos + category: process_creation +detection: + selection1: + CommandLine|contains|all: + - 'truncate' + - '-s' + selection2: + CommandLine|contains|all: + - 'dd' + - 'if=' + filter: + keywords|contains: 'of=' + condition: selection1 or (selection2 and not filter) +falsepositives: + - 'Legitimate script work' +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 From d9fba92adf367d2f5a82366b534294cf7181c4fa Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:25:31 +0300 Subject: [PATCH 0871/1335] t1030 for lin/macos --- rules/linux/lnx_split_file_into_pieces.yml | 26 ++++++++++++++++++++ rules/linux/macos_split_file_into_pieces.yml | 23 +++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 rules/linux/lnx_split_file_into_pieces.yml create mode 100644 rules/linux/macos_split_file_into_pieces.yml diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml new file mode 100644 index 000000000..c0a2a14f6 --- /dev/null +++ b/rules/linux/lnx_split_file_into_pieces.yml 
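Review bot: The `filter` selection of the macOS rule uses `keywords|contains: 'of='` while the rest of the rule is a `process_creation` rule matching on `CommandLine`; the field was carried over from the auditd version, so `not filter` will either never exclude anything or fail at conversion depending on the backend. It should read `filter:` / `CommandLine|contains: 'of='`. The `keywords` field is appropriate only in the sibling `lnx_binary_padding.yml` rule that targets `service: auditd`.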
@@ -0,0 +1,26 @@ +title: 'Split A File Into Pieces' +id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 +status: experimental +description: 'Detection use of the command "split" to split files into parts and possible transfer.' + # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + comm: 'split' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.defense_exfiltration + - attack.t1030 diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml new file mode 100644 index 000000000..aecda4342 --- /dev/null +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -0,0 +1,23 @@ +title: 'Split A File Into Pieces' +id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 +status: experimental +description: 'Detection use of the command "split" to split files into parts and possible transfer.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +logsource: + product: macos + category: process_creation +detection: + selection: + ProcessName|endswith: '/split' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.defense_exfiltration + - attack.t1030 
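Review bot: `attack.defense_exfiltration` in the `tags` of both new rules (`lnx_split_file_into_pieces.yml` and `macos_split_file_into_pieces.yml`, both on this line) is not an ATT&CK tactic name; the tactic for T1030 is Exfiltration, so the tag should be `- attack.exfiltration`. The repository's tag validation is likely to reject the current value. A one-line comment in the Linux rule that `comm` is taken from the SYSCALL record produced by the execve audit rule would also help readers reconcile the comment about execve auditing with `type: 'SYSCALL'`.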
From d7e8a802bd6eac7cde6d1d95ac69a4617ac81139 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:28:43 +0300 Subject: [PATCH 0872/1335] t1552.001 for Lin/macOS --- rules/linux/lnx_system_shutdown_reboot.yml | 40 ++++++++++++++++++++ rules/linux/macos_system_shutdown_reboot.yml | 27 +++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 rules/linux/lnx_system_shutdown_reboot.yml create mode 100644 rules/linux/macos_system_shutdown_reboot.yml diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml new file mode 100644 index 000000000..3cbec19d6 --- /dev/null +++ b/rules/linux/lnx_system_shutdown_reboot.yml @@ -0,0 +1,40 @@ +title: 'System Shutdown/Reboot' +id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f +status: experimental +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' + # For this rule to work execve auditing must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains: + - 'shutdown' + - 'reboot' + - 'halt' + - 'poweroff' + selection2: + type: 'EXECVE' + keywords|contains: + - 'init' + - 'telinit' + selection3: + type: 'EXECVE' + keywords|contains: + - '0' + - '6' + condition: selection1 or (selection2 and selection3) +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.impact + - attack.t1529 diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml new file mode 100644 index 000000000..9827711c4 --- /dev/null 
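Review bot: The reference URL in `lnx_system_shutdown_reboot.yml`, and in `macos_system_shutdown_reboot.yml` on the next line, starts with `hhttps://`, which breaks the link; it should be `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. In the Linux rule, `selection2` and `selection3` use `keywords|contains` with the substrings `'init'` and `'0'`/`'6'`, so any execve whose arguments contain `init` together with a zero or a six (a `cloud-init` or `git init` invocation with a digit in a path, for instance) satisfies `selection2 and selection3`. If the auditd parser exposes the EXECVE argument fields, `a0|endswith: 'init'` combined with `a1: '0'` and `a1: '6'` expresses the intended `init 0` / `telinit 6` far more precisely.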
+++ b/rules/linux/macos_system_shutdown_reboot.yml @@ -0,0 +1,27 @@ +title: 'System Shutdown/Reboot' +id: 40b1fbe2-18ea-4ee7-be47-0294285811de +status: experimental +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +logsource: + product: macos + category: process_creation +detection: + selection: + ProcessName|endswith: + - '/shutdown' + - '/reboot' + - '/halt' + - '/poweroff' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.impact + - attack.t1529 From c460dcf5de8e19c2b723bc1c05427d452fdccd29 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:32:01 +0300 Subject: [PATCH 0873/1335] t1552.001 for lin/macos --- rules/linux/lnx_change_file_time_attr.yml | 33 +++++++++++++++++++++ rules/linux/macos_change_file_time_attr.yml | 29 ++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 rules/linux/lnx_change_file_time_attr.yml create mode 100644 rules/linux/macos_change_file_time_attr.yml diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml new file mode 100644 index 000000000..7f7cd5a3d --- /dev/null +++ b/rules/linux/lnx_change_file_time_attr.yml 
@@ -0,0 +1,33 @@ +title: 'File Time Attribute Change' +id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b +status: experimental +description: 'Detect file time attribute change to hide new or changes to existing files.' + # For this rule to work execve auditing must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains: 'touch' + selection2: + type: 'EXECVE' + keywords|contains: + - '-t' + - '-acmr' + - '-d' + - '-r' + condition: selection1 and selection2 +falsepositives: + - 'Unknown' +level: medium +tags: + - attack.defense_evasion + - attack.t1070.006 diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml new file mode 100644 index 000000000..2737887fc --- /dev/null +++ b/rules/linux/macos_change_file_time_attr.yml 
@@ -0,0 +1,29 @@ +title: 'File Time Attribute Change' +id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b +status: experimental +description: 'Detect file time attribute change to hide new or changes to existing files.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md +logsource: + product: macos + category: process_creation +detection: + selection1: + CommandLine|contains: 'touch' + selection2: + CommandLine|contains: + - '-t' + - '-acmr' + - '-d' + - '-r' + condition: selection1 and selection2 +falsepositives: + - 'Unknown' +level: medium +tags: + - attack.defense_evasion + - attack.t1070.006 From dc320e5be260ec1b68de6a0da0d6f17e1f0d8c9f Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:34:13 +0300 Subject: [PATCH 0874/1335] t1552.001 for lin/macOS --- rules/linux/lnx_find_cred_in_files.yml | 29 ++++++++++++++++++++++++ rules/linux/macos_find_cred_in_files.yml | 27 ++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 rules/linux/lnx_find_cred_in_files.yml create mode 100644 rules/linux/macos_find_cred_in_files.yml diff --git a/rules/linux/lnx_find_cred_in_files.yml b/rules/linux/lnx_find_cred_in_files.yml new file mode 100644 index 000000000..5751a9db4 --- /dev/null +++ b/rules/linux/lnx_find_cred_in_files.yml 
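Review bot: The new macOS rule reuses `id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b`, the same UUID carried by `lnx_change_file_time_attr.yml` on the previous line; Sigma rule ids must be unique and the repository's tests check for duplicates, so this rule needs its own freshly generated value, `id: <new-uuid>`. If the schema in use supports it, a `related:` entry of `type: derived` pointing at the Linux id would preserve the link between the two rules.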
@@ -0,0 +1,29 @@ +title: 'Credentials In Files' +id: df3fcaea-2715-4214-99c5-0056ea59eb35 +status: experimental +description: 'Detecting attempts to extract passwords with grep' + # For this rule to work execve auditing must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains: 'grep' + selection2: + type: 'EXECVE' + keywords|contains: 'password' + condition: selection1 and selection2 +falsepositives: + - 'Unknown' +level: high +tags: + - attack.credential_access + - attack.t1552.001 diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml new file mode 100644 index 000000000..742a79efd --- /dev/null +++ b/rules/linux/macos_find_cred_in_files.yml @@ -0,0 +1,27 @@ +title: 'Credentials In Files' +id: df3fcaea-2715-4214-99c5-0056ea59eb35 +status: experimental +description: 'Detecting attempts to extract passwords with grep and laZagne' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +logsource: + product: macos + category: process_creation +detection: + selection1: + CommandLine|contains|all: + - 'grep' + - 'password' + selection2: + CommandLine|contains: 'laZagne' + condition: selection1 or selection2 +falsepositives: + - 'Unknown' +level: high +tags: + - attack.credential_access + - attack.t1552.001 
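Review bot: Both rules on this line, `lnx_find_cred_in_files.yml` and `macos_find_cred_in_files.yml`, declare the same `id: df3fcaea-2715-4214-99c5-0056ea59eb35`; Sigma ids must be unique per rule, so the macOS rule should get a freshly generated value, `id: <new-uuid>`. The two rules also differ in scope (the macOS version adds the `laZagne` selection and uses `or`), which is a further reason they should not share an identifier.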
From 058c77f6a6b920f815064463e96e5f3ab172c64a Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:39:41 +0300 Subject: [PATCH 0875/1335] fix newlines --- rules/linux/lnx_binary_padding.yml | 70 ++++++++++++++-------------- rules/linux/macos_binary_padding.yml | 62 ++++++++++++------------ 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml index b0806ace2..09357e0f1 100644 --- a/rules/linux/lnx_binary_padding.yml +++ b/rules/linux/lnx_binary_padding.yml 
@@ -1,35 +1,35 @@ -title: 'Binary Padding' -id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba -status: experimental -description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' - # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured - # Example config (place it at the bottom of audit.rules) - # -a always,exit -F arch=b32 -S execve -k execve - # -a always,exit -F arch=b64 -S execve -k execve -author: 'Igor Fits, oscd.community' -date: 2020/10/13 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md -logsource: - product: linux - service: auditd -detection: - selection1: - type: 'EXECVE' - keywords|contains|all: - - 'truncate' - - '-s' - selection2: - type: 'EXECVE' - keywords|contains|all: - - 'dd' - - 'if=' - filter: - keywords|contains: 'of=' - condition: selection1 or (selection2 and not filter) -falsepositives: - - 'Legitimate script work' -level: high -tags: - - attack.defense_evasion - - attack.t1027.001 +title: 'Binary Padding' +id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba +status: experimental +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' 
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains|all: + - 'truncate' + - '-s' + selection2: + type: 'EXECVE' + keywords|contains|all: + - 'dd' + - 'if=' + filter: + keywords|contains: 'of=' + condition: selection1 or (selection2 and not filter) +falsepositives: + - 'Legitimate script work' +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml index d95f6c38f..f004c15d3 100644 --- a/rules/linux/macos_binary_padding.yml +++ b/rules/linux/macos_binary_padding.yml 
@@ -1,31 +1,31 @@ -title: 'Binary Padding' -id: 95361ce5-c891-4b0a-87ca-e24607884a96 -status: experimental -description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' - # For this rule to work you must enable audit of process execution in OpenBSM, see - # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing -author: 'Igor Fits, Mikhail Larin, oscd.community' -date: 2020/10/19 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md -logsource: - product: macos - category: process_creation -detection: - selection1: - CommandLine|contains|all: - - 'truncate' - - '-s' - selection2: - CommandLine|contains|all: - - 'dd' - - 'if=' - filter: - keywords|contains: 'of=' - condition: selection1 or (selection2 and not filter) -falsepositives: - - 'Legitimate script work' -level: high -tags: - - attack.defense_evasion - - attack.t1027.001 +title: 'Binary Padding' +id: 95361ce5-c891-4b0a-87ca-e24607884a96 +status: experimental +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' 
+ # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +logsource: + product: macos + category: process_creation +detection: + selection1: + CommandLine|contains|all: + - 'truncate' + - '-s' + selection2: + CommandLine|contains|all: + - 'dd' + - 'if=' + filter: + keywords|contains: 'of=' + condition: selection1 or (selection2 and not filter) +falsepositives: + - 'Legitimate script work' +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 From 008260b0e41b8c3ff6c4feccccb9f0bfcc23214a Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Mon, 19 Oct 2020 16:41:24 +0300 Subject: [PATCH 0876/1335] fix newlines --- rules/linux/lnx_split_file_into_pieces.yml | 52 ++++++++++---------- rules/linux/macos_split_file_into_pieces.yml | 46 ++++++++--------- 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml index c0a2a14f6..4d237a78d 100644 --- a/rules/linux/lnx_split_file_into_pieces.yml +++ b/rules/linux/lnx_split_file_into_pieces.yml 
@@ -1,26 +1,26 @@ -title: 'Split A File Into Pieces' -id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 -status: experimental -description: 'Detection use of the command "split" to split files into parts and possible transfer.' - # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured - # Example config (place it at the bottom of audit.rules) - # -a always,exit -F arch=b32 -S execve -k execve - # -a always,exit -F arch=b64 -S execve -k execve -author: 'Igor Fits, oscd.community' -date: 2020/10/15 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md -logsource: - product: linux - service: auditd -detection: - selection: - type: 'SYSCALL' - comm: 'split' - condition: selection -falsepositives: - - 'Legitimate administrative activity' -level: high -tags: - - attack.defense_exfiltration - - attack.t1030 +title: 'Split A File Into Pieces' +id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 +status: experimental +description: 'Detection use of the command "split" to split files into parts and possible transfer.' + # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + comm: 'split' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.defense_exfiltration + - attack.t1030 diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml index aecda4342..617e5d5ef 100644 
--- a/rules/linux/macos_split_file_into_pieces.yml +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -1,23 +1,23 @@ -title: 'Split A File Into Pieces' -id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 -status: experimental -description: 'Detection use of the command "split" to split files into parts and possible transfer.' - # For this rule to work you must enable audit of process execution in OpenBSM, see - # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing -author: 'Igor Fits, Mikhail Larin, oscd.community' -date: 2020/10/15 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md -logsource: - product: macos - category: process_creation -detection: - selection: - ProcessName|endswith: '/split' - condition: selection -falsepositives: - - 'Legitimate administrative activity' -level: high -tags: - - attack.defense_exfiltration - - attack.t1030 +title: 'Split A File Into Pieces' +id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 +status: experimental +description: 'Detection use of the command "split" to split files into parts and possible transfer.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +logsource: + product: macos + category: process_creation +detection: + selection: + ProcessName|endswith: '/split' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.defense_exfiltration + - attack.t1030 From 85adbc3137740a428ae7b6d3c64f823016cdb44f Mon Sep 17 00:00:00 2001 
From: Mikhail Larin Date: Mon, 19 Oct 2020 16:42:43 +0300 Subject: [PATCH 0877/1335] fix newlines --- rules/linux/lnx_system_shutdown_reboot.yml | 80 ++++++++++---------- rules/linux/macos_system_shutdown_reboot.yml | 54 ++++++------- 2 files changed, 67 insertions(+), 67 deletions(-) diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml index 3cbec19d6..1e1abcf27 100644 --- a/rules/linux/lnx_system_shutdown_reboot.yml +++ b/rules/linux/lnx_system_shutdown_reboot.yml 
@@ -1,40 +1,40 @@ -title: 'System Shutdown/Reboot' -id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f -status: experimental -description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' - # For this rule to work execve auditing must be configured - # Example config (place it at the bottom of audit.rules) - # -a always,exit -F arch=b32 -S execve -k execve - # -a always,exit -F arch=b64 -S execve -k execve -author: 'Igor Fits, oscd.community' -date: 2020/10/15 -references: - - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md -logsource: - product: linux - service: auditd -detection: - selection1: - type: 'EXECVE' - keywords|contains: - - 'shutdown' - - 'reboot' - - 'halt' - - 'poweroff' - selection2: - type: 'EXECVE' - keywords|contains: - - 'init' - - 'telinit' - selection3: - type: 'EXECVE' - keywords|contains: - - '0' - - '6' - condition: selection1 or (selection2 and selection3) -falsepositives: - - 'Legitimate administrative activity' -level: high -tags: - - attack.impact - - attack.t1529 +title: 'System Shutdown/Reboot' +id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f +status: experimental +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' 
+ # For this rule to work execve auditing must be configured + # Example config (place it at the bottom of audit.rules) + # -a always,exit -F arch=b32 -S execve -k execve + # -a always,exit -F arch=b64 -S execve -k execve +author: 'Igor Fits, oscd.community' +date: 2020/10/15 +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + keywords|contains: + - 'shutdown' + - 'reboot' + - 'halt' + - 'poweroff' + selection2: + type: 'EXECVE' + keywords|contains: + - 'init' + - 'telinit' + selection3: + type: 'EXECVE' + keywords|contains: + - '0' + - '6' + condition: selection1 or (selection2 and selection3) +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.impact + - attack.t1529 diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml index 9827711c4..406e638b5 100644 --- a/rules/linux/macos_system_shutdown_reboot.yml +++ b/rules/linux/macos_system_shutdown_reboot.yml 
@@ -1,27 +1,27 @@ -title: 'System Shutdown/Reboot' -id: 40b1fbe2-18ea-4ee7-be47-0294285811de -status: experimental -description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' - # For this rule to work you must enable audit of process execution in OpenBSM, see - # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing -author: 'Igor Fits, Mikhail Larin, oscd.community' -date: 2020/10/19 -references: - - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md -logsource: - product: macos - category: process_creation -detection: - selection: - ProcessName|endswith: - - '/shutdown' - - '/reboot' - - '/halt' - - '/poweroff' - condition: selection -falsepositives: - - 'Legitimate administrative activity' -level: high -tags: - - attack.impact - - attack.t1529 +title: 'System Shutdown/Reboot' +id: 40b1fbe2-18ea-4ee7-be47-0294285811de +status: experimental +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +logsource: + product: macos + category: process_creation +detection: + selection: + ProcessName|endswith: + - '/shutdown' + - '/reboot' + - '/halt' + - '/poweroff' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: high +tags: + - attack.impact + - attack.t1529 From a64a70f7ed7df1b8ac41d6f32f73588532c09418 Mon Sep 17 00:00:00 2001 
From: Mikhail Larin Date: Mon, 19 Oct 2020 16:44:18 +0300 Subject: [PATCH 0878/1335] fix nelwines --- rules/linux/lnx_change_file_time_attr.yml | 66 ++++++++++----------- rules/linux/macos_change_file_time_attr.yml | 58 +++++++++--------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml index 7f7cd5a3d..22763a8cf 100644 --- a/rules/linux/lnx_change_file_time_attr.yml +++ b/rules/linux/lnx_change_file_time_attr.yml 
@@ -1,33 +1,33 @@
-title: 'File Time Attribute Change'
-id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
-status: experimental
-description: 'Detect file time attribute change to hide new or changes to existing files.'
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
-author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
-logsource:
- product: linux
- service: auditd
-detection:
- selection1:
- type: 'EXECVE'
- keywords|contains: 'touch'
- selection2:
- type: 'EXECVE'
- keywords|contains:
- - '-t'
- - '-acmr'
- - '-d'
- - '-r'
- condition: selection1 and selection2
-falsepositives:
- - 'Unknown'
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.006
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'touch'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
index 2737887fc..cc283caee 100644
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -1,29 +1,29 @@
-title: 'File Time Attribute Change'
-id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
-status: experimental
-description: 'Detect file time attribute change to hide new or changes to existing files.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
-author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
-logsource:
- product: macos
- category: process_creation
-detection:
- selection1:
- CommandLine|contains: 'touch'
- selection2:
- CommandLine|contains:
- - '-t'
- - '-acmr'
- - '-d'
- - '-r'
- condition: selection1 and selection2
-falsepositives:
- - 'Unknown'
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.006
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ CommandLine|contains: 'touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
From e0e81b5c25d7ba55fda72ce6668a8b2735f42cbf Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 16:45:42 +0300
Subject: [PATCH 0879/1335] fix newlines
---
 rules/linux/lnx_find_cred_in_files.yml | 58 ++++++++++++------------
 rules/linux/macos_find_cred_in_files.yml | 54 +++++++++++-----------
 2 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/rules/linux/lnx_find_cred_in_files.yml b/rules/linux/lnx_find_cred_in_files.yml
index 5751a9db4..71b908273 100644
--- a/rules/linux/lnx_find_cred_in_files.yml
+++ b/rules/linux/lnx_find_cred_in_files.yml
@@ -1,29 +1,29 @@
-title: 'Credentials In Files'
-id: df3fcaea-2715-4214-99c5-0056ea59eb35
-status: experimental
-description: 'Detecting attempts to extract passwords with grep'
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
-author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
-logsource:
- product: linux
- service: auditd
-detection:
- selection1:
- type: 'EXECVE'
- keywords|contains: 'grep'
- selection2:
- type: 'EXECVE'
- keywords|contains: 'password'
- condition: selection1 and selection2
-falsepositives:
- - 'Unknown'
-level: high
-tags:
- - attack.credential_access
- - attack.t1552.001
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'grep'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains: 'password'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
index 742a79efd..989deece2 100644
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -1,27 +1,27 @@
-title: 'Credentials In Files'
-id: df3fcaea-2715-4214-99c5-0056ea59eb35
-status: experimental
-description: 'Detecting attempts to extract passwords with grep and laZagne'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
-author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
-logsource:
- product: macos
- category: process_creation
-detection:
- selection1:
- CommandLine|contains|all:
- - 'grep'
- - 'password'
- selection2:
- CommandLine|contains: 'laZagne'
- condition: selection1 or selection2
-falsepositives:
- - 'Unknown'
-level: high
-tags:
- - attack.credential_access
- - attack.t1552.001
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep and laZagne'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'grep'
+ - 'password'
+ selection2:
+ CommandLine|contains: 'laZagne'
+ condition: selection1 or selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
From 42cc1dc5528214b149b2c16c720b3495272db6cf Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 17:01:23 +0300
Subject: [PATCH 0880/1335] fix non-present binary
---
 rules/linux/macos_system_shutdown_reboot.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml
index 406e638b5..e461aed89 100644
--- a/rules/linux/macos_system_shutdown_reboot.yml
+++ b/rules/linux/macos_system_shutdown_reboot.yml
@@ -17,7 +17,6 @@ detection:
 - '/shutdown'
 - '/reboot'
 - '/halt'
- - '/poweroff'
 condition: selection
 falsepositives:
 - 'Legitimate administrative activity'
From ddc2d2635d52cc8bcb87b1e737a3f3943351bd30 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 17:16:22 +0300
Subject: [PATCH 0881/1335] fix wrong tactic
---
 rules/linux/lnx_split_file_into_pieces.yml | 2 +-
 rules/linux/macos_split_file_into_pieces.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml
index 4d237a78d..99f26d7c8 100644
--- a/rules/linux/lnx_split_file_into_pieces.yml
+++ b/rules/linux/lnx_split_file_into_pieces.yml
@@ -22,5 +22,5 @@ falsepositives:
 - 'Legitimate administrative activity'
 level: high
 tags:
- - attack.defense_exfiltration
+ - attack.exfiltration
 - attack.t1030
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml
index 617e5d5ef..0f5d0130a 100644
--- a/rules/linux/macos_split_file_into_pieces.yml
+++ b/rules/linux/macos_split_file_into_pieces.yml
@@ -19,5 +19,5 @@ falsepositives:
 - 'Legitimate administrative activity'
 level: high
 tags:
- - attack.defense_exfiltration
+ - attack.exfiltration
 - attack.t1030
From fe6459d07e9053123717f11972b5fe769996c1e7 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 17:20:43 +0300
Subject: [PATCH 0882/1335] commit to restart checker
---
 rules/linux/macos_split_file_into_pieces.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml
index 0f5d0130a..5f6a20269 100644
--- a/rules/linux/macos_split_file_into_pieces.yml
+++ b/rules/linux/macos_split_file_into_pieces.yml
@@ -2,7 +2,7 @@ title: 'Split A File Into Pieces'
 id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
 status: experimental
 description: 'Detection use of the command "split" to split files into parts and possible transfer.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # For this rule to work you must enable audit of process execution in OpenBSM, see link
 # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
 date: 2020/10/15
From f75654a3f5a4b9712f62e3fd62581e3da9fba3ab Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 18:19:38 +0300
Subject: [PATCH 0883/1335] fix indentation
---
 rules/linux/lnx_binary_padding.yml | 2 +-
 rules/linux/macos_binary_padding.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml
index 09357e0f1..cba357572 100644
--- a/rules/linux/lnx_binary_padding.yml
+++ b/rules/linux/lnx_binary_padding.yml
@@ -26,7 +26,7 @@ detection:
 - 'if='
 filter:
 keywords|contains: 'of='
- condition: selection1 or (selection2 and not filter)
+ condition: selection1 or (selection2 and not filter)
 falsepositives:
 - 'Legitimate script work'
 level: high
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
index f004c15d3..47669fd9c 100644
--- a/rules/linux/macos_binary_padding.yml
+++ b/rules/linux/macos_binary_padding.yml
@@ -22,7 +22,7 @@ detection:
 - 'if='
 filter:
 keywords|contains: 'of='
- condition: selection1 or (selection2 and not filter)
+ condition: selection1 or (selection2 and not filter)
 falsepositives:
 - 'Legitimate script work'
 level: high
From 43707c9023d06cfa46975eb116e466c7fd789932 Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Mon, 19 Oct 2020 19:20:52 +0400
Subject: [PATCH 0884/1335] Added mitre tags
---
 .../win_susp_file_download_via_gfxdownloadwrapper.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
index 89b4418df..da4a75703 100644
--- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -22,3 +22,6 @@ fields:
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
From 6bc483d287db20bbbc9f72f0818ddd118c2cc54b Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Mon, 19 Oct 2020 19:28:52 +0400
Subject: [PATCH 0885/1335] Added mitre tags
---
 rules/windows/process_creation/win_verclsid_runs_com.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
index 50a10d0d8..6e5d539c2 100644
--- a/rules/windows/process_creation/win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -25,3 +25,6 @@ fields:
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
From 0323e500119720f68c3a4b4900299b1425b0c3eb Mon Sep 17 00:00:00 2001
From: Tim I
Date: Mon, 19 Oct 2020 23:37:46 +0300
Subject: [PATCH 0886/1335] Detect credential access for macOS via Keychain
---
 rules/linux/macos_creds_from_keychain.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/linux/macos_creds_from_keychain.yml
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml
new file mode 100644
index 000000000..053aca927
--- /dev/null
+++ b/rules/linux/macos_creds_from_keychain.yml
@@ -0,0 +1,21 @@
+title: Credentials from Password Stores - Keychain
+id: b120b587-a4c2-4b94-875d-99c9807d6955
+status: experimental
+description: Detects passwords' dumps from Keychain
+author: Tim Ismilyaev, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ any_keychain_call:
+ ProcessName|startswith: 'security'
+ condition: any_keychain_call
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.credential_access
+ - attack.t1555.001
\ No newline at end of file
From cc3ef973c05720069386bcf1bce9a88ddf76af0f Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 00:36:21 +0200
Subject: [PATCH 0887/1335] add macos_base64_decode.yml, oscd initiative issue #1012, task number 3
---
 rules/linux/macos_base64_decode.yml | 22 ++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/linux/macos_base64_decode.yml
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml
new file mode 100644
index 000000000..88698ae3b
--- /dev/null
+++ b/rules/linux/macos_base64_decode.yml
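Review bot: `ProcessName|startswith: 'security'` in any_keychain_call cannot match the way the sibling macOS rules in this series populate ProcessName, which is a full path (`/usr/bin/base64`, `/usr/bin/grep`), so the selection should read `ProcessName|endswith: '/security'`. The selection also carries no CommandLine constraint, so once the path is fixed every `security` invocation (certificate and trust-store management included) raises the alert; constraining CommandLine to the keychain-dumping subcommands exercised by the referenced Atomic test keeps the rule on its stated purpose. The description reads awkwardly: `description: Detects dumping of passwords from the macOS Keychain`.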
@@ -0,0 +1,22 @@
+title: Decode base64 encoded text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ base64_execution:
+ ProcessName: '/usr/bin/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
From 8b01062d17193234d03212a14037e944e30c5848 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 00:37:53 +0200
Subject: [PATCH 0888/1335] add lnx_base64_decode.yml, oscd initiative issue #1011, task number 4
---
 rules/linux/lnx_base64_decode.yml | 22 ++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/linux/lnx_base64_decode.yml
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
new file mode 100644
index 000000000..d2f30dd82
--- /dev/null
+++ b/rules/linux/lnx_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode base64 encoded text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ base64_execution:
+ ProcessName|endswith: '/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
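Review bot: `CommandLine|contains: '-d'` in base64_execution is a two-character substring test, so any argument or path containing `-d` (a `--debug` switch, a `-data` directory) satisfies it, while on macOS the decode switch has historically been spelled `-D` (and `--decode`), which a case-sensitive backend will not match against `-d`. Listing the real forms, `CommandLine|contains: ['-d', '-D', '--decode']`, or anchoring the option as a whitespace-delimited token with the `re` modifier already used elsewhere in this batch, makes the intent explicit. The same `'-d'` match is used by lnx_base64_decode.yml in the second hunk, where `--decode` is the long form on GNU coreutils.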
From 1ecb2c1932996e1cb88ee4b1fa5b3564ffd7b62f Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 00:39:06 +0200
Subject: [PATCH 0889/1335] add lnx_base64_decode.yml, oscd initiative issue #1011, task number 4
---
 rules/linux/lnx_base64_decode.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
index d2f30dd82..003d4d177 100644
--- a/rules/linux/lnx_base64_decode.yml
+++ b/rules/linux/lnx_base64_decode.yml
@@ -1,5 +1,5 @@
 title: Decode base64 encoded text
-id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
 status: experimental
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
From f0060dec671799b7bcf095f45b126edbeceb86ce Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 00:44:23 +0200
Subject: [PATCH 0890/1335] fix title
---
 rules/linux/lnx_base64_decode.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
index 003d4d177..b9ae9bc78 100644
--- a/rules/linux/lnx_base64_decode.yml
+++ b/rules/linux/lnx_base64_decode.yml
@@ -1,4 +1,4 @@
-title: Decode base64 encoded text
+title: Decode Base64 Encoded Text
 id: e2072cab-8c9a-459b-b63c-40ae79e27031
 status: experimental
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
From 272fbcc3784857be648db44dc5a2f07ecb507549 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 00:47:02 +0200
Subject: [PATCH 0891/1335] fix title
---
 rules/linux/macos_base64_decode.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml
index 88698ae3b..7d7488048 100644
--- a/rules/linux/macos_base64_decode.yml
+++ b/rules/linux/macos_base64_decode.yml
@@ -1,4 +1,4 @@
-title: Decode base64 encoded text
+title: Decode Base64 Encoded Text
 id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
 status: experimental
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
From 941fbebcdcbc60296c45ee018c5ad9cdcff4b82e Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 01:14:56 +0200
Subject: [PATCH 0892/1335] add macos_system_network_connections_discovery.yml, oscd initiative issue #1012, task number 14
---
 ...s_system_network_connections_discovery.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/macos_system_network_connections_discovery.yml
diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml
new file mode 100644
index 000000000..32f1ad5bf
--- /dev/null
+++ b/rules/linux/macos_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ProcessName:
+ - '/usr/bin/who'
+ - '/usr/bin/w'
+ - '/usr/bin/last'
+ - '/usr/sbin/lsof'
+ - '/usr/sbin/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
From 34591f9f64d07443a5799ca4c458697be88c18bb Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 01:17:06 +0200
Subject: [PATCH 0893/1335] add lnx_system_network_connections_discovery.yml, oscd initiative issue #1011, task number 8
---
 ...x_system_network_connections_discovery.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/lnx_system_network_connections_discovery.yml
diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml
new file mode 100644
index 000000000..1bab3e4c7
--- /dev/null
+++ b/rules/linux/lnx_system_network_connections_discovery.yml
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ ProcessName|endswith:
+ - '/who'
+ - '/w'
+ - '/last'
+ - '/lsof'
+ - '/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
From 7c507293883cc43f9c38158977529d75e5f87a95 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 02:58:08 +0200
Subject: [PATCH 0894/1335] add macos_file_and_directory_discovery.yml, oscd initiative issue #1012, task number 28
---
 .../macos_file_and_directory_discovery.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/linux/macos_file_and_directory_discovery.yml
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml
new file mode 100644
index 000000000..dca23a49d
--- /dev/null
+++ b/rules/linux/macos_file_and_directory_discovery.yml
@@ -0,0 +1,31 @@
+title: File and Directory Discovery
+id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ file_with_asterisk:
+ ProcessName: '/usr/bin/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ ProcessName: '/bin/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ ProcessName: '/usr/bin/find'
+ mdfind_execution:
+ ProcessName: '/usr/bin/mdfind'
+ tree_execution|endswith:
+ ProcessName: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
From 491f9d023cee68c837e314890afe77e88d7444fe Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 03:05:32 +0200
Subject: [PATCH 0895/1335] add lnx_file_and_directory_discovery.yml, oscd initiative issue #1011, task number 18
---
 .../lnx_file_and_directory_discovery.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/linux/lnx_file_and_directory_discovery.yml
diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml
new file mode 100644
index 000000000..9b1a70130
--- /dev/null
+++ b/rules/linux/lnx_file_and_directory_discovery.yml
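Review bot: `tree_execution|endswith:` puts the modifier on the selection name instead of on the field, so the selection is either rejected by the rule checker or compares ProcessName for equality with the literal `/tree`, which a full path never matches; it should be `tree_execution:` followed by `ProcessName|endswith: '/tree'`, exactly as lnx_file_and_directory_discovery.yml does in the next hunk. Separately, find_execution and mdfind_execution have no CommandLine constraint, so under `condition: 1 of them` every find/mdfind process creation fires (the lnx variant shares this for find); if that volume is intended, the falsepositives entry should name the routine sources rather than the generic `Legitimate activities`.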
@@ -0,0 +1,29 @@
+title: File and Directory Discovery
+id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ file_with_asterisk:
+ ProcessName|endswith: '/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ ProcessName|endswith: '/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ ProcessName|endswith: '/find'
+ tree_execution:
+ ProcessName|endswith: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
From f0663c8412fef4bf98d42bded0fd8a9673e6cb77 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 03:46:41 +0200
Subject: [PATCH 0896/1335] add macos_security_software_discovery.yml, oscd initiative issue #1012, task number 41
---
 .../macos_security_software_discovery.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/linux/macos_security_software_discovery.yml
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml
new file mode 100644
index 000000000..19286e6bb
--- /dev/null
+++ b/rules/linux/macos_security_software_discovery.yml
@@ -0,0 +1,38 @@
+title: Security Software Discovery
+id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ grep_execution:
+ ProcessName: '/usr/bin/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'santad' # google santa
+ - 'CbDefense' # carbon black
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'BlockBlock' # Objective-See persistence locations watcher/blocker
+ - 'LuLu' # Objective-See firewall management utility
+ little_snitch_process: # Objective Development Software firewall management utility
+ CommandLine|contains|all:
+ - 'Little'
+ - 'Snitch'
+ condition: grep_execution and security_services_and_processes or
+ grep_execution and little_snitch_process
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
From 6f3ac02cb363b0fc68ebe3f762b3b6e6385fa568 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 03:57:41 +0200
Subject: [PATCH 0897/1335] add lnx_security_software_discovery.yml, oscd initiative issue #1011, task number 26
---
 .../linux/lnx_security_software_discovery.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/linux/lnx_security_software_discovery.yml
diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml
new file mode 100644
index 000000000..5a94b29c0
--- /dev/null
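Review bot: The description is garbled ("to discover security software discovery"); `description: Detects usage of grep to discover installed security software` says what the rule does, and the same sentence is repeated in lnx_security_software_discovery.yml in the next hunk. The condition is split across two YAML lines as a plain multi-line scalar, which parses today but is easy to break on edit and hides the precedence; `condition: grep_execution and (security_services_and_processes or little_snitch_process)` states the same logic on one line. `ProcessName: '/usr/bin/grep'` also leaves out `egrep`/`fgrep` and `pgrep`, which looks processes up by name without a pipeline, so the listed daemon names would not be seen; the lnx variant's `ProcessName|endswith: '/grep'` has the same gap for `pgrep`.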
+++ b/rules/linux/lnx_security_software_discovery.yml
@@ -0,0 +1,31 @@
+title: Security Software Discovery
+id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ grep_execution:
+ ProcessName|endswith: '/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: grep_execution and security_services_and_processes
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
From 5a8c7cd3f9291ac010f2f0e94037b0304d5cf458 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 04:00:16 +0200
Subject: [PATCH 0898/1335] add missing falcond
---
 rules/linux/macos_security_software_discovery.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml
index 19286e6bb..320eb89fd 100644
--- a/rules/linux/macos_security_software_discovery.yml
+++ b/rules/linux/macos_security_software_discovery.yml
@@ -17,6 +17,7 @@ detection:
 - 'nessusd' # nessus vulnerability scanner
 - 'santad' # google santa
 - 'CbDefense' # carbon black
+ - 'falcond' # crowdstrike falcon
 - 'td-agent' # fluentd log shipper
 - 'packetbeat' # elastic network logger/shipper
 - 'filebeat' # elastic log file shipper
From 2890adf093f70f08b2631f935b7322af93555761 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 04:34:02 +0200
Subject: [PATCH 0899/1335] add macos_xattr_gatekeeper_bypass.yml, oscd initiative issue #1012, task number 55
---
 rules/linux/macos_xattr_gatekeeper_bypass.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/linux/macos_xattr_gatekeeper_bypass.yml
diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml
new file mode 100644
index 000000000..989190a43
--- /dev/null
+++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml
@@ -0,0 +1,24 @@
+title: Gatekeeper Bypass via Xattr
+id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
+status: experimental
+description: Detects macOS Gatekeeper bypass via xattr utility
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ProcessName|endswith: '/xattr'
+ CommandLine|contains|all:
+ - '-r'
+ - 'com.apple.quarantine'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1553.001
\ No newline at end of file
From cea24c99847da66b4e8160560f5af6fdfa5dd06c Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 05:06:43 +0200
Subject: [PATCH 0900/1335] add macos_disable_security_tools.yml, oscd initiative issue #1012, task number 60
---
 rules/linux/macos_disable_security_tools.yml | 43 ++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 rules/linux/macos_disable_security_tools.yml
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
new file mode 100644
index 000000000..3610fcd23
--- /dev/null
+++ b/rules/linux/macos_disable_security_tools.yml
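Review bot: `CommandLine|contains|all: ['-r', 'com.apple.quarantine']` only covers the recursive form of the attribute removal: `-r` is xattr's recurse flag, so the single-file form that uses `-d` (delete the named attribute) without `-r` is missed, and `-c` (clear all attributes) strips the quarantine flag without the attribute name ever appearing on the command line. A second selection `CommandLine|contains|all: ['-d', 'com.apple.quarantine']` joined with `or` closes the first gap; a `-c` selection on `/xattr` is noisier and probably belongs in a separate, lower-level rule. Combined short options such as `-rd` still slip past a plain `'-d'` substring, so a regex on the option token via the `re` modifier is the more robust form where the backend supports it.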
@@ -0,0 +1,43 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ launchctl_unload:
+ ProcessName: '/bin/launchctl'
+ CommandLine|contains: 'unload'
+ security_plists:
+ - CommandLine|endswith:
+ - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
+ - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
+ - 'com.google.santad.plist' # google santa
+ - 'com.carbonblack.defense.daemon.plist' # carbon black
+ - 'com.carbonblack.daemon.plist' # carbon black
+ - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
+ - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
+ - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+ - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
+ - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
+ - CommandLine|contains: # plists for these tools could have arbitrary names
+ - 'osquery' # facebook osquery
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'td-agent' # fluentd log shipper
+ disable_gatekeeper:
+ ProcessName: '/usr/sbin/spctl'
+ CommandLine|contains: 'disable'
+ condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
From 99b40e4a6a46f6e880cd5cee7a56d78d0b327e04 Mon Sep 17 00:00:00 2001
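Review bot: `level: low` applies to both branches of `condition: (launchctl_unload and security_plists) or disable_gatekeeper`, but a `/usr/sbin/spctl` run with `disable` on its command line is a system-wide policy change that is rarely part of routine use and arguably deserves a higher level than unloading a single agent plist. Splitting `disable_gatekeeper` into its own rule with its own level, or at least documenting in `falsepositives` what "Legitimate activities" means here (MDM or admin scripts?), would make the alert actionable. `CommandLine|contains: 'unload'` and `'disable'` are bare substrings and will also match when those words occur inside paths or other arguments; that is acceptable while paired with an exact `ProcessName`, but worth a comment so the next editor does not loosen the process match.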
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 05:09:08 +0200
Subject: [PATCH 0901/1335] chage list of plist to contains modifier. could be easily bypassed with endswith
---
 rules/linux/macos_disable_security_tools.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
index 3610fcd23..6e3dd9b92 100644
--- a/rules/linux/macos_disable_security_tools.yml
+++ b/rules/linux/macos_disable_security_tools.yml
@@ -14,7 +14,7 @@ detection:
 ProcessName: '/bin/launchctl'
 CommandLine|contains: 'unload'
 security_plists:
- - CommandLine|endswith:
+ - CommandLine|contains:
 - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
 - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
 - 'com.google.santad.plist' # google santa
@@ -25,7 +25,6 @@ detection:
 - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
 - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
 - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- - CommandLine|contains: # plists for these tools could have arbitrary names
 - 'osquery' # facebook osquery
 - 'filebeat' # elastic log file shipper
 - 'auditbeat' # elastic auditing agent/log shipper
From e95749e19019c1a8ac6a6d87eb325246d97d18fb Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 05:10:11 +0200
Subject: [PATCH 0902/1335] fix syntax
---
 rules/linux/macos_disable_security_tools.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
index 6e3dd9b92..8a84e85ce 100644
--- a/rules/linux/macos_disable_security_tools.yml
+++ b/rules/linux/macos_disable_security_tools.yml
@@ -14,7 +14,7 @@ detection:
 ProcessName: '/bin/launchctl'
 CommandLine|contains: 'unload'
 security_plists:
- - CommandLine|contains:
+ CommandLine|contains:
 - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
 - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
 - 'com.google.santad.plist' # google santa
From 60f71d911d96959506cba99d940b6c2430d1ec0a Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:08:11 +0200
Subject: [PATCH 0903/1335] shorten the title to pass the test
---
 rules/windows/process_creation/win_susp_use_of_te_bin.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
index 0dd232895..357380c7b 100644
--- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
@@ -1,4 +1,4 @@
-title: Malicious WSC (Windows Script Components) File Execution by TAEF Detection
+title: Malicious Windows Script Components File Execution by TAEF Detection
 id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
 status: experimental
 description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
From 462c92e5224b377f3fe2957837dbca874677a922 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:10:20 +0200
Subject: [PATCH 0904/1335] changes a syntax a bit to re-run the test
---
 rules/linux/macos_network_sniffing.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml
index 823b448cb..a30534aef 100644
--- a/rules/linux/macos_network_sniffing.yml
+++ b/rules/linux/macos_network_sniffing.yml
@@ -10,13 +10,11 @@ logsource:
 category: process_creation
 product: macos
 detection:
- selection_1:
- ProcessName|endswith:
+ selection:
+ ProcessName|endswith:
 - '/tcpdump'
- selection_2:
- ProcessName|endswith:
 - '/tshark'
- condition: 1 of them
+ condition: selection
 falsepositives:
 - Legitimate administration activities
 level: medium
From 585770faa3c54ccae3808f111340816d6d7c02ca Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:31:00 +0200
Subject: [PATCH 0905/1335] update syntax a bit to re-run the test
---
 rules/linux/macos_startup_items.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml
index f930be4a9..2153bd39d 100644
--- a/rules/linux/macos_startup_items.yml
+++ b/rules/linux/macos_startup_items.yml
@@ -11,11 +11,9 @@ logsource:
 product: macos
 detection:
 selection_1:
- TargetFilename|contains:
- - '/Library/StartupItems/'
+ TargetFilename|contains: '/Library/StartupItems/'
 selection_2:
- TargetFilename|endswith:
- - '.plist'
+ TargetFilename|endswith: '.plist'
 condition: selection_1 and selection_2
 falsepositives:
 - Legitimate administration activities
@@ -24,4 +22,3 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1037.005
-
From 40f6d5e54325e4aa491833dcbde389b33901b541 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:39:04 +0200
Subject: [PATCH 0906/1335] update syntax a bit to re-run the test
---
 .../process_creation/win_regedit_export_critical_keys.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
index 656842570..472265a7c 100644
--- a/rules/windows/process_creation/win_regedit_export_critical_keys.yml
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
@@ -16,8 +16,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\regedit.exe'
- CommandLine|contains:
- - ' /E '
+ CommandLine|contains: ' /E '
 selection_2:
 CommandLine|contains:
 - 'hklm'
From 6ec761d27b7bb5ebdd92f3d9535336e8a5ce564e Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 17:40:53 +0200
Subject: [PATCH 0907/1335] update syntax a bit to re-run the test
---
 ...in_possible_zerologon_exploitation_using_wellknown_tools.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
index 673967b83..da829faa9 100644
--- a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
+++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -24,4 +24,4 @@ detection:
 - kali
 - mimikatz
 condition: selection
-level: critical
\ No newline at end of file
+level: critical
From 3a2c1d213a3ff314eb22b5377ad345e09e7193e1 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Tue, 20 Oct 2020 19:25:31 +0300
Subject: [PATCH 0908/1335] Update win_susp_multiple_files_renamed.yml
---
 rules/windows/file_event/win_susp_multiple_files_renamed.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed.yml
index 40e145f9b..8c2d4b900 100644
--- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed.yml
@@ -17,11 +17,10 @@ detection:
 selection:
 EventID: 4663
 ObjectType: 'File'
- SubjectLogonId: not null
 AccessList: '%%1537'
 Keywords: '0x8020000000000000'
 timeframe: 30s
- condition: selection | count() by SubjectLogonId > 20
+ condition: selection | count() by SubjectLogonId > 10
 falsepositives:
 - Unlikely
 level: high
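Review bot: With the threshold lowered to `condition: selection | count() by SubjectLogonId > 10` over `timeframe: 30s` on 4663 events whose `AccessList: '%%1537'` is DELETE access, routine bulk deletions (temp-file cleanup, package installs, browser cache churn) are likely to trip the rule, which sits badly with `falsepositives: - Unlikely`; list the known benign sources or state why 10 was chosen. Dropping `SubjectLogonId: not null` looks harmless because the count is already grouped by that field, but the commit records no rationale for either change, so a `modified:` date and a short comment next to the condition would help the next person tuning it.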
From 27baf472b83037dd423b0e3f59bed47fc3a4ed66 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 18:59:25 +0200
Subject: [PATCH 0910/1335] add an empty line to re-run the test
---
 .../sysmon_accesschk_usage_after_priv_escalation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
index ca74e39f9..0f53941d2 100644
--- a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
+++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
@@ -27,4 +27,4 @@ fields:
 falsepositives:
 - System administrator Usage
 - Penetration test
-level: high
\ No newline at end of file
+level: high
From 81acc81d10e2d4bf2eada73a203fac140b661897 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 19:06:23 +0200
Subject: [PATCH 0911/1335] updated syntax a bit to re-run the test
---
 rules/linux/macos_screencapture.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml
index 13334b388..7cc9bc983 100644
--- a/rules/linux/macos_screencapture.yml
+++ b/rules/linux/macos_screencapture.yml
@@ -11,10 +11,9 @@ logsource:
 product: macos
 category: process_creation
 detection:
- selection1:
- ProcessName:
- - '/usr/sbin/screencapture'
- condition: selection1
+ selection:
+ ProcessName: '/usr/sbin/screencapture'
+ condition: selection
 falsepositives:
 - Legitimate user activity taking screenshots
 level: low
From 7fbaacabb0e4aaf75b5c26b5b8a59e04094e79c2 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Tue, 20 Oct 2020 23:20:34 +0530
Subject: [PATCH 0912/1335] Mitre attck tags chages
---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index d6b7569ed..62a448333 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -4,9 +4,10 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
- - t1127.001
- - tA0002
- - t1127
+ - attack.execution
+ - attack.t1127.001
+ - attack.tA0002
+ - attack.t1127
 status: experimental
 author: Kiran kumar s, oscd.community
 date: 2020/10/11
From a96408b20af9aa02f07a3c353c5745cd3cdb06f5 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 20:11:13 +0200
Subject: [PATCH 0914/1335] add an empty line to re-run the test
---
 .../process_creation/win_CL_Mutexverifiers_LOLScript.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
index 5893591cb..984557a01 100644
--- a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
@@ -21,4 +21,4 @@ detection:
 # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
 condition: selection
 falsepositives: Unknown
-level: high
\ No newline at end of file
+level: high
From ca4a0f7a727ad61cf35b28632b8293bb9f97c791 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 20:37:49 +0200
Subject: [PATCH 0915/1335] shorten the titile to pass the test
---
 ...vated_msi_spawned_cmd_and_powershell_spawned_processes.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index 5847206e2..1bfb4d988 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -1,4 +1,4 @@
-title: Always Install Elevated MSI Spawned Cmd And Powershell Spawned Processes
+title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
 description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
 status: experimental
@@ -32,4 +32,4 @@ falsepositives:
 level: high
 enrichment:
 - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
\ No newline at end of file
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
From f050cedf929cda0ee40d0bdfa3f9f9c9ab06643d Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 21:17:59 +0200
Subject: [PATCH 0917/1335] update syntax to re-run the test once more...
---
 rules/windows/process_creation/win_regedit_export_keys.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
index f40cc2436..70bc2a50f 100644
--- a/rules/windows/process_creation/win_regedit_export_keys.yml
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
@@ -16,8 +16,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\regedit.exe'
- CommandLine|contains:
- - ' /E '
+ CommandLine|contains: ' /E '
 filter_1: # filters to avoid intersection with critical keys rule
 CommandLine|contains:
 - 'hklm'
From cdabf8e0e883b9827329326907f64aa8b1869076 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Wed, 21 Oct 2020 09:41:40 +0200
Subject: [PATCH 0918/1335] Sigma rules for network service scanning.
---
 rules/linux/lnx_network_service_scanning.yml | 34 +++++++++++++++++++
 .../linux/macos_network_service_scanning.yml | 34 +++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 rules/linux/lnx_network_service_scanning.yml
 create mode 100644 rules/linux/macos_network_service_scanning.yml
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml
new file mode 100644
index 000000000..dbd20f8b5
--- /dev/null
+++ b/rules/linux/lnx_network_service_scanning.yml
@@ -0,0 +1,34 @@
+title: Linux Network Service Scanning
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ CommandLine|contains:
+ - '/dev/tcp/'
+ selection_2:
+ ProcessName|endswith:
+ - '/cat'
+ selection_3:
+ ProcessName|endswith:
+ - '/nmap'
+ selection_4:
+ ProcessName|endswith:
+ - '/telnet'
+ selection_5:
+ ProcessName|endswith:
+ - '/nc'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1046
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml
new file mode 100644
index 000000000..933a960e7
--- /dev/null
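Review bot: With `condition: 1 of them`, `selection_2` fires on every execution of `cat` (and `selection_4`/`selection_5` on every `telnet`/`nc`), so the rule as written alerts on routine shell activity at `level: medium`; the `/dev/tcp/` string in `selection_1` is presumably the qualifier meant to accompany `cat`. A condition such as `selection_1 or selection_3 or selection_4 or selection_5`, or pairing `selection_1 and selection_2`, would make the rule actionable. The macOS copy in the next hunk (`rules/linux/macos_network_service_scanning.yml`) has the identical structure and needs the same change. Note also that `/dev/tcp/` is a bash redirection handled by the shell, so it may show up in the shell's command line rather than cat's; worth confirming against the logsource before relying on it.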
+++ b/rules/linux/macos_network_service_scanning.yml
@@ -0,0 +1,34 @@
+title: MacOS Network Service Scanning
+id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ CommandLine|contains:
+ - '/dev/tcp/'
+ selection_2:
+ ProcessName|endswith:
+ - '/cat'
+ selection_3:
+ ProcessName|endswith:
+ - '/nmap'
+ selection_4:
+ ProcessName|endswith:
+ - '/telnet'
+ selection_5:
+ ProcessName|endswith:
+ - '/nc'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1046
From aa416090e16b64d4d025fce9340bc0ec62861181 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Wed, 21 Oct 2020 10:09:00 +0200
Subject: [PATCH 0919/1335] Initial sigma rule
---
 rules/linux/macos_applescript.yml | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/linux/macos_applescript.yml
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml
new file mode 100644
index 000000000..6596c27d5
--- /dev/null
+++ b/rules/linux/macos_applescript.yml
@@ -0,0 +1,24 @@
+title: MacOS Scripting Interpreter AppleScript
+id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+status: experimental
+description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ProcessName|endswith:
+ - '/osascript'
+ CommandLine|contains|all:
+ - '-e'
+ condition: selection
+falsepositives:
+ - Application installers might contain scripts as part of the installation process.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.002
From 5e5576a91bdc1930440175e1908b31bedf2ee093 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Wed, 21 Oct 2020 10:13:28 +0200
Subject: [PATCH 0920/1335] Fix product
---
 rules/linux/lnx_network_service_scanning.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml
index dbd20f8b5..b8e73ebac 100644
--- a/rules/linux/lnx_network_service_scanning.yml
+++ b/rules/linux/lnx_network_service_scanning.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
 logsource:
 category: process_creation
- product: macos
+ product: linux
 detection:
 selection_1:
 CommandLine|contains:
From 7ba3d7a9c81bcbc47b2a760cc2a23d746b40cbbd Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Wed, 21 Oct 2020 19:58:13 +0530
Subject: [PATCH 0921/1335] Update silenttrinity_stager_msbuild_activity.yml
---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 62a448333..fd011bbe5 100644
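Review bot: `CommandLine|contains|all` with the single entry `-e` is just a `contains`, and `-e` as a substring matches any argument that happens to contain it (file names, other flags), while an `osascript` run against a script file carries no `-e` and is missed entirely. If the intent is inline scripts only, keep the clause but say so in `description`; if the intent is any AppleScript execution, drop the `CommandLine` clause and rely on `ProcessName|endswith: '/osascript'`. Either way `description` currently reads "execution of AppleScript of the macOS scripting language AppleScript" and would be clearer as "Detects execution of osascript, the macOS AppleScript interpreter".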
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -5,9 +5,9 @@ references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
 - attack.execution
- - attack.t1127.001
- - attack.tA0002
- - attack.t1127
+ - attack.ta0002
+ - attack.t1127.001
+ - attack.t1127 #an old one
 status: experimental
 author: Kiran kumar s, oscd.community
 date: 2020/10/11
From e8611ca0a7e074e7d3c41989081bffdbbe106af7 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Wed, 21 Oct 2020 20:00:19 +0530
Subject: [PATCH 0922/1335] Update silenttrinity_stager_msbuild_activity.yml
---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index fd011bbe5..1accc8231 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -5,7 +5,7 @@ references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
 - attack.execution
- - attack.ta0002
+ - attack.tA0002
 - attack.t1127.001
 - attack.t1127 #an old one
 status: experimental
From e474c26c90a46dfe673aab375cda9fd153e266c7 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Wed, 21 Oct 2020 20:07:31 +0530
Subject: [PATCH 0923/1335] Update silenttrinity_stager_msbuild_activity.yml
---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 1accc8231..acf36092f 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -4,10 +4,8 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
- - attack.execution
- - attack.tA0002
- - attack.t1127.001
- - attack.t1127 #an old one
+ - attack.execution # example MITRE ATT&CK category
+ - attack.tA0002 # example MITRE ATT&CK technique id
 status: experimental
 author: Kiran kumar s, oscd.community
 date: 2020/10/11
From 7db0351d6de5ceb1390d6ea57a0d032ac0687a87 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Wed, 21 Oct 2020 20:11:55 +0530
Subject: [PATCH 0924/1335] Update silenttrinity_stager_msbuild_activity.yml
---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index acf36092f..051973cd1 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -5,7 +5,6 @@ references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
 - attack.execution # example MITRE ATT&CK category
- - attack.tA0002 # example MITRE ATT&CK technique id
 status: experimental
 author: Kiran kumar s, oscd.community
 date: 2020/10/11
From ca5e86c850610a0a66b826f1dc8073e2f2bd805d Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Wed, 21 Oct 2020 20:14:07 +0530
Subject: [PATCH 0925/1335] Update silenttrinity_stager_msbuild_activity.yml
---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 051973cd1..b7d95b726 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -5,6 +5,7 @@ references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
 - attack.execution # example MITRE ATT&CK category
+ - attack.t1127.001
 status: experimental
 author: Kiran kumar s, oscd.community
 date: 2020/10/11
From 7227ed0721a6524d89d5545026cecff86a415fd6 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Wed, 21 Oct 2020 18:25:22 +0300
Subject: [PATCH 0926/1335] fix rule logic
---
 rules/linux/macos_binary_padding.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
index 47669fd9c..b4c676db0 100644
--- a/rules/linux/macos_binary_padding.yml
+++ b/rules/linux/macos_binary_padding.yml
@@ -13,15 +13,17 @@ logsource:
 category: process_creation
 detection:
 selection1:
- CommandLine|contains|all:
- - 'truncate'
+ ProcessName|endswith:
+ - '/truncate'
+ CommandLine|contains:
 - '-s'
 selection2:
- CommandLine|contains|all:
- - 'dd'
+ ProcessName|endswith:
+ - '/dd'
+ CommandLine|contains:
 - 'if='
 filter:
- keywords|contains: 'of='
+ CommandLine|contains: 'of='
 condition: selection1 or (selection2 and not filter)
 falsepositives:
 - 'Legitimate script work'
From c744a1cb47ffa54197e82a14288f1a2b1383f313 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Wed, 21 Oct 2020 18:29:06 +0300
Subject: [PATCH 0927/1335] fix rule logic
---
 rules/linux/macos_change_file_time_attr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
index cc283caee..80100ca94 100644
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -13,7 +13,7 @@ logsource:
 category: process_creation
 detection:
 selection1:
- CommandLine|contains: 'touch'
+ ProcessName|endswith: 'touch'
 selection2:
 CommandLine|contains:
 - '-t'
From 13d84ac27b1616984184db33f1d06b8b3fb405a6 Mon Sep 17 00:00:00 2001
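Review bot: The context line `- attack.execution # example MITRE ATT&CK category` still carries the placeholder comment from the rule template; now that the tag list has settled it should read simply `- attack.execution`. The added `attack.t1127.001` is the MSBuild sub-technique of Trusted Developer Utilities Proxy Execution, which fits a rule about an MSBuild stager, so the tag set is otherwise consistent.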
From: Mikhail Larin
Date: Wed, 21 Oct 2020 18:32:02 +0300
Subject: [PATCH 0928/1335] rule logic fix
---
 rules/linux/macos_find_cred_in_files.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
index 989deece2..5fd340fb5 100644
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -13,8 +13,9 @@ logsource:
 category: process_creation
 detection:
 selection1:
- CommandLine|contains|all:
- - 'grep'
+ ProcessName|endswith:
+ - '/grep'
+ CommandLine|contains:
 - 'password'
 selection2:
 CommandLine|contains: 'laZagne'
From c938d917f11890501dc9321122dd1e2b23f1a852 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Wed, 21 Oct 2020 18:32:50 +0300
Subject: [PATCH 0929/1335] additional processname fix
---
 rules/linux/macos_change_file_time_attr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
index 80100ca94..1267cb82c 100644
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -13,7 +13,7 @@ logsource:
 category: process_creation
 detection:
 selection1:
- ProcessName|endswith: 'touch'
+ ProcessName|endswith: '/touch'
 selection2:
 CommandLine|contains:
 - '-t'
From a2a1b203355da71caac0a40a285eb67a0cde4fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 21 Oct 2020 21:40:46 +0300
Subject: [PATCH 0930/1335] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index 5ca621ead..a6bf0eec1 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -10,7 +10,7 @@ logsource:
 product: linux
 detection:
 selection:
- - CommandLine|contains:
+ - ProcessName|contains:
 - 'ps '
 - 'top'
 condition: selection
From 9f7244f01922b903e5f2c8af6f92487d07c2cf77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 21 Oct 2020 21:45:23 +0300
Subject: [PATCH 0931/1335] Update lnx_system_info_discovery.yml
---
 rules/linux/lnx_system_info_discovery.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
index df9a1cc80..5df4ff904 100644
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -42,6 +42,7 @@ detection:
 - '/proc/scsi/scsi'
 - '/proc/ide/hd0/model'
 - '/proc/version'
- - '/etc/redhat-release'
+ - '/etc/*version
+ - '/etc/*release'
 - '/etc/issue'
 condition: selection
From afe97c000cb1642bb08ac181bfc7ccd523783ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 21 Oct 2020 21:48:43 +0300
Subject: [PATCH 0932/1335] Update lnx_system_info_discovery.yml
---
 rules/linux/lnx_system_info_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
index 5df4ff904..2ac156ddc 100644
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -42,7 +42,7 @@ detection:
 - '/proc/scsi/scsi'
 - '/proc/ide/hd0/model'
 - '/proc/version'
- - '/etc/*version
+ - '/etc/*version'
 - '/etc/*release'
 - '/etc/issue'
 condition: selection
From 5d37c0ee1e4bacbf9c25a3f1a531c3f52d7e65d5 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 22 Oct 2020 10:22:00 +0200
Subject: [PATCH 0933/1335] Added some modifications to firewall disabling
---
 rules/linux/lnx_security_tools_disabling.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
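Review bot: `ProcessName|contains:` with the existing values `'ps '` and `'top'` cannot work as intended: `ProcessName` is an executable path, so the trailing space in `'ps '` never matches, and `'top'` as a path substring will hit unrelated binaries such as `htop`, `stop`, or anything under a directory whose name contains "top". The values made sense for the old `CommandLine|contains`; with the field switched they should become `ProcessName|endswith: ['/ps', '/top']`, which is the form the neighbouring macOS rules in this series use. The leading `- ` also makes `selection` a one-element list of maps, legal but unnecessary, and can go at the same time.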
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a490..05f6564d7 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@@ -2,11 +2,11 @@ title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno
 date: 2020/06/17
 references:
- - https://attack.mitre.org/techniques/T1089/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 logsource:
 product: linux
 detection:
@@ -16,6 +16,8 @@ detection:
 - 'chkconfig off iptables'
 - 'service ip6tables stop'
 - 'chkconfig off ip6tables'
+ - 'systemctl stop firewalld'
+ - 'systemctl disable firewalld'
 - CarbonBlack|contains:
 - 'service cbdaemon stop'
 - 'chkconfig off cbdaemon'
@@ -31,4 +33,6 @@ falsepositives:
 - Legitimate administration activities
 level: medium
 tags:
- - attack.defense_evasion
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
From 638fd7eeabe01565911f11387594ba65c86379fa Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 22 Oct 2020 10:37:29 +0200
Subject: [PATCH 0934/1335] Remote system discovery sigma rules for macos and linux
---
 rules/linux/lnx_remote_system_discovery.yml | 27 +++++++++++++++++++
 rules/linux/macos_remote_system_discovery.yml | 27 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 rules/linux/lnx_remote_system_discovery.yml
 create mode 100644 rules/linux/macos_remote_system_discovery.yml
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 000000000..67defedf7
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
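Review bot: The third hunk adds `attack.t1089` next to `attack.t1562.004`, but T1089 was deprecated when ATT&CK introduced the T1562 sub-techniques, so the new tag points at a retired ID; keep `attack.t1562.004` (and add `attack.t1562.001` if the non-firewall entries such as the CarbonBlack block are meant to be covered) and drop `attack.t1089`, or leave a comment saying why the legacy tag is retained. In the second hunk the new `'systemctl stop firewalld'` and `'systemctl disable firewalld'` strings are exact substrings, so a form like `systemctl disable --now firewalld` would not match; a selection of the shape `CommandLine|contains|all: ['systemctl', 'firewalld']` would be more robust against option ordering. The author line was updated but no `modified:` date accompanies the logic change, if the rule carries one.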
@@ -0,0 +1,27 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection_1:
+    ProcessName|endswith:
+      - '/arp'
+    CommandLine|contains|all:
+      - '-a'
+  selection_2:
+    ProcessName|endswith:
+      - '/ping'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: medium
+tags:
+  - attack.discovery
+  - attack.t1018
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
new file mode 100644
index 000000000..d1a21338a
--- /dev/null
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -0,0 +1,27 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    ProcessName|endswith:
+      - '/arp'
+    CommandLine|contains|all:
+      - '-a'
+  selection_2:
+    ProcessName|endswith:
+      - '/ping'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: medium
+tags:
+  - attack.discovery
+  - attack.t1018
From 093941778bf92accc11ee12a4098b0a796f588a1 Mon Sep 17 00:00:00 2001
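Review bot: Both new rules in this commit carry the same `id: 11063ec2-de63-4153-935e-b1a8b9e616f1`; Sigma rule ids are meant to be unique per rule, and anything downstream that keys on the id (deduplication, rule management, `related` links) will treat the Linux and macOS rules as one. One of the two needs its own UUID, e.g. `id: <new-uuid-placeholder>` in macos_remote_system_discovery.yml, since the two files are otherwise identical apart from `title` and `product`.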
From: Vasiliy Burov
Date: Thu, 22 Oct 2020 15:57:29 +0300
Subject: [PATCH 0935/1335] Update and rename win_susp_multiple_files_renamed.yml to win_susp_multiple_files_renamed_or_deleted.yml

---
 ...med.yml => win_susp_multiple_files_renamed_or_deleted.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename rules/windows/file_event/{win_susp_multiple_files_renamed.yml => win_susp_multiple_files_renamed_or_deleted.yml} (77%)

diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
similarity index 77%
rename from rules/windows/file_event/win_susp_multiple_files_renamed.yml
rename to rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
index 8c2d4b900..ea083f54a 100644
--- a/rules/windows/file_event/win_susp_multiple_files_renamed.yml
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -1,8 +1,8 @@
-title: Suspicious Multiple File Rename Occurred
+title: Suspicious Multiple File Rename Or Delete Occurred
 id: 97919310-06a7-482c-9639-92b67ed63cf8
 author: Vasiliy Burov, oscd.community
 date: 2020/10/16
-description: Detects multiple file rename events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity.
+description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity.
 status: experimental
 references:
   - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
From 11df6c2566657d611b4bc8d6b2b19480c5efd390 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Fri, 23 Oct 2020 10:16:59 +0200
Subject: [PATCH 0936/1335] Sigma rule

---
 rules/linux/macos_emond_launch_daemon.yml | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/macos_emond_launch_daemon.yml

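Review bot: The title and description now claim delete events, but the diffstat shows only those two lines changed, so the selection feeding `count() by SubjectLogonId` (outside the hunk) is untouched; unless it already matched delete events before this commit, the rule name overstates what it detects. Either extend the selection in the same commit or keep the wording to what the detection actually covers, e.g. `description: Detects multiple file rename events ... by the same user` until the delete case is added.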
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos_emond_launch_daemon.yml
new file mode 100644
index 000000000..1c904a61b
--- /dev/null
+++ b/rules/linux/macos_emond_launch_daemon.yml
@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+  - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+  category: file_event
+  product: macos
+detection:
+  selection_1:
+    TargetFilename|contains: '/etc/emond.d/rules/'
+    TargetFilename|endswith: '.plist'
+  selection_2:
+    TargetFilename|contains: '/private/var/db/emondClients/'
+  condition: selection_1 or selection_2
+falsepositives:
+  - Legitimate administration activities
+level: medium
+tags:
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1546.014
From 9d286b4d47c1f6b0fb1b025dcabf5abb746c5ff0 Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Fri, 23 Oct 2020 12:38:13 +0400
Subject: [PATCH 0937/1335] Deleted not my rule Was added by mistake =)

---
 .../registry_event/sysmon_comhijack_sdclt.yml | 26 -------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 rules/windows/registry_event/sysmon_comhijack_sdclt.yml

diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
deleted file mode 100644
index bf76b00d8..000000000
--- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: COM Hijack via Sdclt
-id: 07743f65-7ec9-404a-a519-913db7118a8d
-status: experimental
-description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-author: Omkar Gudhate
-date: 2020/09/27
-references:
-  - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
-  - https://www.exploit-db.com/exploits/47696
-tags:
-  - attack.privilege_escalation
-  - attack.t1546
-  - attack.t1548
-logsource:
-  category: registry_event
-  product: windows
-detection:
-  selection:
-    TargetObject:
-      - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-    EventType:
-      - SetValue
-  condition: selection
-falsepositives:
-  - unknown
-level: high
From f7a110e107693e5d30cfa5320eca844af597a71c Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Fri, 23 Oct 2020 12:41:39 +0400
Subject: [PATCH 0938/1335] Small fix Removed extra line; Added "\" to file path end

---
 rules/windows/process_creation/win_verclsid_runs_com.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
index 6e5d539c2..99c649aec 100644
--- a/rules/windows/process_creation/win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -13,10 +13,9 @@ logsource:
   product: windows
 detection:
   image_path:
-    Image|endswith: 'verclsid.exe'
+    Image|endswith: '\verclsid.exe'
   cmd_s:
     CommandLine|contains: '/S'
-
   cmd_c:
     CommandLine|contains: '/C'
   condition: image_path and cmd_c and cmd_s
From d7709d2236100f712a5a336479a7cb46bde63a6a Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Fri, 23 Oct 2020 12:44:46 +0400
Subject: [PATCH 0939/1335] Small fix Add "\" to file path end

---
 rules/windows/process_creation/win_winword_dll_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
index e9b9226bd..cae14f604 100644
--- a/rules/windows/process_creation/win_winword_dll_load.yml
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -11,7 +11,7 @@ logsource:
   product: windows
 detection:
   image_path:
-    Image|endswith: 'winword.exe'
+    Image|endswith: '\winword.exe'
   cmd:
     CommandLine|contains: '/l'
   condition: image_path and cmd
From ca6a4beb6584aa719e5603d997a242b36872a75b Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Fri, 23 Oct 2020 12:50:27 +0400
Subject: [PATCH 0940/1335] Small fix Added "\" at file path end

---
 rules/windows/process_creation/win_susp_runscripthelper.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml
index b5ac43167..3bea7fb7e 100644
--- a/rules/windows/process_creation/win_susp_runscripthelper.yml
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
@@ -11,7 +11,7 @@ logsource:
   product: windows
 detection:
   image_path:
-    Image|endswith: 'Runscripthelper.exe'
+    Image|endswith: '\Runscripthelper.exe'
   cmd:
     CommandLine|contains: 'surfacecheck'
   condition: image_path and cmd
From f27a7832ad9e11134f7bb347ba066870e3ddb1d2 Mon Sep 17 00:00:00 2001
From: stvetro <57000749+stvetro@users.noreply.github.com>
Date: Fri, 23 Oct 2020 13:25:32 +0400
Subject: [PATCH 0941/1335] Small fix Added "\" at file path end Optimised exclusion of empty cmds

---
 .../win_susp_file_download_via_gfxdownloadwrapper.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
index da4a75703..0d7fff903 100644
--- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -11,12 +11,12 @@ logsource:
   product: windows
 detection:
   image_path:
-    Image|endswith: 'GfxDownloadWrapper.exe'
-  cmd:
+    Image|endswith: '\GfxDownloadWrapper.exe'
+  cmd_known_url:
     CommandLine|contains: 'gameplayapi.intel.com'
   cmd_null:
-    CommandLine: ''
-  condition: image_path and not cmd and not cmd_null
+    CommandLine: null
+  condition: image_path and not cmd_known_url and not cmd_null
 fields:
   - CommandLine
 falsepositives:
From d623685c2cd311b0217b122f44ed4b76a3782e1c Mon Sep 17 00:00:00 2001
From: invrep-de <72574591+invrep-de@users.noreply.github.com>
Date: Fri, 23 Oct 2020 23:27:52 +0200
Subject: [PATCH 0942/1335] [OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy

---
 .../win_bad_opsec_sacrificial_processes.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml

diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
new file mode 100644
index 000000000..6df66d251
--- /dev/null
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
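Review bot: `CommandLine: null` and the removed `CommandLine: ''` are not the same test: in Sigma `null` matches an absent field, whereas `''` matched a present-but-empty value, and which of the two a given collector emits for a process started without arguments differs by backend and log source. Keeping both costs one section: `cmd_null:` / `CommandLine: null` plus `cmd_empty:` / `CommandLine: ''`, with `condition: image_path and not cmd_known_url and not cmd_null and not cmd_empty`. Separately, `cmd_known_url` is a substring test, so the exclusion applies whenever `gameplayapi.intel.com` appears anywhere on the command line rather than only in the URL position; anchoring it to the expected invocation form would keep the allow-list as narrow as it is meant to be.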
@@ -0,0 +1,25 @@
+title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+id: a7c3d773-caef-227e-a7e7-c2f13c622329
+status: experimental
+description: Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit @am0nsec), and other examples.
+author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
+date: 2020/10/23
+references:
+  - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
+  - https://www.cobaltstrike.com/help-opsec
+tags:
+  - attack.defense_evasion
+  - attack.t1085 # legacy
+  - attack.t1218.011
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    CommandLine:
+      - '*\WerFault.exe'
+      - '*\rundll32.exe'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: high
From e5567631eb7f1588286cea205b03049b004ddd56 Mon Sep 17 00:00:00 2001
From: invrep-de <72574591+invrep-de@users.noreply.github.com>
Date: Sat, 24 Oct 2020 07:27:59 -0400
Subject: [PATCH 0943/1335] Minor changes to incorporate feedback Incorporated feedback from @yugoslavskiy. Thank you!

---
 .../process_creation/win_bad_opsec_sacrificial_processes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
index 6df66d251..4f28c0821 100644
--- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
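Review bot: The patterns `'*\WerFault.exe'` and `'*\rundll32.exe'` only match a command line that is a backslash-containing path ending in the image name, so two common spellings of an argument-less launch fall through: a bare `rundll32.exe` with no path, and a quoted path, where the logged command line ends in `"` rather than `.exe`. Adding the variants (`'rundll32.exe'`, `'*\rundll32.exe"'`, and the same pair for WerFault) would close that gap; how the process-creation source in use records the quoted form is worth confirming before relying on the exact string. The rule's whole premise is the absence of arguments, so a short sentence in `description` on what the normal invocation of each binary looks like would help whoever tunes `falsepositives: Unlikely` later.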
@@ -1,7 +1,7 @@
 title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
 id: a7c3d773-caef-227e-a7e7-c2f13c622329
 status: experimental
-description: Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit @am0nsec), and other examples.
+description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit @am0nsec), and other examples.'
 author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community'
 date: 2020/10/23
 references:
From 15a6352da605ba5b4fe4f2d76245bac51224e85d Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Sat, 24 Oct 2020 17:40:29 +0530
Subject: [PATCH 0944/1335] Removed event ID

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index b7d95b726..c844648f0 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -14,7 +14,6 @@ logsource:
   product: windows
 detection:
   selection:
-    EventID: 3
     ParentImage|endswith: '*\msbuild.exe'
   condition: selection
 fields:
From 2469ad14d872cacfef8a624895f6194e8f42d510 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 11:47:21 +0530
Subject: [PATCH 0945/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index c844648f0..3ddcaad92 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -15,7 +15,6 @@ logsource:
 detection:
   selection:
     ParentImage|endswith: '*\msbuild.exe'
-  condition: selection
 fields:
   - ParentImage
 falsepositives:
From 02ce1196c3580d2c0d615e2f87514e251115aec3 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 11:58:32 +0530
Subject: [PATCH 0946/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 3ddcaad92..c844648f0 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -15,6 +15,7 @@ logsource:
 detection:
   selection:
     ParentImage|endswith: '*\msbuild.exe'
+  condition: selection
 fields:
   - ParentImage
 falsepositives:
From d7e9a87feb97ef76e0b42b8f6613c0133d85e281 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 12:10:46 +0530
Subject: [PATCH 0947/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index c844648f0..1ba054f54 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -14,10 +14,14 @@ logsource:
   product: windows
 detection:
   selection:
-    ParentImage|endswith: '*\msbuild.exe'
-  condition: selection
-fields:
-  - ParentImage
+    DestinationPort:
+      - '80'
+      - '443'
+    Initiated: 'true'
+  filter:
+    Image|endswith:
+      - '*\msbuild.exe'
+  condition: selection and not filter
 falsepositives:
   - unknown
 level: high
From 6c5bb72491d1c4a5f19ebed988a1443fb118630e Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 12:28:04 +0530
Subject: [PATCH 0948/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 1ba054f54..805d154b2 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -21,7 +21,7 @@ detection:
   filter:
     Image|endswith:
       - '*\msbuild.exe'
-  condition: selection and not filter
+  condition: selection and filter
 falsepositives:
   - unknown
 level: high
From 630365cb4b0bf2ee7f85dd165932614451283232 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 14:13:11 +0530
Subject: [PATCH 0949/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 805d154b2..78235fea9 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -19,8 +19,7 @@ detection:
       - '443'
     Initiated: 'true'
   filter:
-    Image|endswith:
-      - '*\msbuild.exe'
+    ParentImage|endswith: '*\msbuild.exe'
   condition: selection and filter
 falsepositives:
   - unknown
From 708fe7f8fa7752d029743dbd5bc60757ff4cf22c Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 14:13:33 +0530
Subject: [PATCH 0950/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 78235fea9..dff4618c1 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -19,7 +19,7 @@ detection:
       - '443'
     Initiated: 'true'
   filter:
-    ParentImage|endswith: '*\msbuild.exe'
+    ParentImage|endswith: '\msbuild.exe'
   condition: selection and filter
 falsepositives:
   - unknown
From c83d5a3d65dfa708c7e93ccc21ac1cc7f4601975 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Mon, 26 Oct 2020 09:45:13 +0100
Subject: [PATCH 0951/1335] Added some minor tuning of ip ranges

---
 rules/linux/lnx_remote_system_discovery.yml | 23 ++++++++++++++++++-
 rules/linux/macos_remote_system_discovery.yml | 23 ++++++++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
index 67defedf7..96209f7b8 100644
--- a/rules/linux/lnx_remote_system_discovery.yml
+++ b/rules/linux/lnx_remote_system_discovery.yml
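Review bot: `ParentImage|endswith` replaces `Image|endswith` in `filter`, but the fields in `selection` (`DestinationPort`, `Initiated`) belong to a Sysmon network connection event, and that event type carries `Image` and no `ParentImage`; the logsource is outside the hunk, but the `EventID: 3` dropped in the 0944 patch points to a network-connection source, in which case the filter can never match and `condition: selection and filter` never fires. The 0950 hunk on this same line and the 0956 hunk on a later line keep `ParentImage` for the same event type. Either restore `Image|endswith: '\msbuild.exe'` here, or, if the parent of a process is really what is meant, switch the logsource to process creation and drop the network fields.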
@@ -13,11 +13,32 @@ detection:
   selection_1:
     ProcessName|endswith:
       - '/arp'
-    CommandLine|contains|all:
+    CommandLine|contains:
       - '-a'
   selection_2:
     ProcessName|endswith:
       - '/ping'
+    CommandLine|contains:
+      - '10.' #10.0.0.0/8
+      - '192.168.' #192.168.0.0/16
+      - '172.16.' #172.16.0.0/12
+      - '172.17.'
+      - '172.18.'
+      - '172.19.'
+      - '172.20.'
+      - '172.21.'
+      - '172.22.'
+      - '172.23.'
+      - '172.24.'
+      - '172.25.'
+      - '172.26.'
+      - '172.27.'
+      - '172.28.'
+      - '172.29.'
+      - '172.30.'
+      - '172.31.'
+      - '127.' #127.0.0.0/8
+      - '169.254.' #169.254.0.0/16
   condition: 1 of them
 falsepositives:
   - Legitimate administration activities
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index d1a21338a..6738c4134 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -13,11 +13,32 @@ detection:
   selection_1:
     ProcessName|endswith:
       - '/arp'
-    CommandLine|contains|all:
+    CommandLine|contains:
       - '-a'
   selection_2:
     ProcessName|endswith:
       - '/ping'
+    CommandLine|contains:
+      - '10.' #10.0.0.0/8
+      - '192.168.' #192.168.0.0/16
+      - '172.16.' #172.16.0.0/12
+      - '172.17.'
+      - '172.18.'
+      - '172.19.'
+      - '172.20.'
+      - '172.21.'
+      - '172.22.'
+      - '172.23.'
+      - '172.24.'
+      - '172.25.'
+      - '172.26.'
+      - '172.27.'
+      - '172.28.'
+      - '172.29.'
+      - '172.30.'
+      - '172.31.'
+      - '127.' #127.0.0.0/8
+      - '169.254.' #169.254.0.0/16
   condition: 1 of them
 falsepositives:
   - Legitimate administration activities
From 6da58584c5f60822bc0422ce5e2ffa421b3f740e Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Mon, 26 Oct 2020 12:14:59 +0300
Subject: [PATCH 0952/1335] Update win_susp_multiple_files_renamed_or_deleted.yml Added an issue into 'falsepositives' section.

---
 .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

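Review bot: The new `CommandLine|contains` values are unanchored substrings, so `'10.'` also matches a public address such as `210.5.5.5` or `8.8.10.1`, and `'127.'` matches any octet sequence that happens to contain it; the macos hunk on this same line carries the identical list. A leading space (`' 10.'`, `' 127.'`, `' 169.254.'`, ...) ties each value to the start of an argument, and a single `CommandLine|re` pattern for the 172.16.0.0/12 block would replace the sixteen `172.x.` entries with one that a reader can verify. The selection is still only a prefix check, so ping by hostname or toward a non-RFC1918 range is now out of scope, which is fine for a tuning step but deserves a line in the description.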
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
index ea083f54a..bd78cf417 100644
--- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -22,5 +22,5 @@ detection:
   timeframe: 30s
   condition: selection | count() by SubjectLogonId > 10
 falsepositives:
-  - Unlikely
+  - Software uninstallation
 level: high
From 779596334c152b55eac202cb0e308bacc4cca45d Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Mon, 26 Oct 2020 12:35:16 +0300
Subject: [PATCH 0953/1335] Update win_susp_multiple_files_renamed_or_deleted.yml

---
 .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
index bd78cf417..3ff4c519d 100644
--- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -22,5 +22,5 @@ detection:
   timeframe: 30s
   condition: selection | count() by SubjectLogonId > 10
 falsepositives:
-  - Software uninstallation
+  - Software uninstallation.
 level: high
From b84fc7850cfbd9040f23e0eaed84229548b5ee41 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Mon, 26 Oct 2020 13:48:19 +0300
Subject: [PATCH 0954/1335] Update win_susp_multiple_files_renamed_or_deleted.yml

---
 .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
index 3ff4c519d..fb61a718a 100644
--- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -22,5 +22,5 @@ detection:
   timeframe: 30s
   condition: selection | count() by SubjectLogonId > 10
 falsepositives:
-  - Software uninstallation.
+  - software uninstallation
 level: high
From 70beef515d9b0305d9e76562dc28d5d3b8ca4dc4 Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 14:01:46 +0300
Subject: [PATCH 0955/1335] Update sysmon_abusing_debug_privilege.yml mitre tag added.Checked.

---
 .../sysmon_abusing_debug_privilege.yml | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 0548c3c22..2e1eba15c 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -3,16 +3,17 @@ id: d522eca2-2973-4391-a3e0-ef0374321dae
 status: experimental
 description: Detection of unusual child processes by different system processes
 references:
-  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+  -https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
 date: 2020/10/07
 tags:
   - attack.privilege_escalation
+  - attack.t1548
 author: 'oscd.community, Semanur Guneysu @semanurtg'
 logsource:
   product: windows
   category: process_creation
 detection:
-  selection:
+  selection1:
     ParentImage|endswith:
       - '\winlogon.exe'
       - '\services.exe'
@@ -22,17 +23,17 @@ detection:
       - '\wininit.exe'
       - '\spoolsv.exe'
       - '\searchindexer.exe'
-  filter1:
+  selection2:
     Image|endswith:
       - '\powershell.exe'
       - '\cmd.exe'
-  filter2:
-    User: 'NT AUTHORITY\\SYSTEM'
-  filter3:
-    CommandLine|contains:
-      - 'route'
-      - 'ADD'
-  condition: selection and filter1 and filter2 and not filter3
+  selection3:
+    User: 'NT AUTHORITY\\SYSTEM'
+  filter:
+    CommandLine|contains|all:
+      - ' route ADD '
+
+  condition: selection1 and selection2 and selection3 and not filter
 fields:
   - ParentImage
   - Image
From b5e07f0a375e74166b871949952e1db43926fdd7 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 17:00:50 +0530
Subject: [PATCH 0956/1335] Update silenttrinity_stager_msbuild_activity.yml

---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index dff4618c1..124148c19 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -14,13 +14,13 @@ logsource:
   product: windows
 detection:
   selection:
+    ParentImage|endswith: '\msbuild.exe'
+  filter:
     DestinationPort:
       - '80'
       - '443'
     Initiated: 'true'
-  filter:
-    ParentImage|endswith: '\msbuild.exe'
-  condition: selection and filter
+  condition: selection and filter
 falsepositives:
   - unknown
 level: high
From e65b8249d78be9222fbd9dbaa8a84f597ce3177f Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 14:39:43 +0300
Subject: [PATCH 0957/1335] Update sysmon_abusing_debug_privilege.yml

---
 .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 2e1eba15c..980c7f519 100644
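Review bot: `selection3` pins `User` to the English literal `'NT AUTHORITY\\SYSTEM'`, so the rule goes silent on hosts whose SYSTEM account is logged under a localized authority name; the 0959 hunk on a later line keeps the same literal (with the backslash escaping corrected). A language-independent form such as `User|contains:` / `- 'AUTHORI'` / `- 'AUTORI'` preserves the intent. In `filter`, `contains|all` with the single value `' route ADD '` is just `contains`, and the exact spacing makes the exclusion brittle; `CommandLine|contains|all:` with `'route'` and `'ADD'` as separate values is the usual way to require both words without depending on whitespace.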
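Review bot: The section named `filter` now holds the positive network criteria (`DestinationPort`, `Initiated`) and is ANDed into the condition, while Sigma convention and the rest of this repository use `filter` for sections negated with `not`; a reader skimming `condition: selection and filter` will assume an exclusion. Renaming it (`selection_net:` with `condition: selection and selection_net`) removes the ambiguity and makes it explicit that all criteria must sit on one event. The `ParentImage` field moved into `selection` is the same concern already raised on the 0949 hunk: it is not a field of the network connection event these criteria describe.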
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -3,7 +3,7 @@ id: d522eca2-2973-4391-a3e0-ef0374321dae
 status: experimental
 description: Detection of unusual child processes by different system processes
 references:
-  -https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+  -"https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg"
 date: 2020/10/07
 tags:
   - attack.privilege_escalation
From 3ff10b160f2351ad5796ae696abb8e9ef322e163 Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 14:44:27 +0300
Subject: [PATCH 0958/1335] Update sysmon_abusing_debug_privilege.yml

---
 .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 980c7f519..ec7fad0ee 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -3,7 +3,7 @@ id: d522eca2-2973-4391-a3e0-ef0374321dae
 status: experimental
 description: Detection of unusual child processes by different system processes
 references:
-  -"https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg"
+  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
 date: 2020/10/07
 tags:
   - attack.privilege_escalation
From cb5a541a5ea4582b346cc7c07ece58df3d1ab45e Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 14:56:25 +0300
Subject: [PATCH 0959/1335] Update sysmon_abusing_debug_privilege.yml NT AUTHORITY\SYSTEM

---
 .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index ec7fad0ee..6cb6b4dfd 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,7 @@ detection:
       - '\powershell.exe'
       - '\cmd.exe'
   selection3:
-    User: 'NT AUTHORITY\\SYSTEM'
+    User: 'NT AUTHORITY\SYSTEM'
   filter:
     CommandLine|contains|all:
       - ' route ADD '
From 4e1143502edf51ca36f6bb25e5073fdd4642f898 Mon Sep 17 00:00:00 2001
From: Semanur Guneysu
Date: Mon, 26 Oct 2020 15:18:20 +0300
Subject: [PATCH 0960/1335] Create .DS_Store

---
 rules/windows/process_creation/.DS_Store | Bin 0 -> 30724 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 rules/windows/process_creation/.DS_Store

diff --git a/rules/windows/process_creation/.DS_Store b/rules/windows/process_creation/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d6e5311e6eeda92a3a77842d674b891fb47998a0 GIT binary patch literal 30724 zcmeI5%W|E?5y!t{ZZ;4ufdq1QAQz_y#Ig;TA`2IlRFPe(vSBB5m#}U~vL&`4EnHD7n1ujf0*3YAI)3FIRk>-?vu=Rg0x%pAGvy2*QYRu{T% zzw5e-^2y_KPj}sgOI>$a9--`TRw9EUV_%Z%x+nP@Y-pj$}3VlfM#TI09`9|H z(bEww{IlzxxzdlYC_i~3R<4z`+Y*G`Vwntk{&DVsa}RuHJs`20kBd*~m&@~)`Ehx?b^3T;ANA$kL|@)bPDh@cRw$D)y1edk`SEUYOCQhwJomu42ZkPa zU7mWiubjrJk9Da!mP$nuE0KG7ozuN5Rmf+371DJ-Ym7pLxg*udYN@GKq*7Tbb=6zl zjRx{RrjWDhjOr;OuXW2(yKP84MeTH)V^f_4tACtYeMhht#UFc8TT&luRdv|F{QDGU zZZDXtg1OySd-!6j*n1>Zc3SIAq*@L3UT)g!v6lsJQLLv@rs}7nO!2AY1AexO)bE@9 zx@iY!&G{uqrb?Z~kJuTYj$M z>=jSa-C+d}<-gREbVCAWwnM7s(8D=6T_4tdTTmH|?#WJ$U)bjRMVW`E@nM@PRAb#b zc;!(u%{UUvR>Tipi{`MnaLZ$7-6xM-`)OFr&fpPkO8q^78y@|YgmLuH*mZld%V64} z>^wXIPjp6f8MozU@-bkwA0zX*jzKSaS3c=1qEcIex|*XF_IcD763dSTV^3_|5v0_% z!Z(kSarn5rUORL1D%w|0(fodcpJ)~=pzBD)K-(5YbLd23ZDYoTWggetYP_#@&K36y zyF8|`i(SA9vm)#%_7`i6t#fL7VV6g@m9KkjQ8)#6=+7$hT^Z?6My;LCLBE4bTNQ>ArAGSi@FpPHPN}vW%bd^&{MJ$miE#nt9cK^g zwJU0@rvrV#FE>stPuBpZg%NDW9Tx(s?IQX)|GG%3@4#fkrqc2SKc$S~)DbGT8wcw!rT4R__ zTon&5H8X42>5*S|mcpS$S#LdC;!KHLT2+jZjHB#yJvG}eKf{h!mhLw91uPsNS@$M; zM01nf(>*YqFQX`oV^Q^va26$Nv(t}kai&Hr))&QNb(j$hIFRouYg639P>*Z-N^#ND zyMm&-x~ghbfU3ANvb^B4AGy_HZEj0cAQm2<`eH|{Cl_e?0;WEH(=pZWRIhEsS=C>( z2HTstD7qOijjbp0D)xL_!8mjEN9tjsZa^MZ`uQ_|kf&dfQGFJ%RFupV*tAWfpVp-K z4z*3~!F$~m=e<`4W9Vt`j(BfX{<|kDLuJ5vpnRGkkiqQAbB*d0e}++Bm>PwhsHeZj zWrw7;;=6!yV+sY{Y{(}O#IFx~U^>f$R|kb@`U?N^mOJEj$i5GDSZ+hyBI@Wqr&F>e zgM3?NoLbAC4!D+0R9y6tJyEm!+YKa% zF9FFiMnj^X05e!m-xXPul|f?{#QN0E!o<%U6D{Hx`nIei(VV@zDQM_4eC%03}Nj^B)cLmq9oD%1!>Aoz?XHu6m}m4IaVX0?lb zNd#(WKw*ftWw@^R9E8K-BUMkjVB}Ze?zh*Kd^p%QTvyOh`I@Q0=C#&*;mPEpv5S~gx0 zH^gdk%B_N!qX=^Xip4ua!INYZn(5LjBY$dJCL9WwUeQ#0HpL?PV%lp%$52U>2NtB3 z!mEI4*+jJzkFA#IM7E<+D6^+wZ%j9G6r<>QD#P5d~+ok7&q3Y=QXJd@%TetEp1rjWa6c7lFV6Xi&7 
z%p-k&u*c~8tcwR$TKg1T3K+xL5xEw+w}nZ>wCnO6oEnK^0dKf_z}u2l)hs`qSz(Ny z*>G1ArBH8}u3z(AGj12QeC60O+>b|P@4y+&?{~_6Wal*IO1?DlnATOSJ7;2E zwbxN0k3Cd-vN`;yJ5oFBT9Z+q(_3jrNtiQ^uJs;!o!Sg*$)`6(^R;TQ!4lym@*zU2e zUft#N&6gzxXlF=s;+bb40o{7?*krn)Dqdr-o`-1%Lwl3tX{}leo;`3pvpuBqR?TBi zYP=zPq>dRoTM@kqm^a*7qMrBU^|ecgst_r)I$#cUMXA%+zd9f88lyT@g;Xa-&!q}W z{oJerR&Tr4@xZ3;A=^q3#?Gj_5D))JmlT|ac+AMS;*Y_+hJy#<%) z39Jh`qrpF_CvH%X<>?t%>%P12G2mO2na1bd#7TqI!o7gvtwgPB6d0bX!!?w$YEQar z(8qvpae^K;_{t#&z|w$tt!E9h%-N}R31eAjsw&V~nftk8u4w@_z{$O$ zTlfeCCZoM7S<;*G)k0a{g?v2ksVN1o5qFa(?7$<3xe zL{%Pr`JtI-*f&~MqsIRM@^x9mMxO&t2jpM(JGMr86dvWRU8NdTGy@%KPb0g9Eny^! zVDxep zrs#%tTQKNVP>tp&qK`9Ch-S+&Pr3;yN@2sNj%St?nk~dCz14NES3QksIVL>tn9uY) z*c9KOm7BtV^tGs0c&$}KREkI9V_r|zLk^(*Nv&Gx#WhaW3tzlNe*KQ*by|s%@oLwe z47ho3fIKePXf?&Ayb6SPpH0fyI`@m%laQ=+SFno=)KVtq43uu z{Jx(VN~rhq=nVLqN}TZOX;`g`RV(2*oa8)ij+-{Ya_dr3m+1K}Xd{XMs~_8RtTv3= znL>TFtJKhO;$6TnzA8q24=%Q_e(Z}@elEHX3 zqrrF~^#HRBc$QIMJ=xZ->y6bL6jb>MhlMZbtB&*Cz5Df9G6d8ycKj1^2vFRt=Hg@_Ackd?c}YI${vdnQ!A{7B)WqzGI{1 zEA#^6-9{94^mY%N3}{~KP+#U<-!0MLHSsiHc$P3eXE1jA&fls?eTPN`JnI*5m$Ty8 zZMB)Rgm(eavMEl}=pl0^Kx_kxS?gI3H3;9aMyyI|FANOm&-Dys71?>jULsEZdf`fV zz3EGRy{?1ap%^`*eEbW?47)9&IQWj8Pe!J78ZK+eD*POCJ*5(n{({Oek2S zf*HeFlpe^_p|miB^R% zY;SNDj=#05$sQq>Z=EcNLIoVVu{w=Y>(AO_x8AYcXhX4l6~}rsVlwOrBU|?uMdV#~ zCuIdx6>Zd-$Ja`;RmlqH1HRq(z{`3=g8qosY}}AiWUYXx4`!{9HMUN(EQGMvl`bxD1Lo(6o&0dwEbts@)zNKlt^%);S^ zvAN#(qUNgos}UtZw}Z|0uG`#Z{Y^zE9z7X+!8*Vo?c1cDL02zcbUe1`Fg^}vB zt98Ke6g?k9xEsdEeQDhnw8ic*GHd#quz=q_)ly7Rfmzg7_)7fpg;wHu_-JhdDC z2E^Cg>Y#1)213mZ%-86z?mrkt-GTyEevdN`KA$)~TX(R|L(iwJAA{0rcbrJ6zc~vv zK^=L&Y{O&dZ5YXNH13Y+E>{HB0RJ~DH}tiE<tJS4e;d*z1x|}EtQ*^a+mcTo+w(IOH9&CHRRKB0^v%l|H$I@r>5#gmD z(W>M)BGyyQYgRKyAFycYSJl_zCu0Q2{~secRqJX+feC~u91ITqUIu`F&+TbA)7#UySAOsgb@ zn9AJI&TY{-Z{yf}t1dLo&|uJ|4;+L1s-sbw2WF9ty+=QR%D+Zat&B(XD~x41-Jz_l zG8Em?EQ`Is=yasW8u=SIjf$s!hQR^fBFc1SRXH%@_cXw)fM|8kG$Ph<-z&FFSQT*W z=05o(F~{EbMNbAb!I$=%1Mo@tJ(lvfyh|V*2d0H_OgG2InXAr(b!WgPE7a4Jk<7EO z@PT8YXGYDp@qkr@wSQIBUUSe!?+LxRg)QWjo=ErJN 
zg*9})aL9Wqvu0VcJ#67LCG|IKdGe-Xi=ErqoV3zysh;p5Ab79V`7oPCCB}+}*IPvQ z7NA^o-H7XYYVXfX)48EI0ol4lW5}wDGwRWRYZ2Gu(*3ng0ot2diOvMHeE!^-BR^ng zaVLPPeAe$*5tRwZ`TTXJsDbXz!;%G_1FNKfZddu3fG5nbq)mM%Q6FsKArzm1#9ho+sNs-{* zQ!hL2Sv~EMSb5GdIU{7}Y0rk;I9K-u=7mwN_SNq^qh#6a@D9jG42PRx{9IGXWZsb z36X_9278^8@6-#0d7nDwSy$RPu_`FFSHpd5Q;d2dP3F?#HmvJM_~sj_LFJimwf^V+ zf94T#jk{u3y^T*_n~H_r6OlLd2s&r>3i2DtF7amyL@jcC;um^NCyJgur{?V&;zVo!L(2eG-kE zJcV^%JJ#i^M`m1SiNl zb26^)@Xt}CG{>CMup3#l*Awt(#WA5~x0Wu8`% z@a))a17Tr6%#>h5@EUs!7KGPl*)S_$TFN~Y6pso}BVF?}88!!WUw7B}axS6o-qD`> zLv;0@{?hR(TXj9ntoa%2YTk(`Eb@4n_D|#KUYpAog;gFu%T~en=j?43d890J(i;$S z=ceR#!JAnP;BRr%%Hkoqe}!w_?#u(^=)C`}?ts(-g;%qXs6gp>kb%*wNRd#d@4fF> zl-Z>3vEMCuNK?7tPe96II}w%l2apl9)JHTT;A9#RakyEn=X>cKVO~JYb_zXBJ;ft8 zE|=}0gpjASQ477gbaY3|>y1+&74nI5)AB(p_h=&Gdi zDQx?~vF%|z7vHBz7NMPpd?eWDN3v6cS)Sv4N8FtwyW-SUD~^#_6@K}#vP>fPna)D< zI6OC6D-k`kt0u@dHJZ(d3ik|^ z+W%Xx|1U|EEFb&)`#*n{-#Iz;@BiJB@Bb>FAG&`Fu)N^>k8=;4d*J`a1CvMp^tV5~ zC-a#!=ET3Xb6Gw=luthRx%>LqzeK(${}hk>EdLbGiF}3+`TP4kF*zOOzy1#ZS;RQ6 P|Ih3H+H3pH*8l$oZNcWD literal 0 HcmV?d00001 From 2dab2d420c8f901de48ff1ee82f8537f75df73e5 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Mon, 26 Oct 2020 15:24:00 +0300 Subject: [PATCH 0961/1335] Update sysmon_abusing_debug_privilege.yml --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 6cb6b4dfd..6288cf717 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -32,7 +32,6 @@ detection: filter: CommandLine|contains|all: - ' route ADD ' - condition: selection1 and selection2 and selection3 and not filter fields: - ParentImage From bc5e9b57e90537cc4032759185a495939c7907f8 Mon Sep 17 00:00:00 2001 
From: Semanur Guneysu Date: Mon, 26 Oct 2020 17:45:13 +0300 Subject: [PATCH 0962/1335] Update sysmon_abusing_debug_privilege.yml --- .../process_creation/sysmon_abusing_debug_privilege.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 6288cf717..93c098f30 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -31,7 +31,8 @@ detection: User: 'NT AUTHORITY\SYSTEM' filter: CommandLine|contains|all: - - ' route ADD ' + - ' route ' + - ' ADD ' condition: selection1 and selection2 and selection3 and not filter fields: - ParentImage From db49c436a36cf56aa931d3b29f77aef5150d54bd Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Mon, 26 Oct 2020 18:08:05 +0300 Subject: [PATCH 0963/1335] Update sysmon_abusing_debug_privilege.yml --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 93c098f30..ceb26224f 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -8,7 +8,7 @@ date: 2020/10/07 tags: - attack.privilege_escalation - attack.t1548 -author: 'oscd.community, Semanur Guneysu @semanurtg' +author: 'oscd.community,Semanur Guneysu @semanurtg' logsource: product: windows category: process_creation From 1b3cb8a64b17ade9dbf55ea92fa18974223afbc0 Mon Sep 17 00:00:00 2001 
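Review bot: Splitting `' route ADD '` into `' route '` and `' ADD '` under `CommandLine|contains|all` widens an exclusion, not a detection: `filter` is negated in `condition: selection1 and selection2 and selection3 and not filter`, so any SYSTEM-spawned cmd.exe or powershell.exe whose command line carries those two tokens anywhere, in any order, is now dropped from the alert, and that string is attacker-controlled. If the intent was to tolerate variants such as `route -p ADD`, keep the exclusion as a short list of exact phrases instead, e.g. `CommandLine|contains:` / `    - ' route ADD '` / `    - ' route -p ADD '`, and say why it exists with `# exclusion for legitimate static-route setup; keep this tight, the text is attacker-controllable`. selection1 and selection2 are outside this hunk.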
From: Semanur Guneysu Date: Mon, 26 Oct 2020 18:15:57 +0300 Subject: [PATCH 0964/1335] Delete .DS_Store --- rules/windows/process_creation/.DS_Store | Bin 30724 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 rules/windows/process_creation/.DS_Store 
diff --git a/rules/windows/process_creation/.DS_Store b/rules/windows/process_creation/.DS_Store deleted file mode 100644 index d6e5311e6eeda92a3a77842d674b891fb47998a0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 30724 zcmeI5%W|E?5y!t{ZZ;4ufdq1QAQz_y#Ig;TA`2IlRFPe(vSBB5m#}U~vL&`4EnHD7n1ujf0*3YAI)3FIRk>-?vu=Rg0x%pAGvy2*QYRu{T% zzw5e-^2y_KPj}sgOI>$a9--`TRw9EUV_%Z%x+nP@Y-pj$}3VlfM#TI09`9|H z(bEww{IlzxxzdlYC_i~3R<4z`+Y*G`Vwntk{&DVsa}RuHJs`20kBd*~m&@~)`Ehx?b^3T;ANA$kL|@)bPDh@cRw$D)y1edk`SEUYOCQhwJomu42ZkPa zU7mWiubjrJk9Da!mP$nuE0KG7ozuN5Rmf+371DJ-Ym7pLxg*udYN@GKq*7Tbb=6zl zjRx{RrjWDhjOr;OuXW2(yKP84MeTH)V^f_4tACtYeMhht#UFc8TT&luRdv|F{QDGU zZZDXtg1OySd-!6j*n1>Zc3SIAq*@L3UT)g!v6lsJQLLv@rs}7nO!2AY1AexO)bE@9 zx@iY!&G{uqrb?Z~kJuTYj$M z>=jSa-C+d}<-gREbVCAWwnM7s(8D=6T_4tdTTmH|?#WJ$U)bjRMVW`E@nM@PRAb#b zc;!(u%{UUvR>Tipi{`MnaLZ$7-6xM-`)OFr&fpPkO8q^78y@|YgmLuH*mZld%V64} z>^wXIPjp6f8MozU@-bkwA0zX*jzKSaS3c=1qEcIex|*XF_IcD763dSTV^3_|5v0_% z!Z(kSarn5rUORL1D%w|0(fodcpJ)~=pzBD)K-(5YbLd23ZDYoTWggetYP_#@&K36y zyF8|`i(SA9vm)#%_7`i6t#fL7VV6g@m9KkjQ8)#6=+7$hT^Z?6My;LCLBE4bTNQ>ArAGSi@FpPHPN}vW%bd^&{MJ$miE#nt9cK^g zwJU0@rvrV#FE>stPuBpZg%NDW9Tx(s?IQX)|GG%3@4#fkrqc2SKc$S~)DbGT8wcw!rT4R__ zTon&5H8X42>5*S|mcpS$S#LdC;!KHLT2+jZjHB#yJvG}eKf{h!mhLw91uPsNS@$M; zM01nf(>*YqFQX`oV^Q^va26$Nv(t}kai&Hr))&QNb(j$hIFRouYg639P>*Z-N^#ND zyMm&-x~ghbfU3ANvb^B4AGy_HZEj0cAQm2<`eH|{Cl_e?0;WEH(=pZWRIhEsS=C>( z2HTstD7qOijjbp0D)xL_!8mjEN9tjsZa^MZ`uQ_|kf&dfQGFJ%RFupV*tAWfpVp-K z4z*3~!F$~m=e<`4W9Vt`j(BfX{<|kDLuJ5vpnRGkkiqQAbB*d0e}++Bm>PwhsHeZj zWrw7;;=6!yV+sY{Y{(}O#IFx~U^>f$R|kb@`U?N^mOJEj$i5GDSZ+hyBI@Wqr&F>e zgM3?NoLbAC4!D+0R9y6tJyEm!+YKa% zF9FFiMnj^X05e!m-xXPul|f?{#QN0E!o<%U6D{Hx`nIei(VV@zDQM_4eC%03}Nj^B)cLmq9oD%1!>Aoz?XHu6m}m4IaVX0?lb zNd#(WKw*ftWw@^R9E8K-BUMkjVB}Ze?zh*Kd^p%QTvyOh`I@Q0=C#&*;mPEpv5S~gx0 zH^gdk%B_N!qX=^Xip4ua!INYZn(5LjBY$dJCL9WwUeQ#0HpL?PV%lp%$52U>2NtB3 z!mEI4*+jJzkFA#IM7E<+D6^+wZ%j9G6r<>QD#P5d~+ok7&q3Y=QXJd@%TetEp1rjWa6c7lFV6Xi&7 
z%p-k&u*c~8tcwR$TKg1T3K+xL5xEw+w}nZ>wCnO6oEnK^0dKf_z}u2l)hs`qSz(Ny z*>G1ArBH8}u3z(AGj12QeC60O+>b|P@4y+&?{~_6Wal*IO1?DlnATOSJ7;2E zwbxN0k3Cd-vN`;yJ5oFBT9Z+q(_3jrNtiQ^uJs;!o!Sg*$)`6(^R;TQ!4lym@*zU2e zUft#N&6gzxXlF=s;+bb40o{7?*krn)Dqdr-o`-1%Lwl3tX{}leo;`3pvpuBqR?TBi zYP=zPq>dRoTM@kqm^a*7qMrBU^|ecgst_r)I$#cUMXA%+zd9f88lyT@g;Xa-&!q}W z{oJerR&Tr4@xZ3;A=^q3#?Gj_5D))JmlT|ac+AMS;*Y_+hJy#<%) z39Jh`qrpF_CvH%X<>?t%>%P12G2mO2na1bd#7TqI!o7gvtwgPB6d0bX!!?w$YEQar z(8qvpae^K;_{t#&z|w$tt!E9h%-N}R31eAjsw&V~nftk8u4w@_z{$O$ zTlfeCCZoM7S<;*G)k0a{g?v2ksVN1o5qFa(?7$<3xe zL{%Pr`JtI-*f&~MqsIRM@^x9mMxO&t2jpM(JGMr86dvWRU8NdTGy@%KPb0g9Eny^! zVDxep zrs#%tTQKNVP>tp&qK`9Ch-S+&Pr3;yN@2sNj%St?nk~dCz14NES3QksIVL>tn9uY) z*c9KOm7BtV^tGs0c&$}KREkI9V_r|zLk^(*Nv&Gx#WhaW3tzlNe*KQ*by|s%@oLwe z47ho3fIKePXf?&Ayb6SPpH0fyI`@m%laQ=+SFno=)KVtq43uu z{Jx(VN~rhq=nVLqN}TZOX;`g`RV(2*oa8)ij+-{Ya_dr3m+1K}Xd{XMs~_8RtTv3= znL>TFtJKhO;$6TnzA8q24=%Q_e(Z}@elEHX3 zqrrF~^#HRBc$QIMJ=xZ->y6bL6jb>MhlMZbtB&*Cz5Df9G6d8ycKj1^2vFRt=Hg@_Ackd?c}YI${vdnQ!A{7B)WqzGI{1 zEA#^6-9{94^mY%N3}{~KP+#U<-!0MLHSsiHc$P3eXE1jA&fls?eTPN`JnI*5m$Ty8 zZMB)Rgm(eavMEl}=pl0^Kx_kxS?gI3H3;9aMyyI|FANOm&-Dys71?>jULsEZdf`fV zz3EGRy{?1ap%^`*eEbW?47)9&IQWj8Pe!J78ZK+eD*POCJ*5(n{({Oek2S zf*HeFlpe^_p|miB^R% zY;SNDj=#05$sQq>Z=EcNLIoVVu{w=Y>(AO_x8AYcXhX4l6~}rsVlwOrBU|?uMdV#~ zCuIdx6>Zd-$Ja`;RmlqH1HRq(z{`3=g8qosY}}AiWUYXx4`!{9HMUN(EQGMvl`bxD1Lo(6o&0dwEbts@)zNKlt^%);S^ zvAN#(qUNgos}UtZw}Z|0uG`#Z{Y^zE9z7X+!8*Vo?c1cDL02zcbUe1`Fg^}vB zt98Ke6g?k9xEsdEeQDhnw8ic*GHd#quz=q_)ly7Rfmzg7_)7fpg;wHu_-JhdDC z2E^Cg>Y#1)213mZ%-86z?mrkt-GTyEevdN`KA$)~TX(R|L(iwJAA{0rcbrJ6zc~vv zK^=L&Y{O&dZ5YXNH13Y+E>{HB0RJ~DH}tiE<tJS4e;d*z1x|}EtQ*^a+mcTo+w(IOH9&CHRRKB0^v%l|H$I@r>5#gmD z(W>M)BGyyQYgRKyAFycYSJl_zCu0Q2{~secRqJX+feC~u91ITqUIu`F&+TbA)7#UySAOsgb@ zn9AJI&TY{-Z{yf}t1dLo&|uJ|4;+L1s-sbw2WF9ty+=QR%D+Zat&B(XD~x41-Jz_l zG8Em?EQ`Is=yasW8u=SIjf$s!hQR^fBFc1SRXH%@_cXw)fM|8kG$Ph<-z&FFSQT*W z=05o(F~{EbMNbAb!I$=%1Mo@tJ(lvfyh|V*2d0H_OgG2InXAr(b!WgPE7a4Jk<7EO z@PT8YXGYDp@qkr@wSQIBUUSe!?+LxRg)QWjo=ErJN 
zg*9})aL9Wqvu0VcJ#67LCG|IKdGe-Xi=ErqoV3zysh;p5Ab79V`7oPCCB}+}*IPvQ z7NA^o-H7XYYVXfX)48EI0ol4lW5}wDGwRWRYZ2Gu(*3ng0ot2diOvMHeE!^-BR^ng zaVLPPeAe$*5tRwZ`TTXJsDbXz!;%G_1FNKfZddu3fG5nbq)mM%Q6FsKArzm1#9ho+sNs-{* zQ!hL2Sv~EMSb5GdIU{7}Y0rk;I9K-u=7mwN_SNq^qh#6a@D9jG42PRx{9IGXWZsb z36X_9278^8@6-#0d7nDwSy$RPu_`FFSHpd5Q;d2dP3F?#HmvJM_~sj_LFJimwf^V+ zf94T#jk{u3y^T*_n~H_r6OlLd2s&r>3i2DtF7amyL@jcC;um^NCyJgur{?V&;zVo!L(2eG-kE zJcV^%JJ#i^M`m1SiNl zb26^)@Xt}CG{>CMup3#l*Awt(#WA5~x0Wu8`% z@a))a17Tr6%#>h5@EUs!7KGPl*)S_$TFN~Y6pso}BVF?}88!!WUw7B}axS6o-qD`> zLv;0@{?hR(TXj9ntoa%2YTk(`Eb@4n_D|#KUYpAog;gFu%T~en=j?43d890J(i;$S z=ceR#!JAnP;BRr%%Hkoqe}!w_?#u(^=)C`}?ts(-g;%qXs6gp>kb%*wNRd#d@4fF> zl-Z>3vEMCuNK?7tPe96II}w%l2apl9)JHTT;A9#RakyEn=X>cKVO~JYb_zXBJ;ft8 zE|=}0gpjASQ477gbaY3|>y1+&74nI5)AB(p_h=&Gdi zDQx?~vF%|z7vHBz7NMPpd?eWDN3v6cS)Sv4N8FtwyW-SUD~^#_6@K}#vP>fPna)D< zI6OC6D-k`kt0u@dHJZ(d3ik|^ z+W%Xx|1U|EEFb&)`#*n{-#Iz;@BiJB@Bb>FAG&`Fu)N^>k8=;4d*J`a1CvMp^tV5~ zC-a#!=ET3Xb6Gw=luthRx%>LqzeK(${}hk>EdLbGiF}3+`TP4kF*zOOzy1#ZS;RQ6 P|Ih3H+H3pH*8l$oZNcWD From dc41f64023a0ecc281160af4c3bafd5e8eed9a52 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Mon, 26 Oct 2020 11:52:16 -0400 Subject: [PATCH 0965/1335] [OSCD] Bad Opsec Defaults Sacrificial Processes Incorporate feedback from @yugoslavskiy; --- .../process_creation/win_bad_opsec_sacrificial_processes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 4f28c0821..206dd9fa2 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -1,7 +1,7 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 status: experimental -description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit @am0nsec), and other examples.' +description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' date: 2020/10/23 references: From 8a9db12d30565416cc5b24ef5a31ff88321e0115 Mon Sep 17 00:00:00 2001 From: invrep-de <72574591+invrep-de@users.noreply.github.com> Date: Mon, 26 Oct 2020 12:05:16 -0400 Subject: [PATCH 0966/1335] Enhanced to improve specificity Enhanced to improve specificity per feedback received; --- .../win_bad_opsec_sacrificial_processes.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml index 206dd9fa2..4b9294d8c 100644 --- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
@@ -16,9 +16,9 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\WerFault.exe' - - '*\rundll32.exe' + CommandLine|endswith: + - '\WerFault.exe' + - '\rundll32.exe' condition: selection falsepositives: - Unlikely From 27dbf73c0dd531450f1ad79484b2462fbb334f88 Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Mon, 26 Oct 2020 19:25:36 +0300 Subject: [PATCH 0967/1335] Update sysmon_abusing_debug_privilege.yml comment added --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index ceb26224f..e59292ad4 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -28,7 +28,7 @@ detection: - '\powershell.exe' - '\cmd.exe' selection3: - User: 'NT AUTHORITY\SYSTEM' + User: 'NT AUTHORITY\SYSTEM' #NT AUTHORITY\SYSTEM same result with NT AUTHORITY\\SYSTEM filter: CommandLine|contains|all: - ' route ' From 66965cec33b87c6763957dc405728b9b408df5ab Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 17:31:46 +0300 Subject: [PATCH 0968/1335] Added some false positives issues --- .../win_susp_multiple_files_renamed_or_deleted.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index fb61a718a..faf8703aa 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
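Review bot: `CommandLine|endswith: '\WerFault.exe'` / `'\rundll32.exe'` only fires when the bare image path is the very last thing on the command line; a quoted invocation (`"C:\Windows\System32\rundll32.exe"`) or one with trailing whitespace ends in `"` or a space and slips past, and which form appears depends on how the parent built the command line. Consider adding the quoted variants (`'\rundll32.exe"'`, `'\WerFault.exe"'`) or, where the backend supports it, a regex anchored on the image name followed by optional quote and whitespace. It would also help to state the signal in a comment, e.g. `# legitimate WerFault/rundll32 launches normally carry arguments; a bare path is the sacrificial-process default of some C2 frameworks`. The other keys of the `detection:` block are outside this hunk.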
@@ -21,6 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - software uninstallation +falsepositives: + - Software Uninstallation + - Files Restore Activities level: high From 515c4dd9cdcef8e7704ccc63958cc497e143927e Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 20:35:22 +0300 Subject: [PATCH 0969/1335] Added some false positives issues --- .../win_susp_multiple_files_renamed_or_deleted.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index faf8703aa..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,6 +1,6 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov, oscd.community +author: Vasiliy Burov; oscd.community date: 2020/10/16 description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental @@ -21,7 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - Software Uninstallation - - Files Restore Activities +falsepositives: + - software uninstallation + - files restore activities level: high From edede617cf6cb0463b603d79cb1171ac0177aed6 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 22:36:12 +0300 Subject: [PATCH 0970/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..9444c7b19 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' + definition: Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access detection: selection: EventID: 4663 From 172c619719b78724ebc09236796818e1e1e1bbd9 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 22:50:09 +0300 Subject: [PATCH 0971/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 9444c7b19..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
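Review bot: Dropping the quotes leaves `definition: Requirements: Audit Policy : Policies/...` as a plain scalar that itself contains `: `, which YAML rejects as a mapping value inside a scalar, so the rule file stops parsing. Keep the single quotes, i.e. `definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, ...'`, or use a folded block scalar (`definition: >-`) if line length was the motivation. The rest of the `logsource:` and `detection:` blocks lies outside this hunk.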
@@ -12,7 +12,7 @@ tags: logsource: product: windows service: security - definition: Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access + definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' detection: selection: EventID: 4663 From eb166222bdccb80a8124d1c8295cac792758aee1 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 23:15:28 +0300 Subject: [PATCH 0972/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..8ad51ec14 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,7 +21,5 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: - - software uninstallation - - files restore activities +falsepositives: software uninstallation, files restore activities level: high From 64e48ed94d9ef5041a1dc66979a1e375185d394b Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 27 Oct 2020 23:33:56 +0300 Subject: [PATCH 0973/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 8ad51ec14..a3af11d09 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,5 +21,4 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: software uninstallation, files restore activities level: high From 53ff19f1671d5ec4bf8746d370b46a651dd04ada Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 21:55:17 -0300 Subject: [PATCH 0974/1335] Update win_mmc20_lateral_movement.yml --- rules/windows/builtin/win_mmc20_lateral_movement.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index 15fbbaec0..190dc1057 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml @@ -18,7 +18,7 @@ detection: selection: ParentImage|endswith: '\svchost.exe' Image|endswith: '\mmc.exe' - CommandLine|endswith: '-Embedding*' + CommandLine|contains: '-Embedding' condition: selection falsepositives: - Unlikely From 3eea825898abb42bc54c880f35a98713abe2b3de Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 21:59:49 -0300 Subject: [PATCH 0975/1335] Update win_net_ntlm_downgrade.yml --- rules/windows/builtin/win_net_ntlm_downgrade.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index c4010daaf..99bf652ad 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml 
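Review bot: Removing the `falsepositives` key entirely throws away the benign triggers this series had just recorded (software uninstallation, file-restore activity) and leaves a `count() by SubjectLogonId > 10` aggregation — which backup, cleanup and uninstall tooling will hit routinely — with no tuning guidance at all. The earlier problem was format, not content: the key expects a list, so restore it as `falsepositives:` / `    - Software uninstallation` / `    - File restore activities`. If the repository's rule tests lint for the key (I believe they do), its absence will also fail CI. The `detection:` block above is cut by the hunk.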
@@ -24,10 +24,15 @@ logsource: detection: selection1: EventID: 13 - TargetObject|endswith: - - 'SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - 'SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec' - - 'SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic' + TargetObject|contains|all: + - 'SYSTEM\' + - 'ControlSet' + - '\Control\Lsa' + TargetObject|endswith: + - '\lmcompatibilitylevel' + - '\NtlmMinClientSec' + - '\RestrictSendingNTLMTraffic' + --- # Windows Security Eventlog: Process Creation with Full Command Line logsource: From 61ccdc598d8df801cffbd2c3bc9a605f63de7415 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:00:42 -0300 Subject: [PATCH 0976/1335] Update win_susp_local_anon_logon_created.yml --- rules/windows/builtin/win_susp_local_anon_logon_created.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml index cb631d803..5ebd146d3 100644 --- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml +++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml @@ -18,7 +18,9 @@ logsource: detection: selection: EventID: 4720 - SAMAccountName|contains: 'ANONYMOUS*LOGON' + SAMAccountName|contains|all: + - 'ANONYMOUS' + - 'LOGON' condition: selection falsepositives: - Unknown From dde5b46726afe2bc2fbb3ec27a08d574ed4acfca Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:01:31 -0300 Subject: [PATCH 0977/1335] Update win_susp_sam_dump.yml --- rules/windows/builtin/win_susp_sam_dump.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml index 19d97f8e2..d014cb46e 100644 --- a/rules/windows/builtin/win_susp_sam_dump.yml +++ b/rules/windows/builtin/win_susp_sam_dump.yml 
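Review bot: The rewritten selection1 fires on any Sysmon event 13 write to `LmCompatibilityLevel`, `NtlmMinClientSec` or `RestrictSendingNTLMTraffic`, so hardening (raising the level, enforcing NTLMv2-only) raises the same alert as the downgrade the title promises. If the backend keeps Sysmon's `Details` field, constrain it to the weak settings, e.g. `Details:` / `    - 'DWORD (0x00000000)'` / `    - 'DWORD (0x00000001)'` for `LmCompatibilityLevel`, after verifying how that backend renders the value. A one-line comment such as `# both keys must match: a path under Control\Lsa AND one of the NTLM value names` would also make the `contains|all` + `endswith` pairing read as intentional. The second document of this collection begins at the `---` and is outside the hunk.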
@@ -15,8 +15,9 @@ logsource: detection: selection: EventID: 16 - Message|contains: - - '\AppData\Local\Temp\SAM-*.dmp' + Message|contains|all: + - '\AppData\Local\Temp\SAM-' + - '.dmp' condition: selection falsepositives: - Penetration testing From 182b12614b1e133ee619dcfa87d9930e9e2caa01 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:02:47 -0300 Subject: [PATCH 0978/1335] Update sysmon_quarkspw_filedump.yml --- rules/windows/file_event/sysmon_quarkspw_filedump.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml index fb8c03e24..66d153487 100755 --- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml +++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml @@ -18,7 +18,9 @@ logsource: detection: selection: # Sysmon: File Creation (ID 11) - TargetFilename|contains: '\AppData\Local\Temp\SAM-*.dmp' + TargetFilename|contains|all: + - '\AppData\Local\Temp\SAM-' + - '.dmp' condition: selection falsepositives: - Unknown From ebb84486f5d1cedb5e4e7c4944c98468d7e586f9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:04:31 -0300 Subject: [PATCH 0979/1335] Update sysmon_susp_adsi_cache_usage.yml --- rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml index 2b8ae5871..7ec9950cd 100755 --- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml @@ -18,7 +18,8 @@ logsource: category: file_event detection: selection_1: - TargetFilename|endswith: '\Local\Microsoft\Windows\SchCache\\*.sch' + TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\' + TargetFilename|endswith: '.sch' selection_2: Image: - 'C:\windows\system32\svchost.exe' 
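Review bot: `TargetFilename|contains|all` with `'\AppData\Local\Temp\SAM-'` and `'.dmp'` drops the ordering the old pattern encoded: `.dmp` may now occur anywhere in the path, including before the `SAM-` segment, so a directory named `x.dmp` under Temp holding a `SAM-…` file with another extension would satisfy it. The other rewrites in this series (`SchCache\` + `.sch`, `Temp\` + `PROCEXP152.sys`) use `contains` for the directory and `endswith` for the file name, which is both tighter and consistent: `TargetFilename|contains: '\AppData\Local\Temp\SAM-'` / `TargetFilename|endswith: '.dmp'`. The same remark applies to the `Message|contains|all` twin of this rule in the preceding hunk. The logsource block is above the hunk.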
From 9fd203e2a36e019d9ffae53c856b5fcaf13ae71f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:07:45 -0300 Subject: [PATCH 0980/1335] Update mal_azorult_reg.yml --- rules/windows/malware/mal_azorult_reg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index db5a39521..0fc7cad61 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -17,7 +17,7 @@ detection: EventID: - 12 - 13 - TargetObject|startswith: + TargetObject|endswith: - 'SYSTEM\\*\services\localNETService' condition: selection fields: From 34778664514dd3304550af23a240ab03858eb19c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:10:17 -0300 Subject: [PATCH 0981/1335] Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml --- .../sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index 995c407a6..a929366d2 100755 --- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -15,7 +15,8 @@ logsource: category: file_event detection: selection_1: - TargetFilename|endswith: '\AppData\Local\Temp\\*\PROCEXP152.sys' + TargetFilename|contains: '\AppData\Local\Temp\' + TargetFilename|endswith: 'PROCEXP152.sys' selection_2: Image|contains: - '\procexp64.exe' From bfb50a3d42e66721ae6daabfb14cefe3689186d1 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Tue, 27 Oct 2020 22:13:02 -0300 Subject: [PATCH 0982/1335] Update sysmon_susp_office_dsparse_dll_load.yml --- .../windows/image_load/sysmon_susp_office_dsparse_dll_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml index 0a179c242..f6297faef 100755 --- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml @@ -21,7 +21,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|endswith: + ImageLoaded|contains: - '\dsparse.dll' condition: selection falsepositives: From 8f4d6f802bc5fc66538556a11c234e7bfb1bc34e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:18:41 -0300 Subject: [PATCH 0983/1335] Update mal_azorult_reg.yml --- rules/windows/malware/mal_azorult_reg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index 0fc7cad61..8df723b34 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -17,8 +17,8 @@ detection: EventID: - 12 - 13 - TargetObject|endswith: - - 'SYSTEM\\*\services\localNETService' + TargetObject|endswith: 'SYSTEM\ + TargetObject|endswith: '\services\localNETService' condition: selection fields: - Image From 98c7639db766de706a0862b29235379ebf711816 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:19:04 -0300 Subject: [PATCH 0984/1335] Update mal_azorult_reg.yml --- rules/windows/malware/mal_azorult_reg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index 8df723b34..a0551b771 100644 --- a/rules/windows/malware/mal_azorult_reg.yml 
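Review bot: Changing `ImageLoaded|endswith: '\dsparse.dll'` to `ImageLoaded|contains` loosens the match with no visible gain: the value has no wildcard, so `endswith` already worked, while `contains` now also hits any path that merely embeds `\dsparse.dll` (a sibling such as `\dsparse.dll.mui`, or a directory of that name, if the backend matches substrings). Keep `ImageLoaded|endswith: '\dsparse.dll'` as a scalar, and if case was the concern note in a comment that the common backends compare case-insensitively. The `Image|endswith` list above continues outside the hunk.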
+++ b/rules/windows/malware/mal_azorult_reg.yml @@ -17,7 +17,7 @@ detection: EventID: - 12 - 13 - TargetObject|endswith: 'SYSTEM\ + TargetObject|contains: 'SYSTEM\' TargetObject|endswith: '\services\localNETService' condition: selection fields: From d3c6d9df31120945f3600967ad985f35d8f25b3b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:21:16 -0300 Subject: [PATCH 0985/1335] Update win_mal_ryuk.yml --- rules/windows/malware/win_mal_ryuk.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index 465212393..b290afd5d 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,8 +11,9 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + ProcessName|contains: - 'net.exe' + CommandLine|contains: - 'stop' CommandLine|contains: - 'samss' From 95da1ec500405d7610b6746acf063ee3781e7aaa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:32:16 -0300 Subject: [PATCH 0986/1335] Update av_relevant_files.yml --- rules/windows/malware/av_relevant_files.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index eb9033e62..9807803b1 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -10,13 +10,14 @@ logsource: product: antivirus detection: selection: - FileName|startswith: + - FileName|startswith: - 'C:\Windows\Temp\\' - 'C:\Temp\\' - 'C:\PerfLogs\\' - 'C:\Users\Public\\' - 'C:\Users\Default\\' - - '*\\Client\\' + - FileName|contains: + - '\\Client\\' selection2: Filename|endswith: - '.ps1' From 0afe48a0a0121cee5cb4191e5ac41271638d4878 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Tue, 27 Oct 2020 22:34:57 -0300 Subject: [PATCH 0987/1335] Update av_relevant_files.yml --- rules/windows/malware/av_relevant_files.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 9807803b1..4975c1e95 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml @@ -11,13 +11,13 @@ logsource: detection: selection: - FileName|startswith: - - 'C:\Windows\Temp\\' - - 'C:\Temp\\' - - 'C:\PerfLogs\\' - - 'C:\Users\Public\\' - - 'C:\Users\Default\\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\PerfLogs\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' - FileName|contains: - - '\\Client\\' + - '\Client\' selection2: Filename|endswith: - '.ps1' From dbad6c637f8b21eb2797fb53719f78a5fcc68f80 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:35:45 -0300 Subject: [PATCH 0988/1335] Update av_webshell.yml --- rules/windows/malware/av_webshell.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index ff04a7971..e955aa2c1 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -14,14 +14,15 @@ logsource: product: antivirus detection: selection: - Signature|startswith: + - Signature|startswith: - "PHP/Backdoor" - "JSP/Backdoor" - "ASP/Backdoor" - "Backdoor.PHP" - "Backdoor.JSP" - "Backdoor.ASP" - - "*Webshell" + - Signature|contains: + - "Webshell" condition: selection fields: - FileName From 187d1d3e3ba10b70c47d7655ae9cb3089bf4a292 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:37:50 -0300 Subject: [PATCH 0989/1335] Update win_user_driver_loaded.yml --- rules/windows/builtin/win_user_driver_loaded.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index d829a0781..7d1630089 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml @@ -20,7 +20,7 @@ detection: PrivilegeList: 'SeLoadDriverPrivilege' Service: '-' selection_2: - ProcessName|contains: + ProcessName|endswith: - '\Windows\System32\Dism.exe' - '\Windows\System32\rundll32.exe' - '\Windows\System32\fltMC.exe' From 514f9ccd28cdf580bf1577a3977099e8f6a70c1b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:42:15 -0300 Subject: [PATCH 0990/1335] Update win_mal_ryuk.yml --- rules/windows/malware/win_mal_ryuk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index b290afd5d..6bc3ca53e 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -13,7 +13,7 @@ detection: selection: ProcessName|contains: - 'net.exe' - CommandLine|contains: + CommandLine|contains|all: - 'stop' CommandLine|contains: - 'samss' From 266109f3d8db23d270d9827d0fb7ba146a7b1555 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 22:47:41 -0300 Subject: [PATCH 0991/1335] Update win_mal_ryuk.yml --- rules/windows/malware/win_mal_ryuk.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index 6bc3ca53e..bed167c16 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,8 +11,9 @@ logsource: product: windows detection: selection: - ProcessName|contains: - - 'net.exe' + ProcessName|endswith: + - '\net.exe' + - '\net1.exe' CommandLine|contains|all: - 'stop' CommandLine|contains: From 467af2ebb53cb9bb08d7a6e894bc38c0203914b8 Mon Sep 17 00:00:00 2001 
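Review bot: The resulting `selection` still carries two separate `CommandLine` keys, `CommandLine|contains|all: - 'stop'` and `CommandLine|contains: - 'samss'`, where the `|all` on a one-element list does nothing except keep the key distinct from the OR-list below it; it exists only to work around the duplicate `CommandLine|contains` key that 0985 introduced and 0990 then papered over. If the second list is meant to be AND-ed with `'stop'` and holds only `'samss'`, a single `CommandLine|contains|all:` with both values says that directly; if it is an OR-list of service names that continues past the hunk, the workaround deserves a comment such as `# |all kept so this key does not collide with the OR-list of service names below`. The remainder of `selection` and the `condition` are outside the hunk.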
From: Jonhnathan Date: Tue, 27 Oct 2020 22:56:32 -0300 Subject: [PATCH 0992/1335] Update sysmon_susp_prog_location_network_connection.yml --- ..._susp_prog_location_network_connection.yml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml index 42f1e5d0c..b8c4544dc 100755 --- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -12,19 +12,21 @@ logsource: definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: selection: - Image|contains: + - Image|contains: # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\Users\Contacts\' + - '\Users\Searches\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: - '\$Recycle.bin' - - '\Users\All Users\\' - - '\Users\Default\\' - - '\Users\Public\\' - - '\Users\Contacts\\' - - '\Users\Searches\\' - - 'C:\Perflogs\\' - - '\config\systemprofile\\' - - '\Windows\Fonts\\' - - '\Windows\IME\\' - - '\Windows\addins\\' + - Image|startswith: + - 'C:\Perflogs\' condition: selection falsepositives: - unknown From e24e6da3b55a10362aa335f885ed5274868d7986 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 23:24:04 -0300 Subject: [PATCH 0993/1335] Update win_apt_apt29_thinktanks.yml --- rules/windows/process_creation/win_apt_apt29_thinktanks.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 9affc088f..69a911e44 100644 
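Review bot: `Image|endswith: - '\$Recycle.bin'` changes what the old `contains` entry matched: `Image` is the executable path, so this now only hits a process whose image file is literally named `$Recycle.bin`, and an executable launched from inside that folder, the suspicious-location case the rule is about, no longer matches. The entry belongs in the `Image|contains` list as `- '\$Recycle.bin\'`, alongside the other directory values. The `Image|startswith: - 'C:\Perflogs\'` rewrite preserves the old meaning, though it pins the drive letter where every other entry does not.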
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml @@ -17,7 +17,11 @@ logsource: product: windows detection: selection: - CommandLine|contains: '-noni -ep bypass $' + CommandLine|contains|all: + - '-noni' + - '-ep' + - 'bypass' + - '$' condition: selection falsepositives: - unknown From 08609784127bbd38b4ae54c1ea4b53426e606345 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 23:26:34 -0300 Subject: [PATCH 0994/1335] Update win_apt_bear_activity_gtr19.yml --- .../win_apt_bear_activity_gtr19.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index 7f687adf7..965a89fcb 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -18,10 +18,19 @@ logsource: detection: selection1: Image|endswith: '\xcopy.exe' - CommandLine|contains: '/S /E /C /Q /H \\' + CommandLine|contains|all: + - '/S' + - '/E' + - '/C' + - '/Q' + - '/H' + - '\\' selection2: Image|endswith: '\adexplorer.exe' - CommandLine|contains: ' -snapshot "" c:\users\\' + CommandLine|contains|all: + - '-snapshot' + - '""' + - 'c:\users\\' condition: selection1 or selection2 falsepositives: - unknown From 28febe5dd2ff2f19fd7b070a3dfa84cffd89ee5a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 27 Oct 2020 23:28:04 -0300 Subject: [PATCH 0995/1335] Update win_apt_chafer_mar18.yml --- rules/windows/process_creation/win_apt_chafer_mar18.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 4fd4fa101..49b45faa8 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml 
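Review bot: Splitting the exact fragment `'-noni -ep bypass $'` into `CommandLine|contains|all` with the tokens `'-noni'`, `'-ep'`, `'bypass'` and `'$'` drops the adjacency that made the signature specific: `'$'` appears in almost every PowerShell command line and `'-ep'` matches inside unrelated tokens, so any script run with an execution-policy bypass now fires rather than the documented APT29 one-liner. 0994 in the next hunk loses precision the same way, where `'\\'` (which Sigma reads as one literal backslash) and `'""'` occur in practically every Windows command line and contribute nothing to the AND. If the decomposition is needed for a backend that cannot handle the spaced phrase, keep only the distinctive tokens, for example one value `'-noni -ep bypass'`, and drop `'$'`, `'\\'` and `'""'`.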
@@ -74,7 +74,8 @@ detection: CommandLine|startswith: - 'C:\wsc.exe' selection_process2: - Image|endswith: '\Windows\Temp\DB\\*.exe' + Image|contains: '\Windows\Temp\DB\' + Image|endswith: '.exe' selection_process3: CommandLine|contains: '\nslookup.exe -q=TXT' ParentImage|contains: '\Autoit' From 00f1326ae6edc0c27a35d1bf661293a7157eccab Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 10:50:53 +0300 Subject: [PATCH 0996/1335] Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit 64e48ed94d9ef5041a1dc66979a1e375185d394b. --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index a3af11d09..8ad51ec14 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -21,4 +21,5 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 +falsepositives: software uninstallation, files restore activities level: high From fdbd8de219865d2a425229912f7944d8fed4f7b0 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 10:51:18 +0300 Subject: [PATCH 0997/1335] Revert "Update win_susp_multiple_files_renamed_or_deleted.yml" This reverts commit eb166222bdccb80a8124d1c8295cac792758aee1. --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 8ad51ec14..b2ef9b58c 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
@@ -21,5 +21,7 @@ detection: Keywords: '0x8020000000000000' timeframe: 30s condition: selection | count() by SubjectLogonId > 10 -falsepositives: software uninstallation, files restore activities +falsepositives: + - software uninstallation + - files restore activities level: high From 2d2464ba22635b6b493593fcb458c433aadb541d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:20:26 +0300 Subject: [PATCH 0998/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../win_susp_multiple_files_renamed_or_deleted.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index b2ef9b58c..ea083f54a 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,6 +1,6 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov; oscd.community +author: Vasiliy Burov, oscd.community date: 2020/10/16 description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental @@ -22,6 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - software uninstallation - - files restore activities + - Unlikely level: high From 744c637125c238a3fa0d294ebf89eb5016e5f900 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:38:39 +0300 Subject: [PATCH 0999/1335] Delete win_rdp_session_hijacking.yml --- .../builtin/win_rdp_session_hijacking.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/builtin/win_rdp_session_hijacking.yml 
diff --git a/rules/windows/builtin/win_rdp_session_hijacking.yml b/rules/windows/builtin/win_rdp_session_hijacking.yml deleted file mode 100644 index f50381960..000000000 --- a/rules/windows/builtin/win_rdp_session_hijacking.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: RDP Session Hijacking detected -description: Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. -references: - - http://blog.gentilkiwi.com/securite/vol-de-session-rdp - - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html -date: 2019/02/27 -modified: 2019/02/27 -tags: - - attack.lateral_movement -status: experimental -author: vburov -logsource: - product: windows - service: security -definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: "*\tscon.exe" - SecurityID: "System" - condition: selection -falsepositives: - - Unknown -level: high From d90ec67ccec4d57d352212162b4341fbec68dbea Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Wed, 28 Oct 2020 11:44:21 +0300 Subject: [PATCH 1000/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index ea083f54a..223c394b5 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Unlikely + - Software uninstallation + - Files restore activities level: high 
From e31c8f96e94e49b8a1b1e906794d73eb69cb1770 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Wed, 28 Oct 2020 09:56:01 +0100 Subject: [PATCH 1001/1335] added the category --- rules/linux/lnx_security_tools_disabling.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 05f6564d7..c90168d78 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -8,6 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md logsource: + category: process_creation product: linux detection: keywords: From 3a58c00feb328dd8892607764dd288c4343ebe3b Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Wed, 28 Oct 2020 10:07:59 +0100 Subject: [PATCH 1002/1335] Removing the echo detection --- rules/linux/lnx_network_service_scanning.yml | 9 +++------ rules/linux/macos_network_service_scanning.yml | 9 +++------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index b8e73ebac..08ec9ccb1 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -11,18 +11,15 @@ logsource: product: linux detection: selection_1: - CommandLine|contains: - - '/dev/tcp/' - selection_2: ProcessName|endswith: - '/cat' - selection_3: + selection_2: ProcessName|endswith: - '/nmap' - selection_4: + selection_3: ProcessName|endswith: - '/telnet' - selection_5: + selection_4: ProcessName|endswith: - '/nc' condition: 1 of them diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index 933a960e7..8d02f770a 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml 
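Review bot: With the `/dev/tcp/` command-line selection removed, `selection_1` is reduced to `ProcessName|endswith: - '/cat'` on its own, and under the `condition: 1 of them` visible in the context every ordinary `cat` invocation now raises a network-service-scanning alert. The `cat` entry only made sense together with the bash `/dev/tcp/` pseudo-device in the command line; either drop the `/cat` selection as well or keep it as an AND with that fragment inside one selection. The macOS copy in the second hunk of this commit has the identical problem.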
@@ -11,18 +11,15 @@ logsource: product: macos detection: selection_1: - CommandLine|contains: - - '/dev/tcp/' - selection_2: ProcessName|endswith: - '/cat' - selection_3: + selection_2: ProcessName|endswith: - '/nmap' - selection_4: + selection_3: ProcessName|endswith: - '/telnet' - selection_5: + selection_4: ProcessName|endswith: - '/nc' condition: 1 of them From 80b1a192466e3d45456af1fa9daff01763b73919 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Wed, 28 Oct 2020 10:16:29 +0100 Subject: [PATCH 1003/1335] Added the space at the beginning of the IP ranges. --- rules/linux/lnx_remote_system_discovery.yml | 40 +++++++++---------- rules/linux/macos_remote_system_discovery.yml | 40 +++++++++---------- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml index 96209f7b8..d0c5bbef8 100644 --- a/rules/linux/lnx_remote_system_discovery.yml +++ b/rules/linux/lnx_remote_system_discovery.yml @@ -19,26 +19,26 @@ detection: ProcessName|endswith: - '/ping' CommandLine|contains: - - '10.' #10.0.0.0/8 - - '192.168.' #192.168.0.0/16 - - '172.16.' #172.16.0.0/12 - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - '127.' #127.0.0.0/8 - - '169.254.' #169.254.0.0/16 + - ' 10.' #10.0.0.0/8 + - ' 192.168.' #192.168.0.0/16 + - ' 172.16.' #172.16.0.0/12 + - ' 172.17.' + - ' 172.18.' + - ' 172.19.' + - ' 172.20.' + - ' 172.21.' + - ' 172.22.' + - ' 172.23.' + - ' 172.24.' + - ' 172.25.' + - ' 172.26.' + - ' 172.27.' + - ' 172.28.' + - ' 172.29.' + - ' 172.30.' + - ' 172.31.' + - ' 127.' #127.0.0.0/8 + - ' 169.254.' #169.254.0.0/16 condition: 1 of them falsepositives: - Legitimate administration activities 
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index 6738c4134..c715313f1 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -19,26 +19,26 @@ detection: ProcessName|endswith: - '/ping' CommandLine|contains: - - '10.' #10.0.0.0/8 - - '192.168.' #192.168.0.0/16 - - '172.16.' #172.16.0.0/12 - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - '127.' #127.0.0.0/8 - - '169.254.' #169.254.0.0/16 + - ' 10.' #10.0.0.0/8 + - ' 192.168.' #192.168.0.0/16 + - ' 172.16.' #172.16.0.0/12 + - ' 172.17.' + - ' 172.18.' + - ' 172.19.' + - ' 172.20.' + - ' 172.21.' + - ' 172.22.' + - ' 172.23.' + - ' 172.24.' + - ' 172.25.' + - ' 172.26.' + - ' 172.27.' + - ' 172.28.' + - ' 172.29.' + - ' 172.30.' + - ' 172.31.' + - ' 127.' #127.0.0.0/8 + - ' 169.254.' #169.254.0.0/16 condition: 1 of them falsepositives: - Legitimate administration activities From 55a7fe6b9d7aa4984d2a288662377e46e8a5d5db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Wed, 28 Oct 2020 19:08:23 +0300 Subject: [PATCH 1004/1335] Splitting into two rules --- .../powershell_CL_Invocation_LOLScript.yml | 16 ++---------- .../powershell_CL_Invocation_LOLScript_v2.yml | 26 +++++++++++++++++++ 2 files changed, 28 insertions(+), 14 deletions(-) create mode 100644 rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 7c1fc3063..6fc70a361 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml 
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -19,18 +19,6 @@ detection: ScriptBlockText|contains|all: - 'CL_Invocation.ps1' - 'SyncInvoke' - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - timeframe: 1m - condition: - - selection - - selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe - # or - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 - # PS > SyncInvoke c:\Evil.exe + condition: selection falsepositives: Unknown -level: high +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml new file mode 100644 index 000000000..f85370f51 --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -0,0 +1,26 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: Unknown +level: high \ No newline at end of file From a4a3e01f2585eb48cd9c0ba82ce90a2d9d1a3143 Mon Sep 17 00:00:00 2001 
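Review bot: The new `powershell_CL_Invocation_LOLScript_v2.yml` keeps the aggregation `condition: selection2 | count(ScriptBlockText) by Computer > 2`, but the `timeframe: 1m` that accompanied it in the original rule (visible among the removed lines of the first hunk) is not carried over, so the count has no window and a backend will either reject the rule or count across its whole search range. The threshold also looks inconsistent with the two-line example in the comments: if `count()` counts matching events, the `Import-Module` line plus the `SyncInvoke` line give 2, which never satisfies `> 2`, whereas `> 1` would match the scenario the comment describes. The split in 1005 (`powershell_CL_Mutexverifiers_LOLScript_v2.yml`) has the same missing `timeframe` and the same threshold, and additionally nests `selection2` under an empty `selection:` key, which 1008 later removes. I would add `timeframe: 1m` under `detection:` in both new files and revisit the threshold.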
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?= =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?= Date: Wed, 28 Oct 2020 19:13:29 +0300 Subject: [PATCH 1005/1335] Splitting into two rules --- ...powershell_CL_Mutexverifiers_LOLScript.yml | 13 +-------- ...ershell_CL_Mutexverifiers_LOLScript_v2.yml | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 12 deletions(-) create mode 100644 rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index d39ce280f..46cbd45be 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -19,17 +19,6 @@ detection: ScriptBlockText|contains|all: - 'CL_Mutexverifiers.ps1' - 'runAfterCancelProcess' - selection2: - EventID: 4104 - ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' - timeframe: 1m - condition: - - selection - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe - - selection2 | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe + condition: selection falsepositives: Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml new file mode 100644 index 000000000..efb5ecc19 --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml 
@@ -0,0 +1,27 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: Unknown +level: high \ No newline at end of file From d0a796439bb26b15503d18af7554e2d4ab72182b Mon Sep 17 00:00:00 2001 From: nsaddler Date: Wed, 28 Oct 2020 19:25:43 +0300 Subject: [PATCH 1006/1335] Update powershell_CL_Invocation_LOLScript.yml --- .../windows/powershell/powershell_CL_Invocation_LOLScript.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 6fc70a361..9c4f4342f 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -19,6 +19,6 @@ detection: ScriptBlockText|contains|all: - 'CL_Invocation.ps1' - 'SyncInvoke' - condition: selection + condition: selection falsepositives: Unknown -level: high \ No newline at end of file +level: high From 7ee644eac064814c854cea62f40ed8fbb2af3e3c Mon Sep 17 00:00:00 2001 
From: nsaddler Date: Wed, 28 Oct 2020 19:30:21 +0300 Subject: [PATCH 1007/1335] Update powershell_CL_Invocation_LOLScript_v2.yml --- .../powershell/powershell_CL_Invocation_LOLScript_v2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index f85370f51..f22022cf9 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -1,5 +1,5 @@ -title: Execution via CL_Invocation.ps1 -id: 4cd29327-685a-460e-9dac-c3ab96e549dc +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental author: oscd.community, Natalia Shornikova @@ -23,4 +23,4 @@ detection: # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 # PS > SyncInvoke c:\Evil.exe falsepositives: Unknown -level: high \ No newline at end of file +level: high From 07f777d1b51185764bcce32c01bf81951887258b Mon Sep 17 00:00:00 2001 From: nsaddler Date: Wed, 28 Oct 2020 19:32:18 +0300 Subject: [PATCH 1008/1335] Update powershell_CL_Mutexverifiers_LOLScript_v2.yml --- .../powershell_CL_Mutexverifiers_LOLScript_v2.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml index efb5ecc19..f7c4075fa 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml 
@@ -1,5 +1,5 @@ -title: Execution via CL_Mutexverifiers.ps1 -id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module status: experimental author: oscd.community, Natalia Shornikova @@ -14,7 +14,6 @@ logsource: product: windows service: powershell detection: - selection: selection2: EventID: 4104 ScriptBlockText|contains: @@ -24,4 +23,4 @@ detection: # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 # PS > runAfterCancelProcess c:\Evil.exe falsepositives: Unknown -level: high \ No newline at end of file +level: high From 46c52b43477ba6771206660d9b1bfc502c6b7c8d Mon Sep 17 00:00:00 2001 From: Semanur Guneysu Date: Wed, 28 Oct 2020 20:11:29 +0300 Subject: [PATCH 1009/1335] Update sysmon_abusing_debug_privilege.yml --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index e59292ad4..b17662640 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -4,7 +4,7 @@ status: experimental description: Detection of unusual child processes by different system processes references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg -date: 2020/10/07 +date: 2020/10/28 tags: - attack.privilege_escalation - attack.t1548 From 81f6f24155b146f878bcace7aa29dcc5d56783ab Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Thu, 29 Oct 2020 02:06:20 +0100 Subject: [PATCH 1010/1335] Update lnx_remote_system_discovery.yml --- rules/linux/lnx_remote_system_discovery.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml index d0c5bbef8..b48af1122 100644 --- a/rules/linux/lnx_remote_system_discovery.yml +++ b/rules/linux/lnx_remote_system_discovery.yml @@ -11,13 +11,10 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: - - '/arp' - CommandLine|contains: - - '-a' + ProcessName|endswith: '/arp' + CommandLine|contains: '-a' selection_2: - ProcessName|endswith: - - '/ping' + ProcessName|endswith: '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 - ' 192.168.' #192.168.0.0/16 @@ -42,7 +39,7 @@ detection: condition: 1 of them falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.discovery - attack.t1018 From 167e9745cd92f4f937b43356c23f5ac66d12b835 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 29 Oct 2020 02:06:45 +0100 Subject: [PATCH 1011/1335] Update macos_remote_system_discovery.yml --- rules/linux/macos_remote_system_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index c715313f1..daf24f52e 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -42,7 +42,7 @@ detection: condition: 1 of them falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.discovery - attack.t1018 From d743cbbe4bc77fef05805c464769eddd8651fc96 Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Thu, 29 Oct 2020 11:14:43 +0300 Subject: [PATCH 1012/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 223c394b5..ab6f5afca 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,6 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation - - Files restore activities + - software uninstallation + - files restore activities level: high From 0c0c1725fa1359e0c78901b81516465c1ef2e294 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Thu, 29 Oct 2020 09:34:47 +0100 Subject: [PATCH 1013/1335] refactor detections --- rules/linux/lnx_security_tools_disabling.yml | 97 ++++++++++++++++---- 1 file changed, 78 insertions(+), 19 deletions(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index c90168d78..609c095dd 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml 
@@ -11,25 +11,84 @@ logsource: category: process_creation product: linux detection: - keywords: - - Command|contains: - - 'service iptables stop' - - 'chkconfig off iptables' - - 'service ip6tables stop' - - 'chkconfig off ip6tables' - - 'systemctl stop firewalld' - - 'systemctl disable firewalld' - - CarbonBlack|contains: - - 'service cbdaemon stop' - - 'chkconfig off cbdaemon' - - 'systemctl stop cbdaemon' - - 'systemctl disable cbdaemon' - - SELinux: - - 'setenforce 0' - - Crowdstrike|contains: - - 'systemctl stop falcon-sensor.service' - - 'systemctl disable falcon-sensor.service' - condition: keywords + iptables_1: + ProcessName|endswith: + - 'service' + CommandLine|contains|all: + - 'iptables' + - 'stop' + iptables_2: + ProcessName|endswith: + - 'service' + CommandLine|contains|all: + - 'ip6tables' + - 'stop' + iptables_3: + ProcessName|endswith: + - 'chkconfig' + CommandLine|contains|all: + - 'iptables' + - 'stop' + iptables_4: + ProcessName|endswith: + - 'chkconfig' + CommandLine|contains|all: + - 'ip6tables' + - 'stop' + firewall_1: + ProcessName|endswith: + - 'systemctl' + CommandLine|contains|all: + - 'firewalld' + - 'stop' + firewall_2: + ProcessName|endswith: + - 'systemctl' + CommandLine|contains|all: + - 'firewalld' + - 'disable' + carbonblack_1: + ProcessName|endswith: + - 'service' + CommandLine|contains|all: + - 'cbdaemon' + - 'stop' + carbonblack_2: + ProcessName|endswith: + - 'chkconfig' + CommandLine|contains|all: + - 'cbdaemon' + - 'off' + carbonblack_3: + ProcessName|endswith: + - 'systemctl' + CommandLine|contains|all: + - 'cbdaemon' + - 'stop' + carbonblack_4: + ProcessName|endswith: + - 'systemctl' + CommandLine|contains|all: + - 'cbdaemon' + - 'disable' + selinux: + ProcessName|endswith: + - 'setenforce' + CommandLine|contains: + - '0' + crowdstrike_1: + ProcessName|endswith: + - 'systemctl' + CommandLine|contains|all: + - 'stop' + - 'falcon-sensor.service' + crowdstrike_2: + ProcessName|endswith: + - 'systemctl' + 
CommandLine|contains|all: + - 'disable' + - 'falcon-sensor.service' + condition: 1 of them falsepositives: - Legitimate administration activities level: medium From 683824ee464fee417ece8798c20b4f9674621606 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 29 Oct 2020 11:44:45 +0300 Subject: [PATCH 1014/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../win_susp_multiple_files_renamed_or_deleted.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index ab6f5afca..5670c4c31 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,14 +1,14 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -author: Vasiliy Burov, oscd.community -date: 2020/10/16 -description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user. These events may signalize about ransomware activity. status: experimental -references: - - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html +description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity). tags: - attack.impact - attack.t1486 +author: Vasiliy Burov, oscd.community +date: 2020/10/16 +references: + - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html logsource: product: windows service: security From 5918cc0a3d9b05ae16698bc3175577635f33fa06 Mon Sep 17 00:00:00 2001 
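Review bot: iptables_3 and iptables_4 pair `chkconfig` with `'stop'`, but chkconfig has no stop verb — the command the rule previously keyed on (`chkconfig off iptables`), and the one carbonblack_2 still keys on, is `chkconfig <svc> off`, so as written these two selections can never fire; change their second term to `- 'off'`. None of the selections cover `systemctl stop iptables` / `systemctl disable iptables`, which is how the iptables-services unit is managed on systemd hosts, so either add a selection mirroring firewall_1/firewall_2 or state the gap in the description. The selinux selection's `CommandLine|contains: '0'` also misses `setenforce Permissive`, which has the same effect; `- 'Permissive'` alongside `'0'` (as a plain list, since the selection is a single-field OR) closes that. The `1 of them` condition means every selection stands alone, so each of these fixes is independent.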
From: Alejandro Ortuno Date: Thu, 29 Oct 2020 09:58:58 +0100 Subject: [PATCH 1015/1335] remove cat --- rules/linux/lnx_network_service_scanning.yml | 7 ++----- rules/linux/macos_network_service_scanning.yml | 7 ++----- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index 08ec9ccb1..e424ceec5 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -12,14 +12,11 @@ logsource: detection: selection_1: ProcessName|endswith: - - '/cat' + - '/nmap' selection_2: - ProcessName|endswith: - - '/nmap' - selection_3: ProcessName|endswith: - '/telnet' - selection_4: + selection_3: ProcessName|endswith: - '/nc' condition: 1 of them diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index 8d02f770a..553600ace 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml @@ -12,14 +12,11 @@ logsource: detection: selection_1: ProcessName|endswith: - - '/cat' + - '/nmap' selection_2: - ProcessName|endswith: - - '/nmap' - selection_3: ProcessName|endswith: - '/telnet' - selection_4: + selection_3: ProcessName|endswith: - '/nc' condition: 1 of them From ab60fdcef471fc0360b7c561d7df4ce27d3f2dc6 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Thu, 29 Oct 2020 23:38:22 +0300 Subject: [PATCH 1016/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 5670c4c31..488512208 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml 
@@ -22,6 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - software uninstallation - - files restore activities + - Software uninstallation + - Files restore activities level: high From 8dc8fdc44b90ea633d0fae05b4737d2f8275969c Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sat, 31 Oct 2020 12:46:30 +0400 Subject: [PATCH 1017/1335] Added antifalsepositive condition 4688 always has non empty cmd --- .../win_susp_file_download_via_gfxdownloadwrapper.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml index 0d7fff903..9f756d484 100644 --- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -16,7 +16,9 @@ detection: CommandLine|contains: 'gameplayapi.intel.com' cmd_null: CommandLine: null - condition: image_path and not cmd_known_url and not cmd_null + same_parent: + ParentProcessName|endswith: '\GfxDownloadWrapper.exe' + condition: image_path and not cmd_known_url and not cmd_null and not same_parent fields: - CommandLine falsepositives: From ea71828d3489c421451b2ae4095dfe47dac048f7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 31 Oct 2020 23:57:13 +0100 Subject: [PATCH 1018/1335] change syntax a bit to re-run the test --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index b17662640..ad1929ac2 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml 
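Review bot: The new `same_parent` filter exempts every process creation whose parent is GfxDownloadWrapper.exe, which also exempts the case where a first, legitimately-launched wrapper re-invokes itself with an attacker-supplied URL, so the allow-list deserves a comment stating the benign behaviour it encodes, e.g. `# GfxDownloadWrapper.exe re-launches itself during legitimate Intel driver updates; the child carries the same URL as the already-evaluated parent` — and if that is not the observed pattern, the filter should be narrowed to the parent's known command line rather than its image name. Separately, `not cmd_null` silences the rule entirely on hosts where 4688 is emitted without a command line (the "Include command line in process creation events" policy is off), which is the opposite of the commit message's assumption and belongs in the rule's logsource definition or falsepositives. `ParentProcessName` is the raw 4688 field name; if this rule is meant to go through the generic process_creation mapping, the standard field is `ParentImage` — confirm against the rule's logsource, which sits outside the hunk, as does the rest of the falsepositives list.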
@@ -8,7 +8,7 @@ date: 2020/10/28 tags: - attack.privilege_escalation - attack.t1548 -author: 'oscd.community,Semanur Guneysu @semanurtg' +author: 'Semanur Guneysu @semanurtg, oscd.community' logsource: product: windows category: process_creation From 903ce08277929bbd9da300e5bfdaa66d6894d433 Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Sun, 1 Nov 2020 14:21:27 +0300 Subject: [PATCH 1019/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 488512208..fddb210e8 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,6 +22,5 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation - - Files restore activities + - Unlikely level: high From e93dd7fe61fa88db9076faed2155aa4dc3bec5fd Mon Sep 17 00:00:00 2001 From: feedb <32587208+feedb@users.noreply.github.com> Date: Sun, 1 Nov 2020 15:25:12 +0300 Subject: [PATCH 1020/1335] fix --- rules/windows/process_creation/process_creation_dotnet.yml | 6 +++--- .../windows/process_creation/process_creation_msdeploy.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index 90659e7be..9182bb218 100644 --- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml 
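Review bot: Replacing the two concrete false-positive sources with `Unlikely` understates the noise of a count-only rule: any software uninstall, a restore from backup, a build job or a cleanup script produces more than ten rename/delete events under one SubjectLogonId in 30 s, and this rule is `level: high`. Keep the prior entries, `- Software uninstallation` and `- Files restore activities`, or say in the description why they were dropped, so an analyst triaging the alert knows the expected benign triggers; a filter on the SubjectUserName of known backup and deployment accounts would be the practical companion to that note. The detection and timeframe lines are context here and the rule's other fields are outside the hunk.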
@@ -16,9 +16,9 @@ logsource: product: windows detection: selection: - ProcessCommandline|contains: - - '*.dll' - - '*.csproj' + Commandline|endswith: + - '.dll' + - '.csproj' Image|endswith: - '\dotnet.exe' condition: selection diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index 263ff5bb2..236e747d3 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -1,9 +1,9 @@ -title: Msdeploy.exe LOLBIN +title: Execute Files with Msdeploy.exe status: experimental id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 author: Beyu Denis, oscd.community date: 2020/10/18 -description: launch binary via msdeploy.exe +description: Detects file execution using the msdeploy.exe lolbin references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml - https://twitter.com/pabraeken/status/995837734379032576 @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - ProcessCommandline|contains|all: + Commandline|contains|all: - 'verb:sync' - '-source:RunCommand' - '-dest:runCommand' From e2c4af012b3ac096b730c472fae362678d68d6a3 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 00:56:42 +0300 Subject: [PATCH 1021/1335] Changed to Placeholders Usage A query was too big to pass a test, so I changed logic to placeholders usage. --- .../sysmon_asep_reg_keys_modification.yml | 154 +----------------- 1 file changed, 5 insertions(+), 149 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 17156dd59..954633d15 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
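Review bot: `Commandline` (lower-case l) is not the Sigma standard field `CommandLine`; sigmac's field mappings are matched case-sensitively, so in both process_creation_dotnet.yml and process_creation_msdeploy.yml the selection will be emitted with an unmapped field name and may silently match nothing on backends that depend on the mapping — rename it to `CommandLine` in all three selections. In the dotnet rule, `CommandLine|endswith: '.dll'` only fires when the DLL path is the last token, so `dotnet foo.dll arg` and `dotnet "C:\path\foo.dll"` (trailing quote) are missed; `CommandLine|contains: '.dll'` combined with the existing `Image|endswith: '\dotnet.exe'` is the safer form, accepting some extra noise that the `Image` term already bounds. The rule's falsepositives and level are outside the hunk and should say that build agents run `dotnet *.csproj` constantly.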
@@ -5,6 +5,7 @@ status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys tags: - attack.persistence - attack.t1547.001 
@@ -17,155 +18,10 @@ logsource: product: windows level: medium detection: - selection: - TargetObject|contains: - - '\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - - '\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms' - - '\System\CurrentControlSet\Control\Session Manager\SetupExecute' - - '\System\CurrentControlSet\Control\Session Manager\S0InitialCommand' - - '\System\CurrentControlSet\Control\Session Manager\KnownDlls' - - '\System\CurrentControlSet\Control\Session Manager\Execute' - - '\System\CurrentControlSet\Control\Session Manager\BootExecute' - - '\System\CurrentControlSet\Control\Session Manager\AppCertDlls' - - '\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders' - - '\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell' - - '\SYSTEM\CurrentControlSet\Control\Print\Providers' - - '\SYSTEM\CurrentControlSet\Control\Print\Monitors' - - '\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order' - - '\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages' - - '\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages' - - '\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' - - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' - - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' - - '\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' - - '\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options' - - '\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect' - - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect' - - '\Software\Wow6432Node\Microsoft\Office\Word\Addins' - - '\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins' - - '\Software\Wow6432Node\Microsoft\Office\Outlook\Addins' - - '\Software\Wow6432Node\Microsoft\Office\Onenote\Addins' - - '\Software\Wow6432Node\Microsoft\Office\Excel\Addins' - - '\Software\Wow6432Node\Microsoft\Office\Access\Addins' - - '\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar' - - '\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions' - - '\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars' - - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' - - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' - - '\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers' - - '\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews' - - '\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers' - - '\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers' - - '\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers' - - '\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers' - - '\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers' - - '\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers' - - '\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers' - - '\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers' - - '\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers' - - '\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - - '\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - - '\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' 
- - '\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' - - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' - - '\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' - - '\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers' - - '\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers' - - '\Software\Policies\Microsoft\Windows\System\Scripts\Startup' - - '\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown' - - '\Software\Policies\Microsoft\Windows\System\Scripts\Logon' - - '\Software\Policies\Microsoft\Windows\System\Scripts\Logoff' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - - '\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup' - - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown' - - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon' - - '\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' - - '\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' - - '\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' - - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters' - - 
'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup' - - '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells' - - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' - - '\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers' - - '\Software\Microsoft\Windows NT\CurrentVersion\Drivers32' - - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' - - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' - - '\Software\Microsoft\Office\Word\Addins' - - '\Software\Microsoft\Office\PowerPoint\Addins' - - '\Software\Microsoft\Office\Outlook\Addins' - - '\Software\Microsoft\Office\Onenote\Addins' - - '\Software\Microsoft\Office\Excel\Addins' - - '\Software\Microsoft\Office\Access\Addins' - - '\SOFTWARE\Microsoft\Office test\Special\Perf' - - '\Software\Microsoft\Internet Explorer\Toolbar' - - '\Software\Microsoft\Internet Explorer\Extensions' - - '\Software\Microsoft\Internet Explorer\Explorer Bars' - - '\SYSTEM\Setup\CmdLine' - - '\Software\Microsoft\Ctf\LangBarAddin' - - '\Software\Microsoft\Command Processor\Autorun' - - '\SOFTWARE\Microsoft\Active Setup\Installed Components' - - '\SOFTWARE\Classes\Protocols\Handler' - - '\SOFTWARE\Classes\Protocols\Filter' - - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' - - '\Software\Classes\Folder\ShellEx\PropertySheetHandlers' - - '\Software\Classes\Folder\ShellEx\ExtShellFolderViews' - - 
'\Software\Classes\Folder\ShellEx\DragDropHandlers' - - '\Software\Classes\Folder\ShellEx\ContextMenuHandlers' - - '\Software\Classes\Folder\Shellex\ColumnHandlers' - - '\Software\Classes\Filter' - - '\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)' - - '\Software\Classes\Drive\ShellEx\ContextMenuHandlers' - - '\Software\Classes\Directory\Shellex\PropertySheetHandlers' - - '\Software\Classes\Directory\Shellex\DragDropHandlers' - - '\Software\Classes\Directory\Shellex\CopyHookHandlers' - - '\Software\Classes\Directory\ShellEx\ContextMenuHandlers' - - '\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers' - - '\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - - '\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - - '\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' - - '\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - - '\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' - - '\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' - - '\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' - - '\Software\Classes\.exe' - - '\Software\Classes\.cmd' - - '\Software\Classes\*\ShellEx\PropertySheetHandlers' - - '\Software\Classes\*\ShellEx\ContextMenuHandlers' - - '\Environment\UserInitMprLogonScript' - - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' - - '\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64' - - '\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries' - - '\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64' - - '\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries' - - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run' - - '\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load' - - '\Software\Microsoft\Internet 
Explorer\UrlSearchHooks' - - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' - - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' - - '\Control Panel\Desktop\Scrnsave.exe' - condition: selection + reg_selection: + TargetObject|contains: %RegistryKeys% # The list is in Reference + + condition: reg_selection fields: - SecurityID - ObjectName From 57f24a338b0dee9119e6b075c52fbb5f8fa685b7 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 01:00:37 +0300 Subject: [PATCH 1022/1335] Update sysmon_asep_reg_keys_modification.yml --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 954633d15..fbd6d5d85 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -19,7 +19,7 @@ logsource: level: medium detection: reg_selection: - TargetObject|contains: %RegistryKeys% # The list is in Reference + TargetObject: %RegistryKeys% # The list is in Reference condition: reg_selection fields: From d0827b120c130ffe95afe094eeb59407999d4b58 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 01:12:40 +0300 Subject: [PATCH 1023/1335] Update sysmon_asep_reg_keys_modification.yml --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index fbd6d5d85..833b04326 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -19,7 +19,7 @@ logsource: level: medium detection: reg_selection: - TargetObject: %RegistryKeys% # The list is in Reference + TargetObject: '%RegistryKeys%' # The list is in Reference condition: reg_selection fields: From b717f69e094dfe2d3b11e08154207f492736f0f9 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 01:19:16 +0300 Subject: [PATCH 1024/1335] Placeholders add --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 833b04326..aba9b0670 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -19,7 +19,7 @@ logsource: level: medium detection: reg_selection: - TargetObject: '%RegistryKeys%' # The list is in Reference + TargetObject|contains: '%RegistryKeys%' # The list is in References condition: reg_selection fields: From cf8c7216620639c7086115fc48178a4538d03b6c Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 02:16:13 +0300 Subject: [PATCH 1025/1335] fixed optimization and references --- .../sysmon_asep_reg_keys_modification.yml | 195 +++++++++++++++++- 1 file changed, 191 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 954633d15..b5b1667a7 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
@@ -18,10 +18,197 @@ logsource: product: windows level: medium detection: - reg_selection: - TargetObject|contains: %RegistryKeys% # The list is in Reference - - condition: reg_selection + main_selection: + TargetObject|contains: + - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' + - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' + - '\SOFTWARE\Microsoft\Office test\Special\Perf' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' + - '\SYSTEM\Setup\CmdLine' + - '\Software\Microsoft\Ctf\LangBarAddin' + - '\Software\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Microsoft\Active Setup\Installed Components' + - '\SOFTWARE\Classes\Protocols\Handler' + - '\SOFTWARE\Classes\Protocols\Filter' + - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' + - '\Environment\UserInitMprLogonScript' + - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' + - '\Software\Microsoft\Internet Explorer\UrlSearchHooks' + - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' + - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' + - '\Control Panel\Desktop\Scrnsave.exe' + session_manager: + TargetObject|contains: + - '\System\CurrentControlSet\Control\Session Manager' + session_manager_details: + TargetObject|contains: + - '\SetupExecute' + - '\S0InitialCommand' + - '\KnownDlls' + - '\Execute' + - '\BootExecute' + - '\AppCertDlls' + current_version: + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion' + current_version_details: + TargetObject|contains: + - '\ShellServiceObjectDelayLoad' + - '\Run' + - '\Policies\System\Shell' + - '\Policies\Explorer\Run' + - '\Group Policy\Scripts\Startup' + - '\Group Policy\Scripts\Shutdown' + - '\Group Policy\Scripts\Logon' + - '\Group Policy\Scripts\Logoff' + - 
'\Explorer\ShellServiceObjects' + - '\Explorer\ShellIconOverlayIdentifiers' + - '\Explorer\ShellExecuteHooks' + - '\Explorer\SharedTaskScheduler' + - '\Explorer\Browser Helper Objects' + - '\Authentication\PLAP Providers' + - '\Authentication\Credential Providers' + - '\Authentication\Credential Provider Filters' + nt_current_version: + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + nt_current_version_details: + TargetObject|contains: + - '\Winlogon\VmApplet' + - '\Winlogon\Userinit' + - '\Winlogon\Taskman' + - '\Winlogon\Shell' + - '\Winlogon\GpExtensions' + - '\Winlogon\AppSetup' + - '\Winlogon\AlternateShells\AvailableShells' + - '\Windows\IconServiceLib' + - '\Windows\Appinit_Dlls' + - '\Image File Execution Options' + - '\Font Drivers' + - '\Drivers32' + - '\Windows\Run' + - '\Windows\Load' + wow_current_version: + TargetObject|contains: + - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' + wow_current_version_details: + TargetObject|contains: + - '\ShellServiceObjectDelayLoad' + - '\Run' + - '\Explorer\ShellServiceObjects' + - '\Explorer\ShellIconOverlayIdentifiers' + - '\Explorer\ShellExecuteHooks' + - '\Explorer\SharedTaskScheduler' + - '\Explorer\Browser Helper Objects' + wow_nt_current_version: + TargetObject|contains: + - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' + wow_nt_current_version_details: + TargetObject|contains: + - '\Windows\Appinit_Dlls' + - '\Image File Execution Options' + - '\Drivers32' + wow_office: + TargetObject|contains: + - '\Software\Wow6432Node\Microsoft\Office' + office: + TargetObject|contains: + - '\Software\Microsoft\Office' + wow_office_details: + TargetObject|contains: + - '\Word\Addins' + - '\PowerPoint\Addins' + - '\Outlook\Addins' + - '\Onenote\Addins' + - '\Excel\Addins' + - '\Access\Addins' + wow_ie: + TargetObject|contains: + - '\Software\Wow6432Node\Microsoft\Internet Explorer' + ie: + TargetObject|contains: + - '\Software\Microsoft\Internet Explorer' + 
wow_ie_details: + TargetObject|contains: + - '\Toolbar' + - '\Extensions' + - '\Explorer Bars' + wow_classes: + TargetObject|contains: + - '\Software\Wow6432Node\Classes' + wow_classes_details: + TargetObject|contains: + - '\Folder\ShellEx\PropertySheetHandlers' + - '\Folder\ShellEx\ExtShellFolderViews' + - '\Folder\ShellEx\DragDropHandlers' + - '\Folder\ShellEx\ColumnHandlers' + - '\Directory\Shellex\DragDropHandlers' + - '\Directory\Shellex\CopyHookHandlers' + - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\ShellEx\PropertySheetHandlers' + - '\ShellEx\ContextMenuHandlers' + classes: + TargetObject|contains: + - '\Software\Classes' + classes_details: + TargetObject|contains: + - '\Folder\ShellEx\ExtShellFolderViews' + - '\Folder\ShellEx\DragDropHandlers' + - '\Folder\Shellex\ColumnHandlers' + - '\Filter' + - '\Exefile\Shell\Open\Command\(Default)' + - '\Directory\Shellex\DragDropHandlers' + - '\Directory\Shellex\CopyHookHandlers' + - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\.exe' + - '\.cmd' + - '\ShellEx\PropertySheetHandlers' + - '\ShellEx\ContextMenuHandlers' + scripts: + TargetObject|contains: + - '\Software\Policies\Microsoft\Windows\System\Scripts' + scripts_details: + TargetObject|contains: + - '\Startup' + - '\Shutdown' + - '\Logon' + - '\Logoff' + winsock_parameters: + TargetObject|contains: + - '\System\CurrentControlSet\Services\WinSock2\Parameters' + winsock_parameters_details: + TargetObject|contains: + - 
'\Protocol_Catalog9\Catalog_Entries64' + - '\Protocol_Catalog9\Catalog_Entries64' + - '\Protocol_Catalog9\Catalog_Entries' + - '\NameSpace_Catalog5\Catalog_Entries64' + - '\NameSpace_Catalog5\Catalog_Entries' + system_control: + TargetObject|contains: + - '\SYSTEM\CurrentControlSet\Control' + system_control_details: + TargetObject|contains: + - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' + - '\Terminal Server\Wds\rdpwd\StartupPrograms' + - '\SecurityProviders\SecurityProviders' + - '\SafeBoot\AlternateShell' + - '\Print\Providers' + - '\Print\Monitors' + - '\NetworkProvider\Order' + - '\Lsa\Notification Packages' + - '\Lsa\Authentication Packages' + - '\BootVerificationProgram\ImagePath' + condition: main_selection OR (session_manager AND session_manager_details) OR (current_version AND current_version_details) OR (nt_current_version AND nt_current_version_details) OR (wow_current_version AND wow_current_version_details) OR (wow_nt_current_version AND wow_nt_current_version_details) OR ((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details) OR (wow_classes AND wow_classes_details) OR (classes AND classes_details) OR (scripts AND scripts_details) OR (winsock_parameters AND winsock_parameters_details) OR (system_control AND system_control_details) fields: - SecurityID - ObjectName From 48e46c279ae2d502084763bc2f7aa0b0672c619e Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 02:25:22 +0300 Subject: [PATCH 1026/1335] fixed duplication --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index b5b1667a7..d8fe0daed 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
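Review bot: Rewriting the key list as prefix/suffix pairs widens several matches well beyond the original full paths: `current_version` with the suffix `'\Run'` now also hits `\CurrentVersion\Explorer\RunMRU`, which every Win+R dialog use writes, and `classes` with `'\.exe'` or `'\Filter'` hits any `\Software\Classes\…` subkey containing those substrings (for example `\Classes\Applications\foo.exe\shell\…`), so this medium-level rule will become very noisy on ordinary workstations. Restore the specificity the old entries had by lengthening those suffixes — `'\CurrentVersion\Run'`, `'\CurrentVersion\RunOnce'`, `'\Classes\.exe'`, `'\Classes\Filter'` — or add a `filter` selection for `\Explorer\RunMRU` and reference it as `and not filter` in the condition. The `session_manager` / `'\Execute'` pair has the same shape (`\Execute` is a substring of `\SetupExecute` and `\BootExecute`, which is harmless, but also of any other `…Execute` value under Session Manager), which is worth a one-line comment so the next editor does not "fix" it. The `fields` list and the rest of the rule metadata are outside the hunk.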
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -23,7 +23,6 @@ detection: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' - - '\SOFTWARE\Microsoft\Office test\Special\Perf' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' - '\SYSTEM\Setup\CmdLine' @@ -124,6 +123,7 @@ detection: - '\Onenote\Addins' - '\Excel\Addins' - '\Access\Addins' + - 'test\Special\Perf' wow_ie: TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Internet Explorer' From 544876951fcd03c3a88354c2745bd4aa8ab476d5 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 02:34:34 +0300 Subject: [PATCH 1027/1335] fixed duplication v2 --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index d8fe0daed..9f1888154 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -140,7 +140,6 @@ detection: - '\Software\Wow6432Node\Classes' wow_classes_details: TargetObject|contains: - - '\Folder\ShellEx\PropertySheetHandlers' - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' - '\Folder\ShellEx\ColumnHandlers' 
@@ -188,10 +187,7 @@ detection: - '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters_details: TargetObject|contains: - - '\Protocol_Catalog9\Catalog_Entries64' - - '\Protocol_Catalog9\Catalog_Entries64' - '\Protocol_Catalog9\Catalog_Entries' - - '\NameSpace_Catalog5\Catalog_Entries64' - '\NameSpace_Catalog5\Catalog_Entries' system_control: TargetObject|contains: From 80684873406026cc3815d02666cc508395c807a0 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Tue, 3 Nov 2020 12:04:03 +0300 Subject: [PATCH 1028/1335] test trigger --- .../registry_event/sysmon_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 9f1888154..123884178 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -1,6 +1,6 @@ title: Autorun Keys Modification id: 17f878b8-9968-4578-b814-c4217fc5768c -description: Detects modification of autostart extensibility point (ASEP) in registry +description: Detects modification of autostart extensibility point (ASEP) in registry. status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml From 2f789c45dc79323b7f1e711beed267c556bcf891 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 4 Nov 2020 22:30:27 +0100 Subject: [PATCH 1029/1335] change a syntax a bit to re-run the tests --- .../windows/process_creation/sysmon_abusing_debug_privilege.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index ad1929ac2..0bfa8ec82 100644 
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -31,7 +31,7 @@ detection: User: 'NT AUTHORITY\SYSTEM' #NT AUTHORITY\SYSTEM same result with NT AUTHORITY\\SYSTEM filter: CommandLine|contains|all: - - ' route ' + - ' route ' - ' ADD ' condition: selection1 and selection2 and selection3 and not filter fields: From efc3f298b8016a4695c1fad075a556157a4de55f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 4 Nov 2020 23:03:34 +0100 Subject: [PATCH 1030/1335] simplify syntax --- .../sysmon_asep_reg_keys_modification.yml | 60 +++++++++---------- 1 file changed, 29 insertions(+), 31 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 123884178..a3e03568d 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -11,8 +11,8 @@ tags: - attack.t1547.001 - attack.t1060 # an old one date: 2019/10/25 -modified: 2020/10/13 -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community +modified: 2020/11/04 +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community logsource: category: registry_event product: windows @@ -39,9 +39,8 @@ detection: - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' - '\Control Panel\Desktop\Scrnsave.exe' session_manager: - TargetObject|contains: + TargetObject|contains|all: - '\System\CurrentControlSet\Control\Session Manager' - session_manager_details: TargetObject|contains: - '\SetupExecute' - '\S0InitialCommand' 
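Review bot: Changing `session_manager` to `TargetObject|contains|all` while folding the former `session_manager_details` values into the same list makes the selection unmatchable: `all` requires every listed string to occur in one TargetObject, and no single registry path contains `\Session Manager` together with `\SetupExecute`, `\S0InitialCommand`, `\BootExecute` and `\AppCertDlls`. The intended logic was prefix AND any-of-subkeys, which only the two-selection form expresses, so the `_details` selections and the `x and x_details` pairs in the condition should come back. The same defect is repeated for current_version, nt_current_version, wow_current_version and wow_nt_current_version (`@@ -50,9 +49,8 @@` through `@@ -102,19 +98,16 @@`), for wow_classes, classes, scripts, winsock_parameters and system_control (`@@ -125,20 +118,17 @@` through `@@ -174,25 +163,22 @@`), and the condition rewrite in `@@ -204,7 +190,19 @@` drops the matching `_details` terms. The `detection` block that holds these selections starts outside the hunk.
```yaml
    session_manager:
      TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager_details:
      TargetObject|contains:
        - '\SetupExecute'
        - '\S0InitialCommand'
        # … unchanged: remaining session_manager_details values …
```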
@@ -50,9 +49,8 @@ detection: - '\BootExecute' - '\AppCertDlls' current_version: - TargetObject|contains: + TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows\CurrentVersion' - current_version_details: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' @@ -71,9 +69,8 @@ detection: - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' nt_current_version: - TargetObject|contains: + TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - nt_current_version_details: TargetObject|contains: - '\Winlogon\VmApplet' - '\Winlogon\Userinit' @@ -90,9 +87,8 @@ detection: - '\Windows\Run' - '\Windows\Load' wow_current_version: - TargetObject|contains: + TargetObject|contains|all: - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' - wow_current_version_details: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' @@ -102,19 +98,16 @@ detection: - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' wow_nt_current_version: - TargetObject|contains: + TargetObject|contains|all: - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' - wow_nt_current_version_details: TargetObject|contains: - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Drivers32' wow_office: - TargetObject|contains: - - '\Software\Wow6432Node\Microsoft\Office' + TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office' office: - TargetObject|contains: - - '\Software\Microsoft\Office' + TargetObject|contains: '\Software\Microsoft\Office' wow_office_details: TargetObject|contains: - '\Word\Addins' 
@@ -125,20 +118,17 @@ detection: - '\Access\Addins' - 'test\Special\Perf' wow_ie: - TargetObject|contains: - - '\Software\Wow6432Node\Microsoft\Internet Explorer' + TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer' ie: - TargetObject|contains: - - '\Software\Microsoft\Internet Explorer' + TargetObject|contains: '\Software\Microsoft\Internet Explorer' wow_ie_details: TargetObject|contains: - '\Toolbar' - '\Extensions' - '\Explorer Bars' wow_classes: - TargetObject|contains: + TargetObject|contains|all: - '\Software\Wow6432Node\Classes' - wow_classes_details: TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' @@ -153,9 +143,8 @@ detection: - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' classes: - TargetObject|contains: + TargetObject|contains|all: - '\Software\Classes' - classes_details: TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' @@ -174,25 +163,22 @@ detection: - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' scripts: - TargetObject|contains: + TargetObject|contains|all: - '\Software\Policies\Microsoft\Windows\System\Scripts' - scripts_details: TargetObject|contains: - '\Startup' - '\Shutdown' - '\Logon' - '\Logoff' winsock_parameters: - TargetObject|contains: + TargetObject|contains|all: - '\System\CurrentControlSet\Services\WinSock2\Parameters' - winsock_parameters_details: TargetObject|contains: - '\Protocol_Catalog9\Catalog_Entries' - '\NameSpace_Catalog5\Catalog_Entries' system_control: - TargetObject|contains: + TargetObject|contains|all: - '\SYSTEM\CurrentControlSet\Control' - system_control_details: TargetObject|contains: - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\Terminal Server\Wds\rdpwd\StartupPrograms' 
@@ -204,7 +190,19 @@ detection: - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' - condition: main_selection OR (session_manager AND session_manager_details) OR (current_version AND current_version_details) OR (nt_current_version AND nt_current_version_details) OR (wow_current_version AND wow_current_version_details) OR (wow_nt_current_version AND wow_nt_current_version_details) OR ((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details) OR (wow_classes AND wow_classes_details) OR (classes AND classes_details) OR (scripts AND scripts_details) OR (winsock_parameters AND winsock_parameters_details) OR (system_control AND system_control_details) + condition: main_selection OR + session_manager OR + current_version OR + nt_current_version OR + wow_current_version OR + wow_nt_current_version OR + (wow_office OR office) AND wow_office_details OR + (wow_ie OR ie) AND wow_ie_details OR + wow_classes OR + classes OR + scripts OR + winsock_parameters OR + system_control fields: - SecurityID - ObjectName From a9a90e024c075745b6d3a38e66dc70fe5208e0c6 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Fri, 6 Nov 2020 09:56:49 +0100 Subject: [PATCH 1031/1335] make it global rule --- rules/linux/lnx_network_service_scanning.yml | 42 ++++++++++++------- .../linux/macos_network_service_scanning.yml | 9 ++-- 2 files changed, 31 insertions(+), 20 deletions(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index e424ceec5..ab1935539 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -1,3 +1,4 @@ +action: global title: Linux Network Service Scanning id: 3e102cd9-a70d-4a7a-9508-403963092f31 status: experimental 
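Review bot: The rewritten condition leaves `(wow_office OR office) AND wow_office_details OR (wow_ie OR ie) AND wow_ie_details` without outer parentheses, so the grouping depends on `and` binding tighter than `or`, whereas the previous single-line form spelled it out. Wrap each pair as `((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details)` so a reader does not need the precedence rules to see what is intended. This is a readability point only; the parsed grouping is the same either way.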
@@ -6,23 +7,36 @@ author: Alejandro Ortuno, oscd.community date: 2020/10/21 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md -logsource: - category: process_creation - product: linux -detection: - selection_1: - ProcessName|endswith: - - '/nmap' - selection_2: - ProcessName|endswith: - - '/telnet' - selection_3: - ProcessName|endswith: - - '/nc' - condition: 1 of them falsepositives: - Legitimate administration activities level: medium tags: - attack.discovery - attack.t1046 +--- +logsource: + category: process_creation + product: linux +detection: + selection: + ProcessName|endswith: + - '/nmap' + - '/telnet' + - '/nc' + - '/netcat' + condition: selection +--- +logsource: + product: linux + service: auditd + definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183' +detection: + selection: + type: 'SYSCALL' + exe|endswith: + - '/nc' + - '/netcat' + - '/telnet' + - '/nmap' + key: 'network_connect_4' + condition: selection diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index 553600ace..eb19512f8 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml @@ -10,16 +10,13 @@ logsource: category: process_creation product: macos detection: - selection_1: + selection: ProcessName|endswith: - '/nmap' - selection_2: - ProcessName|endswith: - '/telnet' - selection_3: - ProcessName|endswith: - '/nc' - condition: 1 of them + - '/netcat' + condition: selection falsepositives: - Legitimate administration activities level: medium From 7c5067ade43023e86e19c8b213adfcb3bea7f412 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Fri, 6 Nov 2020 10:25:59 +0100 Subject: [PATCH 1032/1335] Making it a global rule --- rules/linux/lnx_security_tools_disabling.yml | 28 +++++++++++++++----- 1 file changed, 21 insertions(+), 7 deletions(-) 
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 609c095dd..a6a5fe01f 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -1,3 +1,4 @@ +action: global title: Disabling Security Tools id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: experimental @@ -7,6 +8,14 @@ date: 2020/06/17 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1562.004 + - attack.t1089 +--- logsource: category: process_creation product: linux @@ -89,10 +98,15 @@ detection: - 'disable' - 'falcon-sensor.service' condition: 1 of them -falsepositives: - - Legitimate administration activities -level: medium -tags: - - attack.defense_evasion - - attack.t1562.004 - - attack.t1089 +--- +logsource: + product: linux + service: syslog +detection: + keywords: + - '*stopping iptables*' + - '*stopping ip6tables*' + - '*stopping firewalld*' + - '*stopping cbdaemon*' + - '*stopping falcon-sensor*' + condition: keywords From c17e8574d0bbe0d2082bfbce6608965dc9db497b Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Fri, 6 Nov 2020 20:56:08 +0100 Subject: [PATCH 1033/1335] change the syntax a bit and removed `.service` suffix as it is MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [redundant](https://www.freedesktop.org/software/systemd/man/systemctl.html]: ``` Unit commands listed above take either a single unit name (designated as UNIT), or multiple unit specifications (designated as PATTERN…). In the first case, the unit name with or without a suffix must be given. If the suffix is not specified (unit name is "abbreviated"), systemctl will append a suitable suffix, ".service" by default, and a type-specific suffix in case of commands which operate only on specific unit types. For example, # systemctl start sshd and # systemctl start sshd.service are equivalent ``` --- rules/linux/lnx_security_tools_disabling.yml | 49 +++++++------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index a6a5fe01f..72643ae36 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -3,10 +3,9 @@ title: Disabling Security Tools id: e3a8a052-111f-4606-9aee-f28ebeb76776 status: experimental description: Detects disabling security tools -author: Ömer Günal, Alejandro Ortuno +author: Ömer Günal, Alejandro Ortuno, oscd.community date: 2020/06/17 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md falsepositives: - Legitimate administration activities 
@@ -21,82 +20,68 @@ logsource: product: linux detection: iptables_1: - ProcessName|endswith: - - 'service' + ProcessName|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' iptables_2: - ProcessName|endswith: - - 'service' + ProcessName|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' iptables_3: - ProcessName|endswith: - - 'chkconfig' + ProcessName|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' iptables_4: - ProcessName|endswith: - - 'chkconfig' + ProcessName|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' firewall_1: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' firewall_2: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' carbonblack_1: - ProcessName|endswith: - - 'service' + ProcessName|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_2: - ProcessName|endswith: - - 'chkconfig' + ProcessName|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' carbonblack_3: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_4: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' selinux: - ProcessName|endswith: - - 'setenforce' - CommandLine|contains: - - '0' + ProcessName|endswith: '/setenforce' + CommandLine|contains: '0' crowdstrike_1: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - - 'falcon-sensor.service' + - 'falcon-sensor' crowdstrike_2: - ProcessName|endswith: - - 'systemctl' + ProcessName|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - - 'falcon-sensor.service' + - 'falcon-sensor' condition: 1 of them --- logsource: 
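Review bot: The `selinux` selection only matches `setenforce` invocations whose command line contains the character `0`, which misses `setenforce permissive`, the documented equivalent of `setenforce 0`, while matching any invocation whose path happens to contain a zero. Extend the value list to `CommandLine|contains: - '0' - 'permissive'`; Sigma string matching is case-insensitive, so `Permissive` is covered by the same value. The `--- logsource:` at the end of the hunk opens the second document, whose body is outside the hunk.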
From 89a24d4bfae596777596bcf98d021817e19e8958 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 7 Nov 2020 11:50:30 +0300 Subject: [PATCH 1034/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index c6e9be9a2..702a3e80c 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -14,12 +14,14 @@ detection: - CommandLine|contains|all: - 'mv ' - '/usr/local/share/ca-certificates' - - 'update-ca-certificates' selection2: + - ProcessName|contains: + - 'update-ca-certificates' + selection3: - CommandLine|contains|all: - 'cp ' - 'rootCA.crt' - 'update-ca-trust' - condition: selection or selection2 + condition: (selection and selection2) or selection3 falsepositives: - Legitimate administration activities From 5dc3472af0afa0aba6dd011f803a025ea3e65e31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 7 Nov 2020 11:51:53 +0300 Subject: [PATCH 1035/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index 2ac156ddc..f13c05efa 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -19,7 +19,7 @@ logsource: categories: process_creation detection: selection: - CommandLine|contains: + ProcessName|contains: - 'uname' - 'hostname' - 'uptime' From 499a8f85b08216f8ff03c2effab61a6469415251 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sun, 8 Nov 2020 11:06:11 +0300 Subject: [PATCH 1036/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 702a3e80c..08cb1f0da 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -2,6 +2,8 @@ title: Install Root Certificate id: 78a80655-a51e-4669-bc6b-e9d206a462ee description: Detects installed new certificate author: Ömer Günal, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md date: 2020/10/05 tags: - attack.defense_evasion From 0e4a5baf1ac0b60293ccd306b7de84528e0d6e19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sun, 8 Nov 2020 11:08:30 +0300 Subject: [PATCH 1037/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 08cb1f0da..643e132d0 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -13,17 +13,11 @@ logsource: product: linux detection: selection: - - CommandLine|contains|all: - - 'mv ' - - '/usr/local/share/ca-certificates' + - ProcessName|endswith: + - '/update-ca-certificates' selection2: - - ProcessName|contains: - - 'update-ca-certificates' - selection3: - CommandLine|contains|all: - - 'cp ' - - 'rootCA.crt' - 'update-ca-trust' - condition: (selection and selection2) or selection3 + condition: selection or selection2 falsepositives: - Legitimate administration activities From 577165b7f7067ab70e1e899ce562ca90e37caaa7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sun, 8 Nov 2020 11:09:27 +0300 Subject: [PATCH 1038/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f13c05efa..f5709a91e 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -19,14 +19,14 @@ logsource: categories: process_creation detection: selection: - ProcessName|contains: - - 'uname' - - 'hostname' - - 'uptime' - - 'lspci' - - 'dmidecode' - - 'lscpu' - - 'lsmod' + ProcessName|endswith: + - '/uname' + - '/hostname' + - '/uptime' + - '/lspci' + - '/dmidecode' + - '/lscpu' + - '/lsmod' condition: selection --- logsource: From ad031d97ee106e7ed78a5f5953c49bc5a2c3d593 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Mon, 9 Nov 2020 10:32:56 +0100 Subject: [PATCH 1039/1335] Filter out listening mode on nc --- rules/linux/lnx_network_service_scanning.yml | 11 +++++------ rules/linux/macos_network_service_scanning.yml | 14 +++++++++----- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index ab1935539..be6713c15 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.discovery - attack.t1046 
@@ -17,14 +17,15 @@ tags: logsource: category: process_creation product: linux + definition: 'Detect netcat and filter our listening mode' detection: selection: ProcessName|endswith: - - '/nmap' - - '/telnet' - '/nc' - '/netcat' - condition: selection + filter: + CommandLine|contains: 'l' + condition: selection and not filter --- logsource: product: linux @@ -34,8 +35,6 @@ detection: selection: type: 'SYSCALL' exe|endswith: - - '/nc' - - '/netcat' - '/telnet' - '/nmap' key: 'network_connect_4' diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index eb19512f8..09bcef383 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml @@ -10,16 +10,20 @@ logsource: category: process_creation product: macos detection: - selection: + selection_1: + ProcessName|endswith: + - '/nc' + - '/netcat' + selection_2: ProcessName|endswith: - '/nmap' - '/telnet' - - '/nc' - - '/netcat' - condition: selection + filter: + CommandLine|contains: 'l' + condition: (selection_1 and not filter) or selection_2 falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.discovery - attack.t1046 From d4d694b4dac4fc1c4acb02b167b16e6fcbee5bae Mon Sep 17 00:00:00 2001 From: Ryan Plas Date: Tue, 10 Nov 2020 10:01:47 -0500 Subject: [PATCH 1040/1335] Logic fix for sysmon_non_priv_program_files_move --- .../file_event/sysmon_non_priv_program_files_move.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml index 51af9b500..b7440b4b6 100644 --- a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml +++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml 
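Review bot: `filter: CommandLine|contains: 'l'` suppresses every command line that contains the letter l anywhere — in a target hostname, in a path such as `/usr/local/bin/nc`, or in any other option — so most outbound netcat usage is filtered out along with listeners, and the new `level: low` does not compensate for that. Matching the flag instead, `CommandLine|contains: ' -l'`, keeps scans visible and still catches bundled forms that start with l such as `-lvp`; bundles with l later in the group (`-vl`) would still slip through, which is worth stating in `definition`. The same filter is introduced in the macOS hunk `@@ -10,16 +10,20 @@` below and survives unchanged as `netcat_listen_flag` in PATCH 1047. While touching `definition`, `filter our listening mode` should read `filter out listening mode`.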
@@ -21,10 +21,11 @@ detection: - TargetFilename|contains: - '\Program Files\' - '\Program Files (x86)\' - - TargetFilename|startswith: '\Windows\' + windows: + TargetFilename|startswith: '\Windows\' temp: TargetFilename|contains: 'temp' - condition: integrity and (program_files or temp) + condition: integrity and (program_files or windows and not temp) falsepositives: - Unknown level: medium From f41accab33a6aeae6067148bea5b50552783db0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 10 Nov 2020 20:09:03 +0300 Subject: [PATCH 1041/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 643e132d0..041baea74 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -13,10 +13,10 @@ logsource: product: linux detection: selection: - - ProcessName|endswith: + ProcessName|endswith: - '/update-ca-certificates' selection2: - - CommandLine|contains|all: + CommandLine|contains|all: - 'update-ca-trust' condition: selection or selection2 falsepositives: From ab959394abc5dbeadc22f4130fb9d40cb9bcf0c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 10 Nov 2020 20:09:46 +0300 Subject: [PATCH 1042/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 041baea74..ecd7fc341 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml 
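Review bot: `windows: TargetFilename|startswith: '\Windows\'` cannot match, because Sysmon's TargetFilename is a full path that begins with the drive letter (`C:\Windows\...`), so the `windows and not temp` branch of the new condition never fires and the logic fix only takes effect for Program Files. Use `TargetFilename|contains: '\Windows\'` (or `startswith: 'C:\Windows\'` if the system drive is fixed in this environment). Writing the condition as `integrity and (program_files or (windows and not temp))` would also make the intended precedence explicit rather than relying on `and` binding tighter than `or`. The `integrity` selection is defined outside the hunk.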
@@ -16,8 +16,8 @@ detection: ProcessName|endswith: - '/update-ca-certificates' selection2: - CommandLine|contains|all: - - 'update-ca-trust' + ProcessName|endswith: + - '/update-ca-trust' condition: selection or selection2 falsepositives: - Legitimate administration activities From 19cad11a4adaa720caa635c281cb47311eae3a3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 10 Nov 2020 20:11:49 +0300 Subject: [PATCH 1043/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index f5709a91e..aa196084a 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -31,10 +31,9 @@ detection: --- logsource: product: linux - categories: file_event + categories: auditd detection: selection: - type: 'PATH' name: - '/sys/class/dmi/id/bios_version' - '/sys/class/dmi/id/product_name' From 19eb8306d38678675f5073dfa3dc32c662558738 Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Sat, 14 Nov 2020 09:50:29 +0400 Subject: [PATCH 1044/1335] Removed unnessary antifalse positive --- .../win_susp_file_download_via_gfxdownloadwrapper.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml index 9f756d484..4adaeef44 100644 --- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml 
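Review bot: `categories: auditd` is not a Sigma logsource key: the schema defines `category`, `product` and `service`, and auditd is addressed as `service: auditd`, which is also how the auditd document of lnx_network_service_scanning.yml in this series is written. With an unknown key the logsource cannot be mapped by any backend configuration, so the whole second document is effectively dead. Change the line to `service: auditd`; the pre-existing `categories: process_creation` in the first document has the same problem and should become `category: process_creation`.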
@@ -14,11 +14,9 @@ detection: Image|endswith: '\GfxDownloadWrapper.exe' cmd_known_url: CommandLine|contains: 'gameplayapi.intel.com' - cmd_null: - CommandLine: null same_parent: ParentProcessName|endswith: '\GfxDownloadWrapper.exe' - condition: image_path and not cmd_known_url and not cmd_null and not same_parent + condition: image_path and not cmd_known_url and not same_parent fields: - CommandLine falsepositives: From 821bdf8ab47969f310712275d4c30ce9935b7d13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 14 Nov 2020 19:19:28 +0300 Subject: [PATCH 1045/1335] Update lnx_install_root_certificate.yml --- rules/linux/lnx_install_root_certificate.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index ecd7fc341..3595fb437 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -11,13 +11,12 @@ tags: level: low logsource: product: linux + category: process_creation detection: selection: ProcessName|endswith: - '/update-ca-certificates' - selection2: - ProcessName|endswith: - '/update-ca-trust' - condition: selection or selection2 + condition: selection falsepositives: - Legitimate administration activities From edc416a1d8f7ace9386dacb4c8ec8b74826d832f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Sat, 14 Nov 2020 19:24:23 +0300 Subject: [PATCH 1046/1335] Update lnx_system_info_discovery.yml --- rules/linux/lnx_system_info_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index aa196084a..eabff7636 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml 
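Review bot: Dropping `selection2` (`/update-ca-trust`) removes coverage for RHEL/CentOS/Fedora-style hosts, where `update-ca-trust` rather than `update-ca-certificates` is the tool that installs a new trust anchor; the rule keeps a generic title and `description: Detects installed new certificate` but now only fires on Debian-family systems. If that narrowing is intended, say so in `description`; otherwise keep both binaries in one list: `ProcessName|endswith: - '/update-ca-certificates' - '/update-ca-trust'`.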
@@ -34,6 +34,7 @@ logsource: categories: auditd detection: selection: + type: 'PATH' name: - '/sys/class/dmi/id/bios_version' - '/sys/class/dmi/id/product_name' From 2939b33ab513b33db8c8c450e3fb8d01eb6714d8 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 16 Nov 2020 01:00:09 +0100 Subject: [PATCH 1047/1335] Update lnx_network_service_scanning.yml --- rules/linux/lnx_network_service_scanning.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index be6713c15..e3dc8b9e0 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -19,13 +19,17 @@ logsource: product: linux definition: 'Detect netcat and filter our listening mode' detection: - selection: + netcat: ProcessName|endswith: - '/nc' - '/netcat' - filter: + network_scanning_tools: + ProcessName|endswith: + - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning + - '/nmap' + netcat_listen_flag: CommandLine|contains: 'l' - condition: selection and not filter + condition: (netcat and not netcat_listen_flag) or network_scanning_tools --- logsource: product: linux @@ -37,5 +41,7 @@ detection: exe|endswith: - '/telnet' - '/nmap' + - '/netcat' + - '/nc' key: 'network_connect_4' condition: selection From 3d206b08d8b887f28170d029cdf554321c7f4091 Mon Sep 17 00:00:00 2001 From: v3t0 Date: Sun, 15 Nov 2020 19:04:12 -0500 Subject: [PATCH 1048/1335] [OSCD] Added a rule to detect potential persistence using registry keys --- .../sysmon_runonce_persistence.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/registry_event/sysmon_runonce_persistence.yml 
diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml new file mode 100644 index 000000000..aff6c60e7 --- /dev/null +++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml @@ -0,0 +1,24 @@ +title: Run Once Task Configuration in Registry +id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff +description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup +author: 'Avneet Singh @v3t0_, oscd.community' +status: experimental +date: 2020/11/15 +references: + - https://twitter.com/pabraeken/status/990717080805789697 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml +tags: + - attack.defense_evasion + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection: + EventType: 'SetValue' + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' + TargetObject|endswith: '\StubPath' + condition: selection +falsepositives: + - Legitimate modification of the registry key by legitimate program +level: medium From 7860bda5d656c49da377ab29c4799b68f90ba7bd Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1049/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
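Review bot: The selection keys off `TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'`, which misses the 32-bit view `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components` that sysmon_asep_reg_keys_modification.yml in this series already lists; `TargetObject|contains: '\Microsoft\Active Setup\Installed Components\'` combined with the existing `\StubPath` endswith would cover both views. The title and description speak of "Run Once", but the key written is the Active Setup StubPath that `runonce.exe /AlternateShellStartup` executes; naming Active Setup in the title avoids confusion with the `\RunOnce` autorun key. The commit message calls this persistence, yet the tags only carry `attack.defense_evasion` and `attack.t1112`; add `attack.persistence`.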
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 199a897f75f95d5419ff511af760426de432d207 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1050/1335] Fix rule indent --- rules/linux/lnx_network_service_scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index e3dc8b9e0..40ad7cd2a 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -44,4 +44,4 @@ detection: - '/netcat' - '/nc' key: 'network_connect_4' - condition: selection + condition: selection From 1582c5230ab93fc765d4d154fab508086691e8bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Wed, 18 Nov 2020 23:25:15 +0300 Subject: [PATCH 1051/1335] Update lnx_process_discovery.yml --- rules/linux/lnx_process_discovery.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index a6bf0eec1..863879928 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml 
@@ -8,11 +8,12 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md logsource: product: linux + category: process_creation detection: selection: - - ProcessName|contains: - - 'ps ' - - 'top' + - ProcessName|endswith: + - '/ps' + - '/top' condition: selection falsepositives: - Legitimate administration activities From e3b310438cea36e2c54efee9e5625b20e5ded748 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1052/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From a0a5bfe2043ff4eae380c0ff0732c71dff3f0516 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1053/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 371c1121431ca964d806d81ced2d3200a86f34f8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 21:45:19 -0300 Subject: [PATCH 1054/1335] Fix the detection logic ObjectName = admin was included in the query using AND, not OR. --- .../windows/builtin/win_account_discovery.yml | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml index 2945d8881..a6705cb88 100644 --- a/rules/windows/builtin/win_account_discovery.yml +++ b/rules/windows/builtin/win_account_discovery.yml @@ -21,19 +21,20 @@ detection: ObjectType: - 'SAM_USER' - 'SAM_GROUP' - ObjectName|endswith: - - '-512' - - '-502' - - '-500' - - '-505' - - '-519' - - '-520' - - '-544' - - '-551' - - '-555' - ObjectName|contains: - - 'admin' - condition: selection + selection_object: + - ObjectName|endswith: + - '-512' + - '-502' + - '-500' + - '-505' + - '-519' + - '-520' + - '-544' + - '-551' + - '-555' + - ObjectName|contains: + - 'admin' + condition: selection and selection_object falsepositives: - if source account name is not an admin then its super suspicious level: high From 7fe2c00ac1e6253f6cb7310f7374c97cc0686c74 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Thu, 19 Nov 2020 22:14:37 -0300 Subject: [PATCH 1055/1335] Update win_net_ntlm_downgrade.yml --- rules/windows/builtin/win_net_ntlm_downgrade.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 99bf652ad..c12948609 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -42,7 +42,7 @@ logsource: detection: selection2: EventID: 4657 - ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*' + ObjectName|startswith: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa' ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' From c20bce4a779eb81624a549cf53b9a01fbfccc693 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:30:48 -0300 Subject: [PATCH 1056/1335] Update win_susp_msmpeng_crash.yml --- rules/windows/builtin/win_susp_msmpeng_crash.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index ad62efc82..15b527e73 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -26,7 +26,7 @@ detection: Message|contains: - 'MsMpEng.exe' - 'mpengine.dll' - condition: 1 of selection* and all of keywords + condition: 1 of selection* and keywords falsepositives: - MsMpEng.exe can crash when C:\ is full level: high From 5d85bbba56d59fa21339e6bd87fef91b8ce61745 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:37:13 -0300 Subject: [PATCH 1057/1335] Improve detection logic --- .../builtin/win_susp_net_recon_activity.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index c6a7653af..c73d5b2ed 100644 
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -4,7 +4,7 @@ status: experimental description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" references: - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html -author: Florian Roth (rule), Jack Croock (method) +author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro, oscd.community date: 2017/03/07 modified: 2020/08/23 tags: @@ -22,13 +22,13 @@ detection: selection: - EventID: 4661 ObjectType: 'SAM_USER' - ObjectName: 'S-1-5-21-*-500' + ObjectName|startswith: 'S-1-5-21-' AccessMask: '0x2d' - - EventID: 4661 - ObjectType: 'SAM_GROUP' - ObjectName: 'S-1-5-21-*-512' - AccessMask: '0x2d' - condition: selection + selection2: + ObjectName|endswith: + - '-500' + - '-512' + condition: selection and selection2 falsepositives: - Administrator activity - Penetration tests From ea385767b99e965a96d96669e2f0f49fd5a60342 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:40:43 -0300 Subject: [PATCH 1058/1335] Update win_susp_ntlm_auth.yml --- rules/windows/builtin/win_susp_ntlm_auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml index 81aa4bf6a..f9e9df5a2 100644 --- a/rules/windows/builtin/win_susp_ntlm_auth.yml +++ b/rules/windows/builtin/win_susp_ntlm_auth.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: ntlm - definition: Reqiures events from Microsoft-Windows-NTLM/Operational + definition: Requires events from Microsoft-Windows-NTLM/Operational detection: selection: EventID: 8002 From 4f4fcbc576976710f46a6e176ae6bbbfa08eb64d Mon Sep 17 00:00:00 2001 
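Review bot: The rewrite drops `SAM_GROUP` from `ObjectType`, so the `-512` entry in `selection2` can never match — a Domain Admins group object is logged with `ObjectType: 'SAM_GROUP'`, not `SAM_USER` — and the `net group domain admins /domain` case named in the description goes undetected. Keep both types in the first selection: `ObjectType:` / `  - 'SAM_USER'` / `  - 'SAM_GROUP'`. Pairing `|startswith: 'S-1-5-21-'` with `|endswith` also accepts any domain's -500/-512 objects rather than a specific SID pattern; that is acceptable here but deserves a one-line comment. `modified: 2020/08/23` is left unchanged in the first hunk although the logic changed; `level` follows after the second hunk.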
From: Jonhnathan Date: Thu, 19 Nov 2020 22:47:20 -0300 Subject: [PATCH 1059/1335] Update win_susp_wmi_login.yml --- rules/windows/builtin/win_susp_wmi_login.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml index cf0bad0c5..98835de02 100644 --- a/rules/windows/builtin/win_susp_wmi_login.yml +++ b/rules/windows/builtin/win_susp_wmi_login.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventID: 4624 - ProcessName|endswith: "\\WmiPrvSE.exe" + ProcessName|endswith: '\WmiPrvSE.exe' condition: selection falsepositives: - Monitoring tools From fdd28556cf4c061da53eb52f97c7c82eeeada4ae Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:48:20 -0300 Subject: [PATCH 1060/1335] Fix ref --- .../builtin/win_suspicious_outbound_kerberos_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index c975f68f7..6b172fb38 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -3,7 +3,7 @@ id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 status: experimental description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. references: - - https://github.com/GhostPack/Rubeus8 + - https://github.com/GhostPack/Rubeus author: Ilyas Ochkov, oscd.community date: 2019/10/24 modified: 2019/11/13 From f42ef96140f8be8d38a388f9d5e38e95d43a4c6a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:50:27 -0300 Subject: [PATCH 1061/1335] Fix Reference --- rules/windows/builtin/win_syskey_registry_access.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml index ff56999a5..0c36525b1 100644 --- a/rules/windows/builtin/win_syskey_registry_access.yml +++ b/rules/windows/builtin/win_syskey_registry_access.yml @@ -6,7 +6,7 @@ date: 2019/08/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html tags: - attack.discovery - attack.t1012 @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical From 6ecafac619d64f862920436b8f8f0409125539f0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:56:34 -0300 Subject: [PATCH 1062/1335] Update sysmon_susp_driver_load.yml --- rules/windows/driver_load/sysmon_susp_driver_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml index 479c799e6..73f423d2a 100755 --- a/rules/windows/driver_load/sysmon_susp_driver_load.yml +++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - ImageLoaded|contains: '\Temp\\' + ImageLoaded|contains: '\Temp\' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment From f79caba72a9d979e0c3d57547192a1480f1d65d2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 22:58:50 -0300 Subject: [PATCH 1063/1335] Remove additional backslash --- .../file_event/sysmon_creation_system_file.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
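Review bot: `ImageLoaded|contains: '\Temp\'` now ends in a single backslash, and `contains`/`startswith` append a `*` wildcard to the value; under Sigma's escaping `\*` is a literal asterisk, so unless the converter doubles a trailing backslash before appending the wildcard the pattern degrades to the literal text `\Temp*` and stops matching. The doubled `\\` this series removes was the unambiguous spelling; the same edit is made in sysmon_creation_system_file.yml, sysmon_tsclient_filewrite_startup.yml, sysmon_susp_office_dotnet_assembly_dll_load.yml, sysmon_svchost_dll_search_order_hijack.yml, win_mal_flowcloud.yml, win_mal_ursnif.yml, sysmon_win_binary_github_com.yml, sysmon_win_binary_susp_com.yml, sysmon_malware_verclsid_shellcode.yml, sysmon_susp_run_key_img_folder.yml, sysmon_suspicious_keyboard_layout_load.yml and sysmon_uac_bypass_eventvwr.yml in the following commits. Before merging the batch, confirm with `make test` and the backend tests that a trailing backslash ahead of a modifier-appended wildcard is emitted as a literal backslash by every backend in use, or keep `\\` where it stood. The rule's `level` follows after this hunk.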
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml index 1c6840e89..386636a0c 100755 --- a/rules/windows/file_event/sysmon_creation_system_file.yml +++ b/rules/windows/file_event/sysmon_creation_system_file.yml @@ -41,13 +41,13 @@ detection: - '\wlanext.exe' filter: TargetFilename|startswith: - - 'C:\Windows\System32\\' - - 'C:\Windows\system32\\' - - 'C:\Windows\SysWow64\\' - - 'C:\Windows\SysWOW64\\' - - 'C:\Windows\winsxs\\' - - 'C:\Windows\WinSxS\\' - - '\SystemRoot\System32\\' + - 'C:\Windows\System32\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWow64\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\winsxs\' + - 'C:\Windows\WinSxS\' + - '\SystemRoot\System32\' condition: selection and not filter fields: - Image From 9a5b17f2bb6c73f9d9e93045c18cb933a1129ec3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 23:04:26 -0300 Subject: [PATCH 1064/1335] Remove additional backslash --- rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml index 307967868..c171dcdfc 100755 --- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml @@ -10,7 +10,7 @@ logsource: detection: selection: Image|endswith: '\mstsc.exe' - TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\\' + TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\' condition: selection falsepositives: - unknown From 44652c4ffd63a0f8ca07124cc95d9e3b23f72a3c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 23:08:40 -0300 Subject: [PATCH 1065/1335] Remove additional backslash --- .../image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index 7e70aed3b..c9d881196 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -22,7 +22,7 @@ detection: - '\excel.exe' - '\outlook.exe' ImageLoaded|startswith: - - 'C:\Windows\assembly\\' + - 'C:\Windows\assembly\' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate From 43ffb80d94a83927cc18362511ef7fe45c440dd8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 23:09:50 -0300 Subject: [PATCH 1066/1335] Remove additional backslash --- .../image_load/sysmon_svchost_dll_search_order_hijack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index 9477a77a3..02e3ae288 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -29,7 +29,7 @@ detection: - '\wlbsctrl.dll' filter: ImageLoaded|startswith: - - 'C:\Windows\WinSxS\\' + - 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Pentest From 351a9920ed6817f47a613ef5d18897705352a20c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 23:14:44 -0300 Subject: [PATCH 1067/1335] Update win_mal_flowcloud.yml --- rules/windows/malware/win_mal_flowcloud.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml index 37e315f90..d033b4b84 100644 --- a/rules/windows/malware/win_mal_flowcloud.yml +++ b/rules/windows/malware/win_mal_flowcloud.yml 
@@ -17,12 +17,14 @@ detection: EventID: - 12 # key create - 13 # value set - TargetObject: + selection2: + - TargetObject: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - 'HKLM\SYSTEM\Setup\PrintResponsor\\*' - condition: selection + - TargetObject|startswith: + - 'HKLM\SYSTEM\Setup\PrintResponsor\' + condition: selection and selection2 falsepositives: - Unknown level: critical From 0ffd1ef47f2e57e47bdf30c7858686ef33c08f48 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 Nov 2020 23:15:38 -0300 Subject: [PATCH 1068/1335] Remove additional backslash --- rules/windows/malware/win_mal_ursnif.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml index cf696cf73..a0c51c74a 100644 --- a/rules/windows/malware/win_mal_ursnif.yml +++ b/rules/windows/malware/win_mal_ursnif.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 13 - TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\\' + TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\' condition: selection falsepositives: - Unknown From f6a89e970734cc52e7764897241669060d6c579e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 00:51:22 -0300 Subject: [PATCH 1069/1335] Fix Detection Logic --- .../network_connection/sysmon_rdp_reverse_tunnel.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index 87a85b318..ad50510af 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml 
@@ -22,11 +22,12 @@ detection: Image|endswith: '\svchost.exe' Initiated: 'true' SourcePort: 3389 - DestinationIp|startswith: + selection2: + - DestinationIp|startswith: - '127.' - DestinationIP: + - DestinationIP: - '::1' - condition: selection + condition: selection and selection2 falsepositives: - unknown level: high From 813afd4f4c17bb1e64474607d350b331dfd4bedc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 00:52:54 -0300 Subject: [PATCH 1070/1335] Remove additional backslash --- .../windows/network_connection/sysmon_win_binary_github_com.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml index 6e76f63df..a63c8b1e0 100755 --- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml +++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml @@ -24,7 +24,7 @@ detection: DestinationHostname|endswith: - '.github.com' - '.githubusercontent.com' - Image|startswith: 'C:\Windows\\' + Image|startswith: 'C:\Windows\' condition: selection falsepositives: - 'Unknown' From b3e0b55250e4c6bcd6d894d8c0758cb61fc7d667 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 00:53:13 -0300 Subject: [PATCH 1071/1335] Remove additional backslash --- rules/windows/network_connection/sysmon_win_binary_susp_com.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml index 0dab809fd..4422fc1e5 100755 --- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml +++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml 
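Review bot: The new `selection2` mixes two spellings of the same field, `DestinationIp|startswith` and `DestinationIP`; Sysmon's event field is `DestinationIp`, and backend field mappings are normally case-sensitive, so the `'::1'` branch may be emitted as an unmapped field and silently never match, leaving IPv6 loopback uncovered. Use `DestinationIp:` for the second list entry: `- DestinationIp:` / `    - '::1'`. The list-of-maps form correctly turns the former single-map AND, which required both addresses on one event, into an OR — that is the fix the commit intends. `falsepositives` and `level` follow after the hunk.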
@@ -20,7 +20,7 @@ detection: - 'dl.dropboxusercontent.com' - '.pastebin.com' - '.githubusercontent.com' # includes both gists and github repositories - Image|startswith: 'C:\Windows\\' + Image|startswith: 'C:\Windows\' condition: selection falsepositives: - 'Unknown' From 718792e0ba5ad53920e54d01c32bcf86f3e736ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 00:57:16 -0300 Subject: [PATCH 1072/1335] Update win_tool_psexec.yml --- rules/windows/other/win_tool_psexec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 211766129..76f9deda4 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -33,7 +33,7 @@ detection: service_installation: EventID: 7045 ServiceName: 'PSEXESVC' - ServiceFileName: '*\PSEXESVC.exe' + ServiceFileName|endswith: '\PSEXESVC.exe' service_execution: EventID: 7036 ServiceName: 'PSEXESVC' @@ -43,5 +43,5 @@ logsource: product: windows detection: sysmon_processcreation: - Image: '*\PSEXESVC.exe' + Image|endswith: '\PSEXESVC.exe' User: 'NT AUTHORITY\SYSTEM' From c42911cb4719441a99825476737ac6bd934b1f96 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 00:58:49 -0300 Subject: [PATCH 1073/1335] Update win_wmi_persistence.yml --- rules/windows/other/win_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index a3deb48fe..26f8174a0 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml 
@@ -27,7 +27,7 @@ detection: # - 'Binding EventFilter' # too many false positive with HP Health Driver selection2: EventID: 5859 - condition: selection and 1 of keywords or selection2 + condition: selection and keywords or selection2 falsepositives: - Unknown (data set is too small; further testing needed) level: medium From ee43919eecd514571fb999c37884a579a41657e9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:05:06 -0300 Subject: [PATCH 1074/1335] Change detection logic --- .../powershell_clear_powershell_history.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index b2249b79b..1893c763a 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -3,7 +3,7 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -author: Ilyas Ochkov, oscd.community +author: Ilyas Ochkov, oscd.community, Jonhnathan Ribeiro references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a tags: @@ -14,12 +14,17 @@ logsource: product: windows service: powershell detection: - keywords: - - 'del (Get-PSReadlineOption).HistorySavePath' - - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing' - - 'Remove-Item (Get-PSReadlineOption).HistorySavePath' - - 'rm (Get-PSReadlineOption).HistorySavePath' - condition: keywords + command: + - 'del' + - 'Set-PSReadlineOption' + - 'Remove-Item' + - 'rm' + selection_1: + - '(Get-PSReadlineOption).HistorySavePath' + selection_2: + - '–HistorySaveStyle' + - 'SaveNothing' + condition: command and (selection_1 or selection_2) falsepositives: - some PS-scripts level: medium From 728276ef135422e7c91902572f07140129b3a831 Mon Sep 17 00:00:00 2001 
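Review bot: `condition: selection and keywords or selection2` relies on `and` binding tighter than `or`; writing `condition: (selection and keywords) or selection2` makes the intended grouping explicit, because a reader taking it as `selection and (keywords or selection2)` would see the `EventID: 5859` path collapse into a much narrower match. The rest of the rule precedes this hunk.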
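Review bot: `selection_2` keeps `'–HistorySaveStyle'` with a Unicode en dash (U+2013) carried over from the old keyword list, so it only matches command lines typed with that character; scripts and operators type the ASCII hyphen, `'-HistorySaveStyle'`. The new grouping also loosens the match: `command and selection_2` now fires for any `Set-PSReadlineOption -HistorySaveStyle <value>` (including the legitimate `SaveIncrementally`) and for `rm`/`del` events that merely contain `SaveNothing`, whereas the former phrase required both terms together; splitting into `selection_2: ['-HistorySaveStyle']` and `selection_3: ['SaveNothing']` with `condition: command and (selection_1 or (selection_2 and selection_3))` restores that. Bare keywords such as `rm` and `del` are full-text terms whose matching (token versus substring) is backend-dependent, so expect per-backend tuning. The hunk shows `date: 2019/10/25` but no `modified:` entry for this logic change, unless one sits in the unseen lines; `level` follows after the hunk.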
From: Jonhnathan Date: Fri, 20 Nov 2020 01:22:20 -0300 Subject: [PATCH 1075/1335] Improve Logic --- ...ershell_suspicious_invocation_specific.yml | 56 +++++++++++++++---- 1 file changed, 46 insertions(+), 10 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 42b151a2c..97833fc3e 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml 
@@ -6,21 +6,57 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 #an old one -author: Florian Roth (rule) +author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 logsource: product: windows service: powershell detection: - keywords: - Message: - - '* -nop -w hidden -c * [Convert]::FromBase64String*' - - '* -w hidden -noni -nop -c "iex(New-Object*' - - '* -w hidden -ep bypass -Enc*' - - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*' - - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*' - - '*iex(New-Object Net.WebClient).Download*' - condition: keywords + convert_b64: + Message|contains|all: + - '-nop' + - ' -w ' + - 'hidden' + - ' -c ' + - '[Convert]::FromBase64String' + iex_selection: + Message|contains|all: + - ' -w ' + - 'hidden' + - '-noni' + - '-nop' + - ' -c ' + - 'iex' + - 'New-Object' + enc_selection: + Message|contains|all: + - ' -w ' + - 'hidden' + - '-ep' + - 'bypass' + - '-Enc' + reg_selection: + Message|contains|all: + - 'powershell' + - 'reg' + - 'add' + - 'HKCU\software\microsoft\windows\currentversion\run' + webclient_selection: + Message|contains|all: + - 'bypass' + - '-noprofile' + - '-windowstyle' + - 'hidden' + - 'new-object' + - 'system.net.webclient' + - '.download' + iex_webclient: + Message|contains|all: + - 'iex' + - 'New-Object' + - 'Net.WebClient' + - '.Download' + condition: 1 of them falsepositives: - Penetration tests level: high From 4af7f00f4abf8e22db20e2696c8d7d6dac6e9f94 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:30:01 -0300 Subject: [PATCH 1076/1335] Improve logic --- .../sysmon_in_memory_assembly_execution.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 6606314d4..dbf969a17 100755 
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -8,7 +8,7 @@ description: Detects the access to processes by other suspicious processes which status: experimental date: 2019/10/27 modified: 2020/08/24 -author: Perez Diego (@darkquassar), oscd.community +author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ tags: @@ -22,9 +22,12 @@ logsource: product: windows detection: selection1: - CallTrace: - - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)" - - "*UNKNOWN(*)|UNKNOWN(*)" + - CallTrace|contains|all: + - 'C:\\Windows\\SYSTEM32\\ntdll.dll+' + - '|C:\\Windows\\System32\\KERNELBASE.dll+' + - '|UNKNOWN(*)' + - CallTrace|endswith: + - "UNKNOWN(*)|UNKNOWN(*)" selection2: CallTrace: "*UNKNOWN*" granted_access: From 219474480355445ef4ed299f38eed5a2b32a7ad4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:30:58 -0300 Subject: [PATCH 1077/1335] Update sysmon_invoke_phantom.yml --- rules/windows/process_access/sysmon_invoke_phantom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml index 7230b6859..f779354d6 100755 --- a/rules/windows/process_access/sysmon_invoke_phantom.yml +++ b/rules/windows/process_access/sysmon_invoke_phantom.yml @@ -19,8 +19,8 @@ detection: selection: TargetImage|endswith: '\windows\system32\svchost.exe' GrantedAccess: '0x1f3fff' - CallTrace: - - '*unknown*' + CallTrace|contains: + - 'unknown' condition: selection falsepositives: - unknown From ebd9973dcbcb15f3ce65f3b6ddc97d785be2a2df Mon Sep 17 00:00:00 2001 
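Review bot: The new `CallTrace|contains|all` entries keep doubled backslashes in single-quoted YAML (`'C:\\Windows\\SYSTEM32\\ntdll.dll+'`) while the neighbouring commits of this series strip `\\` to `\` everywhere else; both spell a literal backslash under Sigma's escaping, but the rule set should settle on one form. `'|UNKNOWN(*)'` contains an unescaped `*`, which is a wildcard rather than literal text, presumably intended because Sysmon prints an address inside the parentheses; a `# wildcard: address inside UNKNOWN(...)` comment would make that explicit. The last entry switches to double quotes (`"UNKNOWN(*)|UNKNOWN(*)"`); use single quotes like the rest of the selection. The same `\\` form appears in sysmon_lazagne_cred_dump_lsass_access.yml in the following commit, and `granted_access` continues after this hunk.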
From: Jonhnathan Date: Fri, 20 Nov 2020 01:32:41 -0300 Subject: [PATCH 1078/1335] Update sysmon_lazagne_cred_dump_lsass_access.yml --- .../sysmon_lazagne_cred_dump_lsass_access.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml index 34b5bf6aa..445496fe0 100644 --- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml @@ -16,7 +16,11 @@ logsource: detection: selection: TargetImage|endswith: '\lsass.exe' - CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*" + CallTrace|contains|all: + - 'C:\\Windows\\SYSTEM32\\ntdll.dll+' + - '|C:\\Windows\\System32\\KERNELBASE.dll+' + - '_ctypes.pyd+' + - 'python27.dll+' GrantedAccess: "0x1FFFFF" condition: selection level: critical From 240a8b9aa08726a00524615d3d5eceb4df251ac3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:33:04 -0300 Subject: [PATCH 1079/1335] Update sysmon_lazagne_cred_dump_lsass_access.yml --- .../process_access/sysmon_lazagne_cred_dump_lsass_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml index 445496fe0..bbeede229 100644 --- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml @@ -3,7 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0 description: Detects LSASS process access by LaZagne for credential dumping. status: stable date: 2020/09/09 -author: Bhabesh Raj +author: Bhabesh Raj, Jonhnathan Ribeiro references: - https://twitter.com/bh4b3sh/status/1303674603819081728 tags: 
From ab2edd1ff0a2d75ee7c1d194a89500b56adb120e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:34:43 -0300 Subject: [PATCH 1080/1335] Update sysmon_malware_verclsid_shellcode.yml --- .../process_access/sysmon_malware_verclsid_shellcode.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml index 5a65e0bc0..55855b3bc 100755 --- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml @@ -19,9 +19,11 @@ detection: TargetImage|endswith: '\verclsid.exe' GrantedAccess: '0x1FFFFF' combination1: - CallTrace|contains: '|UNKNOWN(*VBE7.DLL' + CallTrace|contains|all: + - '|UNKNOWN(' + - 'VBE7.DLL' combination2: - SourceImage|contains: '\Microsoft Office\\' + SourceImage|contains: '\Microsoft Office\' CallTrace|contains: '|UNKNOWN' condition: selection and 1 of combination* falsepositives: From 1acc19a8d52cb3260af9e7389bd2a023b793b49a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:37:24 -0300 Subject: [PATCH 1081/1335] Remove additional backlash --- .../sysmon_susp_run_key_img_folder.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index ec9b79889..8faa52d1f 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml 
@@ -17,16 +17,16 @@ logsource: detection: selection: TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\' - - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' Details|contains: - - 'C:\Windows\Temp\\' - - 'C:\$Recycle.bin\\' - - 'C:\Temp\\' - - 'C:\Users\Public\\' - - '%Public%\\' - - 'C:\Users\Default\\' - - 'C:\Users\Desktop\\' + - 'C:\Windows\Temp\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - '%Public%\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' - 'wscript' - 'cscript' condition: selection From 9cf2ea58620467992be9f5f1ff34600576a46837 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:38:17 -0300 Subject: [PATCH 1082/1335] Update sysmon_susp_service_installed.yml --- rules/windows/registry_event/sysmon_susp_service_installed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 115dc8569..00e4022e6 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml @@ -26,7 +26,7 @@ detection: - '\procmon.exe' selection_3: Details|contains: - - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS' + - '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection_1 and not selection_2 and not selection_3 falsepositives: - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. From 57e98e395733fe65945ed0b70250c55bd60d3cca Mon Sep 17 00:00:00 2001 
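Review bot: `'C:\Users\Desktop\'` in the rewritten `Details|contains` list is not a path Windows creates — desktop folders live under a user profile (`C:\Users\<name>\Desktop\`) — so that entry presumably never matches and Run-key values pointing at a desktop folder are missed. `- '\Desktop\'` would match the real layout; if a drive-anchored form was deliberate, add a comment saying why. The remaining backslash cleanup is equivalent, since Sigma treats a single trailing `\` and `\\` the same.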
From: Jonhnathan Date: Fri, 20 Nov 2020 01:38:57 -0300 Subject: [PATCH 1083/1335] Remove additional backlash --- .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index badfbb365..0cd426a5b 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -15,8 +15,8 @@ logsource: detection: selection_registry: TargetObject|contains: - - '\Keyboard Layout\Preload\\' - - '\Keyboard Layout\Substitutes\\' + - '\Keyboard Layout\Preload\' + - '\Keyboard Layout\Substitutes\' Details|contains: - 00000429 # Persian (Iran) - 00050429 # Persian (Iran) From e8aa9a854a0927bab4c606f3cdc78fc0e64d0592 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:40:29 -0300 Subject: [PATCH 1084/1335] Update sysmon_uac_bypass_eventvwr.yml --- rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml index 737f18139..6a17fd0f2 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml @@ -24,7 +24,8 @@ logsource: category: registry_event detection: methregistry: - TargetObject: 'HKU\\*\mscfile\shell\open\command' + - TargetObject|startswith: 'HKU\' + - TargetObject|endswith: '\mscfile\shell\open\command' condition: methregistry --- logsource: From 372f000b7f6a9357c7736551832b9b7341ab4622 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 20 Nov 2020 01:41:20 -0300 Subject: [PATCH 1085/1335] Update sysmon_uac_bypass_eventvwr.yml --- rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml index 6a17fd0f2..065779e19 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml @@ -24,8 +24,8 @@ logsource: category: registry_event detection: methregistry: - - TargetObject|startswith: 'HKU\' - - TargetObject|endswith: '\mscfile\shell\open\command' + TargetObject|startswith: 'HKU\' + TargetObject|endswith: '\mscfile\shell\open\command' condition: methregistry --- logsource: From 8d8c29e0fe1eb44ebbe285e1844ff5b162adb08b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:42:17 -0300 Subject: [PATCH 1086/1335] Update sysmon_uac_bypass_sdclt.yml --- rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 79063257e..5a91724f2 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -13,7 +13,8 @@ logsource: detection: selection: # usrclass.dat is mounted on HKU\USERSID_Classes\... - TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject|startswith: 'HKU\' + TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: - attack.defense_evasion From 1af9e9ed48ebbdf5baed145b7c2fd96135b9b0f5 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 20 Nov 2020 01:47:19 -0300 Subject: [PATCH 1087/1335] Update sysmon_win_reg_persistence.yml --- .../sysmon_win_reg_persistence.yml | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 2268d68fa..dea029f4f 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -5,18 +5,26 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2018/04/11 modified: 2020/09/06 -author: Karneades +author: Karneades, Jonhnathan Ribeiro logsource: category: registry_event product: windows detection: selection_reg1: - TargetObject|endswith: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' EventType: SetValue - condition: selection_reg1 + selection_reg2: + - TargetObject|contains|all: + - '\Image File Execution Options\' + - '\GlobalFlag' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\ReportingMode' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\MonitorProcess' + condition: selection_reg1 and selection_reg2 tags: - attack.privilege_escalation - attack.persistence From 9967bd1fe5f82fb053c55cc2f2a156a2015967c8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:51:01 -0300 Subject: [PATCH 1088/1335] Update sysmon_apt_oceanlotus_registry.yml --- .../sysmon_apt_oceanlotus_registry.yml | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) 
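Review bot: `modified: 2020/09/06` two lines above the hunk is left untouched although the detection logic and author line change here; bump it to `modified: 2020/11/20` as the later cmd_http_appdata commit does, so consumers that diff rule versions see the change. The `selection_reg2` maps can also keep the old value-name precision while staying order-independent, since distinct keys in one map are AND-ed: `TargetObject|contains: '\Image File Execution Options\'` together with `TargetObject|endswith: '\GlobalFlag'` (and likewise for `\ReportingMode` / `\MonitorProcess`). As written, `'\GlobalFlag'` under `contains` also matches any longer value name that merely contains that substring.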
diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml index 916d4773d..82f154b27 100755 --- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -7,7 +7,7 @@ references: tags: - attack.defense_evasion - attack.t1112 -author: megan201296 +author: megan201296, Jonhnathan Ribeiro date: 2019/04/14 modified: 2020/09/06 logsource: 
@@ -17,20 +17,25 @@ detection: selection: TargetObject: - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + TargetObject|endswith: # covers HKU\* and HKLM.. - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' + - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' + - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' + - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' + - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' + - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' + - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' + selection2: + TargetObject|startswith: + - 'HKU\' + TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*' + - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\ - - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*' + - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\' # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*' + - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' + - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' condition: selection falsepositives: - Unknown From 6f3daad053a8f3bad9360f21809e0c79fc67026f Mon Sep 17 00:00:00 2001 
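Review bot: In the rewritten `selection`, the exact-value `TargetObject:` list (the `HKCR\CLSID\{E08A0F4B-…}\Model` entry) and the new `TargetObject|endswith:` list sit in the same map, and Sigma AND-s distinct keys within a map — a value equal to the Model path cannot also end with `\SOFTWARE\App\AppX…\Application`, so `selection` can never match and both the HKCR Model key and all six AppX entries are dead. Move the exact value into its own selection, e.g. `selection_model:` / `TargetObject: 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'`, leave `selection` with only the `endswith` list, and use `condition: 1 of selection*`. The follow-up commit's `condition: selection or selection2` keeps `selection2` alive but does not repair this.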
From: Jonhnathan Date: Fri, 20 Nov 2020 01:51:53 -0300 Subject: [PATCH 1089/1335] Update sysmon_apt_oceanlotus_registry.yml --- rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml index 82f154b27..243d2d7ec 100755 --- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -36,7 +36,7 @@ detection: # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - condition: selection + condition: selection or selection2 falsepositives: - Unknown level: critical From d595df2879bb3df3a2140628af9508820fadc669 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:53:15 -0300 Subject: [PATCH 1090/1335] Fix --- rules/windows/registry_event/sysmon_cmstp_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml index d1989a112..0f66d173e 100755 --- a/rules/windows/registry_event/sysmon_cmstp_execution.yml +++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml @@ -29,11 +29,11 @@ logsource: detection: # Registry Object Add selection2: - TargetObject|endswith: '\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' EventType: 'CreateKey' # Registry Object Value Set selection3: - TargetObject|endswith: '\cmmgr32.exe*' + TargetObject|contains: '\cmmgr32.exe' # Process Access Call Trace selection4: CallTrace|contains: 'cmlua.dll' From e35b09e1a6675c8c35d4fe9a6a1931d2939e5af2 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 20 Nov 2020 01:55:48 -0300 Subject: [PATCH 1091/1335] Remove out of context falsepositive --- rules/windows/registry_event/sysmon_hack_wce_reg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml index 647282408..88b35f834 100755 --- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml @@ -19,5 +19,5 @@ detection: TargetObject|contains: Services\WCESERVICE\Start condition: selection falsepositives: - - 'Another service that uses a single -s command line switch' -level: critical \ No newline at end of file + - Unknown +level: critical From acff5ef4f9790810d393d1165cbfc523e01567dc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 01:57:34 -0300 Subject: [PATCH 1092/1335] Update sysmon_registry_persistence_key_linking.yml --- .../sysmon_registry_persistence_key_linking.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml index 2e2abe6be..aaee6929b 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml @@ -16,7 +16,10 @@ logsource: detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs' + TargetObject|contains|all: + - 'HKU\' + - '_Classes\CLSID\' + - '\TreatAs' condition: selection falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compability From 1e640b50f966b6486e6ff668bd9057638637af4a Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 20 Nov 2020 01:58:20 -0300 Subject: [PATCH 1093/1335] Remove additional backlash --- .../sysmon_registry_persistence_search_order.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 8d1ff7ad2..ae431d0e2 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -19,8 +19,8 @@ detection: TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' filter: Details|contains: # Exclude privileged directories and observed FPs - - '%%systemroot%%\system32\\' - - '%%systemroot%%\SysWow64\\' + - '%%systemroot%%\system32\' + - '%%systemroot%%\SysWow64\' - '\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' - '\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' - '\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' From 6c88dd700ef95f8d61de91489a6b1f874a735196 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:00:53 -0300 Subject: [PATCH 1094/1335] Update sysmon_stickykey_like_backdoor.yml --- .../sysmon_stickykey_like_backdoor.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 85fef1834..5f406210d 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -12,7 +12,7 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 -author: Florian Roth, @twjackomo +author: Florian Roth, @twjackomo, Jonhnathan Ribeiro date: 2018/03/15 modified: 2020/09/06 falsepositives: 
@@ -41,11 +41,13 @@ detection: selection_process: ParentImage|endswith: - '\winlogon.exe' + CommandLine|contains|all: + - 'cmd.exe' CommandLine|contains: - - 'cmd.exe sethc.exe ' - - 'cmd.exe utilman.exe ' - - 'cmd.exe osk.exe ' - - 'cmd.exe Magnify.exe ' - - 'cmd.exe Narrator.exe ' - - 'cmd.exe DisplaySwitch.exe ' + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'Magnify.exe' + - 'Narrator.exe' + - 'DisplaySwitch.exe' condition: 1 of them From 9e3a61295367005bfb4b8c327be6edfaabfd231c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:01:43 -0300 Subject: [PATCH 1095/1335] Remove additional backlash --- .../registry_event/sysmon_susp_download_run_key.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml index 06e473525..9d55cf0a7 100755 --- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml +++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml @@ -17,10 +17,10 @@ logsource: detection: selection: Image|contains: - - '\Downloads\\' - - '\Temporary Internet Files\Content.Outlook\\' - - '\Local Settings\Temporary Internet Files\\' - TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' condition: selection falsepositives: - Software installers downloaded and used by users From 493fa3d5ee4116a3c017bd08741d8318ec409fd6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:02:26 -0300 Subject: [PATCH 1096/1335] Update sysmon_susp_mic_cam_access.yml --- .../windows/registry_event/sysmon_susp_mic_cam_access.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
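Review bot: `CommandLine|contains|all:` with the single value `'cmd.exe'` is just `CommandLine|contains: 'cmd.exe'`; `|all` only changes meaning for a list, so drop it rather than suggest a conjunction that is not there. Splitting `'cmd.exe sethc.exe '` into two independent substrings also means any winlogon child whose command line mentions both `cmd.exe` and, say, `osk.exe` anywhere now matches, not only the debugger-style `cmd.exe <accessibility binary>` form; under winlogon.exe that is still anomalous, but a one-line `# tokens may appear in any order` would make the loosening explicit. `selection_registry` and the start of `detection:` lie outside this hunk.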
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml index 66d0e60a1..8d9c31d21 100644 --- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml +++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml @@ -14,8 +14,9 @@ logsource: product: windows detection: selection_1: - TargetObject|contains: - - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged + TargetObject|contains|all: + - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\' + - '\NonPackaged' selection_2: TargetObject|contains: - microphone @@ -31,4 +32,4 @@ detection: condition: all of selection_* falsepositives: - Unlikely, there could be conferencing software running from a Temp folder accessing the devices -level: high \ No newline at end of file +level: high From 2ba146be074a81f4a16eb94e155fedfb86b647ac Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:03:06 -0300 Subject: [PATCH 1097/1335] Remove additional backlash --- .../sysmon_susp_reg_persist_explorer_run.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index e65cd25c1..0ecd0dfe1 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml 
@@ -12,15 +12,15 @@ logsource: product: windows detection: selection: - TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' Details|startswith: - - 'C:\Windows\Temp\\' - - 'C:\ProgramData\\' - - '*\AppData\\' - - 'C:\$Recycle.bin\\' - - 'C:\Temp\\' - - 'C:\Users\Public\\' - - 'C:\Users\Default\\' + - 'C:\Windows\Temp\' + - 'C:\ProgramData\' + - '*\AppData\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' condition: selection tags: - attack.persistence From ebb4580378bcb615aa3f74f13625a4693ca99c9e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:04:28 -0300 Subject: [PATCH 1098/1335] Remove additional backlash --- rules/windows/sysmon/sysmon_cactustorch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml index 087ba323a..45ab4e3a0 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/sysmon/sysmon_cactustorch.yml @@ -20,7 +20,7 @@ detection: - '\System32\mshta.exe' - '\winword.exe' - '\excel.exe' - TargetImage|contains: '\SysWOW64\\' + TargetImage|contains: '\SysWOW64\' StartModule: null condition: selection tags: From 0606cd3dde6c5552e258408972a073fc4936ce38 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:10:27 -0300 Subject: [PATCH 1099/1335] Update detection Logic --- .../sysmon/sysmon_wmi_susp_scripting.yml | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml index 9e75dea5b..cf33afa51 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml 
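Review bot: `'*\AppData\'` under `Details|startswith` is self-contradicting — the leading wildcard turns that one entry into a contains-match while its siblings stay anchored, and some backends reject or mis-translate an explicit `*` at the start of a `startswith` value. Since `Details|contains` cannot be added to the same map without AND-ing it with the `startswith` list, put it in a second selection that repeats the `TargetObject|endswith` key and uses `Details|contains: '\AppData\'`, then switch to `condition: 1 of selection*`. The remaining entries are plain drive-anchored paths and read correctly now.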
@@ -2,7 +2,7 @@ title: Suspicious Scripting in a WMI Consumer id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 status: experimental description: Detects suspicious scripting in WMI Event Consumers -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19 @@ -17,18 +17,23 @@ logsource: detection: selection: EventID: 20 - Destination|contains: - - 'new-object system.net.webclient).downloadstring(' - - 'new-object system.net.webclient).downloadfile(' - - 'new-object net.webclient).downloadstring(' - - 'new-object net.webclient).downloadfile(' - - ' iex(' - - 'WScript.shell' - - ' -nop ' - - ' -noprofile ' - - ' -decode ' - - ' -enc ' - condition: selection + selection_destination: + - Destination|contains|all: + - 'new-object' + - 'net.webclient' + - '.downloadstring' + - Destination|contains|all: + - 'new-object' + - 'net.webclient' + - '.downloadfile' + - Destination|contains: + - ' iex(' + - 'WScript.shell' + - ' -nop ' + - ' -noprofile ' + - ' -decode ' + - ' -enc ' + condition: selection and selection_destination fields: - CommandLine - ParentCommandLine From d5cb4246c2323fea75efa171825a7deaf410eac0 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:16:51 -0300 Subject: [PATCH 1100/1335] Remove additional backlash --- rules/windows/process_creation/win_shell_spawn_susp_program.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 3dffe6894..0463c67c6 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml 
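Review bot: The rebuilt `selection_destination` still keys on the full `' -enc '` / `' -nop '` spellings and on `' iex('` with a leading space, so a consumer script that uses PowerShell's accepted prefixes (`-e`, `-ec`, `-en`) or writes `iex (` / `|iex(` slips past the third map. Consider adding `' -e '`, `' -ec '` and `'iex('` to that list — each widens the net, so check the false-positive rate first. Splitting the webclient strings into `new-object` / `net.webclient` / `.downloadstring` is a sensible generalisation; a short `# tokens may be separated by arbitrary text` would document it.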
@@ -34,7 +34,7 @@ detection: - '\bitsadmin.exe' - '\mshta.exe' falsepositives: - CurrentDirectory|contains: '\ccmcache\\' + CurrentDirectory|contains: '\ccmcache\' condition: selection and not falsepositives fields: - CommandLine From 8af17dda5bc3c90339111f4626e22100914c2efd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:17:31 -0300 Subject: [PATCH 1101/1335] Update win_spn_enum.yml --- rules/windows/process_creation/win_spn_enum.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index cc6df2742..c71eae33f 100644 --- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml @@ -17,7 +17,9 @@ detection: selection_image: Image|endswith: '\setspn.exe' selection_desc: - Description|contains: 'Query or reset the computer* SPN attribute' + Description|contains|all: + - 'Query or reset the computer' + - 'SPN attribute' cmd: CommandLine|contains: '-q' condition: (selection_image or selection_desc) and cmd From 23edcc6dc6acea8916a2330ee455dbd343128dd6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:21:55 -0300 Subject: [PATCH 1102/1335] Update win_susp_certutil_command.yml --- .../process_creation/win_susp_certutil_command.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 8caee6d26..c830f1a6f 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -30,11 +30,15 @@ detection: - ' /verifyctl ' - ' -encode ' - ' /encode ' - - 'certutil* -URL' - - 'certutil* /URL' - - 'certutil* -ping' - - 'certutil* /ping' - condition: selection + certutil: + CommandLine|contains|all: + - 'certutil' + CommandLine|contains: + - '-URL' + - '/URL' + - '-ping' + - '/ping' + condition: selection or certutil fields: - CommandLine - ParentCommandLine From c31c0d981afa757be195767fcef5a4f741f452ef Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:23:18 -0300 Subject: [PATCH 1103/1335] Update detection logic --- .../process_creation/win_susp_certutil_encode.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml index 836879821..24becd7cd 100644 --- a/rules/windows/process_creation/win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/win_susp_certutil_encode.yml @@ -5,7 +5,7 @@ description: Detects suspicious a certutil command that used to encode files, wh references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro date: 2019/02/24 modified: 2020/09/05 tags: @@ -16,11 +16,10 @@ logsource: product: windows detection: selection: - CommandLine|startswith: - - certutil -f -encode - - certutil.exe -f -encode - - certutil -encode -f - - certutil.exe -encode -f + CommandLine|contains|all: + - 'certutil' + - '-f' + - '-encode' condition: selection falsepositives: - unknown From b274be8d4ec619b6cb828808838ebda0c3f7275b Mon Sep 17 00:00:00 2001 
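Review bot: The new `certutil` selection matches `'-URL'` / `'/URL'` as bare substrings, so with Sigma's case-insensitive matching it also fires on `-urlcache` / `/urlcache` and on any argument containing `-url`, which presumably overlaps with what `selection` already lists above this hunk — confirm that is intended, and if the old end-anchored `certutil* -URL` form was deliberately narrow, use `' -URL '` / `' /URL '` with surrounding spaces like the ` -encode ` entries. `CommandLine|contains|all:` with the single value `'certutil'` is equivalent to plain `contains`; drop the `|all`. The `selection` block starts before this hunk.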
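Review bot: `'-f'` in the new `contains|all` list is a two-character substring, so any certutil invocation containing `-encode` plus a switch or path with `-f` in it (`-fileinfo`, `C:\my-files\`) satisfies the rule, while the `/f` / `/encode` switch spelling certutil also accepts is not covered at all. Use delimited tokens — `' -f '` and `' -encode '`, and a sibling map for `' /f '` and `' /encode '` — which keeps the all-of logic but removes the substring collisions. `modified: 2020/09/05` is unchanged although the logic and author changed; bump it.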
From: Jonhnathan Date: Fri, 20 Nov 2020 02:25:32 -0300 Subject: [PATCH 1104/1335] Update detection Logic --- .../process_creation/win_susp_cmd_http_appdata.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml index ddbf7dd1a..8a19f10b5 100644 --- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml @@ -5,9 +5,9 @@ description: Detects a suspicious command line execution that includes an URL an references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro date: 2019/01/16 -modified: 2020/09/05 +modified: 2020/11/20 tags: - attack.execution - attack.t1059.003 @@ -19,9 +19,11 @@ logsource: product: windows detection: selection: - CommandLine: - - cmd.exe /c *http://*%AppData% - - cmd.exe /c *https://*%AppData% + CommandLine|contains|all: + - 'cmd.exe' + - '/c ' + - 'http' #Will capture both http and https + - '://*%AppData%' condition: selection fields: - CommandLine From 32ed588adbdfeb656e8a33c1b016a210a59d72ce Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:27:58 -0300 Subject: [PATCH 1105/1335] Update detection Logic --- .../win_susp_codepage_switch.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml index 6b68d66dc..bf33cd53e 100644 --- a/rules/windows/process_creation/win_susp_codepage_switch.yml +++ b/rules/windows/process_creation/win_susp_codepage_switch.yml 
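Review bot: `'://*%AppData%'` embeds a `*` wildcard inside a `contains|all` value; Sigma permits it, but backends differ in how they escape `%` and inner wildcards (LIKE-style translations in particular), and the `'http'` entry above it is already implied by `://` for the http/https cases the comment describes. Splitting the value into two plain tokens, `- '://'` and `- '%AppData%'`, gives the same all-of semantics without relying on wildcard handling. Note the old exact-match form required `%AppData%` at the very end of the command line; the new form matches it anywhere, which is broader and worth a comment.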
@@ -2,7 +2,7 @@ title: Suspicious Code Page Switch id: c7942406-33dd-4377-a564-0f62db0593a3 status: experimental description: Detects a code page switch in command line or batch scripts to a rare language -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro date: 2019/10/14 references: - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers @@ -12,13 +12,15 @@ logsource: product: windows detection: selection: - CommandLine: - - 'chcp* 936' # Chinese - # - 'chcp* 1256' # Arabic - - 'chcp* 1258' # Vietnamese - # - 'chcp* 855' # Russian - # - 'chcp* 866' # Russian - # - 'chcp* 864' # Arabic + CommandLine|contains|all: + - 'chcp' + CommandLine|endswith: + - ' 936' # Chinese + # - ' 1256' # Arabic + - ' 1258' # Vietnamese + # - ' 855' # Russian + # - ' 866' # Russian + # - ' 864' # Arabic condition: selection fields: - ParentCommandLine From 5d7131bbf26b10d30a4142c9b2055738e456c65c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:29:41 -0300 Subject: [PATCH 1106/1335] Update win_susp_compression_params.yml --- rules/windows/process_creation/win_susp_compression_params.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index 931c16654..32655a9b0 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml @@ -30,7 +30,7 @@ detection: - ' -dw' - ' -hp' falsepositive: - ParentImage: 'C:\Program*' + ParentImage|startswith: 'C:\Program' condition: selection and not falsepositive falsepositives: - unknown From ec1944e2d7c2444bf2dc2c2fe6c7f7ac5c12e317 Mon Sep 17 00:00:00 2001 
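Review bot: `CommandLine|endswith: ' 936'` only fires when the code page is the final token, so the usual batch forms `chcp 936 && <payload>` or `chcp 936 > nul` are missed, and `contains|all` with the lone value `'chcp'` is just `contains`. A single list such as `CommandLine|contains:` / `- 'chcp 936'` / `- 'chcp 1258'` covers the chained forms and drops the redundant modifier. The old `chcp* 936` value was equally end-anchored, so this is a pre-existing gap the rewrite could close; add a `modified:` line as well, since the logic changed.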
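Review bot: `ParentImage|startswith: 'C:\Program'` whitelists more than Program Files — it also matches `C:\ProgramData\`, a user-writable directory that malware routinely stages from — so an archiver run with the flagged `-hp` / `-dw` switches under a ProgramData parent is filtered out as a false positive. Narrow the exclusion to the real install roots with a list under `ParentImage|startswith`: `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`. The old `'C:\Program*'` had the same over-reach, so this is pre-existing rather than a regression.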
From: Jonhnathan Date: Fri, 20 Nov 2020 02:31:26 -0300 Subject: [PATCH 1107/1335] Update win_susp_copy_system32.yml --- rules/windows/process_creation/win_susp_copy_system32.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml index 48de314d0..5a3535453 100644 --- a/rules/windows/process_creation/win_susp_copy_system32.yml +++ b/rules/windows/process_creation/win_susp_copy_system32.yml @@ -16,8 +16,10 @@ tags: detection: selection: CommandLine|contains: - - ' /c copy *\System32\' - - 'xcopy*\System32\' + - ' /c copy' + - 'xcopy' + CommandLine|contains|all: + - '\System32\' condition: selection fields: - CommandLine From 31e0cfb13fa5775adca9b7f1d532bb6003ca41c9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 20 Nov 2020 02:36:20 -0300 Subject: [PATCH 1108/1335] Update win_susp_covenant.yml --- .../process_creation/win_susp_covenant.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml index d2440ff5c..0c323f1e7 100644 --- a/rules/windows/process_creation/win_susp_covenant.yml +++ b/rules/windows/process_creation/win_susp_covenant.yml @@ -4,7 +4,7 @@ description: Detects suspicious command lines used in Covenant luanchers status: experimental references: - https://posts.specterops.io/covenant-v0-5-eee0507b85ba -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2020/06/04 tags: - attack.execution 
@@ -17,12 +17,19 @@ logsource: product: windows detection: selection: + CommandLine|contains|all: + - '-Sta' + - '-Nop' + - '-Window' + - 'Hidden' + CommandLine|contains: + - '-Command' + - '-EncodedCommand' + selection2: CommandLine|contains: - - ' -Sta -Nop -Window Hidden -Command ' - - ' -Sta -Nop -Window Hidden -EncodedCommand ' - 'sv o (New-Object IO.MemorySteam);sv d ' - 'mshta file.hta' - 'GruntHTTP' - '-EncodedCommand cwB2ACAAbwAgA' - condition: selection + condition: selection or selection2 level: high From cfcda8d25fd191efa28d611f94d7a45829e81786 Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Fri, 20 Nov 2020 09:29:09 +0100 Subject: [PATCH 1109/1335] Trigger new test execution --- rules/linux/lnx_security_tools_disabling.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 72643ae36..8f812b387 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -87,7 +87,7 @@ detection: logsource: product: linux service: syslog -detection: +detection: keywords: - '*stopping iptables*' - '*stopping ip6tables*' From 000c038edeaf3bd74b8fdfce4add774d5e98263d Mon Sep 17 00:00:00 2001 From: Alejandro Ortuno Date: Fri, 20 Nov 2020 09:30:43 +0100 Subject: [PATCH 1110/1335] Retrigger tests --- rules/linux/macos_remote_system_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index daf24f52e..6ec947914 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -40,7 +40,7 @@ detection: - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 condition: 1 of them -falsepositives: +falsepositives: - Legitimate administration activities level: low tags: From 84dc11ca98e8fe904050b491b66ddfb328298378 Mon Sep 17 00:00:00 2001 
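Review bot: Once `-Sta`/`-Nop`/`-Window`/`Hidden` are independent `contains|all` tokens, `-Window` is also a substring of `-WindowStyle`, so `selection` now matches the generic `-sta -nop -windowstyle hidden -enc` launcher used by Empire, Cobalt Strike and most PowerShell stagers. That is useful coverage, but the rule is no longer Covenant-specific while keeping `level: high` and a Covenant title; either document the broadening in `description` or move the generic launcher pattern into its own rule and keep only `selection2` here. PowerShell also accepts abbreviated parameters (`-w hidden`, `-ec`, `-e`), which this selection still misses.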
From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1111/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 78d201ad1580c1c23196581ca25473b36a37b58b Mon Sep 17 00:00:00 2001 From: Tim I Date: Tue, 24 Nov 2020 23:06:21 +0300 Subject: [PATCH 1112/1335] Fix value modifier and add a slash --- rules/linux/macos_creds_from_keychain.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml index 053aca927..3709f3f60 100644 --- a/rules/linux/macos_creds_from_keychain.yml +++ b/rules/linux/macos_creds_from_keychain.yml @@ -1,7 +1,7 @@ title: Credentials from Password Stores - Keychain id: b120b587-a4c2-4b94-875d-99c9807d6955 status: experimental -description: Detects passwords' dumps from Keychain +description: Detects passwords dumps from Keychain author: Tim Ismilyaev, oscd.community date: 2020/10/19 references: 
@@ -11,7 +11,7 @@ logsource: product: macos detection: any_keychain_call: - ProcessName|startswith: 'security' + ProcessName|endswith: '/security' condition: any_keychain_call falsepositives: - Legitimate administration activities From 48f16a0ca8c9e581316d8ab2ca17543d2b05345c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 22:39:49 -0300 Subject: [PATCH 1113/1335] Update win_susp_net_recon_activity.yml --- rules/windows/builtin/win_susp_net_recon_activity.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index c73d5b2ed..cb5aa7a89 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -18,10 +18,16 @@ logsource: product: windows service: security definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems +logsource: + product: windows + service: security + definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: selection: - - EventID: 4661 - ObjectType: 'SAM_USER' + EventID: 4661 + ObjectType: + - 'SAM_USER' + - 'SAM_GROUP' ObjectName|startswith: 'S-1-5-21-' AccessMask: '0x2d' selection2: From 784cab1dfefca77998999b9b1db27b205020be7b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 22:46:17 -0300 Subject: [PATCH 1114/1335] Fix missing logic and Field --- .../powershell_clear_powershell_history.yml | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) 
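Review bot: The hunk inserts a second, identical `logsource:` block (`product`, `service`, `definition`) directly below the existing one, producing a duplicate top-level mapping key; yamllint and strict loaders reject it and PyYAML silently keeps the last occurrence, so the four added `logsource` lines should be removed. The detection change itself (adding `SAM_GROUP` next to `SAM_USER` under the same `AccessMask: '0x2d'` and `S-1-5-21-` prefix) looks consistent with the surrounding selection.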
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index 1893c763a..79828fc2d 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -14,17 +14,20 @@ logsource: product: windows service: powershell detection: - command: - - 'del' - - 'Set-PSReadlineOption' - - 'Remove-Item' - - 'rm' - selection_1: - - '(Get-PSReadlineOption).HistorySavePath' - selection_2: + selection1: + Message|contains: + - 'del' + - 'Set-PSReadlineOption' + - 'Remove-Item' + - 'rm' + selection2: + Message|contains: + - '(Get-PSReadlineOption).HistorySavePath' + selection3: + Message|contains: - '–HistorySaveStyle' - 'SaveNothing' - condition: command and (selection_1 or selection_2) + condition: selection1 and (selection2 or selection3) falsepositives: - some PS-scripts level: medium From f61317b2f9efdb74511e4517c41f8d6ee03684a7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 22:50:48 -0300 Subject: [PATCH 1115/1335] Update sysmon_in_memory_assembly_execution.yml --- .../process_access/sysmon_in_memory_assembly_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index dbf969a17..772f60786 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -27,9 +27,9 @@ detection: - '|C:\\Windows\\System32\\KERNELBASE.dll+' - '|UNKNOWN(*)' - CallTrace|endswith: - - "UNKNOWN(*)|UNKNOWN(*)" + - 'UNKNOWN(*)|UNKNOWN(*)' selection2: - CallTrace: "*UNKNOWN*" + CallTrace|contains: 'UNKNOWN' granted_access: GrantedAccess: - "0x1F0FFF" From d57d7c1e5b58eb7e520f50ba140bed4b7cfa6607 Mon Sep 17 00:00:00 2001 
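Review bot: `'–HistorySaveStyle'` in `selection3` begins with an en dash (U+2013), not an ASCII hyphen, so it can never match the real `-HistorySaveStyle` parameter and the selection is currently carried by `'SaveNothing'` alone; replace it with `- '-HistorySaveStyle'`. Separately, `Message|contains: 'rm'` and `'del'` in `selection1` are substrings of many ordinary words, so the AND with `selection2`/`selection3` is doing all the filtering — consider `' rm '`/`'del '` or the cmdlet names to keep `selection1` meaningful on its own.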
From: Jonhnathan Date: Thu, 26 Nov 2020 22:59:35 -0300 Subject: [PATCH 1116/1335] Remove Additional backslash --- rules/windows/process_creation/win_apt_bear_activity_gtr19.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index 965a89fcb..248e3d652 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -30,7 +30,7 @@ detection: CommandLine|contains|all: - '-snapshot' - '""' - - 'c:\users\\' + - 'c:\users\' condition: selection1 or selection2 falsepositives: - unknown From a113c0f3b4861dd5388d4967bc987eb0fffd124d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:00:05 -0300 Subject: [PATCH 1117/1335] Remove Additional backslash --- rules/windows/process_creation/win_apt_bluemashroom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index 27a9f18be..375c537cd 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml @@ -16,7 +16,7 @@ logsource: detection: selection: CommandLine|contains: - - '\regsvr32*\AppData\Local\\' + - '\regsvr32*\AppData\Local\' - '\AppData\Local\\*,DllEntry' condition: selection falsepositives: From 707fbe048eab23e6b3359331df9b03dbba42d489 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:05:08 -0300 Subject: [PATCH 1118/1335] Update win_apt_evilnum_jul20.yml --- rules/windows/process_creation/win_apt_evilnum_jul20.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml index da8c4c04f..df63be5a5 100644 
--- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml @@ -19,7 +19,8 @@ detection: selection: CommandLine|contains|all: - 'regsvr32' - - ' /s /i ' + - '/s' + - '/i' - '\AppData\Roaming\' - '.ocx' condition: selection From d0b66947677e730c5c16c4d36e9d53b2d994192f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:05:44 -0300 Subject: [PATCH 1119/1335] Update win_apt_greenbug_may20.yml --- rules/windows/process_creation/win_apt_greenbug_may20.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index f56288f7f..ffae03271 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml @@ -23,7 +23,8 @@ logsource: detection: selection1: CommandLine|contains|all: - - 'bitsadmin /transfer' + - 'bitsadmin' + - '/transfer' - 'CSIDL_APPDATA' selection2: CommandLine|contains: From fda266adb6bcf99197a9b3f5703e2f4ad2221b23 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:12:26 -0300 Subject: [PATCH 1120/1335] Update win_apt_hurricane_panda.yml --- .../windows/process_creation/win_apt_hurricane_panda.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml index e613c5909..8f7f0eedd 100755 --- a/rules/windows/process_creation/win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml @@ -15,9 +15,12 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - ' localgroup administrators admin /add' - - '\Win64.exe' + - CommandLine|contains|all: + - 'localgroup' + - 'admin' + - '/add' + - CommandLine|contains: + - '\Win64.exe' condition: selection falsepositives: - Unknown 
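Review bot: In `selection`, `'admin'` is a substring of `administrators`, so the `contains|all` over `localgroup`/`admin`/`/add` is satisfied by any `net localgroup administrators <user> /add`; the old pattern required the literal account name `admin`. This turns an APT-specific rule into a generic local-admin-addition detector without changing title or `falsepositives`. If the indicator is the account name, use `' admin '` or `'administrators admin'`; otherwise retitle the rule and note that administrators legitimately add local admins.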
From bce74198ab21800f37d75c30fcf37cb88db508f9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:14:24 -0300 Subject: [PATCH 1121/1335] Remove Additional backslash --- .../process_creation/win_apt_judgement_panda_gtr19.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index 8cd9b5113..c84d9bc82 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -27,8 +27,8 @@ detection: - '\aaaa\procdump64.exe' - '\aaaa\netsess.exe' - '\aaaa\7za.exe' - - 'copy .\1.7z \\' - - 'copy \\client\c$\aaaa\\' + - 'copy .\1.7z \' + - 'copy \\client\c$\aaaa\' selection2: Image: C:\Users\Public\7za.exe condition: selection1 or selection2 From 127607c5e79d6f2e03240e7e78fe427ce6059ea5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:14:51 -0300 Subject: [PATCH 1122/1335] Remove Additional backslash --- .../process_creation/win_apt_lazarus_session_highjack.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index 8e8cad6e9..b7bcf0de3 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -20,8 +20,8 @@ detection: - '\gpvc.exe' filter: Image|startswith: - - 'C:\Windows\System32\\' - - 'C:\Windows\SysWOW64\\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' condition: selection and not filter falsepositives: - unknown From f2dd516b7c784f5d1b975020913e626e244ec279 Mon Sep 17 00:00:00 2001 
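Review bot: Per the Sigma escaping rules, a double backslash not followed by a wildcard denotes a single plain backslash, so `'copy \\client\c$\aaaa\'` is interpreted as `copy \client\c$\aaaa\` and will not match the UNC form `copy \\client\c$\aaaa\` that the indicator implies; two literal backslashes need four in the rule (`'copy \\\\client\c$\aaaa\'`), which is how the impacket rule in this repository writes `\\\\127.0.0.1\`. The trailing-backslash change is harmless under the same rules. Worth checking the generated query for one backend before merging.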
From: Jonhnathan Date: Thu, 26 Nov 2020 23:16:03 -0300 Subject: [PATCH 1123/1335] Fix logic --- .../process_creation/win_apt_mustangpanda.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index e99b23f35..614745109 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -2,7 +2,7 @@ title: Mustang Panda Dropper id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00 status: experimental description: Detects specific process parameters as used by Mustang Panda droppers -author: Florian Roth +author: Florian Roth, oscd.community date: 2019/10/30 references: - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ @@ -13,15 +13,18 @@ logsource: product: windows detection: selection1: - CommandLine|contains: + - CommandLine|contains: - 'Temp\wtask.exe /create' - '%windir:~-3,1%%PUBLIC:~-9,1%' - '/tn "Security Script ' - '%windir:~-1,1%' - - '/E:vbscript * C:\Users\\*.txt" /F' + - CommandLine|contains|all: + - '/E:vbscript' + - 'C:\Users\' + - '.txt' + - '/F' selection2: - Image|endswith: - - 'Temp\winwsh.exe' + Image|endswith: 'Temp\winwsh.exe' condition: 1 of them fields: - CommandLine From 77bae30bef54e7511aff240031ab51e2036c8910 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:18:32 -0300 Subject: [PATCH 1124/1335] Update win_apt_slingshot.yml --- rules/windows/process_creation/win_apt_slingshot.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 63303b507..90bcb4c4b 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml 
@@ -21,8 +21,10 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'schtasks* /delete *Defrag\ScheduledDefrag' + ProcessName|endswith: '\schtasks.exe' + CommandLine|contains|all: + - '/delete' + - 'Defrag\ScheduledDefrag' --- logsource: product: windows From b234d577d65646fa6edb05998ae9b43cf89498ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:21:53 -0300 Subject: [PATCH 1125/1335] Update win_apt_sofacy.yml --- rules/windows/process_creation/win_apt_sofacy.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml index 6daeed46b..c7f4ebce8 100755 --- a/rules/windows/process_creation/win_apt_sofacy.yml +++ b/rules/windows/process_creation/win_apt_sofacy.yml @@ -1,6 +1,6 @@ title: Sofacy Trojan Loader Activity id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 -author: Florian Roth +author: Florian Roth, oscd.community status: experimental date: 2018/03/01 modified: 2020/08/27 @@ -23,9 +23,11 @@ logsource: product: windows detection: selection: - CommandLine: - - 'rundll32.exe %APPDATA%\\*.dat",*' - - 'rundll32.exe %APPDATA%\\*.dll",#1' + CommandLine|contains|all: + - 'rundll32.exe' + CommandLine|contains: + - '%APPDATA%\\*.dat",' + - '%APPDATA%\\*.dll",#1' condition: selection falsepositives: - Unknown From df93846117e4daf4b5550aff4214fd04c86d1b04 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:26:18 -0300 Subject: [PATCH 1126/1335] Update win_apt_unidentified_nov_18.yml --- rules/windows/process_creation/win_apt_unidentified_nov_18.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index 31c15cc9d..e238b8785 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml 
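Review bot: `ProcessName` is not a field of the generic `process_creation` log source, whose rules in this repository key on `Image`/`CommandLine`/`ParentImage`; unless a config maps it, the selection references an unmatched field and the rule silently stops firing. Use `Image|endswith: '\schtasks.exe'`. The `/delete` and `Defrag\ScheduledDefrag` tokens under `contains|all` are fine.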
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml @@ -22,7 +22,8 @@ logsource: product: windows detection: selection1: - CommandLine|endswith: 'cyzfc.dat, PointFunctionCall' + CommandLine|contains: 'cyzfc.dat,' + CommandLine|endswith: 'PointFunctionCall' --- # Sysmon: File Creation (ID 11) logsource: From 89a4aa84bf7c6b940b0670627a50cab20b417714 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:29:10 -0300 Subject: [PATCH 1127/1335] Update win_apt_winnti_pipemon.yml --- .../process_creation/win_apt_winnti_pipemon.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index 20e369df9..fb055f88e 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -9,7 +9,7 @@ tags: - attack.t1574.002 - attack.t1073 # an old one - attack.g0044 -author: Florian Roth +author: Florian Roth, oscd.community date: 2020/07/30 logsource: category: process_creation @@ -19,10 +19,12 @@ detection: CommandLine|contains: - 'setup0.exe -p' selection2: - CommandLine|endswith: - - 'setup.exe -x:0' - - 'setup.exe -x:1' - - 'setup.exe -x:2' + CommandLine|contains|all: + - 'setup.exe' + CommandLine|endswith: + - '-x:0' + - '-x:1' + - '-x:2' condition: 1 of them falsepositives: - Legitimate setups that use similar flags From d5803b89ef3c6e0430ee91c6a37b49e9bde3b936 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:31:10 -0300 Subject: [PATCH 1128/1335] Update win_apt_zxshell.yml --- rules/windows/process_creation/win_apt_zxshell.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index 527ad2067..4bd1603ba 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml 
+++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -1,7 +1,7 @@ title: ZxShell Malware id: f0b70adb-0075-43b0-9745-e82a1c608fcc description: Detects a ZxShell start by the called and well-known function name -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2017/07/20 modified: 2020/08/26 references: @@ -20,13 +20,12 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains|all: - 'rundll32.exe' - selection2: CommandLine|contains: - 'zxFunction' - 'RemoteDiskXXXXX' - condition: selection and selection2 + condition: selection fields: - CommandLine - ParentCommandLine From a40308263127b7e40f0c10ba2dbd65d39f85ea23 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 26 Nov 2020 23:33:00 -0300 Subject: [PATCH 1129/1335] Update win_bypass_squiblytwo.yml --- rules/windows/process_creation/win_bypass_squiblytwo.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 6cc7c95cd..a5422e5f6 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -24,8 +24,8 @@ logsource: product: windows detection: selection1: - Image: - - '*\wmic.exe' + Image|endswith: + - '\wmic.exe' CommandLine|contains|all: - wmic - format From e58333f80837be3c22dc337122d774f76a88585b Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:13:45 -0300 Subject: [PATCH 1130/1335] Update win_commandline_path_traversal.yml --- .../process_creation/win_commandline_path_traversal.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml index 5a42c7f50..589a2a18d 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal.yml 
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml @@ -16,9 +16,11 @@ logsource: product: windows detection: selection: - ParentCommandLine|contains: 'cmd*/c' + ParentCommandLine|contains|all: + - 'cmd' + - '/c' CommandLine|contains: '/../../' condition: selection falsepositives: - (not much) some benign Java tools may product false-positive commandlines for loading libraries -level: high \ No newline at end of file +level: high From bde2b95cdc19b986a6e100d3e3693824a58b0614 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:14:34 -0300 Subject: [PATCH 1131/1335] Remove Additional backslash --- rules/windows/process_creation/win_control_panel_item.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index 02f827c26..8045adc4c 100644 --- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml @@ -24,7 +24,7 @@ detection: CommandLine|endswith: '.cpl' filter: CommandLine|contains: - - '\System32\\' + - '\System32\' - '%System%' selection2: CommandLine|contains: From 3f9edf19a93d9f789157eddb40f700d7c7236dc6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:15:12 -0300 Subject: [PATCH 1132/1335] Update win_control_panel_item.yml --- rules/windows/process_creation/win_control_panel_item.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index 8045adc4c..86f4b748e 100644 --- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml 
@@ -27,8 +27,9 @@ detection: - '\System32\' - '%System%' selection2: - CommandLine|contains: - - 'reg add' + CommandLine|contains|all: + - 'reg' + - 'add' selection3: CommandLine|contains: - 'CurrentVersion\\Control Panel\\CPLs' From 421ab4dc5fed2dd5c6c89422384ec71a57e447c2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:18:06 -0300 Subject: [PATCH 1133/1335] Update win_exploit_cve_2017_0261.yml --- rules/windows/process_creation/win_exploit_cve_2017_0261.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml index b96139734..bdc45eabb 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml @@ -21,7 +21,7 @@ logsource: detection: selection: ParentImage|endswith: '\WINWORD.EXE' - Image|endswith: '\FLTLDR.exe*' + Image|contains: '\FLTLDR.exe' condition: selection falsepositives: - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) From dbd97647f6fe5a5b5fbddea4d3fbc94afe4c256a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:22:04 -0300 Subject: [PATCH 1134/1335] Remove Additional backslash and update logic --- .../win_exploit_cve_2019_1378.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index 0a2837c40..ef8256895 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml 
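Review bot: `'reg'` and `'add'` as bare substrings in `selection2` match far more than `reg add` — `regsvr32`, `registry`, `address`, `padding` — so the selection no longer pins the tool. Use `Image|endswith: '\reg.exe'` together with `CommandLine|contains: ' add '`, or keep the single `CommandLine|contains: 'reg add'` the old line had. The `selection3` registry path still does the real filtering, but a loose `selection2` weakens whatever the condition combines it with.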
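Review bot: `Image` carries the full executable path, so `Image|endswith: '\FLTLDR.exe'` is the precise form; `Image|contains: '\FLTLDR.exe'` also matches `\FLTLDR.exe.bak` or a directory named `FLTLDR.exe`. If the trailing `*` in the old `endswith` value was meant to tolerate a suffix, say which one in a comment rather than widening the match.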
@@ -4,7 +4,7 @@ status: experimental description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378 references: - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/11/15 modified: 2020/08/29 tags: @@ -19,15 +19,19 @@ logsource: product: windows detection: selection: - ParentCommandLine|endswith: - - '\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' - - '\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' + ParentCommandLine|contains|all: + - '\cmd.exe' + - '/c' + - 'C:\Windows\Setup\Scripts\' + ParentCommandLine|endswith: + - 'SetupComplete.cmd' + - 'PartnerSetupComplete.cmd' filter: Image|startswith: - - 'C:\Windows\System32\\' - - 'C:\Windows\SysWOW64\\' - - 'C:\Windows\WinSxS\\' - - 'C:\Windows\Setup\\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + - 'C:\Windows\Setup\' condition: selection and not filter falsepositives: - Unknown From 933168636858a79ab3d41ee2cd93df038337bc9f Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:27:23 -0300 Subject: [PATCH 1135/1335] Update Logic --- rules/windows/process_creation/win_hack_koadic.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml index 9fd0d7233..f65b70d87 100644 --- a/rules/windows/process_creation/win_hack_koadic.yml +++ b/rules/windows/process_creation/win_hack_koadic.yml @@ -21,8 +21,11 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'cmd.exe* /q /c chcp ' + ProcessName: 'cmd.exe' + CommandLine|contains|all: + - '/q' + - '/c' + - 'chcp' condition: selection1 fields: - CommandLine 
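Review bot: `ParentCommandLine|endswith: 'SetupComplete.cmd'` fails as soon as the script path is quoted (`... /c "C:\Windows\Setup\Scripts\SetupComplete.cmd"`), because the field then ends in `"`; add the quoted variants or use `ParentCommandLine|contains: - '\Scripts\SetupComplete.cmd' - '\Scripts\PartnerSetupComplete.cmd'` instead of the `endswith` block. The `PartnerSetupComplete.cmd` entry is redundant, since `endswith 'SetupComplete.cmd'` already covers it.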
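Review bot: `ProcessName: 'cmd.exe'` is an exact full-field match, but process fields carry the full path (`C:\Windows\System32\cmd.exe`), so `selection1` can never match and the rule is dead. Use `Image|endswith: '\cmd.exe'` — `Image` is the field the generic `process_creation` source exposes, not `ProcessName`. The old `'cmd.exe* /q /c chcp '` at least tolerated the rest of the command line via its wildcard.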
From e18829697ffc7c5edfa4049396e8a40cd1551b7a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:33:31 -0300 Subject: [PATCH 1136/1335] Update Logic --- .../win_impacket_lateralization.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index e12bfe31b..7e6abfd81 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -37,15 +37,22 @@ detection: - '\mmc.exe' # dcomexec MMC - '\explorer.exe' # dcomexec ShellBrowserWindow - '\services.exe' # smbexec - CommandLine|contains: - - 'cmd.exe* /Q /c * \\\\127.0.0.1\\*&1' + CommandLine|contains|all: + - 'cmd.exe' + - '/Q' + - '/c' + - '\\\\127.0.0.1\' + - '&1' selection_atexec: ParentCommandLine|contains: - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 - CommandLine: - - 'cmd.exe /C *Windows\\Temp\\*&1' + CommandLine|contains|all: + - 'cmd.exe' + - '/C' + - 'Windows\Temp\' + - '&1' condition: (1 of selection_*) fields: - CommandLine From 22ae395e4aedf7f254069e06954bd3a88683e3aa Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:35:27 -0300 Subject: [PATCH 1137/1335] Update win_impacket_lateralization.yml --- rules/windows/process_creation/win_impacket_lateralization.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index 7e6abfd81..a97030d7d 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml 
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -7,7 +7,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py -author: Ecco +author: Ecco, oscd.community, Jonhnathan Ribeiro date: 2019/09/03 modified: 2020/09/01 logsource: From 7672db2aeb2f4d6e45aa8e1367835d9e9055bbba Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 12:37:04 -0300 Subject: [PATCH 1138/1335] Update Logic --- .../win_install_reg_debugger_backdoor.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml index 351f36687..166a4561b 100644 --- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml 
@@ -9,21 +9,23 @@ tags: - attack.privilege_escalation - attack.t1546.008 - attack.t1015 # an old one -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/09/06 logsource: category: process_creation product: windows detection: selection: + CommandLine|contains|all: + - '\CurrentVersion\Image File Execution Options\' CommandLine|contains: - - '\CurrentVersion\Image File Execution Options\sethc.exe' - - '\CurrentVersion\Image File Execution Options\utilman.exe' - - '\CurrentVersion\Image File Execution Options\osk.exe' - - '\CurrentVersion\Image File Execution Options\magnify.exe' - - '\CurrentVersion\Image File Execution Options\narrator.exe' - - '\CurrentVersion\Image File Execution Options\displayswitch.exe' - - '\CurrentVersion\Image File Execution Options\atbroker.exe' + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'magnify.exe' + - 'narrator.exe' + - 'displayswitch.exe' + - 'atbroker.exe' condition: selection falsepositives: - Penetration Tests From 5f5af0bd36a47f9c3370284b81d51184465ddef2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:10:31 -0300 Subject: [PATCH 1139/1335] Update win_malware_dridex.yml --- .../process_creation/win_malware_dridex.yml | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 90493846b..4c322dfd6 100644 --- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -4,7 +4,7 @@ status: experimental description: Detects typical Dridex process patterns references: - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 -author: Florian Roth +author: Florian Roth, oscd.community date: 2019/01/10 modified: 2020/09/01 tags: 
@@ -19,13 +19,21 @@ logsource: product: windows detection: selection1: - CommandLine|contains: '\svchost.exe C:\Users\\*\Desktop\\' + ProcessName|endswith: '\svchost.exe' + CommandLine|contains|all: + - 'C:\Users\' + - '\Desktop\' selection2: - ParentImage|contains: '\svchost.exe' - CommandLine|endswith: - - 'whoami.exe /all' - - 'net.exe view' - condition: 1 of them + ParentImage|endswith: '\svchost.exe' + selection3: + ProcessName|endswith: '\whoami.exe' + CommandLine|contains: 'all' + selection4: + ProcessName|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'view' + condition: selection1 or selection2 and (selection3 or selection4) falsepositives: - Unlikely level: critical From c17c034cb5e7cda3c167048f830c85aa633c6ae3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 27 Nov 2020 19:23:31 +0100 Subject: [PATCH 1140/1335] Changed selections and condition see manpage for security tool on macOS https://gist.github.com/Capybara/6228955 --- rules/linux/macos_creds_from_keychain.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml index 3709f3f60..e8d3d1302 100644 --- a/rules/linux/macos_creds_from_keychain.yml +++ b/rules/linux/macos_creds_from_keychain.yml 
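Review bot: `condition: selection1 or selection2 and (selection3 or selection4)` relies on `and` binding tighter than `or`; write it as `condition: selection1 or (selection2 and (selection3 or selection4))` so the intent — an svchost parent spawning `whoami /all` or `net view` — is unambiguous to readers and backends. `ProcessName|endswith` in `selection1`, `selection3` and `selection4` should be `Image|endswith`, the field the `process_creation` log source provides; with an unmapped field those selections never match and, at `level: critical`, the rule quietly goes dark.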
@@ -2,20 +2,28 @@ title: Credentials from Password Stores - Keychain id: b120b587-a4c2-4b94-875d-99c9807d6955 status: experimental description: Detects passwords dumps from Keychain -author: Tim Ismilyaev, oscd.community +author: Tim Ismilyaev, oscd.community, Florian Roth date: 2020/10/19 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md + - https://gist.github.com/Capybara/6228955 logsource: category: process_creation product: macos detection: - any_keychain_call: - ProcessName|endswith: '/security' - condition: any_keychain_call + selection1: + Image: '/usr/bin/security' + CommandLine|contains: + - 'find-certificate' + - ' export ' + selection2: + CommandLine|contains: + - ' dump-keychain ' + - ' login-keychain ' + condition: 1 of them falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.credential_access - - attack.t1555.001 \ No newline at end of file + - attack.t1555.001 From 253c0839eca11607e71d0baf430050a40a123331 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:25:38 -0300 Subject: [PATCH 1141/1335] Update logic --- .../process_creation/win_malware_formbook.yml | 32 ++++++++++++++----- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index 83aad0b77..ceb8f85db 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml 
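Review bot: selection2 is not tied to the binary, so `' dump-keychain '` or `' login-keychain '` in any process's arguments (a shell one-liner, a script path) fires the rule at the new medium level, while selection1 does carry `Image: '/usr/bin/security'`; adding the same `Image: '/usr/bin/security'` line to selection2 keeps both branches scoped to the security tool. The space-padded values also miss the subcommand when it is the final token of the command line (`security dump-keychain` with nothing after it), so `'dump-keychain'` without padding is the safer form if that case matters. `' export '` in selection1 is OR-ed with `'find-certificate'`, so a comment noting that it is meant to catch `security export` would help a later reader judge its noise.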
@@ -19,14 +19,30 @@ detection: # Parent command line should not contain a space value # This avoids false positives not caused by process injection # e.g. wscript.exe /B sysmon-install.vbs - ParentCommandLine: - - 'C:\Windows\System32\\*.exe' - - 'C:\Windows\SysWOW64\\*.exe' - CommandLine|endswith: - - ' /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' - - ' /c del "C:\Users\\*\Desktop\\*.exe' - - ' /C type nul > "C:\Users\\*\Desktop\\*.exe' - condition: selection + ParentCommandLine|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + ParentCommandLine|endswith: + - '.exe' + selection2: + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\AppData\Local\Temp\' + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\Desktop\' + - CommandLine|contains|all: + - '/C' + - 'type nul >' + - 'C:\Users\' + - '\Desktop\' + selection3: + CommandLine|endswith: '.exe' + condition: selection and selection2 and selection3 fields: - CommandLine - ParentCommandLine From 3410a1eecef33658aea464f485a2ecb4afda3877 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:26:15 -0300 Subject: [PATCH 1142/1335] Update win_malware_formbook.yml --- rules/windows/process_creation/win_malware_formbook.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index ceb8f85db..d30851ea9 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml 
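Review bot: The `selection2` rewrite turns the removed ordered patterns into unordered substrings, and the tokens `'/c'` and `'del'` are weak on their own: `'del'` matches any command line with that fragment in a path or word, so a parent-from-System32 process that deletes nothing can still satisfy `'/c'`, `'del'`, `'C:\Users\'` and `'\Desktop\'` together. Keeping verb and argument adjacent, e.g. `- ' /c del "'` and `- ' /C type nul > "'` as single entries in place of the separate `'/c'`/`'del'` and `'/C'`/`'type nul >'` tokens, preserves the original meaning without wildcards. The "should not contain a space value" comment kept above `ParentCommandLine|startswith` does not describe what the new prefix/suffix pair checks (arguments between the prefix and `.exe` are not excluded); it should say so, e.g. `# parent is a System32/SysWOW64 *.exe command line (prefix + .exe suffix; arguments are not excluded)`. The `selection:` key these fields belong to starts above the hunk.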
@@ -3,7 +3,7 @@ id: 032f5fb3-d959-41a5-9263-4173c802dc2b status: experimental description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/09/30 modified: 2019/10/31 references: From 217dd53c62b029af31dc37ea6668abf6756fd426 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:29:29 -0300 Subject: [PATCH 1143/1335] Update win_malware_notpetya.yml --- rules/windows/process_creation/win_malware_notpetya.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 8b6b8d3d2..4f0d44bf2 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -24,7 +24,9 @@ logsource: product: windows detection: pipe_com: - CommandLine|contains: '\AppData\Local\Temp\\* \\.\pipe\\' + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\.\pipe\\' rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: '.dat,#1' @@ -37,3 +39,4 @@ fields: falsepositives: - Admin activity level: critical + From 84b35dd6b8e019bb54ea6f8b47f6f5524eef5f55 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:30:53 -0300 Subject: [PATCH 1144/1335] Update win_malware_script_dropper.yml --- .../win_malware_script_dropper.yml | 28 ++++++++----------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index 1469fb9d7..a2b13a35a 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml 
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -2,7 +2,7 @@ title: WScript or CScript Dropper id: cea72823-df4d-4567-950c-0b579eaf0846 status: experimental description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (rule) +author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community date: 2019/01/16 modified: 2020/09/01 tags: @@ -11,28 +11,24 @@ tags: - attack.t1059.007 - attack.defense_evasion # an old one - attack.t1064 # an old one -logsource: - category: process_creation - product: windows detection: - selection: + selection1: Image|endswith: - '\wscript.exe' - '\cscript.exe' CommandLine|contains: - - ' C:\Users\\*.jse ' - - ' C:\Users\\*.vbe ' - - ' C:\Users\\*.js ' - - ' C:\Users\\*.vba ' - - ' C:\Users\\*.vbs ' - - ' C:\ProgramData\\*.jse ' - - ' C:\ProgramData\\*.vbe ' - - ' C:\ProgramData\\*.js ' - - ' C:\ProgramData\\*.vba ' - - ' C:\ProgramData\\*.vbs ' + - 'C:\Users\' + - 'C:\ProgramData\' + selection2: + CommandLine|contains: + - '.jse' + - '.vbe' + - '.js' + - '.vba' + - '.vbs' falsepositive: ParentImage|contains: '\winzip' - condition: selection and not falsepositive + condition: selection1 and selection2 and not falsepositive fields: - CommandLine - ParentCommandLine From 3854a0ed8d3316b9a86d2e969b2ae152a32dc58d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:38:16 -0300 Subject: [PATCH 1145/1335] Update Logic --- .../process_creation/win_malware_wannacry.yml | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 1f6356f3a..178f12c1d 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml 
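Review bot: The second hunk deletes the rule's `logsource:` block (`category: process_creation`, `product: windows`) and nothing in the hunk replaces it, so unless a logsource survives elsewhere in the file the rule no longer declares which log it applies to and converters cannot route it to process-creation events; the three lines should be restored directly above `detection:`. Separately, `selection2`'s `'.js'` now matches as a bare substring (`.jse`, `.json`, `.jsx` all contain it) whereas the removed values were bounded by a trailing space; if that breadth is intended a comment like `# '.js' also covers .jse/.json by substring` records it, otherwise `'.js '` keeps the old boundary.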
@@ -4,7 +4,7 @@ status: experimental description: Detects WannaCry ransomware activity references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 -author: Florian Roth (rule), Tom U. @c_APT_ure (collection) +author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2020/09/01 tags: @@ -23,12 +23,10 @@ logsource: product: windows detection: selection1: - Image|endswith: + - Image|endswith: - '\tasksche.exe' - '\mssecsvc.exe' - '\taskdl.exe' - - '\@WanaDecryptor@*' - - '\WanaDecryptor*' - '\taskhsvc.exe' - '\taskse.exe' - '\111.exe' @@ -36,11 +34,22 @@ detection: - '\diskpart.exe' - '\linuxnew.exe' - '\wannacry.exe' + - Image|contains: + - '\@WanaDecryptor@' + - '\WanaDecryptor' selection2: - CommandLine|contains: - - 'icacls * /grant Everyone:F /T /C /Q' - - 'bcdedit /set {default} recoveryenabled no' + - CommandLine|contains|all: + - 'icacls' + - '/grant' + - 'Everyone:F /T /C /Q' + - CommandLine|contains|all: + - 'bcdedit' + - '/set' + - '{default}' + - 'recoveryenabled no' + - CommandLine|contains: - 'wbadmin delete catalog -quiet' + - CommandLine|contains: - '@Please_Read_Me@.txt' condition: 1 of them fields: From 345c6627a83f3496a6aaf1cb6ef761b7f5854ec9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:42:22 -0300 Subject: [PATCH 1146/1335] Update win_mmc_spawn_shell.yml --- rules/windows/process_creation/win_mmc_spawn_shell.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index c54953edd..70641647f 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml 
@@ -17,7 +17,8 @@ logsource: detection: selection: ParentImage|endswith: '\mmc.exe' - Image|endswith: + selection2: + - Image|endswith: - '\cmd.exe' - '\powershell.exe' - '\wscript.exe' @@ -26,8 +27,9 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - '\BITSADMIN*' - condition: selection + - Image|contains: + - '\BITSADMIN' + condition: selection and selection2 fields: - CommandLine - Image From 3f5a2af2db8c0f56e663ede6d10fcf020bd58af8 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:43:29 -0300 Subject: [PATCH 1147/1335] Update win_mshta_spawn_shell.yml --- rules/windows/process_creation/win_mshta_spawn_shell.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml index a65dda9bc..ad6835d1a 100644 --- a/rules/windows/process_creation/win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -13,7 +13,8 @@ logsource: detection: selection: ParentImage|endswith: '\mshta.exe' - Image|endswith: + selection2: + - Image|endswith: - '\cmd.exe' - '\powershell.exe' - '\wscript.exe' @@ -22,8 +23,9 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - '\BITSADMIN*' - condition: selection + - Image|contains: + - '\BITSADMIN' + condition: selection and selection2 fields: - CommandLine - ParentCommandLine From 0bf996d66e0555388bdfa84053bd8e2ed45c90cc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:44:22 -0300 Subject: [PATCH 1148/1335] Update win_netsh_fw_add.yml --- rules/windows/process_creation/win_netsh_fw_add.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index 727242a37..107be717f 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml 
@@ -20,8 +20,9 @@ detection: CommandLine|contains: - 'netsh' selection2: - CommandLine|contains: - - 'firewall add' + CommandLine|contains|all: + - 'firewall' + - 'add' condition: selection1 and selection2 falsepositives: - Legitimate administration From 9171d8913c07b4b8927716fc79ec9317b34f1ab1 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:45:08 -0300 Subject: [PATCH 1149/1335] Remove Additional backslash --- .../win_netsh_fw_add_susp_image.yml | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index bc18f820c..a6de8533c 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml 
@@ -29,26 +29,26 @@ detection: susp_image: CommandLine|contains: - '%TEMP%' - - ':\RECYCLER\\' - - 'C:\$Recycle.bin\\' - - ':\SystemVolumeInformation\\' - - 'C:\\Windows\\Tasks\\' - - 'C:\\Windows\\debug\\' - - 'C:\\Windows\\fonts\\' - - 'C:\\Windows\\help\\' - - 'C:\\Windows\\drivers\\' - - 'C:\\Windows\\addins\\' - - 'C:\\Windows\\cursors\\' - - 'C:\\Windows\\system32\tasks\\' - - 'C:\Windows\Temp\\' - - 'C:\Temp\\' - - 'C:\Users\Public\\' - - '%Public%\\' - - 'C:\Users\Default\\' - - 'C:\Users\Desktop\\' - - '\Downloads\\' - - '\Temporary Internet Files\Content.Outlook\\' - - '\Local Settings\Temporary Internet Files\\' + - ':\RECYCLER\' + - 'C:\$Recycle.bin\' + - ':\SystemVolumeInformation\' + - 'C:\\Windows\\Tasks\' + - 'C:\\Windows\\debug\' + - 'C:\\Windows\\fonts\' + - 'C:\\Windows\\help\' + - 'C:\\Windows\\drivers\' + - 'C:\\Windows\\addins\' + - 'C:\\Windows\\cursors\' + - 'C:\\Windows\\system32\tasks\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - '%Public%\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' condition: (selection1 or selection2) and susp_image falsepositives: - Legitimate administration From 5acd8d622b43d35bd38ed9474535322b7e9f3266 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:57:53 -0300 Subject: [PATCH 1150/1335] Update win_netsh_port_fwd.yml --- rules/windows/process_creation/win_netsh_port_fwd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index ad6128419..5af47cd0e 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml 
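Review bot: `':\SystemVolumeInformation\'` survives the trailing-backslash cleanup, but the folder on a Windows volume is named `System Volume Information` (with spaces), so that entry can never match a real path and should be `':\System Volume Information\'`. The same hunk also leaves the eight `C:\\Windows\\...` entries with doubled interior backslashes while every other value in the list now uses single ones; Sigma treats `\\` not followed by a wildcard as a plain backslash, so they are equivalent, but normalising them to `'C:\Windows\Tasks\'` etc. matches both the commit's intent and the rest of the list.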
@@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - CommandLine: - - netsh interface portproxy add v4tov4 * + CommandLine|startswith: + - 'netsh interface portproxy add v4tov4' condition: selection falsepositives: - Legitimate administration From b816754018e969abdad064420b72fae210602184 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 15:59:25 -0300 Subject: [PATCH 1151/1335] Update win_netsh_port_fwd_3389.yml --- .../windows/process_creation/win_netsh_port_fwd_3389.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml index 02124e93f..64a4809a2 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml @@ -10,14 +10,17 @@ tags: - attack.command_and_control - attack.t1090 status: experimental -author: Florian Roth +author: Florian Roth, oscd.community logsource: category: process_creation product: windows detection: selection: - CommandLine: - - netsh i* p*=3389 c* + CommandLine|contains|all: + - 'netsh' + - 'i' + - '=3389' + - ' c' condition: selection falsepositives: - Legitimate administration From d996e97fdd0263aaa3dd5e7f643135c7f11540c9 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 16:00:04 -0300 Subject: [PATCH 1152/1335] Update win_netsh_port_fwd_3389.yml --- rules/windows/process_creation/win_netsh_port_fwd_3389.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml index 64a4809a2..24d23585b 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml @@ -19,6 +19,7 @@ detection: CommandLine|contains|all: - 'netsh' - 'i' + - ' p' - '=3389' - ' c' condition: selection 
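Review bot: `CommandLine|startswith: 'netsh interface portproxy add v4tov4'` only fires when the recorded command line begins with the bare word `netsh`; a process started by full path (`C:\Windows\System32\netsh.exe interface portproxy ...`) or with netsh's abbreviated keywords (the 3389 rule in this same batch expects `netsh i* p*` forms) starts differently and is missed. The removed `netsh interface portproxy add v4tov4 *` value had the same gap, so this is carried over rather than introduced, but since the line is being rewritten anyway a shape independent of how the binary was invoked is `Image|endswith: '\netsh.exe'` plus `CommandLine|contains: 'portproxy add v4tov4'`, mirroring what the later netsh_fw_add change in this series does.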
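Review bot: In the `win_netsh_port_fwd_3389` hunk the `contains|all` tokens `'i'` and `' c'` carry no selectivity — practically every command line that contains `netsh` also contains the letter i and a space followed by c — so the rule effectively reduces to `'netsh'` and `'=3389'`, and the `' p'` token added by the following hunk has the same weakness; the removed `netsh i* p*=3389 c*` pattern at least enforced order. The `win_netsh_wifi_credential_harvesting` hunk further down (`' s'`, `' p'`, `' k'`) follows the same pattern. If the intent is to tolerate netsh's abbreviated syntax, say so and keep only the distinctive parts, e.g. `Image|endswith: '\netsh.exe'` with `CommandLine|contains: '=3389'` and a comment `# netsh keywords may be abbreviated (i p a v4tov4 ...), so only the port argument is matched`.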
From f6aaa957ff249eb33b79355ac6535149f1580487 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 16:01:25 -0300 Subject: [PATCH 1153/1335] Update win_netsh_wifi_credential_harvesting.yml --- .../win_netsh_wifi_credential_harvesting.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml index b34ae86ee..185ea60d9 100644 --- a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml +++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml @@ -4,7 +4,7 @@ status: experimental description: Detect the harvesting of wifi credentials using netsh.exe references: - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ -author: Andreas Hunkeler (@Karneades) +author: Andreas Hunkeler (@Karneades), oscd.community date: 2020/04/20 modified: 2020/09/01 tags: @@ -16,8 +16,13 @@ logsource: product: windows detection: selection: - CommandLine: - - 'netsh wlan s* p* k*=clear' + CommandLine|contains|all: + - 'netsh' + - 'wlan' + - ' s' + - ' p' + - ' k' + - '=clear' condition: selection falsepositives: - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason From bf5aa947e39cf5ad4f9eb6820567819dba39aec2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 16:04:55 -0300 Subject: [PATCH 1154/1335] Update win_office_spawn_exe_from_users_directory.yml --- .../win_office_spawn_exe_from_users_directory.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index b7d3f1bdd..fb3a33036 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml 
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -26,8 +26,9 @@ detection: - '\MSPUB.exe' - '\VISIO.exe' - '\OUTLOOK.EXE' - Image: - - 'C:\users\\*.exe' + Image|contains|all: + - 'C:\users\' + - '.exe' condition: selection fields: - CommandLine From fb119d6112727b85f6ca8bdbed7f29e732b4ce03 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 27 Nov 2020 16:06:15 -0300 Subject: [PATCH 1155/1335] Remove additional backslash --- .../win_plugx_susp_exe_locations.yml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index 282920701..2f7c1cd98 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -19,30 +19,30 @@ detection: selection_cammute: Image|endswith: '\CamMute.exe' filter_cammute: - Image|contains: '\Lenovo\Communication Utility\\' + Image|contains: '\Lenovo\Communication Utility\' selection_chrome_frame: Image|endswith: '\chrome_frame_helper.exe' filter_chrome_frame: - Image|contains: '\Google\Chrome\application\\' + Image|contains: '\Google\Chrome\application\' selection_devemu: Image|endswith: '\dvcemumanager.exe' filter_devemu: - Image|contains: '\Microsoft Device Emulator\\' + Image|contains: '\Microsoft Device Emulator\' selection_gadget: Image|endswith: '\Gadget.exe' filter_gadget: - Image|contains: '\Windows Media Player\\' + Image|contains: '\Windows Media Player\' selection_hcc: Image|endswith: '\hcc.exe' filter_hcc: - Image|contains: '\HTML Help Workshop\\' + Image|contains: '\HTML Help Workshop\' selection_hkcmd: Image|endswith: '\hkcmd.exe' filter_hkcmd: Image|contains: - - '\System32\\' - - '\SysNative\\' - - '\SysWowo64\\' + - '\System32\' + - '\SysNative\' + - '\SysWowo64\' selection_mc: Image|endswith: '\Mc.exe' filter_mc: 
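Review bot: `Image|contains|all` with `'C:\users\'` and `'.exe'` is looser than the removed `C:\users\\*.exe` value: `.exe` may now sit anywhere in the path (e.g. a folder named `something.exe\`) and `C:\users\` is no longer anchored to the start of the image path. `Image|startswith: 'C:\users\'` together with `Image|endswith: '.exe'` expresses the original prefix/suffix match without a wildcard; using `Image|contains: '\Users\'` for the prefix instead would additionally cover profiles on drives other than C:, if that is wanted.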
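Review bot: `'\SysWowo64\'` under `filter_hkcmd` is a typo for the `SysWOW64` directory, so the filter never excludes a legitimate 32-bit hkcmd.exe under `\Windows\SysWOW64\` and the `selection_hkcmd and not filter_hkcmd` branch will fire on it; the line should read `- '\SysWOW64\'`. The typo predates this commit, but since the hunk rewrites that line anyway it is the right place to fix it.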
@@ -54,20 +54,20 @@ detection: Image|endswith: '\MsMpEng.exe' filter_msmpeng: Image|contains: - - '\Microsoft Security Client\\' - - '\Windows Defender\\' - - '\AntiMalware\\' + - '\Microsoft Security Client\' + - '\Windows Defender\' + - '\AntiMalware\' selection_msseces: Image|endswith: '\msseces.exe' filter_msseces: Image|contains: - - '\Microsoft Security Center\\' - - '\Microsoft Security Client\\' - - '\Microsoft Security Essentials\\' + - '\Microsoft Security Center\' + - '\Microsoft Security Client\' + - '\Microsoft Security Essentials\' selection_oinfo: Image|endswith: '\OInfoP11.exe' filter_oinfo: - Image|contains: '\Common Files\Microsoft Shared\\' + Image|contains: '\Common Files\Microsoft Shared\' selection_oleview: Image|endswith: '\OleView.exe' filter_oleview: @@ -75,7 +75,7 @@ detection: - '\Microsoft Visual Studio' - '\Microsoft SDK' - '\Windows Kit' - - '\Windows Resource Kit\\' + - '\Windows Resource Kit\' selection_rc: Image|endswith: '\rc.exe' filter_rc: @@ -83,8 +83,8 @@ detection: - '\Microsoft Visual Studio' - '\Microsoft SDK' - '\Windows Kit' - - '\Windows Resource Kit\\' - - '\Microsoft.NET\\' + - '\Windows Resource Kit\' + - '\Microsoft.NET\' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) fields: - CommandLine From 702f697168ad8d0ee7cdd3e4a62d9665b5c1ede8 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 27 Nov 2020 16:10:10 -0300 Subject: [PATCH 1156/1335] Update win_powershell_download.yml --- .../process_creation/win_powershell_download.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index 972f5099c..b40ed1fc6 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -2,7 +2,7 @@ title: PowerShell Download from URL id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 status: experimental description: Detects a Powershell process that contains download commands in its command line string -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/01/16 tags: - attack.t1086 # an old one @@ -14,12 +14,14 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'new-object system.net.webclient).downloadstring(' - - 'new-object system.net.webclient).downloadfile(' - - 'new-object net.webclient).downloadstring(' - - 'new-object net.webclient).downloadfile(' - condition: selection + selection2: + - Message|contains|all: + - 'System.Net.WebClient' + - '.DownloadFile(' + - Message|contains|all: + - 'System.Net.WebClient' + - '.DownloadString(' + condition: selection and selection2 fields: - CommandLine - ParentCommandLine From 016a89c18678b49730e93d3a29ee6a729ed0636c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 08:00:07 +0100 Subject: [PATCH 1157/1335] Update win_susp_net_recon_activity.yml --- rules/windows/builtin/win_susp_net_recon_activity.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index cb5aa7a89..3fa612999 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml 
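Review bot: `Message|contains|all` in the new `selection2` is not a process-creation field — the rule's logsource is `category: process_creation` (see the `@@ -14,12 +14,14 @@ logsource:` context) and the removed lines matched `CommandLine`, which the `fields:` list below still references — so converters will have no mapping for it in this category and `selection and selection2` is unlikely ever to fire. Both entries should read `- CommandLine|contains|all:`. Dropping the `new-object` prefix and matching `System.Net.WebClient` with `.DownloadFile(`/`.DownloadString(` is a reasonable broadening; a one-line comment such as `# matches WebClient download calls regardless of how the object was created` would record why.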
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -4,7 +4,7 @@ status: experimental description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" references: - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html -author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro, oscd.community +author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community date: 2017/03/07 modified: 2020/08/23 tags: @@ -18,10 +18,6 @@ logsource: product: windows service: security definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems -logsource: - product: windows - service: security - definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: selection: EventID: 4661 From 2e5e4a20d20bbf6f46809a471b5f2a2d19a09d76 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 09:26:18 +0100 Subject: [PATCH 1158/1335] Update powershell_clear_powershell_history.yml --- .../powershell_clear_powershell_history.yml | 41 +++++++++++++------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index 79828fc2d..695c01d00 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
@@ -3,7 +3,8 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -author: Ilyas Ochkov, oscd.community, Jonhnathan Ribeiro +modified: 2020/11/28 +author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a tags: @@ -14,20 +15,36 @@ logsource: product: windows service: powershell detection: - selection1: - Message|contains: + selection_1: + EventID: 4104 + selection_2: + ScriptBlockText|contains: - 'del' - - 'Set-PSReadlineOption' - 'Remove-Item' - 'rm' - selection2: - Message|contains: + ScriptBlockText|contains|all: - '(Get-PSReadlineOption).HistorySavePath' - selection3: - Message|contains: - - '–HistorySaveStyle' - - 'SaveNothing' - condition: selection1 and (selection2 or selection3) + selection_3: + ScriptBlockText|contains|all: + - 'Set-PSReadlineOption' + - '–HistorySaveStyle' + - 'SaveNothing' + selection_4: + EventID: 4103 + selection_5: + Payload|contains: + - 'del' + - 'Remove-Item' + - 'rm' + Payload|contains|all: + - '(Get-PSReadlineOption).HistorySavePath' + selection_6: + Payload|contains|all: + - 'Set-PSReadlineOption' + - '–HistorySaveStyle' + - 'SaveNothing' + condition: selection_1 and ( selection_2 or selection_3 ) or + selection_4 and ( selection_5 or selection_6 ) falsepositives: - - some PS-scripts + - Legitimate PowerShell scripts level: medium From 26fa500e21975c05591f8ed1cb5993e34605db02 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 09:38:49 +0100 Subject: [PATCH 1159/1335] Update win_control_panel_item.yml --- rules/windows/process_creation/win_control_panel_item.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index 86f4b748e..49cd25730 100644 
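Review bot: `'–HistorySaveStyle'` in selection_3 and selection_6 begins with an en dash (U+2013) rather than the ASCII hyphen that `Set-PSReadlineOption -HistorySaveStyle SaveNothing` is normally typed with, so those `contains|all` groups miss the ordinary spelling; `'HistorySaveStyle'` without the dash, or the ASCII `'-HistorySaveStyle'`, covers both. The bare `'del'` and `'rm'` entries in selection_2 and selection_5 are satisfied by fragments of unrelated words (`model`, `format`), which is harmless only because they are AND-ed with `'(Get-PSReadlineOption).HistorySavePath'`; a comment like `# 'del'/'rm' are deliberately broad; the HistorySavePath term carries the selectivity` would keep a later editor from tightening one without the other. The multi-line `condition:` folds into a single plain scalar so the line break is fine, but `(selection_1 and ( selection_2 or selection_3 )) or (selection_4 and ( selection_5 or selection_6 ))` makes the precedence explicit.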
--- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml @@ -14,7 +14,7 @@ tags: - attack.t1546 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) date: 2020/06/22 -modified: 2020/08/29 +modified: 2020/11/28 level: critical logsource: product: windows @@ -27,9 +27,8 @@ detection: - '\System32\' - '%System%' selection2: - CommandLine|contains|all: - - 'reg' - - 'add' + Image|endswith: '\reg.exe' + CommandLine|contains: 'add' selection3: CommandLine|contains: - 'CurrentVersion\\Control Panel\\CPLs' From 17813c947ca8239b766ecb18c3c2aeb75bdfcd20 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 09:48:30 +0100 Subject: [PATCH 1160/1335] Update win_apt_bluemashroom.yml --- rules/windows/process_creation/win_apt_bluemashroom.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index 375c537cd..dedb3b2d5 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml @@ -15,9 +15,12 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - '\regsvr32*\AppData\Local\' - - '\AppData\Local\\*,DllEntry' + - CommandLine|contains|all: + - '\regsvr32' + - '\AppData\Local\' + - CommandLine|contains|all: + - '\AppData\Local\' + - ',DllEntry' condition: selection falsepositives: - Unlikely From 1ea4bb0b871ed4c1fd8bf5d1e1036a2ac0e92aeb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 28 Nov 2020 10:10:00 +0100 Subject: [PATCH 1161/1335] wrong field name --- .../win_susp_file_download_via_gfxdownloadwrapper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml index 4adaeef44..63ffa1398 100644 --- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -15,7 +15,7 @@ detection: cmd_known_url: CommandLine|contains: 'gameplayapi.intel.com' same_parent: - ParentProcessName|endswith: '\GfxDownloadWrapper.exe' + ParentImage|endswith: '\GfxDownloadWrapper.exe' condition: image_path and not cmd_known_url and not same_parent fields: - CommandLine From 4a2cce0b400686a0c7a7e603fbd254ab7da35e73 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:15:39 +0100 Subject: [PATCH 1162/1335] Update win_apt_chafer_mar18.yml --- .../process_creation/win_apt_chafer_mar18.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 49b45faa8..c167ff6ed 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -19,7 +19,7 @@ tags: - attack.t1071.004 date: 2018/03/23 modified: 2020/08/26 -author: Florian Roth, Markus Neis +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community detection: condition: 1 of them falsepositives: 
@@ -47,17 +47,15 @@ detection: - 'UpdatMachine' --- logsource: + category: registry_event product: windows - service: sysmon detection: selection_reg1: - EventID: 13 TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' EventType: 'SetValue' selection_reg2: - EventID: 13 TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential' EventType: 'SetValue' Details: 'DWORD (0x00000001)' @@ -66,16 +64,19 @@ logsource: category: process_creation product: windows detection: - selection_process1: + selection_process0: + CommandLine|contains: '\Service.exe' CommandLine|endswith: - - '\Service.exe i' - - '\Service.exe u' - - '\microsoft\Taskbar\autoit3.exe' - CommandLine|startswith: - - 'C:\wsc.exe' + - 'i' + - 'u' + selection_process1: + - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe' + - CommandLine|startswith: 'C:\wsc.exe' selection_process2: Image|contains: '\Windows\Temp\DB\' Image|endswith: '.exe' selection_process3: - CommandLine|contains: '\nslookup.exe -q=TXT' + CommandLine|contains|all: + - '\nslookup.exe' + - '-q=TXT' ParentImage|contains: '\Autoit' From 9ae26e2674cea201eab6df591ce7ef2cc6cc7ff1 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:20:12 +0100 Subject: [PATCH 1163/1335] Update win_apt_cloudhopper.yml --- rules/windows/process_creation/win_apt_cloudhopper.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index 940696607..8c6538e18 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml @@ -16,7 +16,9 @@ logsource: detection: selection: Image|endswith: '\cscript.exe' - CommandLine|contains: '.vbs /shell ' + CommandLine|contains|all: + - '.vbs' + - '/shell' condition: selection fields: - CommandLine 
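Review bot: `selection_process0` is far broader than the `'\Service.exe i'` / `'\Service.exe u'` strings it replaces: `CommandLine|contains: '\Service.exe'` combined with `CommandLine|endswith: 'i'` / `'u'` fires on any command line that mentions a `\Service.exe` path and happens to end in the letter i or u, with no relationship between the two. Keeping the argument attached to the binary, `CommandLine|endswith: ['\Service.exe i', '\Service.exe u']`, preserves the original intent and still needs no wildcard. The shared `condition: 1 of them` for these documents is in the first hunk of this patch, not here.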
From 5a4b01662e061db419f31d7ed9ff6f440356c9a2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:22:24 +0100 Subject: [PATCH 1164/1335] Update win_netsh_fw_add.yml --- rules/windows/process_creation/win_netsh_fw_add.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index 107be717f..9fe41f4c9 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml @@ -17,8 +17,7 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'netsh' + Image|endswith: '\netsh.exe' selection2: CommandLine|contains|all: - 'firewall' From de5cac99d9d488cca223dd2cca26927396eb90a4 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:28:04 +0100 Subject: [PATCH 1165/1335] Update win_malware_wannacry.yml --- .../process_creation/win_malware_wannacry.yml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 178f12c1d..35833f3bd 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml 
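Review bot: `Image|endswith: '\netsh.exe'` in selection1 is defeated by copying netsh.exe under another name; the `CommandLine|contains: 'netsh'` it replaces was no stronger, but the swap is the moment to add the signal that survives renaming. Where the process_creation source carries Sysmon's OriginalFileName, make selection1 an OR list, `- Image|endswith: '\netsh.exe'` / `- OriginalFileName: 'netsh.exe'`, so a renamed copy still matches. selection2 continues past the end of the hunk and the condition is outside it.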
@@ -34,23 +34,28 @@ detection: - '\diskpart.exe' - '\linuxnew.exe' - '\wannacry.exe' - - Image|contains: - - '\@WanaDecryptor@' - - '\WanaDecryptor' + - Image|contains: 'WanaDecryptor' selection2: - CommandLine|contains|all: - 'icacls' - '/grant' - - 'Everyone:F /T /C /Q' + - 'Everyone:' + - 'F' + - '/T' + - '/C' + - '/Q' - CommandLine|contains|all: - 'bcdedit' - '/set' - '{default}' - - 'recoveryenabled no' - - CommandLine|contains: - - 'wbadmin delete catalog -quiet' - - CommandLine|contains: - - '@Please_Read_Me@.txt' + - 'recoveryenabled' + - 'no' + - CommandLine|contains|all: + - 'wbadmin' + - 'delete' + - 'catalog' + - '-quiet' + - CommandLine|contains: '@Please_Read_Me@.txt' condition: 1 of them fields: - CommandLine From fe0029e738f7fd57155c2da843b7f439b6f31011 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:29:07 +0100 Subject: [PATCH 1166/1335] Update win_powersploit_empire_schtasks.yml --- .../win_powersploit_empire_schtasks.yml | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml index b6f33126f..4f722ef26 100644 --- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml 
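Review bot: Splitting `'Everyone:F /T /C /Q'` into `'Everyone:'`, `'F'`, `'/T'`, `'/C'`, `'/Q'` and `'recoveryenabled no'` into `'recoveryenabled'`, `'no'` under `contains|all` throws away adjacency, and the tokens `'F'` and `'no'` are satisfied by almost any command line, so the icacls branch now accepts any permission letter in any order and the bcdedit branch also fires on `recoveryenabled yes` whenever `no` occurs elsewhere in the line (a path is enough). Keep the tokens that carry meaning together: `'Everyone:F'` and `'recoveryenabled no'` are exact substrings of the WannaCry commands and need no wildcard. The same applies to the wbadmin branch, where `'delete'` + `'catalog'` could stay `'delete catalog'`.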
@@ -12,15 +12,24 @@ logsource: product: windows category: process_creation detection: - selection: - ParentImage|endswith: - - '\powershell.exe' + selection1: + ParentImage|endswith: '\powershell.exe' + Image|endswith: '\schtasks.exe' + CommandLine|contains|all: + - '/Create' + - '/SC' + selection2: CommandLine|contains: - - 'schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell' - - 'schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell' - - 'schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell' - - 'schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell' - condition: selection + - 'ONLOGON' + - 'DAILY' + - 'ONIDLE' + - 'Updater' + CommandLine|contains|all: + - '/TN' + - 'Updater' + - '/TR' + - 'powershell' + condition: selection1 and selection2 tags: - attack.execution - attack.persistence From 687f6d8946efcaed80fbd28837cdc0ab52e14a54 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:37:30 +0100 Subject: [PATCH 1167/1335] Update win_powershell_download.yml --- .../process_creation/win_powershell_download.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index b40ed1fc6..3db56ae97 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -14,14 +14,14 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - selection2: - - Message|contains|all: - - 'System.Net.WebClient' - - '.DownloadFile(' - - Message|contains|all: - - 'System.Net.WebClient' - - '.DownloadString(' - condition: selection and selection2 + CommandLine|contains|all: + - 'new-object' + - 'net.webclient).' + - 'download' + CommandLine|contains: + - 'string(' + - 'file(' + condition: selection fields: - CommandLine - ParentCommandLine From 9445d18474c6284dbd48aed321a61e7685ee3bc1 Mon Sep 17 00:00:00 2001 
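Review bot: In selection2 the `CommandLine|contains` OR-list `ONLOGON` / `DAILY` / `ONIDLE` / `Updater` is dead logic, because the `contains|all` block directly below already requires `Updater`, so the OR-list is always true and the schedule type is no longer constrained at all. Either drop `Updater` from the OR-list so that ONLOGON/DAILY/ONIDLE actually filter (the three Empire variants), or delete the OR-list and state in the description that the detection now rests on `/Create`, `/SC`, `/TN Updater` and `/TR powershell` alone.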
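Review bot: The rewritten selection requires the literal `net.webclient).`, i.e. a closing parenthesis directly after the class name, so it only catches the inline form `(New-Object Net.WebClient).DownloadString(`; the common two-step form `$wc = New-Object Net.WebClient; $wc.DownloadFile(`, which the old `System.Net.WebClient` + `.DownloadFile(` pair did match, is now missed. Using `'net.webclient'` without the `).` and keeping `'.downloadstring('` / `'.downloadfile('` (with the leading dot) as the OR-list retains the old coverage while still moving off the `Message` field. Encoded commands are invisible to both versions, which is worth a line in `falsepositives`/description.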
From: yugoslavskiy Date: Sat, 28 Nov 2020 10:39:37 +0100 Subject: [PATCH 1168/1335] Update win_netsh_wifi_credential_harvesting.yml --- .../process_creation/win_netsh_wifi_credential_harvesting.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml index 185ea60d9..952ac4683 100644 --- a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml +++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml @@ -6,7 +6,7 @@ references: - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ author: Andreas Hunkeler (@Karneades), oscd.community date: 2020/04/20 -modified: 2020/09/01 +modified: 2020/11/28 tags: - attack.discovery - attack.credential_access @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - 'netsh' - 'wlan' - ' s' - ' p' From 5eec5d485b98ebe88ec924d992da1a989526b9e7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 10:55:18 +0100 Subject: [PATCH 1169/1335] Update sysmon_in_memory_assembly_execution.yml --- .../sysmon_in_memory_assembly_execution.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 772f60786..c313d0afc 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
@@ -21,15 +21,19 @@ logsource: category: process_access product: windows detection: - selection1: - - CallTrace|contains|all: + selection1: + CallTrace|contains|all: - 'C:\\Windows\\SYSTEM32\\ntdll.dll+' - '|C:\\Windows\\System32\\KERNELBASE.dll+' - - '|UNKNOWN(*)' - - CallTrace|endswith: - - 'UNKNOWN(*)|UNKNOWN(*)' - selection2: - CallTrace|contains: 'UNKNOWN' + - '|UNKNOWN(' + - ')' + selection2: + CallTrace|contains|all: + - "UNKNOWN(" + - ")|UNKNOWN(" + CallTrace|endswith: ")" + selection3: + CallTrace|contains: "UNKNOWN" granted_access: GrantedAccess: - "0x1F0FFF" @@ -40,7 +44,7 @@ detection: - "0x1F2FFF" - "0x1F3FFF" - "0x1FFFFF" - condition: selection1 OR (selection2 AND granted_access) + condition: (selection1 OR selection2) or (selection3 AND granted_access) fields: - ComputerName - User From eaf2fde6ebbe7179974da71c499360c079392abf Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 11:05:04 +0100 Subject: [PATCH 1170/1335] Update win_netsh_fw_add_susp_image.yml --- .../win_netsh_fw_add_susp_image.yml | 42 +++++++++++-------- 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index a6de8533c..13f3ead73 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml 
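Review bot: The `')'` entry added to selection1's `contains|all` list constrains nothing: `contains|all` is unordered, so it does not check that the parenthesis closes the `|UNKNOWN(` frame, and a trace containing an `UNKNOWN(` frame will contain a `)` somewhere anyway. Likewise `CallTrace|endswith: ")"` in selection2 no longer ties the two UNKNOWN frames to the end of the trace as `UNKNOWN(*)|UNKNOWN(*)` did; if that ordering is the signal, `CallTrace|re: 'UNKNOWN\([^)]*\)\|UNKNOWN\([^)]*\)$'` expresses it. The hunk also mixes `'…'` and `"…"` quoting for the same field, which should be unified.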
@@ -5,50 +5,56 @@ references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 date: 2020/05/25 -modified: 2020/09/01 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1089 # an old one - attack.t1562.004 status: experimental -author: Sander Wiebing +author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community logsource: category: process_creation product: windows detection: selection1: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - 'netsh' - - 'firewall add allowedprogram' + - 'firewall' + - 'add' + - 'allowedprogram' selection2: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - program= + - 'advfirewall' + - 'firewall' + - 'add' + - 'rule' + - 'action=allow' + - 'program=' susp_image: - CommandLine|contains: + - CommandLine|contains: - '%TEMP%' - ':\RECYCLER\' - 'C:\$Recycle.bin\' - ':\SystemVolumeInformation\' - - 'C:\\Windows\\Tasks\' - - 'C:\\Windows\\debug\' - - 'C:\\Windows\\fonts\' - - 'C:\\Windows\\help\' - - 'C:\\Windows\\drivers\' - - 'C:\\Windows\\addins\' - - 'C:\\Windows\\cursors\' - - 'C:\\Windows\\system32\tasks\' - 'C:\Windows\Temp\' - 'C:\Temp\' - 'C:\Users\Public\' - - '%Public%\' - 'C:\Users\Default\' - 'C:\Users\Desktop\' - '\Downloads\' - '\Temporary Internet Files\Content.Outlook\' - '\Local Settings\Temporary Internet Files\' + - CommandLine|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' + - '%Public%\' condition: (selection1 or selection2) and susp_image falsepositives: - Legitimate administration From 11c18e14d899cc0bed54f9bd7288f364ada6c41f Mon Sep 17 00:00:00 2001 
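Review bot: The new `CommandLine|startswith` list in susp_image can never match: a netsh command line starts with `netsh` (or the quoted path to netsh.exe), never with `C:\Windows\Tasks\` or `%Public%\`, so the nine paths moved there (Tasks, debug, fonts, help, drivers, addins, cursors, system32\tasks, %Public%) are silently dropped from the rule. Fold them back into the `CommandLine|contains` list above, e.g. `- 'C:\Windows\Tasks\'` next to `'C:\Windows\Temp\'`, which is presumably what the old double-backslash entries were trying to express.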
From: yugoslavskiy Date: Sat, 28 Nov 2020 11:12:06 +0100 Subject: [PATCH 1171/1335] Update win_hack_koadic.yml --- rules/windows/process_creation/win_hack_koadic.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml index f65b70d87..6daa475f9 100644 --- a/rules/windows/process_creation/win_hack_koadic.yml +++ b/rules/windows/process_creation/win_hack_koadic.yml @@ -14,19 +14,19 @@ tags: - attack.t1059.007 - attack.t1064 # an old one date: 2020/01/12 -modified: 2020/09/01 -author: wagga +modified: 2020/11/28 +author: wagga, Jonhnathan Ribeiro, oscd.community logsource: category: process_creation product: windows detection: - selection1: - ProcessName: 'cmd.exe' + selection: + Image|endswith: '\cmd.exe' CommandLine|contains|all: - '/q' - '/c' - 'chcp' - condition: selection1 + condition: selection fields: - CommandLine - ParentCommandLine From fe499d8838e381d781ad63914c4565ecade41a99 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 11:14:23 +0100 Subject: [PATCH 1172/1335] Update win_apt_judgement_panda_gtr19.yml --- .../process_creation/win_apt_judgement_panda_gtr19.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index c84d9bc82..c1fb93db5 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -20,10 +20,10 @@ logsource: product: windows detection: selection1: - CommandLine|contains: + - CommandLine|endswith: 'eprod.ldf' + - CommandLine|contains: - '\ldifde.exe -f -n ' - '\7za.exe a 1.7z ' - - ' eprod.ldf' - '\aaaa\procdump64.exe' - '\aaaa\netsess.exe' - '\aaaa\7za.exe' From de41e34d536883fd2d5d6d4eb044b84034f51e76 Mon Sep 17 00:00:00 2001 
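Review bot: Moving `' eprod.ldf'` to `CommandLine|endswith: 'eprod.ldf'` both narrows and loosens the match: it now fails whenever anything follows the file name (a closing quote, a redirect, further switches), and without the leading space it also matches any filename that merely ends in `eprod.ldf`. If the aim was only to avoid the leading-space pattern, `CommandLine|contains: 'eprod.ldf'` in the existing list keeps the old coverage; otherwise retain the space, `CommandLine|endswith: ' eprod.ldf'`. The rest of selection1 and the condition are outside the hunk.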
From: yugoslavskiy Date: Sat, 28 Nov 2020 11:21:23 +0100 Subject: [PATCH 1173/1335] Update win_apt_sofacy.yml --- rules/windows/process_creation/win_apt_sofacy.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml index c7f4ebce8..ac8d9ae9b 100755 --- a/rules/windows/process_creation/win_apt_sofacy.yml +++ b/rules/windows/process_creation/win_apt_sofacy.yml @@ -1,9 +1,9 @@ title: Sofacy Trojan Loader Activity id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 -author: Florian Roth, oscd.community +author: Florian Roth, Jonhnathan Ribeiro, oscd.community status: experimental date: 2018/03/01 -modified: 2020/08/27 +modified: 2020/11/28 description: Detects Trojan loader acitivty as used by APT28 references: - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ @@ -22,13 +22,14 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: CommandLine|contains|all: - 'rundll32.exe' - CommandLine|contains: - - '%APPDATA%\\*.dat",' - - '%APPDATA%\\*.dll",#1' - condition: selection + - '%APPDATA%\' + selection2: + - CommandLine|contains: '.dat",' + - CommandLine|endswith: '.dll",#1' + condition: selection1 and selection2 falsepositives: - Unknown level: critical From 78193d3e3ac4520870ca73e0da02afad81ec6137 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 11:25:28 +0100 Subject: [PATCH 1174/1335] Update win_mal_adwind.yml --- .../process_creation/win_mal_adwind.yml | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index f1836a991..6eea37379 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml 
@@ -6,7 +6,7 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf -author: Florian Roth, Tom Ueltschi +author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 modified: 2020/09/01 tags: @@ -23,25 +23,31 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - '\AppData\Roaming\Oracle*\java*.exe ' - - 'cscript.exe *Retrive*.vbs ' + - CommandLine|contains|all: + - '\AppData\Roaming\Oracle' + - '\java' + - '.exe ' + - CommandLine|contains|all: + - 'cscript.exe' + - 'Retrive' + - '.vbs ' --- logsource: + category: file_event product: windows - service: sysmon detection: selection: - EventID: 11 - TargetFilename|endswith: - - '\AppData\Roaming\Oracle\bin\java*.exe' - - '\Retrive*.vbs' + - TargetFilename|contains|all: + - '\AppData\Roaming\Oracle\bin\java' + - '.exe' + - TargetFilename|contains|all: + - '\Retrive' + - '.vbs' --- logsource: + category: registry_event product: windows - service: sysmon detection: selection: - EventID: 13 TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details|startswith: '%AppData%\Roaming\Oracle\bin\\' From 5d457f4f79f8397b8034b31c9338c293cdc41588 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 11:31:27 +0100 Subject: [PATCH 1175/1335] Update win_netsh_port_fwd.yml --- rules/windows/process_creation/win_netsh_port_fwd.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index 5af47cd0e..e1368b7e3 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml 
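Review bot: `modified: 2020/09/01` is left untouched although the hunk changes all three detection documents (the file_event/registry_event categories and the tokenised command lines); the sibling commits in this series bump it to `modified: 2020/11/28`, and downstream consumers use that field to decide which rules to re-import. While here, the registry selection keeps `Details|startswith: '%AppData%\Roaming\Oracle\bin\\'` (context line), which only fires if the Run value stores the unexpanded variable, and since `%AppData%` itself resolves to `...\AppData\Roaming` the path as written looks doubled; confirm against a sample before relying on it.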
@@ -4,7 +4,7 @@ description: Detects netsh commands that configure a port forwarding references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html date: 2019/01/29 -modified: 2020/09/01 +modified: 2020/11/28 tags: - attack.lateral_movement - attack.defense_evasion @@ -17,8 +17,12 @@ logsource: product: windows detection: selection: + Image|endswith: '\netsh.exe' CommandLine|startswith: - - 'netsh interface portproxy add v4tov4' + - 'interface' + - 'portproxy' + - 'add' + - 'v4tov4' condition: selection falsepositives: - Legitimate administration From 0fdd8e71284c0d1b835cd9eac42a88375c60c854 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 11:32:35 +0100 Subject: [PATCH 1176/1335] Update win_netsh_port_fwd_3389.yml --- rules/windows/process_creation/win_netsh_port_fwd_3389.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml index 24d23585b..91f2c0488 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml @@ -4,6 +4,7 @@ description: Detects netsh commands that configure a port forwarding of port 338 references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html date: 2019/01/29 +modified: 2020/11/28 tags: - attack.lateral_movement - attack.defense_evasion @@ -16,8 +17,8 @@ logsource: product: windows detection: selection: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - 'netsh' - 'i' - ' p' - '=3389' From dbb054777aef25c526df5d40e20e96ea9a37a2e4 Mon Sep 17 00:00:00 2001 
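Review bot: `CommandLine|startswith` with a list is an OR of prefixes, so the new selection fires only when the command line begins with `interface`, `portproxy`, `add` or `v4tov4`; a netsh command line begins with `netsh` (or the quoted netsh.exe path), so this rule now matches nothing, whereas `'netsh interface portproxy add v4tov4'` did. The modifier should be `CommandLine|contains|all:` over the same four tokens, combined with the new `Image|endswith: '\netsh.exe'`; a quick test against a real `netsh interface portproxy add v4tov4 listenport=...` event would have caught this.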
From: yugoslavskiy Date: Sat, 28 Nov 2020 12:02:16 +0100 Subject: [PATCH 1177/1335] Update win_plugx_susp_exe_locations.yml --- .../win_plugx_susp_exe_locations.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index 2f7c1cd98..ffc3f0ac4 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -7,6 +7,7 @@ references: - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ author: Florian Roth date: 2017/06/12 +modified: 2020/11/28 tags: - attack.s0013 - attack.defense_evasion 
@@ -85,7 +86,18 @@ detection: - '\Windows Kit' - '\Windows Resource Kit\' - '\Microsoft.NET\' - condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) + condition: ( selection_cammute and not filter_cammute ) or + ( selection_chrome_frame and not filter_chrome_frame ) or + ( selection_devemu and not filter_devemu ) or + ( selection_gadget and not filter_gadget ) or + ( selection_hcc and not filter_hcc ) or + ( selection_hkcmd and not filter_hkcmd ) or + ( selection_mc and not filter_mc ) or + ( selection_msmpeng and not filter_msmpeng ) or + ( selection_msseces and not filter_msseces ) or + ( selection_oinfo and not filter_oinfo ) or + ( selection_oleview and not filter_oleview ) or + ( selection_rc and not filter_rc ) fields: - CommandLine - ParentCommandLine From 331a177f69321a601b44341a461f0840c8bff896 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:10:37 +0100 Subject: [PATCH 1178/1335] Update win_proc_wrong_parent.yml --- .../process_creation/win_proc_wrong_parent.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index 8a1f501d4..84a23d598 100644 --- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml 
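Review bot: Breaking `condition:` across twelve lines relies on YAML plain multi-line scalar folding, which only works if every continuation line is indented deeper than the `condition` key; with the whitespace collapsed in this view that cannot be verified, and an unindented continuation makes the whole rule fail to parse. Writing it as a folded block scalar, `condition: >` followed by the indented clauses, states the intent explicitly and is robust to editors re-indenting. The twelve selection/filter pairs the condition refers to are outside the hunk.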
@@ -9,7 +9,7 @@ references: - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf - https://attack.mitre.org/techniques/T1036/ date: 2019/02/23 -modified: 2020/09/06 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 # an old one @@ -30,15 +30,17 @@ detection: - '\csrss.exe' - '\wininit.exe' - '\winlogon.exe' - filter: - ParentImage|endswith: - - '\System32\\*' - - '\SysWOW64\\*' - - '\SavService.exe' - - '\Windows Defender\\*\MsMpEng.exe' + filter1: + - ParentImage|endswith: '\SavService.exe' + - ParentImage|contains: + - '\System32\' + - '\SysWOW64\' + filter2: + ParentImage|contains: '\Windows Defender\' + ParentImage|endswith: '\MsMpEng.exe' filter_null: ParentImage: null - condition: selection and not filter and not filter_null + condition: selection and not filter1 and not filter2 and not filter_null falsepositives: - Some security products seem to spawn these level: low From c9596d7e30ffbf1cc01d50b7c3e4d890aa51753c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:11:53 +0100 Subject: [PATCH 1179/1335] Update win_susp_adfind.yml --- rules/windows/process_creation/win_susp_adfind.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index 07b234894..dc7ad7c4c 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -20,7 +20,7 @@ logsource: service: process_creation detection: selection: - ProcessCommandline|contains: + Commandline|contains: - 'objectcategory' - 'trustdmp' - 'dcmodes' From 68365f29c2a02bb643d604199fba0d78ec7c0cbd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:29:30 +0100 Subject: [PATCH 1180/1335] Update win_susp_certutil_command.yml --- .../win_susp_certutil_command.yml | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) 
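Review bot: `ParentImage|contains: '\System32\'` / `'\SysWOW64\'` in filter1 whitelists any parent whose path contains those directory names anywhere, e.g. `C:\Users\x\System32\loader.exe`, which is precisely the masquerading this T1036 rule is meant to catch; the old `endswith: '\System32\\*'` had the same weakness, but the rewrite is the moment to anchor it, `ParentImage|startswith: ['C:\Windows\System32\', 'C:\Windows\SysWOW64\']` or at least `contains: ':\Windows\System32\'`. filter2's `'\Windows Defender\'` + `'\MsMpEng.exe'` has the same shape but is narrow enough to leave as is.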
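Review bot: The field is renamed to `Commandline|contains`, but the Sigma process_creation field is `CommandLine` (capital L), so backends will either emit an unmapped field name or reject the rule; change it to `CommandLine|contains:`. The context line two above also shows `service: process_creation`, which should be `category: process_creation` for the process-creation logsource mapping to pick the rule up at all — both are one-word fixes in the same hunk.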
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index c830f1a6f..08eff719f 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -5,7 +5,7 @@ description: Detects a suspicious Microsoft certutil execution with sub commands the built-in certutil utility author: Florian Roth, juju4, keepwatch date: 2019/01/16 -modified: 2020/09/05 +modified: 2020/11/28 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://twitter.com/subTee/status/888102593838362624 @@ -18,27 +18,28 @@ logsource: category: process_creation product: windows detection: + suffixes_1: + CommandLine|contains: + - ' -' + - ' /' selection: CommandLine|contains: - - ' -decode ' - - ' /decode ' - - ' -decodehex ' - - ' /decodehex ' - - ' -urlcache ' - - ' /urlcache ' - - ' -verifyctl ' - - ' /verifyctl ' - - ' -encode ' - - ' /encode ' - certutil: - CommandLine|contains|all: - - 'certutil' + - 'decode ' + - 'decodehex ' + - 'urlcache ' + - 'verifyctl ' + - 'encode ' + suffixes_2: CommandLine|contains: - - '-URL' - - '/URL' - - '-ping' - - '/ping' - condition: selection or certutil + - '-' + - '/' + certutil: + Image|endswith: '\certutil.exe' + CommandLine|contains: + - 'URL' + - 'ping' + condition: suffixes_1 and selection or + suffixes_2 and certutil fields: - CommandLine - ParentCommandLine From fd102c1b5f4e9ed7e94ade28a05561247a8e3506 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:31:40 +0100 Subject: [PATCH 1181/1335] Update win_susp_certutil_encode.yml --- rules/windows/process_creation/win_susp_certutil_encode.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml index 24becd7cd..3ab6f3319 100644 
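Review bot: The first branch, `suffixes_1 and selection`, has no certutil restriction and after the split only requires `' -'` or `' /'` somewhere plus `decode ` / `encode ` / `urlcache ` somewhere else, so any process whose command line has a dash switch and the word `encode ` (an interpreter given a script path, for instance) now trips a `high` certutil rule; the old `' -decode '` strings at least kept the switch attached to the verb. Add `Image|endswith: '\certutil.exe'` to `selection` as the second branch already does, and prefer `CommandLine|contains: ['-decode', '/decode', '-encode', '/encode', ...]` over the unordered split. Sigma's `and` binds tighter than `or`, so the wrapped condition does parse as intended, but parentheses would make that explicit.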
--- a/rules/windows/process_creation/win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/win_susp_certutil_encode.yml @@ -5,9 +5,9 @@ description: Detects suspicious a certutil command that used to encode files, wh references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ -author: Florian Roth, Jonhnathan Ribeiro +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/02/24 -modified: 2020/09/05 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1027 @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: + Image|endswith: '\certutil.exe' CommandLine|contains|all: - - 'certutil' - '-f' - '-encode' condition: selection From 5278fcd476338d551000f3c11270a35c791a7ba6 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:34:28 +0100 Subject: [PATCH 1182/1335] Update win_susp_cmd_http_appdata.yml --- .../process_creation/win_susp_cmd_http_appdata.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml index 8a19f10b5..93c3f436f 100644 --- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml @@ -5,7 +5,7 @@ description: Detects a suspicious command line execution that includes an URL an references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 -author: Florian Roth, Jonhnathan Ribeiro +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/16 modified: 2020/11/20 tags: 
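Review bot: `'-f'` and `'-encode'` only cover the dash form, while certutil accepts slash switches (`certutil /encode /f ...`); the sibling rule win_susp_certutil_command revised in this same series handles both prefixes. Express each switch as an OR in its own selection, `CommandLine|contains: ['-encode', '/encode']` and `CommandLine|contains: ['-f', '/f']`, joined with `and` in the condition; the new `Image|endswith: '\certutil.exe'` keeps the short `-f`/`/f` tokens from matching unrelated tools.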
@@ -19,11 +19,11 @@ logsource: product: windows detection: selection: + Image|endswith: '\cmd.exe' CommandLine|contains|all: - - 'cmd.exe' - - '/c ' - - 'http' #Will capture both http and https - - '://*%AppData%' + - 'http' # captures both http and https + - '://' + - '%AppData%' condition: selection fields: - CommandLine From 34e64a657052fd61e1a5cd16aac126071055e060 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:42:27 +0100 Subject: [PATCH 1183/1335] Update win_susp_codepage_switch.yml --- .../process_creation/win_susp_codepage_switch.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml index bf33cd53e..09f0a7870 100644 --- a/rules/windows/process_creation/win_susp_codepage_switch.yml +++ b/rules/windows/process_creation/win_susp_codepage_switch.yml @@ -2,8 +2,9 @@ title: Suspicious Code Page Switch id: c7942406-33dd-4377-a564-0f62db0593a3 status: experimental description: Detects a code page switch in command line or batch scripts to a rare language -author: Florian Roth, Jonhnathan Ribeiro +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/10/14 +modified: 2020/11/28 references: - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers - https://twitter.com/cglyer/status/1183756892952248325 @@ -12,12 +13,11 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'chcp' + Image|endswith: '\chcp.com' CommandLine|endswith: - - ' 936' # Chinese + - ' 936' # Chinese # - ' 1256' # Arabic - - ' 1258' # Vietnamese + - ' 1258' # Vietnamese # - ' 855' # Russian # - ' 866' # Russian # - ' 864' # Arabic From 38e7853891f0415d78ca93e1d549280d82897d2e Mon Sep 17 00:00:00 2001 
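Review bot: Splitting `'://*%AppData%'` into independent `'://'` and `'%AppData%'` values drops the ordering the old pattern enforced, and `'http'` is now matched anywhere rather than as the URL scheme, so an `ftp://` fetch whose file name contains `http`, or an `%AppData%` path followed later by a URL, also matches. If that widening is intended it belongs in `falsepositives`; otherwise use the scheme as one token, `CommandLine|contains: ['http://', 'https://']`, in place of the separate `'http'` and `'://'` values. The `Image|endswith: '\cmd.exe'` binding is a clear improvement over the old `'cmd.exe'` substring.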
From: yugoslavskiy Date: Sat, 28 Nov 2020 12:44:54 +0100 Subject: [PATCH 1184/1335] Update win_susp_copy_lateral_movement.yml --- .../win_susp_copy_lateral_movement.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 3b0611bcf..7041aa9dc 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml @@ -7,7 +7,7 @@ references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2019/12/30 -modified: 2020/10/05 +modified: 2020/11/28 tags: - attack.lateral_movement - attack.collection @@ -25,21 +25,19 @@ detection: - '\robocopy.exe' - '\xcopy.exe' selection2: - Image|endswith: - - '\cmd.exe' - CommandLine|contains: - - 'copy' + Image|endswith: '\cmd.exe' + CommandLine|contains: 'copy' selection3: - Image|contains: - - '\powershell' + Image|contains: '\powershell' CommandLine|contains: - 'copy-item' - 'copy' - 'cpi ' - ' cp ' selection4: - CommandLine|contains: - - '\\\\*\*$*' + CommandLine|contains|all: + - '\\\\' + - '$' condition: (selection1 or selection2 or selection3) and selection4 fields: - CommandLine From 5d7f42a4a6f7c54bdadffd8f7c28888393055041 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:53:00 +0100 Subject: [PATCH 1185/1335] Update win_susp_crackmapexec_execution.yml --- .../win_susp_crackmapexec_execution.yml | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index 7f2ca4db2..d18f3ca47 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml 
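Review bot: `selection4` now matches any command line that contains `\\` somewhere and `$` somewhere, whereas the old `\\\\*\*$*` required the `$` to terminate a `\\host\share` prefix, i.e. an admin or hidden share. Combined with `selection3` this means any PowerShell copy that references a variable, such as `copy-item $src \\fileserver\public\`, now fires, because `$` is ubiquitous in PowerShell. I would anchor the share token instead, e.g. keep `'\\\\'` and replace `'$'` with `CommandLine|contains: ['C$', 'ADMIN$', 'IPC$', '$\']` so the dollar sign has to close a share name.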
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -19,13 +19,27 @@ logsource: product: windows detection: selection: - CommandLine|contains: + - CommandLine|contains|all: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' + - 'cmd.exe /Q /c' + - '1> \\\\' + - '\\' + - '\\' + - '2>&1' + - CommandLine|contains|all: # cme/protocols/smb/atexec.py:109 (fileless output via share) - - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' + - 'cmd.exe /C' + - '> \\\\' + - '\\' + - '\\' + - '2>&1' + - CommandLine|contains|all: # cme/protocols/smb/atexec.py:111 (fileless output via share) - - 'cmd.exe /C * > *\\Temp\\* 2>&1' + - 'cmd.exe /C' + - '>' + - '\\Temp\\' + - '2>&1' + - CommandLine|contains: # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) From c4a35036a0f8a9f2a793ec10d1088e125067432e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 12:54:18 +0100 Subject: [PATCH 1186/1335] Update win_susp_csc.yml --- rules/windows/process_creation/win_susp_csc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 2fb450a31..ffd20896d 100644 --- a/rules/windows/process_creation/win_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1094924091256176641 author: Florian Roth date: 2019/02/11 -modified: 2020/09/05 +modified: 2020/11/28 tags: - attack.execution - attack.t1059.005 @@ -19,7 +19,7 @@ logsource: product: windows detection: selection: - Image|contains: '\csc.exe' + Image|endswith: '\csc.exe' ParentImage|endswith: - '\wscript.exe' - '\cscript.exe' From 201377fa29f64425239fb71893f4c8946d6704a8 Mon Sep 17 00:00:00 2001 
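Review bot: In the first two `contains|all` lists the bare `'\\'` entries add nothing: `contains|all` tests each value independently, a value listed twice is satisfied once, and `'1> \\\\'` / `'> \\\\'` already contain a backslash, so the `\\host\share\file` depth the old wildcard pattern expressed is not enforced at all. Either drop the redundant entries or keep one distinctive token per component the old pattern required (`'\\\\'` for the UNC prefix plus `'2>&1'`) and state in the description that path depth is no longer checked. The third list is fine as is because `'\\Temp\\'` is distinctive on its own.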
From: yugoslavskiy Date: Sat, 28 Nov 2020 13:01:03 +0100 Subject: [PATCH 1187/1335] Update win_susp_csc_folder.yml --- .../process_creation/win_susp_csc_folder.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml index 7f56bff15..a0c8be97a 100644 --- a/rules/windows/process_creation/win_susp_csc_folder.yml +++ b/rules/windows/process_creation/win_susp_csc_folder.yml @@ -18,15 +18,15 @@ logsource: product: windows detection: selection: - Image|endsswith: '\csc.exe' + Image|endswith: '\csc.exe' CommandLine|contains: - - '\AppData\\' - - '\Windows\Temp\\' + - '\AppData\' + - '\Windows\Temp\' filter: - ParentImage: - - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 + - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897 + - ParentImage|endswith: + - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 + - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 condition: selection and not filter falsepositives: - https://twitter.com/gN3mes1s/status/1206874118282448897 From 77cf5d2563b41f6e50adc6f31f721fab790d7b5e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:04:05 +0100 Subject: [PATCH 1188/1335] Update win_susp_exec_folder.yml --- .../process_creation/win_susp_exec_folder.yml | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml index ea52dab2c..e203e5eea 100644 --- a/rules/windows/process_creation/win_susp_exec_folder.yml 
+++ b/rules/windows/process_creation/win_susp_exec_folder.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process starts of binaries from a suspicious folder author: Florian Roth date: 2017/10/14 -modified: 2019/02/21 +modified: 2020/11/28 references: - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses @@ -18,24 +18,24 @@ logsource: product: windows detection: selection: - Image|startswith: - - C:\PerfLogs\\ - - C:\$Recycle.bin\\ - - C:\Intel\Logs\\ - - C:\Users\Default\\ - - C:\Users\Public\\ - - C:\Users\NetworkService\\ - - C:\Windows\Fonts\\ - - C:\Windows\Debug\\ - - C:\Windows\Media\\ - - C:\Windows\Help\\ - - C:\Windows\addins\\ - - C:\Windows\repair\\ - - C:\Windows\security\\ - - '*\RSA\MachineKeys\\' - - C:\Windows\system32\config\systemprofile\\ - - C:\Windows\Tasks\\ - - C:\Windows\System32\Tasks\\ + - Image|startswith: + - 'C:\PerfLogs\' + - 'C:\$Recycle.bin\' + - 'C:\Intel\Logs\' + - 'C:\Users\Default\' + - 'C:\Users\Public\' + - 'C:\Users\NetworkService\' + - 'C:\Windows\Fonts\' + - 'C:\Windows\Debug\' + - 'C:\Windows\Media\' + - 'C:\Windows\Help\' + - 'C:\Windows\addins\' + - 'C:\Windows\repair\' + - 'C:\Windows\security\' + - 'C:\Windows\system32\config\systemprofile\' + - 'C:\Windows\Tasks\' + - 'C:\Windows\System32\Tasks\' + - Image|contains: '\RSA\MachineKeys\' condition: selection falsepositives: - Unknown From 43543031745c02ffe870400599928a3e4d9405da Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:07:22 +0100 Subject: [PATCH 1189/1335] Update win_susp_execution_path.yml --- .../win_susp_execution_path.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index 08423563d..9cb886b81 100644 
--- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a suspicious exection from an uncommon folder author: Florian Roth date: 2019/01/16 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 @@ -12,16 +13,16 @@ logsource: product: windows detection: selection: - Image|contains: - - '\$Recycle.bin' - - '\Users\All Users\\' - - '\Users\Default\\' - - '\Users\Public\\' - - 'C:\Perflogs\\' - - '\config\systemprofile\\' - - '\Windows\Fonts\\' - - '\Windows\IME\\' - - '\Windows\addins\\' + - Image|contains: + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: '\$Recycle.bin' + - Image|startswith: 'C:\Perflogs\' condition: selection fields: - CommandLine From 4e59fc0dfd2b885d2144a723b4ddeb84e160f3d7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 09:08:09 -0300 Subject: [PATCH 1190/1335] Update win_renamed_binary_highly_relevant.yml --- .../win_renamed_binary_highly_relevant.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml index 9e4d26755..ec8c67dc1 100644 --- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml +++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml 
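Review bot: `Image|endswith: '\$Recycle.bin'` can never match a process image: an executable's path ends in its file name, not in a folder name, so this value is dead and the rule silently loses the recycle-bin coverage it had with `Image|contains: '\$Recycle.bin'`. The intended check is a binary started from inside that folder, `Image|contains: '\$Recycle.bin\'`, which also fits naturally in the existing `Image|contains` list. The `startswith: 'C:\Perflogs\'` move is fine, although it hard-codes the system drive while every other value in the list is drive-agnostic.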
@@ -33,20 +33,20 @@ detection: - "cmstp.exe" - "msiexec.exe" filter: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' - - '*\psexec.exe' - - '*\psexec64.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' + Image|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' + - '\psexec.exe' + - '\psexec64.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\wmic.exe' + - '\certutil.exe' + - '\rundll32.exe' + - '\cmstp.exe' + - '\msiexec.exe' condition: selection and not filter falsepositives: - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist From 2bf4644b4806311f768f7a4bcb19853dc26928a3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 09:08:48 -0300 Subject: [PATCH 1191/1335] Update win_renamed_paexec.yml --- rules/windows/process_creation/win_renamed_paexec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index e605a412d..b062debd0 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -22,8 +22,8 @@ logsource: product: windows detection: selection1: - Product: - - '*PAExec*' + Product|contains: + - 'PAExec' selection2: Imphash: - 11D40A7B7876288F919AB819CC2D9802 From 4411fc5b0e857cee12c589d909bd809de46d566a Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 09:14:56 -0300 Subject: [PATCH 1192/1335] Update win_susp_commands_recon_activity.yml --- .../win_susp_commands_recon_activity.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml index 8810516ab..9665f1892 100644 --- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml @@ -19,24 +19,25 @@ logsource: product: windows detection: selection: - CommandLine: + - CommandLine: - tasklist - net time - systeminfo - whoami - nbtstat - net start - - '*\net1 start' - qprocess - nslookup - hostname.exe - - '*\net1 user /domain' - - '*\net1 group /domain' - - '*\net1 group "domain admins" /domain' - - '*\net1 group "Exchange Trusted Subsystem" /domain' - - '*\net1 accounts /domain' - - '*\net1 user net localgroup administrators' - - netstat -an + - CommandLine|endswith: + - '\net1 start' + - '\net1 user /domain' + - '\net1 group /domain' + - '\net1 group "domain admins" /domain' + - '\net1 group "Exchange Trusted Subsystem" /domain' + - '\net1 accounts /domain' + - '\net1 user net localgroup administrators' + - 'netstat -an' timeframe: 15s condition: selection | count() by CommandLine > 4 falsepositives: From 1896a45572c70f944f39ef10896af719c762d5e2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:28:00 +0100 Subject: [PATCH 1193/1335] Update win_susp_ntdsutil.yml --- rules/windows/process_creation/win_susp_ntdsutil.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index c38270c4f..1651ac8c0 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -6,6 +6,7 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke date: 2019/01/16 +modified: 2020/11/28 tags: - attack.credential_access - attack.t1003.003 
@@ -15,7 +16,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: '\ntdsutil' + Image|endswith: '\ntdsutil.exe' condition: selection falsepositives: - NTDS maintenance From 8293fd8e5b511bd50cf0ede83e0ee3ebbb59af2b Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:30:27 +0100 Subject: [PATCH 1194/1335] Update win_susp_iss_module_install.yml --- .../process_creation/win_susp_iss_module_install.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 79e0debe3..269e18518 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -6,6 +6,7 @@ references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth date: 2012/12/11 +modified: 2020/11/28 tags: - attack.persistence - attack.t1505.003 @@ -15,8 +16,11 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - '\APPCMD.EXE install module /name:' + Image|endswith: '\appcmd.exe' + CommandLine|contains|all: + - 'install' + - 'module' + - '/name:' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules From 501791945f8c9cd4733e0ef5cec4a31816067ab1 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:32:01 +0100 Subject: [PATCH 1195/1335] Update win_susp_msiexec_web_install.yml --- .../process_creation/win_susp_msiexec_web_install.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml index 6d02d1374..a4f8e0219 100644 --- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml 
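Review bot: Switching from `CommandLine|contains '\ntdsutil'` to `Image|endswith '\ntdsutil.exe'` makes the rule fire on every launch of ntdsutil, including the routine "NTDS maintenance" that `falsepositives` already lists, with nothing left to single out an IFM dump, which is the T1003.003 technique the tags point at. I would pair the image match with a command-line selection for the dump verbs, e.g. `CommandLine|contains: ['ifm', 'create full']` (the exact strings should be confirmed against the JPCERT reference in the header), and keep the bare image match at a lower level or in a separate rule. As written the rule is also blind to a renamed copy of ntdsutil, which the old command-line match partially covered.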
+++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml @@ -11,14 +11,15 @@ tags: - attack.t1105 author: Florian Roth date: 2018/02/09 -modified: 2020/08/30 +modified: 2020/11/28 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: - - ' msiexec*://' + CommandLine|contains|all: + - ' msiexec' + - '://' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 36299f5139c5979653d9fad0eaffc36d847ed4a6 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:33:30 +0100 Subject: [PATCH 1196/1335] Update win_susp_net_execution.yml --- rules/windows/process_creation/win_susp_net_execution.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index fea0d6045..5773c4244 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml @@ -9,7 +9,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) date: 2019/01/16 -modified: 2020/08/30 +modified: 2020/11/28 tags: - attack.discovery - attack.t1049 @@ -40,7 +40,6 @@ detection: - ' view' - ' share' - ' accounts' - - ' use' - ' stop ' condition: selection and cmdline fields: From 245a0d3438b9218b327a488996a0e110efa6377a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:34:57 +0100 Subject: [PATCH 1197/1335] Update win_susp_outlook.yml --- rules/windows/process_creation/win_susp_outlook.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
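Review bot: Removing `' use'` from the command-line list drops `net use \\host\share` — a staple of share mapping and lateral movement — from the rule, and the commit message gives no reason; the `modified` bump is the only other change. If this is a false-positive trade-off (logon scripts mapping drives are the usual source), say so in `falsepositives` and consider keeping a narrower `' use \\\\'` so only UNC mappings fire. The selection list starts before this hunk, so I cannot tell whether `net use` is still covered by another value in it.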
diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml index b35fe972e..4401ff162 100644 --- a/rules/windows/process_creation/win_susp_outlook.yml +++ b/rules/windows/process_creation/win_susp_outlook.yml @@ -11,6 +11,7 @@ tags: - attack.t1202 author: Markus Neis date: 2018/12/27 +modified: 2020/11/28 logsource: category: process_creation product: windows @@ -19,7 +20,10 @@ detection: CommandLine|contains: 'EnableUnsafeClientMailRules' outlookExec: ParentImage|endswith: '\outlook.exe' - CommandLine: \\\\*\\*.exe + CommandLine|contains|all: + - '\\\\' + - '\\' + - '.exe' condition: clientMailRules or outlookExec falsepositives: - unknown From 3481b0dd9e574c60e3627ecc923acd98e9d99873 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 12:31:55 -0300 Subject: [PATCH 1198/1335] Update win_susp_curl_start_combo.yml --- rules/windows/process_creation/win_susp_curl_start_combo.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml index 57092fbb0..94584f795 100644 --- a/rules/windows/process_creation/win_susp_curl_start_combo.yml +++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml @@ -18,7 +18,9 @@ logsource: detection: condition: selection selection: - CommandLine|contains: 'curl* start ' + CommandLine|contains|all: + - 'curl' + - ' start ' falsepositives: - Administrative scripts (installers) fields: From 63adc6fc091cbfccfc72462097692e0706a9bbbc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 12:32:35 -0300 Subject: [PATCH 1199/1335] Update win_susp_direct_asep_reg_keys_modification.yml --- .../win_susp_direct_asep_reg_keys_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
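Review bot: In `outlookExec` the value `'\\'` is redundant: `contains|all` evaluates each value on its own, and any command line containing `'\\\\'` (two backslashes) also contains one, so only `'\\\\'` and `'.exe'` actually constrain the match. The old `\\\\*\\*.exe` was a whole-value pattern requiring the command line to *be* a UNC path to an executable; the new form fires on any Outlook child whose arguments mention a UNC path and `.exe` anywhere, a wider match that should be reflected in `falsepositives` (currently `unknown`). If the original shape matters, `CommandLine|startswith: '\\\\'` together with `CommandLine|endswith: '.exe'` is closer to it.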
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 2737be5c0..810f8be98 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection_1: - Image|endswith: '*\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules selection_2: CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys From 198bdb96598bcbc2414191ddbfe11ee32b9ae999 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 12:34:06 -0300 Subject: [PATCH 1200/1335] Remove Additional backslash --- .../win_susp_execution_path_webserver.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index 6a5363957..f1ab6a6e3 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -14,14 +14,14 @@ logsource: detection: selection: Image|contains: - - '\wwwroot\\' - - '\wmpub\\' - - '\htdocs\\' + - '\wwwroot\' + - '\wmpub\' + - '\htdocs\' filter: Image|contains: - - 'bin\\' - - '\Tools\\' - - '\SMSComponent\\' + - 'bin\' + - '\Tools\' + - '\SMSComponent\' ParentImage|endswith: - '\services.exe' condition: selection and not filter From 1c56dc463ad25bd219834a3ca1428a6876293755 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 12:38:19 -0300 Subject: [PATCH 1201/1335] Remove additional backslash --- rules/windows/process_creation/win_susp_msiexec_cwd.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml index 54125b4da..a22a717cd 100644 --- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml @@ -18,9 +18,9 @@ detection: Image|endswith: '\msiexec.exe' filter: Image|startswith: - - 'C:\Windows\System32\\' - - 'C:\Windows\SysWOW64\\' - - 'C:\Windows\WinSxS\\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unknown From b24945999edc2f2718255b1b4dfe469c3fbbcbc3 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:01:24 -0300 Subject: [PATCH 1202/1335] Update win_susp_ping_hex_ip.yml --- rules/windows/process_creation/win_susp_ping_hex_ip.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index 204c2b0ac..379c08d4d 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: + Image|endswith: '\ping.exe' CommandLine|contains: - - '\ping.exe 0x' - - '\ping 0x' + - ' 0x' condition: selection fields: - ParentCommandLine From 53e1201bea809a29d0b4bd8a5060660ed13c122c Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:01:42 -0300 Subject: [PATCH 1203/1335] Update win_susp_ping_hex_ip.yml --- rules/windows/process_creation/win_susp_ping_hex_ip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index 379c08d4d..b65de49c8 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml 
@@ -17,7 +17,7 @@ detection: selection: Image|endswith: '\ping.exe' CommandLine|contains: - - ' 0x' + - '0x' condition: selection fields: - ParentCommandLine From f4f8174199f210dacf34fb518cc10c1832789497 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:04:36 -0300 Subject: [PATCH 1204/1335] Update win_susp_powershell_enc_cmd.yml --- .../process_creation/win_susp_powershell_enc_cmd.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 69dfbe117..042310763 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -17,15 +17,12 @@ logsource: detection: selection: CommandLine|contains: - - ' -e' - - ' -en' - - ' -enc' + - ' -e' #Covers -en and -enc - ' -w hidden -e' selection2: - 'JAB' selection3: - - '-e' - - '-enc' + - '-e' #Covers -en and -enc selection4: - ' BA^J' - ' SUVYI' From 2364e9870d93390dcdc690e6a5cbf0b81326d4a7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:05:47 -0300 Subject: [PATCH 1205/1335] Update win_susp_powershell_enc_cmd.yml --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 042310763..d6a6b5995 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -20,10 +20,13 @@ detection: - ' -e' #Covers -en and -enc - ' -w hidden -e' selection2: + CommandLine|contains: - 'JAB' selection3: + CommandLine|contains: - '-e' #Covers -en and -enc selection4: + CommandLine|contains: - ' BA^J' - ' SUVYI' - ' aWV4I' From c9461506f2f33f23cba7e6c1aa82e3ab08d799f0 Mon Sep 17 00:00:00 2001 
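Review bot: Dropping the leading space leaves `'0x'` as the only command-line constraint, so any ping.exe invocation whose argument merely contains the characters `0x` (a hostname or path such as `srv10x`) now matches, while a hex IP is always a separate argument and is therefore always preceded by a space or a quote. Keeping `' 0x'` as the previous commit in this series had, or listing `' 0x'` and `'"0x'`, gives the same coverage with less noise. The rule is also hex-only by design: ping accepts decimal (`2130706433`) and octal dotted forms as well, which is worth a line in the description so nobody assumes this covers all obfuscated IPs.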
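Review bot: `' -e'` is a strict prefix of many PowerShell switches, not only `-en`/`-enc`: it also matches `-ep`, `-exec`, `-ExecutionPolicy`, `-ErrorAction` and `-e` followed by anything, so `selection` and `selection3` are noticeably broader than the three values they replace and the comment `#Covers -en and -enc` understates that. Whether it matters depends on the `condition`, which is outside this hunk; if these selections are always combined with `selection2`/`selection4` it is a mild widening, but if either stands alone the explicit forms `' -e '`, `' -en '`, `' -enc '`, `' -encodedcommand '` would be safer. The follow-up commit adding `CommandLine|contains:` under `selection2`..`selection4` is a real fix, since bare lists there were free-text keyword searches rather than field matches.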
From: Jonhnathan Date: Sat, 28 Nov 2020 13:06:10 -0300 Subject: [PATCH 1206/1335] Update win_susp_powershell_enc_cmd.yml --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index d6a6b5995..ff3daef5b 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -4,7 +4,7 @@ description: Detects suspicious powershell process starts with base64 encoded co status: experimental references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e -author: Florian Roth, Markus Neis +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2018/09/03 modified: 2019/12/16 tags: From b61707e7f30176d4249adafe95e32d7e6baf9130 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:07:06 -0300 Subject: [PATCH 1207/1335] Remove additional backslash --- .../process_creation/win_susp_powershell_parent_combo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 556e286e1..c0ae01395 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -21,7 +21,7 @@ detection: Image|endswith: - '\powershell.exe' falsepositive|contains: - CurrentDirectory: '\Health Service State\\' + CurrentDirectory: '\Health Service State\' condition: selection and not falsepositive fields: - CommandLine From 27f47a8ffc45f2d955baf23ea27b1af59e35da07 Mon Sep 17 00:00:00 2001 
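Review bot: The key `falsepositive|contains:` is a selection name carrying a field modifier, which Sigma does not define; modifiers belong on the field, so depending on the backend this filter is either rejected or compiled as an exact match on `\Health Service State\`, which never equals a full directory path and silently disables the exclusion. The commit only fixes the trailing backslash; while touching the line I would also move the modifier, giving `falsepositive:` / `CurrentDirectory|contains: '\Health Service State\'`, so that `condition: selection and not falsepositive` works as intended. The `selection` block starts before this hunk and is unchanged.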
From: Jonhnathan Date: Sat, 28 Nov 2020 13:08:21 -0300 Subject: [PATCH 1208/1335] Update win_susp_procdump.yml --- rules/windows/process_creation/win_susp_procdump.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index b2fdbe2ce..b3574a29b 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -25,8 +25,9 @@ detection: CommandLine|contains: - ' lsass' selection3: - CommandLine|contains: - - ' -ma ls' + CommandLine|contains|all: + - ' -ma ' + - 'ls' condition: ( selection1 and selection2 ) or selection3 falsepositives: - Unlikely, because no one should dump an lsass process memory From a78eb61d920145925af0630b63a6e55e43b78450 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:08:51 -0300 Subject: [PATCH 1209/1335] Remove additional backslash --- .../win_susp_prog_location_process_starts.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml index 14c137892..55ff7ff2b 100644 --- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml +++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml @@ -16,12 +16,12 @@ detection: selection: Image|contains: - '\$Recycle.bin' - - '\Users\Public\\' - - 'C:\Perflogs\\' - - '\Windows\Fonts\\' - - '\Windows\IME\\' - - '\Windows\addins\\' - - '\Windows\debug\\' + - '\Users\Public\' + - 'C:\Perflogs\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - '\Windows\debug\' condition: selection falsepositives: - unknown From fc842c22b2e661d7e6e84970360138ff16b6a968 Mon Sep 17 00:00:00 2001 
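Review bot: `' -ma ls'` contains no wildcard, so there was no need to split it; as two independent `contains|all` values, `'ls'` matches almost any path (`C:\Tools\`, `Results`, `utils`) and `selection3` now fires on every `procdump -ma <anything>` run from such a location, undermining the `falsepositives` claim that only lsass dumps trigger the rule. Keep the single value `CommandLine|contains: ' -ma ls'`, or if abbreviation coverage was the goal, list the explicit forms `' -ma lsass'` and `' -ma ls '` rather than the two-character fragment. `selection1` starts before this hunk and I have not reviewed it.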
From: Jonhnathan Date: Sat, 28 Nov 2020 13:11:15 -0300 Subject: [PATCH 1210/1335] Update win_susp_prog_location_process_starts.yml --- .../win_susp_prog_location_process_starts.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml index 55ff7ff2b..47c3e24d0 100644 --- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml +++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml @@ -14,14 +14,16 @@ logsource: product: windows detection: selection: - Image|contains: - - '\$Recycle.bin' + - Image|contains: - '\Users\Public\' - - 'C:\Perflogs\' - '\Windows\Fonts\' - '\Windows\IME\' - '\Windows\addins\' - '\Windows\debug\' + - Image|endswith: + - '\$Recycle.bin' + - Image|startswith: + - 'C:\Perflogs\' condition: selection falsepositives: - unknown From e99f63f8117e10e3ea585b02236902e3401ec04d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:15:24 -0300 Subject: [PATCH 1211/1335] Update win_susp_ps_appdata.yml --- rules/windows/process_creation/win_susp_ps_appdata.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index dd8f53802..76e9b638f 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml 
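Review bot: `Image|endswith: '\$Recycle.bin'` is dead: a process image path ends in the executable's file name, never in a directory name, so this value never matches and the recycle-bin coverage the rule had via `Image|contains: '\$Recycle.bin'` is lost. What the rule wants is execution from inside the folder, `Image|contains: '\$Recycle.bin\'`, which fits in the existing `Image|contains` list; the `C:\Perflogs\` move to `startswith` is fine. The same regression appears in win_susp_execution_path.yml earlier in this series and should be fixed there too.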
@@ -9,16 +9,19 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/01/09 logsource: category: process_creation product: windows detection: selection: + CommandLine|contains|all: + - '/c' + - 'powershell' CommandLine|contains: - - ' /c powershell*\AppData\Local\\' - - ' /c powershell*\AppData\Roaming\\' + - '\AppData\Local\' + - '\AppData\Roaming\' condition: selection falsepositives: - Administrative scripts From 5cbefe37378f40b51b9db9e79f0a31946d224a34 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:18:38 -0300 Subject: [PATCH 1212/1335] Update win_susp_regsvr32_anomalies.yml --- .../process_creation/win_susp_regsvr32_anomalies.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 6760f65c3..25e41f838 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -2,7 +2,7 @@ title: Regsvr32 Anomaly id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d status: experimental description: Detects various anomalies in relation to regsvr32.exe -author: Florian Roth +author: Florian Roth, oscd.community date: 2019/01/16 modified: 2020/08/28 references: @@ -21,7 +21,7 @@ logsource: detection: selection1: Image|endswith: '\regsvr32.exe' - CommandLine|contains: '\Temp\\' + CommandLine|contains: '\Temp\' selection2: Image|endswith: '\regsvr32.exe' ParentImage|endswith: '\powershell.exe' @@ -30,9 +30,11 @@ detection: ParentImage|endswith: '\cmd.exe' selection4: Image|endswith: '\regsvr32.exe' + CommandLine|contains: + - '/i:http' + - '/i:ftp' CommandLine|endswith: - - '/i:http* scrobj.dll' - - '/i:ftp* scrobj.dll' + - 'scrobj.dll' selection5: Image|endswith: '\wscript.exe' ParentImage|endswith: '\regsvr32.exe' 
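Review bot: In win_susp_ps_appdata.yml the `contains|all` term `'/c'` lost the leading space the original `' /c powershell'` pattern carried, so any slash switch beginning with c (`/command`, `/create`, `/config`) now satisfies it, and `/c` no longer has to precede `powershell` at all. `- ' /c '` keeps the cmd.exe switch semantics the rule title and the Administrative scripts false-positive note assume. The surrounding detection block starts outside the hunk.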
From f70bd415a3081a02d1897a4cf835fa643424fa99 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:21:04 -0300 Subject: [PATCH 1213/1335] Update win_susp_run_locations.yml --- .../win_susp_run_locations.yml | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml index c00c297d4..060bc195c 100644 --- a/rules/windows/process_creation/win_susp_run_locations.yml +++ b/rules/windows/process_creation/win_susp_run_locations.yml @@ -4,7 +4,7 @@ description: Detects suspicious process run from unusual locations status: experimental references: - https://car.mitre.org/wiki/CAR-2013-05-002 -author: juju4 +author: juju4, oscd.community, Jonhnathan Ribeiro date: 2019/01/16 tags: - attack.defense_evasion @@ -15,17 +15,18 @@ logsource: product: windows detection: selection: - Image: - - '*:\RECYCLER\\*' - - '*:\SystemVolumeInformation\\*' - - 'C:\\Windows\\Tasks\\*' - - 'C:\\Windows\\debug\\*' - - 'C:\\Windows\\fonts\\*' - - 'C:\\Windows\\help\\*' - - 'C:\\Windows\\drivers\\*' - - 'C:\\Windows\\addins\\*' - - 'C:\\Windows\\cursors\\*' - - 'C:\\Windows\\system32\tasks\\*' + - Image|contains: + - ':\RECYCLER\' + - ':\SystemVolumeInformation\' + - Image|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' condition: selection falsepositives: From 0357472635b6b52b8c0d0716b1b82ec2707cdf61 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:24:38 -0300 Subject: [PATCH 1214/1335] Update win_susp_squirrel_lolbin.yml --- .../win_susp_squirrel_lolbin.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
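Review bot: The entry `':\SystemVolumeInformation\'` in win_susp_run_locations.yml has no spaces, while the on-disk folder is named `System Volume Information`, so this item presumably never matches; it was carried over from the old value, but the rewrite was the moment to fix it, e.g. `- ':\System Volume Information\'`. The `Image|startswith` list also keeps the old hard-coded `C:` drive, whereas `Image|contains: '\Windows\Tasks\'` style terms would be drive-agnostic like the RECYCLER entries above them. The trailing `condition` line(s) and `falsepositives` continue outside the hunk.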
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index b07788187..1b8e6658f 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -9,7 +9,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218 -author: Karneades / Markus Neis +author: Karneades / Markus Neis, oscd.community, Jonhnathan Ribeiro date: 2019/11/12 modified: 2020/08/28 falsepositives: @@ -51,10 +51,12 @@ logsource: product: windows detection: selection: - Image: - - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) - CommandLine: - - '*--processStart*.exe*' - - '*--processStartAndWait*.exe*' - - '*--createShortcut*.exe*' + Image|endswith: + - '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) + CommandLine|contains: + - '--processStart' + - '--processStartAndWait' + - '--createShortcut' + CommandLine|endswith: + - '.exe' condition: selection From 7aa831eac30eba85b2a1fcb9e246715e3bae87f2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:25:28 -0300 Subject: [PATCH 1215/1335] Remove additional backslash --- rules/windows/process_creation/win_susp_sysprep_appdata.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index daf98b204..56694bf67 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml 
@@ -17,7 +17,7 @@ detection: selection: CommandLine|contains|all: - 'sysprep.exe' - - '\AppData\\' + - '\AppData\' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 66a504078b7b2ef1cc42d932255fe52d6b955bf2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:25:52 +0100 Subject: [PATCH 1216/1335] Update win_susp_ping_hex_ip.yml --- rules/windows/process_creation/win_susp_ping_hex_ip.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index b65de49c8..3039c5724 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/vysecurity/status/977198418354491392 author: Florian Roth date: 2018/03/23 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1140 @@ -16,8 +17,7 @@ logsource: detection: selection: Image|endswith: '\ping.exe' - CommandLine|contains: - - '0x' + CommandLine|contains: '0x' condition: selection fields: - ParentCommandLine From 88b4d4c4e5b1e42159d23de6f0e86be277bdb8ac Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:26:22 -0300 Subject: [PATCH 1217/1335] Update win_susp_sysvol_access.yml --- rules/windows/process_creation/win_susp_sysvol_access.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index 1177796f2..f8519e258 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
@@ -5,7 +5,7 @@ description: Detects Access to Domain Group Policies stored in SYSVOL references: - https://adsecurity.org/?p=2288 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 -author: Markus Neis +author: Markus Neis, oscd.community, Jonhnathan Ribeiro date: 2018/04/09 modified: 2020/08/28 tags: @@ -17,7 +17,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: '\SYSVOL\\*\policies\\' + CommandLine|contains|all: + - '\SYSVOL\' + - '\policies\' condition: selection falsepositives: - administrative activity From f6117eebc78d12e5d4b669132f217fa6910d2c0e Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:27:28 -0300 Subject: [PATCH 1218/1335] Update win_susp_sysvol_access.yml --- rules/windows/process_creation/win_susp_sysvol_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index f8519e258..ed593df00 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml @@ -5,7 +5,7 @@ description: Detects Access to Domain Group Policies stored in SYSVOL references: - https://adsecurity.org/?p=2288 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 -author: Markus Neis, oscd.community, Jonhnathan Ribeiro +author: Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2018/04/09 modified: 2020/08/28 tags: From c01c05b82665cfb1d5e07f82501fdeb22363865f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:29:15 +0100 Subject: [PATCH 1219/1335] Update win_susp_powershell_enc_cmd.yml --- .../win_susp_powershell_enc_cmd.yml | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index ff3daef5b..e9c4b06d4 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -6,7 +6,7 @@ references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2018/09/03 -modified: 2019/12/16 +modified: 2020/11/28 tags: - attack.execution - attack.t1059.001 @@ -16,15 +16,15 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - ' -e' #Covers -en and -enc - - ' -w hidden -e' + - CommandLine|contains: ' -e' + - CommandLine|contains|all: + - ' -w' + - 'hidden' + - ' -e' selection2: - CommandLine|contains: - - 'JAB' + CommandLine|contains: 'JAB' selection3: - CommandLine|contains: - - '-e' #Covers -en and -enc + CommandLine|contains: '-e' #Covers -en and -enc selection4: CommandLine|contains: - ' BA^J' @@ -37,6 +37,8 @@ detection: - ' SQBFAFgA' - ' aQBlAHgA' falsepositive1: - CommandLine|contains: ' -ExecutionPolicy remotesigned ' + CommandLine|contains|all: + - ' -ExecutionPolicy' + - 'remotesigned ' condition: (selection and selection2) or (selection3 and selection4) and not falsepositive1 level: high From c9b5ba10f8db6abc823bda887bd8183f19c857dd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:30:34 -0300 Subject: [PATCH 1220/1335] Update win_susp_wmi_execution.yml --- .../process_creation/win_susp_wmi_execution.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml index 67f7ce39d..aa5a84943 100644 --- a/rules/windows/process_creation/win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml 
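Review bot: In win_susp_powershell_enc_cmd.yml the second branch of the new `selection` list, `CommandLine|contains|all: [' -w', 'hidden', ' -e']`, is a strict subset of the first branch `CommandLine|contains: ' -e'`, so the list collapses to `' -e'` alone and the `-w hidden` variant adds nothing; either drop it or make it the stricter term the condition actually relies on. Separately, the unchanged context line `condition: (selection and selection2) or (selection3 and selection4) and not falsepositive1` binds `and` tighter than `or`, so `not falsepositive1` only filters the second disjunct; if the ExecutionPolicy exclusion is meant for both paths it should read `condition: ((selection and selection2) or (selection3 and selection4)) and not falsepositive1`.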
@@ -6,7 +6,7 @@ references: - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ -author: Michael Haag, Florian Roth, juju4 +author: Michael Haag, Florian Roth, juju4, oscd.community date: 2019/01/16 logsource: category: process_creation @@ -15,12 +15,15 @@ detection: selection: Image|endswith: - '\wmic.exe' - CommandLine|contains: - - '/NODE:*process call create ' + selection2: + - CommandLine|contains|all: + - '/NODE:' + - 'process call create ' + - CommandLine|contains: - ' path AntiVirusProduct get ' - ' path FirewallProduct get ' - ' shadowcopy delete ' - condition: selection + condition: selection and selection2 fields: - CommandLine - ParentCommandLine From a3e436363ecfae16c9a4beacee1424bdc1e33301 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:31:37 +0100 Subject: [PATCH 1221/1335] Update win_susp_powershell_parent_combo.yml --- .../process_creation/win_susp_powershell_parent_combo.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index c0ae01395..d135cc636 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -4,6 +4,7 @@ status: experimental description: Detects suspicious powershell invocations from interpreters or unusual programs author: Florian Roth date: 2019/01/16 +modified: 2020/11/28 references: - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ tags: 
@@ -18,10 +19,9 @@ detection: ParentImage|endswith: - '\wscript.exe' - '\cscript.exe' - Image|endswith: - - '\powershell.exe' - falsepositive|contains: - CurrentDirectory: '\Health Service State\' + Image|endswith: '\powershell.exe' + falsepositive: + CurrentDirectory|contains: '\Health Service State\' condition: selection and not falsepositive fields: - CommandLine From 0d0f58c8305ef8a654d135b5ea019773c5eebd09 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:32:44 -0300 Subject: [PATCH 1222/1335] Update win_system_exe_anomaly.yml --- .../win_system_exe_anomaly.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml index 1a7f614fb..fecb43bfd 100644 --- a/rules/windows/process_creation/win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -4,7 +4,7 @@ status: experimental description: Detects a Windows program executable started in a suspicious folder references: - https://twitter.com/GelosSnake/status/934900723426439170 -author: Florian Roth, Patrick Bareiss +author: Florian Roth, Patrick Bareiss, oscd.community date: 2017/11/27 tags: - attack.defense_evasion @@ -38,15 +38,16 @@ detection: - '\audiodg.exe' - '\wlanext.exe' filter: - Image|startswith: - - 'C:\Windows\System32\\' - - 'C:\Windows\system32\\' - - 'C:\Windows\SysWow64\\' - - 'C:\Windows\SysWOW64\\' + - Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWow64\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\winsxs\' + - 'C:\Windows\WinSxS\' + - '\SystemRoot\System32\' + - Image: - 'C:\Windows\explorer.exe' - - 'C:\Windows\winsxs\\' - - 'C:\Windows\WinSxS\\' - - '\SystemRoot\System32\\' condition: selection and not filter fields: - ComputerName From 2ed4b262915c59f177da0d105d3e7712f1ccd4c1 Mon Sep 17 00:00:00 2001 
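Review bot: The `Image|startswith: 'C:\Windows\System32\'` filter in win_system_exe_anomaly.yml whitelists every subfolder of System32, including `C:\Windows\System32\Tasks\`, which win_susp_run_locations.yml in this same series lists as a suspicious run location; a binary carrying one of the system names in `selection` but launched from such a subfolder is therefore excluded by `condition: selection and not filter`. Consider carving those subfolders out with a second selection, e.g. `filter_sub: Image|contains: '\System32\Tasks\'` and `condition: selection and (not filter or filter_sub)`. Since Sigma matching is case-insensitive on most backends, the paired `System32`/`system32`, `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` entries are presumably redundant and could be collapsed for readability. The `selection` list itself starts outside the hunk.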
From: yugoslavskiy Date: Sat, 28 Nov 2020 17:33:02 +0100 Subject: [PATCH 1223/1335] Update win_susp_procdump.yml --- rules/windows/process_creation/win_susp_procdump.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index b3574a29b..887677ecc 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -6,7 +6,7 @@ references: - Internal Research author: Florian Roth date: 2018/10/30 -modified: 2019/10/14 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 @@ -19,11 +19,9 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - ' -ma ' + CommandLine|contains: ' -ma ' selection2: - CommandLine|contains: - - ' lsass' + CommandLine|contains: ' lsass' selection3: CommandLine|contains|all: - ' -ma ' From bcf62fba7292b103607f8ea13f8018c408e990a5 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:34:34 +0100 Subject: [PATCH 1224/1335] Update win_susp_ps_appdata.yml --- rules/windows/process_creation/win_susp_ps_appdata.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index 76e9b638f..f07e84b98 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -9,8 +9,9 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one -author: Florian Roth, oscd.community, Jonhnathan Ribeiro +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/09 +modified: 2020/11/28 logsource: category: process_creation product: windows 
@@ -19,9 +20,10 @@ detection: CommandLine|contains|all: - '/c' - 'powershell' + - '\AppData\' CommandLine|contains: - - '\AppData\Local\' - - '\AppData\Roaming\' + - 'Local\' + - 'Roaming\' condition: selection falsepositives: - Administrative scripts From 9f4bbb7e653e5a0edc781e9a72c143019839c737 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:35:50 -0300 Subject: [PATCH 1225/1335] Update win_webshell_detection.yml --- .../process_creation/win_webshell_detection.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 49f1bdfae..e3b75ba3a 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -1,7 +1,7 @@ title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c description: Detects certain command line parameters often used during reconnaissance activity via web shells -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community reference: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html date: 2017/01/01 @@ -16,13 +16,15 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\apache*' - - '\tomcat*' + - ParentImage|endswith: - '\w3wp.exe' - '\php-cgi.exe' - '\nginx.exe' - '\httpd.exe' + - ParentImage|contains: + - '\apache' + - '\tomcat' + selection2: CommandLine|contains: - 'whoami' - 'net user ' @@ -30,7 +32,7 @@ detection: - 'systeminfo' - '&cd&echo' - 'cd /d' # https://www.computerhope.com/cdhlp.htm - condition: selection + condition: selection and selection2 fields: - CommandLine - ParentCommandLine From f0bf3d13b5fa0da4503828ff6b5602d97eeadad1 Mon Sep 17 00:00:00 2001 
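Review bot: With `'\AppData\'` now required by the `contains|all` list in win_susp_ps_appdata.yml, the remaining `CommandLine|contains: ['Local\', 'Roaming\']` alternatives are no longer anchored to the AppData path and are satisfied by any `Local\` or `Roaming\` segment elsewhere on the line, while `\AppData\LocalLow\` is not matched by either. If the intent is "any AppData subfolder", the second list can simply be dropped; if the two subfolders are deliberate, `'\AppData\Local\'` and `'\AppData\Roaming\'` keep them anchored. The detection block starts outside the hunk.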
From: Jonhnathan Date: Sat, 28 Nov 2020 13:38:34 -0300 Subject: [PATCH 1226/1335] Update win_webshell_detection.yml --- .../process_creation/win_webshell_detection.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index e3b75ba3a..9f6d8db77 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -25,13 +25,19 @@ detection: - '\apache' - '\tomcat' selection2: - CommandLine|contains: + - CommandLine|contains: - 'whoami' - - 'net user ' - - 'ping -n ' - 'systeminfo' - '&cd&echo' - - 'cd /d' # https://www.computerhope.com/cdhlp.htm + - CommandLine|contains|all: + - 'net' + - 'user' + - CommandLine|contains|all: + - 'cd' # https://www.computerhope.com/cdhlp.htm + - '/d' + - CommandLine|contains|all: + - 'ping' + - '-n' condition: selection and selection2 fields: - CommandLine From ea550cf5519656cc98997a4121adb827d805a6f6 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:40:40 +0100 Subject: [PATCH 1227/1335] Update win_susp_regsvr32_anomalies.yml --- .../process_creation/win_susp_regsvr32_anomalies.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 25e41f838..8f8353422 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -4,7 +4,7 @@ status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth, oscd.community date: 2019/01/16 -modified: 2020/08/28 +modified: 2020/11/28 references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html tags: 
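Review bot: Splitting `'net user '` into `CommandLine|contains|all: ['net', 'user']` in win_webshell_detection.yml widens the match to any command line containing both substrings anywhere, e.g. `dotnet` plus `username`, and the same applies to `['cd', '/d']` and `['ping', '-n']`; since `selection2` is ANDed with a web-server parent, the rule will now fire on routine child processes of those servers. If the split was meant to tolerate variable whitespace, keep the tokens delimited, e.g. `- ' net '` and `- ' user'`, or restore the original single terms `- 'net user '`, `- 'cd /d'`, `- 'ping -n '`. The `selection` branch and `condition` line are outside this hunk.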
@@ -14,7 +14,6 @@ tags: - attack.t1117 # an old one - car.2019-04-002 - car.2019-04-003 - logsource: category: process_creation product: windows @@ -30,11 +29,12 @@ detection: ParentImage|endswith: '\cmd.exe' selection4: Image|endswith: '\regsvr32.exe' + CommandLine|contains|all: + - '/i:' CommandLine|contains: - - '/i:http' - - '/i:ftp' - CommandLine|endswith: - - 'scrobj.dll' + - 'http' + - 'ftp' + CommandLine|endswith: 'scrobj.dll' selection5: Image|endswith: '\wscript.exe' ParentImage|endswith: '\regsvr32.exe' From fe3ed329ef952e526aa907365fe6f292f20b4ebc Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:41:11 -0300 Subject: [PATCH 1228/1335] Update win_webshell_recon_detection.yml --- .../process_creation/win_webshell_recon_detection.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml index 5ecc3568d..20eab67aa 100644 --- a/rules/windows/process_creation/win_webshell_recon_detection.yml +++ b/rules/windows/process_creation/win_webshell_recon_detection.yml @@ -16,13 +16,15 @@ logsource: product: windows detection: selection: - ParentImage|contains: + - ParentImage|contains: - '\apache' - '\tomcat' + - ParentImage|endswith: - '\w3wp.exe' - '\php-cgi.exe' - '\nginx.exe' - '\httpd.exe' + selection2: Image|endswith: - '\cmd.exe' CommandLine|contains: @@ -30,7 +32,7 @@ detection: - 'python --help' - 'wget --help' - 'perl -h' - condition: selection + condition: selection and selection2 fields: - Image - CommandLine From f1455e0c38138ef517e4d876365c891705692a44 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:42:30 -0300 Subject: [PATCH 1229/1335] Update win_win10_sched_task_0day.yml --- .../windows/process_creation/win_win10_sched_task_0day.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
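Review bot: In selection4 of win_susp_regsvr32_anomalies.yml the new `CommandLine|contains|all:` holds a single item `'/i:'`, which is just `contains`, and detaching `http`/`ftp` from `/i:` means a `/i:` argument plus an unrelated `http` substring anywhere on the line now satisfy the selection, whereas the previous `CommandLine|contains: ['/i:http', '/i:ftp']` kept the scheme bound to the switch. Restoring those two adjacent values (or using `contains|all` with a second meaningful term) keeps the scrobj.dll-over-URL intent precise. The rest of the `detection` block is outside the hunk.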
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml index 42a387ec3..282891345 100644 --- a/rules/windows/process_creation/win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml @@ -13,7 +13,11 @@ logsource: detection: selection: Image|endswith: '\schtasks.exe' - CommandLine|contains: '/change*/TN*/RU*/RP' + CommandLine|contains|all: + - '/change' + - '/TN' + - '/RU' + - '/RP' condition: selection falsepositives: - Unknown From ca0a6547fbd87d775165ecaac5e634017c9f6ecc Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:42:47 +0100 Subject: [PATCH 1230/1335] Update win_susp_run_locations.yml --- rules/windows/process_creation/win_susp_run_locations.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml index 060bc195c..2119c1e0e 100644 --- a/rules/windows/process_creation/win_susp_run_locations.yml +++ b/rules/windows/process_creation/win_susp_run_locations.yml @@ -4,8 +4,9 @@ description: Detects suspicious process run from unusual locations status: experimental references: - https://car.mitre.org/wiki/CAR-2013-05-002 -author: juju4, oscd.community, Jonhnathan Ribeiro +author: juju4, Jonhnathan Ribeiro, oscd.community date: 2019/01/16 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 @@ -27,7 +28,6 @@ detection: - 'C:\Windows\addins\' - 'C:\Windows\cursors\' - 'C:\Windows\system32\tasks\' - condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 42f27a41cbce690c3eaccc8fab6ff03a1308279d Mon Sep 17 00:00:00 2001 
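Review bot: The second hunk of the win_susp_run_locations.yml change removes a `condition: selection` line, and the header counts (old 7 lines, new 6) show one line that is not visible in the collapsed text, presumably a duplicate `condition: selection` that this deletion de-duplicates; that should be confirmed, because a rule left with no `condition` fails Sigma validation and silently stops producing a query. If the duplicate is indeed the case, a short commit message such as `Remove duplicated condition line` would make the intent clear.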
From: yugoslavskiy Date: Sat, 28 Nov 2020 17:44:30 +0100 Subject: [PATCH 1231/1335] Update win_susp_rundll32_by_ordinal.yml --- .../process_creation/win_susp_rundll32_by_ordinal.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 64c953780..d9d7e136b 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -13,13 +13,15 @@ tags: - attack.t1085 # an old one author: Florian Roth date: 2019/10/22 +modified: 2020/11/28 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: '\rundll32.exe' - CommandLine|contains: ',#' + CommandLine|contains|all: + - '\rundll32.exe' + - ',#' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 06cc5049a4204922b6b1d25f1c1a641a6a06a4e4 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:46:02 -0300 Subject: [PATCH 1232/1335] Update sysmon_dns_serverlevelplugindll.yml --- .../registry_event/sysmon_dns_serverlevelplugindll.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index 03283b219..fd7d5d2c1 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -38,5 +38,8 @@ logsource: product: windows detection: dnsadmin: - CommandLine|startswith: 'dnscmd.exe /config /serverlevelplugindll ' + Image|endswith: '\dnscmd.exe' + CommandLine|contains|all: + - '/config' + - '/serverlevelplugindll' condition: 1 of them From 3c75bc922a14f3907b0bab3485ee8f19a523b08b Mon Sep 17 00:00:00 2001 
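Review bot: In win_susp_rundll32_by_ordinal.yml the term `'\rundll32.exe'` is matched against `CommandLine`, so an invocation typed without a path (`rundll32 foo.dll,#1`) contains neither the backslash nor the extension and is missed, even though `,#` is present. Since the rule is process_creation, `Image|endswith: '\rundll32.exe'` together with `CommandLine|contains: ',#'` is both tighter and independent of how the binary was named on the command line. The merge of the two duplicate `CommandLine|contains` keys into one `contains|all` is the right fix for the YAML override bug.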
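Review bot: The rewritten `dnsadmin` selection in sysmon_dns_serverlevelplugindll.yml keys on `Image` and `CommandLine`, yet the file lives under `registry_event`; if the `logsource` above the hunk is a registry event source, those process fields will not be populated for dnscmd.exe and this branch of `condition: 1 of them` can never fire. Either confirm the logsource covers process creation or split this selection into a process_creation rule. `CommandLine|contains|all: ['/config', '/serverlevelplugindll']` is otherwise a sensible loosening of the old `startswith`.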
From: yugoslavskiy Date: Sat, 28 Nov 2020 17:47:16 +0100 Subject: [PATCH 1233/1335] Update win_susp_squirrel_lolbin.yml --- .../process_creation/win_susp_squirrel_lolbin.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index 1b8e6658f..f64de8c5d 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -9,9 +9,9 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218 -author: Karneades / Markus Neis, oscd.community, Jonhnathan Ribeiro +author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2020/08/28 +modified: 2020/11/28 falsepositives: - 1Clipboard - Beaker Browser @@ -51,12 +51,11 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) + Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) CommandLine|contains: - '--processStart' - '--processStartAndWait' - '--createShortcut' - CommandLine|endswith: + CommandLine|contains|all: - '.exe' condition: selection From ef34c94e6a3b6ec0505e57f388bcdac9dc2003ee Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:49:18 -0300 Subject: [PATCH 1234/1335] Update sysmon_registry_persistence_search_order.yml --- .../sysmon_registry_persistence_search_order.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index ae431d0e2..cfdc15df8 100755 
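Review bot: In win_susp_squirrel_lolbin.yml the new `CommandLine|contains|all:` holds the single item `'.exe'`, which is equivalent to plain `contains` and is presumably satisfied by almost every command line, since the image path normally appears on it; the term therefore no longer expresses "an .exe argument follows the switch" as the old `'*--processStart*.exe*'` wildcard did. If that ordering matters, the regex already hinted at in the `Image` comment is the way to express it, e.g. `CommandLine|re: '--(processStart|processStartAndWait|createShortcut)\s+\S+\.exe'`; otherwise drop the `.exe` term rather than keep a no-op.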
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -18,12 +18,18 @@ detection: selection: # Detect new COM servers in the user hive TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' filter: - Details|contains: # Exclude privileged directories and observed FPs + - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' - - '\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll' - - '\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll' - - '\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\OneDrive\' + - '\FileCoAuthLib64.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\OneDrive\' + - '\FileSyncShell64.dll' + - Details|contains|all: + - '\AppData\Local\Microsoft\TeamsMeetingAddin\' + - '\Microsoft.Teams.AddinLoader.dll' condition: selection and not filter falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level From c0c74a05df80a5ff76a056787f34f9fb99691b8b Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 17:49:21 +0100 Subject: [PATCH 1235/1335] Update win_susp_sysvol_access.yml --- rules/windows/process_creation/win_susp_sysvol_access.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index ed593df00..f6ac9d331 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
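Review bot: The context line `TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'` in sysmon_registry_persistence_search_order.yml still uses the double-backslash-plus-wildcard form that every other commit in this series is migrating away from, so the file is now internally inconsistent; `TargetObject|startswith: 'HKU\'` plus `TargetObject|contains|all: ['_Classes\CLSID\', '\InProcServer32\(Default)']` would match the new style. Note also that each new `Details|contains|all` pair accepts its two substrings in either order, which is looser than the ordered path pattern it replaces; `Details|endswith` for the DLL name keeps the exclusion as narrow as before.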
@@ -5,9 +5,9 @@ description: Detects Access to Domain Group Policies stored in SYSVOL references: - https://adsecurity.org/?p=2288 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 -author: Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +author: Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2018/04/09 -modified: 2020/08/28 +modified: 2020/11/28 tags: - attack.credential_access - attack.t1552.006 From 986800056c730c86e7e2d539dd08f26057cc7f15 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:50:13 -0300 Subject: [PATCH 1236/1335] Update sysmon_stickykey_like_backdoor.yml --- rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 5f406210d..00b75537b 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -41,7 +41,7 @@ detection: selection_process: ParentImage|endswith: - '\winlogon.exe' - CommandLine|contains|all: + Image|contains|all: - 'cmd.exe' CommandLine|contains: - 'sethc.exe' From f504ccc33fe19cb385ebf8b6922d2c31c564a89d Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:52:36 -0300 Subject: [PATCH 1237/1335] Update sysmon_susp_reg_persist_explorer_run.yml --- .../sysmon_susp_reg_persist_explorer_run.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 0ecd0dfe1..2c6ae5ca2 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml 
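Review bot: In sysmon_stickykey_like_backdoor.yml the renamed key `Image|contains|all:` carries a single value `'cmd.exe'`, which is just `contains` and also matches any image whose name merely ends in those characters; `Image|endswith: '\cmd.exe'` states the intent directly. The switch from `CommandLine` to `Image` for this term is a sensible tightening, as the `CommandLine|contains: 'sethc.exe'` term below already covers the argument side. The `selection_process` block continues outside the hunk.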
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key id: b7916c2a-fa2f-4795-9477-32b731f70f11 status: experimental description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder -author: Florian Roth +author: Florian Roth, oscd.community date: 2018/07/18 modified: 2020/09/06 references: @@ -13,15 +13,17 @@ logsource: detection: selection: TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - Details|startswith: + selection2: + - Details|startswith: - 'C:\Windows\Temp\' - 'C:\ProgramData\' - - '*\AppData\' - 'C:\$Recycle.bin\' - 'C:\Temp\' - 'C:\Users\Public\' - 'C:\Users\Default\' - condition: selection + - Details|contains: + - '\AppData\' + condition: selection and selection2 tags: - attack.persistence - attack.t1060 # an old one From 95eb7424aacc9baf82cf7d4ac691426cf195b6b2 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Sat, 28 Nov 2020 13:54:59 -0300 Subject: [PATCH 1238/1335] Update sysmon_susp_run_key_img_folder.yml --- .../registry_event/sysmon_susp_run_key_img_folder.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 8faa52d1f..af430e49a 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml @@ -19,17 +19,19 @@ detection: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' - Details|contains: + selection2: + - Details|contains: - 'C:\Windows\Temp\' - 'C:\$Recycle.bin\' - 'C:\Temp\' - 'C:\Users\Public\' - - '%Public%\' - 'C:\Users\Default\' - 'C:\Users\Desktop\' + - Details|startswith: + - '%Public%\' - 'wscript' - 'cscript' - condition: selection + condition: selection and selection2 fields: - Image falsepositives: 
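Review bot: `Details|startswith` against bare `C:\...` prefixes in `selection2` misses Run-key data that is written with surrounding double quotes or that lives on a non-C: system drive; since the old `'*\AppData\'` entry already moved to a `Details|contains` alternative, the same treatment for the other prefixes (e.g. `Details|contains: '\Windows\Temp\'`) would be more robust. Whether the quoted form is common enough in real telemetry to matter should be confirmed against events. In this hunk `selection` constrains only `TargetObject|endswith`, so `selection2` is the sole constraint on the data value.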
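Review bot: Moving `- 'wscript'` and `- 'cscript'` under the new `Details|startswith` list narrows them from substring to prefix matches, so a Run value such as (constructed example) `C:\Windows\System32\wscript.exe //B x.vbs`, which the old `Details|contains` list caught, no longer matches. Keep those two entries under the `- Details|contains:` alternative of `selection2` and leave only `'%Public%\'` under `startswith`. The diffstat (5 insertions, 3 deletions) confirms the two lines are unchanged context whose parent key changed.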
From 258334d6d1d8e7efdbb5dc2989eb2f1f1130fe41 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:01:06 +0100 Subject: [PATCH 1239/1335] Update win_susp_wmi_execution.yml --- .../win_susp_wmi_execution.yml | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml index aa5a84943..4fec4caa2 100644 --- a/rules/windows/process_creation/win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -8,22 +8,30 @@ references: - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ author: Michael Haag, Florian Roth, juju4, oscd.community date: 2019/01/16 +modified: 2020/11/28 logsource: category: process_creation product: windows detection: selection: - Image|endswith: - - '\wmic.exe' + Image|endswith: '\wmic.exe' selection2: - - CommandLine|contains|all: + CommandLine|contains|all: - '/NODE:' - - 'process call create ' - - CommandLine|contains: - - ' path AntiVirusProduct get ' - - ' path FirewallProduct get ' - - ' shadowcopy delete ' - condition: selection and selection2 + - 'process' + - 'call' + - 'create ' + recon_part1: + CommandLine|contains: ' path ' + recon_part2: + CommandLine|contains: + - 'AntiVirus' + - 'Firewall' + CommandLine|contains|all: + - 'Product' + - ' get ' + condition: selection and selection2 or + selection and recon_part1 and recon_part2 fields: - CommandLine - ParentCommandLine From c761d05a17be09d5d470c49dce008beea6184642 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:03:19 +0100 Subject: [PATCH 1241/1335] Update win_system_exe_anomaly.yml --- rules/windows/process_creation/win_system_exe_anomaly.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
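Review bot: The rewrite drops the `' shadowcopy delete '` alternative from the old `selection2` list, so wmic-driven shadow copy deletion is no longer covered by this rule at all; the new `recon_part1`/`recon_part2` pair only replaces the AntiVirusProduct/FirewallProduct queries. A separate selection restores it, and parentheses make the mixed `and`/`or` condition unambiguous for readers even though Sigma precedence already evaluates it as intended. Splitting `'process call create '` into three order-independent tokens in `selection2` is also broader than before; confirm that is deliberate.
```yaml
    recon_part2:
        # … unchanged: AntiVirus/Firewall + Product/get matching …
    shadowcopy_delete:
        CommandLine|contains: ' shadowcopy delete '
    condition: selection and (selection2 or shadowcopy_delete or (recon_part1 and recon_part2))
```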
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml index fecb43bfd..914730b9c 100644 --- a/rules/windows/process_creation/win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth, Patrick Bareiss, oscd.community date: 2017/11/27 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 @@ -46,8 +47,7 @@ detection: - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - '\SystemRoot\System32\' - - Image: - - 'C:\Windows\explorer.exe' + - Image: 'C:\Windows\explorer.exe' condition: selection and not filter fields: - ComputerName From 9f8ef95571309a15907697595598dce710ecf1ba Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:25:09 +0100 Subject: [PATCH 1242/1335] Update win_webshell_detection.yml --- .../win_webshell_detection.yml | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 9f6d8db77..f9ba29bd7 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -5,7 +5,7 @@ author: Florian Roth, Jonhnathan Ribeiro, oscd.community reference: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html date: 2017/01/01 -modified: 2019/10/26 +modified: 2019/11/28 tags: - attack.persistence - attack.t1505.003 
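Review bot: `modified: 2019/11/28` in win_webshell_detection.yml looks like a typo for `2020/11/28`: the commit is dated 28 Nov 2020 and every other rule touched in this series sets `modified: 2020/11/28`, while the previous value was already 2019/10/26. Since `modified` is the field consumers use to pick up rule changes, the wrong year hides this edit from anyone filtering on it.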
@@ -25,20 +25,23 @@ detection: - '\apache' - '\tomcat' selection2: - - CommandLine|contains: - - 'whoami' - - 'systeminfo' - - '&cd&echo' - - CommandLine|contains|all: - - 'net' - - 'user' + Image|endswith: + - '\whoami.exe' + - '\systeminfo.exe' + selection3: + Image|endswith: + - '\net1.exe' + - '\net.exe' + CommandLine|contains: 'user' + selection4: - CommandLine|contains|all: - 'cd' # https://www.computerhope.com/cdhlp.htm - '/d' - - CommandLine|contains|all: - - 'ping' - - '-n' - condition: selection and selection2 + - CommandLine|contains: '&cd&echo' + selection5: + Image|endswith: '\ping.exe' + CommandLine|contains: '-n' + condition: selection and ( selection2 or selection3 or selection4 or selection5 ) fields: - CommandLine - ParentCommandLine From 39c2258848b3d05f324f05056b57209b18a517fd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:30:41 +0100 Subject: [PATCH 1243/1335] Update sysmon_registry_persistence_search_order.yml --- .../sysmon_registry_persistence_search_order.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index cfdc15df8..8e31caf6f 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -4,9 +4,9 @@ status: experimental description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ -author: Maxime Thiebaut (@0xThiebaut) +author: Maxime Thiebaut (@0xThiebaut), oscd.community date: 2020/04/14 -modified: 2020/09/06 +modified: 2020/11/28 tags: - attack.persistence - attack.t1038 # an old one 
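Review bot: Replacing `CommandLine|contains: 'whoami'`/`'systeminfo'` with `Image|endswith` in `selection2` changes which event the rule can fire on: when a web-server process runs a shell that in turn runs `whoami`, the `whoami.exe` process-creation event has the shell as its parent, so it no longer satisfies `selection` (whose parent-image field is above the hunk, presumably `ParentImage`). The same applies to `selection3` (`net.exe`/`net1.exe`) and `selection5` (`ping.exe`). If that shell-wrapped pattern matters, keep a `CommandLine|contains` alternative alongside the `Image|endswith` entries by making `selection2` a list of maps. The `selection4` `contains|all` of `'cd'` and `'/d'` is pre-existing but matches any `cd` substring, so it will dominate the rule's noise.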
@@ -16,7 +16,10 @@ logsource: product: windows detection: selection: # Detect new COM servers in the user hive - TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)' + TargetObject|contains|all: + - 'HKU\' + - '_Classes\CLSID\' + - '\InProcServer32\(Default)' filter: - Details|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' From 5196926d60ac2fbf4ee91f83f532ccb275fdeb72 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:33:21 +0100 Subject: [PATCH 1244/1335] Update sysmon_stickykey_like_backdoor.yml --- .../registry_event/sysmon_stickykey_like_backdoor.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 00b75537b..7a6b78194 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -12,9 +12,9 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 -author: Florian Roth, @twjackomo, Jonhnathan Ribeiro +author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community date: 2018/03/15 -modified: 2020/09/06 +modified: 2020/11/28 falsepositives: - Unlikely level: critical @@ -39,10 +39,8 @@ logsource: product: windows detection: selection_process: - ParentImage|endswith: - - '\winlogon.exe' - Image|contains|all: - - 'cmd.exe' + ParentImage|endswith: '\winlogon.exe' + Image|endswith: '\cmd.exe' CommandLine|contains: - 'sethc.exe' - 'utilman.exe' From 7dc5233dd973f648f4f36888fa5902143500c04b Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:43:04 +0100 Subject: [PATCH 1245/1335] Update win_susp_commands_recon_activity.yml --- .../process_creation/win_susp_commands_recon_activity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
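Review bot: `TargetObject|contains|all` loses the anchoring of the old `HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)` pattern: `'HKU\'` is now matched anywhere in the key path and `'\InProcServer32\(Default)'` need not be its end. `TargetObject|startswith: 'HKU\'` together with `TargetObject|endswith: '\InProcServer32\(Default)'` and `TargetObject|contains: '_Classes\CLSID\'` expresses the same constraint without wildcards. Both are standard Sigma modifiers, but confirm the backends this rule targets support `startswith` on registry paths.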
diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml index 9665f1892..1f1037f95 100644 --- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml @@ -8,7 +8,7 @@ references: - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html author: Florian Roth, Markus Neis date: 2018/08/22 -modified: 2018/12/11 +modified: 2020/11/28 tags: - attack.discovery - attack.t1087 @@ -29,6 +29,7 @@ detection: - qprocess - nslookup - hostname.exe + - 'netstat -an' - CommandLine|endswith: - '\net1 start' - '\net1 user /domain' @@ -37,7 +38,6 @@ detection: - '\net1 group "Exchange Trusted Subsystem" /domain' - '\net1 accounts /domain' - '\net1 user net localgroup administrators' - - 'netstat -an' timeframe: 15s condition: selection | count() by CommandLine > 4 falsepositives: From 5afb445b8b09591b5b0e9b7226bafe9dc54a2631 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:52:43 +0100 Subject: [PATCH 1246/1335] restored the rule --- rules/linux/lnx_setgid_setuid.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/lnx_setgid_setuid.yml index 84472e44f..80d7deb2f 100644 --- a/rules/linux/lnx_setgid_setuid.yml +++ b/rules/linux/lnx_setgid_setuid.yml @@ -10,12 +10,12 @@ references: logsource: product: linux detection: - selection1|contains: - - 'chown root' - selection2|contains: - - ' chmod u+s' + selection1: + - '*chown root*' + selection2: + - '* chmod u+s*' selection3|contains: - - ' chmod g+s' + - '* chmod g+s*' condition: (selection1 and selection2) or (selection1 and selection3) falsepositives: - Legitimate administration activities From 8c2f8845040b701f3662c9fc36392231ae41ee16 Mon Sep 17 00:00:00 2001 
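Review bot: `condition: selection | count() by CommandLine > 4` groups on the command line itself, so it counts five executions of the same command within `timeframe: 15s` rather than five different recon commands; a burst of distinct commands on one host, which the rule's name suggests is the target, never reaches the threshold. Grouping by host (e.g. `count() by ComputerName > 4`) matches that intent better; these lines are unchanged context in this hunk. The moved `'netstat -an'` entry now sits under the list whose modifier is above the hunk, so confirm that list is a `contains`-style match rather than another `endswith`.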
From: yugoslavskiy Date: Sat, 28 Nov 2020 18:53:13 +0100 Subject: [PATCH 1247/1335] restore the rule --- rules/linux/lnx_setgid_setuid.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/lnx_setgid_setuid.yml index 80d7deb2f..50fda753c 100644 --- a/rules/linux/lnx_setgid_setuid.yml +++ b/rules/linux/lnx_setgid_setuid.yml @@ -11,10 +11,10 @@ logsource: product: linux detection: selection1: - - '*chown root*' + - '*chown root*' selection2: - '* chmod u+s*' - selection3|contains: + selection3: - '* chmod g+s*' condition: (selection1 and selection2) or (selection1 and selection3) falsepositives: From 207623d2d7426807cdbf49ed89de69b33817f3eb Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 18:59:00 +0100 Subject: [PATCH 1248/1335] Update proxy_susp_flash_download_loc.yml --- rules/proxy/proxy_susp_flash_download_loc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index dc9f44869..521ab197a 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -4,15 +4,15 @@ status: experimental description: Detects a flashplayer update from an unofficial location author: Florian Roth date: 2017/10/25 +modified: 2020/11/28 references: - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb logsource: category: proxy detection: selection: - c-uri-query|contains: - - '/install_flash_player.exe' - - '/flash_install.php' + - c-uri-query|contains: '/flash_install.php' + - c-uri-query|endswith: '/install_flash_player.exe' filter: c-uri-stem|contains: '.adobe.com/' condition: selection and not filter From 68a62a5428a6b2f5bc4a92619f2bbc2b8ddb2018 Mon Sep 17 00:00:00 2001 
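Review bot: `c-uri-query|endswith: '/install_flash_player.exe'` anchors a path-looking value to the end of the query field; if `c-uri-query` carries only the part after `?` in the proxy field mapping, a request for that path with no query string never matches, and the first alternative has the same problem. `c-uri|endswith` (or `c-uri-stem|endswith`) is the natural field for a file name and is consistent with the `c-uri-stem` already used in `filter`. Worth confirming against the field taxonomy before merging.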
From: yugoslavskiy Date: Sat, 28 Nov 2020 19:02:53 +0100 Subject: [PATCH 1249/1335] Update zeek_smb_converted_win_impacket_secretdump.yml --- .../zeek/zeek_smb_converted_win_impacket_secretdump.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index f7ee7e2b5..44d812ee7 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -16,8 +16,11 @@ logsource: service: smb_files detection: selection: - path: '\\*ADMIN$' - name|endswith: 'SYSTEM32\\*.tmp' + path|contains|all: + - '\' + - 'ADMIN$' + name|contains: 'SYSTEM32\' + name|endswith: '.tmp' condition: selection falsepositives: - 'unknown' From e97c4b0ac5868b16df1c6009d076943d589d3c88 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 19:05:22 +0100 Subject: [PATCH 1250/1335] Update zeek_smb_converted_win_susp_psexec.yml --- rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index be8707fc1..34da2addf 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -14,13 +14,17 @@ logsource: service: smb_files detection: selection1: - path: \\*\IPC$ + path|contains|all: + - '\\' + - '\IPC$' name|endswith: - '-stdin' - '-stdout' - '-stderr' selection2: - name: \\*\IPC$ + name|contains|all: + - '\\' + - '\IPC$' path|startswith: 'PSEXESVC' condition: selection1 and not selection2 falsepositives: From e932eda645dd86908e626052ff571df23338f8c0 Mon Sep 17 00:00:00 2001 
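Review bot: In zeek_smb_converted_win_impacket_secretdump.yml the new `path|contains|all` pairs `'ADMIN$'` with a lone `'\'`, and in zeek_smb_converted_win_susp_psexec.yml (next hunk) `'\\'` is paired with `'\IPC$'`; a single backslash is present in every UNC share path, so that half of the `all` list constrains nothing and the old pattern's end anchoring is lost. `path|endswith: 'ADMIN$'` and `path|endswith: '\IPC$'` (with `name|endswith` in `selection2`) preserve the original meaning in one line each. The same near-vacuous `'/'` entry appears in proxy_ursnif_malware.yml (`c-uri|contains|all`) further down, where `c-uri|contains: '.php?l='` alone carries the signal. In the psexec rule `selection2` uses `name` and `path` the opposite way round from `selection1`; that predates this change, but since the block is a negative filter it deserves a look.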
From: yugoslavskiy Date: Sat, 28 Nov 2020 19:07:07 +0100 Subject: [PATCH 1252/1335] Update proxy_cobalt_onedrive.yml --- rules/proxy/proxy_cobalt_onedrive.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 6967944c5..30975e58a 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -4,7 +4,7 @@ status: experimental description: Detects Malleable OneDrive Profile author: Markus Neis date: 2019/11/12 -modified: 2020/09/02 +modified: 2020/11/28 references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile logsource: @@ -15,7 +15,8 @@ detection: c-uri|endswith: '?manifest=wac' cs-host: 'onedrive.live.com' filter: - c-uri|startswith: 'http*://onedrive.live.com/' + c-uri|startswith: 'http' + c-uri|contains: '://onedrive.live.com/' condition: selection and not filter falsepositives: - Unknown From 02ea91ec8bfbce2277e6ca585d78b657c5e49ce2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 19:09:07 +0100 Subject: [PATCH 1253/1335] Update proxy_ursnif_malware.yml --- rules/proxy/proxy_ursnif_malware.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml index 09bf0edac..1445ed4f3 100644 --- a/rules/proxy/proxy_ursnif_malware.yml +++ b/rules/proxy/proxy_ursnif_malware.yml @@ -4,12 +4,15 @@ status: stable description: Detects download of Ursnif malware done by dropper documents. author: Thomas Patzke date: 2019/12/19 -modified: 2020/09/03 +modified: 2020/11/28 logsource: category: proxy detection: selection: - c-uri|endswith: '/*.php?l=*.cab' + c-uri|contains|all: + - '/' + - '.php?l=' + c-uri|endswith: '.cab' sc-status: 200 condition: selection fields: From 769ef23ccf921cb94c3d2f3f92bec5d8fe5a08b2 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Sun, 29 Nov 2020 21:30:50 +0100 Subject: [PATCH 1254/1335] restore the original file --- rules/linux/lnx_susp_ssh.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml index 941033356..c5ea7448e 100644 --- a/rules/linux/lnx_susp_ssh.yml +++ b/rules/linux/lnx_susp_ssh.yml @@ -12,18 +12,18 @@ logsource: product: linux service: sshd detection: - keywords|contains: - - 'unexpected internal error' - - 'unknown or unsupported key type' - - 'invalid certificate signing key' - - 'invalid elliptic curve value' - - 'incorrect signature' - - 'error in libcrypto' - - 'unexpected bytes remain after decoding' - - 'fatal: buffer_get_string: bad string' - - 'Local: crc32 compensation attack' - - 'bad client public DH value' - - 'Corrupted MAC on input' + keywords: + - '*unexpected internal error*' + - '*unknown or unsupported key type*' + - '*invalid certificate signing key*' + - '*invalid elliptic curve value*' + - '*incorrect signature*' + - '*error in libcrypto*' + - '*unexpected bytes remain after decoding*' + - '*fatal: buffer_get_string: bad string*' + - '*Local: crc32 compensation attack*' + - '*bad client public DH value*' + - '*Corrupted MAC on input*' condition: keywords falsepositives: - Unknown From 871f9651096847923ff0762163d43dbd8c19ea27 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 29 Nov 2020 21:31:54 +0100 Subject: [PATCH 1255/1335] Update lnx_susp_named.yml --- rules/linux/lnx_susp_named.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml index 6e6709240..128300cc2 100644 --- a/rules/linux/lnx_susp_named.yml +++ b/rules/linux/lnx_susp_named.yml 
@@ -10,10 +10,10 @@ logsource: product: linux service: syslog detection: - keywords|contains: - - ' dropping source port zero packet from ' - - ' denied AXFR from ' - - ' exiting (due to fatal error)' + keywords: + - '* dropping source port zero packet from *' + - '* denied AXFR from *' + - '* exiting (due to fatal error)*' condition: keywords falsepositives: - Unknown From 69de4598fd27f8ea0e49718b0c1b415732687d36 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 29 Nov 2020 21:32:46 +0100 Subject: [PATCH 1256/1335] restore the original file --- rules/linux/lnx_sudo_cve_2019_14287.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index d75d4d0f9..bbd9d785d 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -19,11 +19,15 @@ tags: - attack.privilege_escalation - attack.t1068 - attack.t1169 +--- +detection: + selection_keywords: + - '* -u#*' + condition: selection_keywords +--- detection: - selection_keyword|contains: - - ' -u#' selection_user: USER: - '#-*' - '#*4294967295' - condition: selection_keywords or selection_user + condition: selection_user From 50623544a2c36515dc31e94395af5513a1a06010 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Sun, 29 Nov 2020 22:03:19 +0100 Subject: [PATCH 1257/1335] remove possible duplicate filter --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index e9c4b06d4..4aee5a4b6 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -20,7 +20,6 @@ detection: - CommandLine|contains|all: - ' -w' - 'hidden' - - ' -e' selection2: CommandLine|contains: 'JAB' selection3: 
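Review bot: Splitting lnx_sudo_cve_2019_14287.yml into two `---`-separated documents, each with its own `detection`, only yields two rules carrying the shared title and tags if the leading document (above the hunk) is marked `action: global`; otherwise the metadata block becomes a rule without a detection and the two detections become rules without titles or IDs. Please confirm the header carries `action: global`, and consider a short comment such as `# keyword and field-based variants are split so backends without field support still compile the first one` above the first `---` so the structure is not "simplified" away again.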
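Review bot: Removing `' -e'` from the `contains|all` list widens that alternative of the first selection to every command line containing `' -w'` and `'hidden'`, whether or not an encoded command is present; the commit message calls it a duplicate filter, but `selection2`/`selection3` and the condition lie outside the hunk, so it is not visible here which other block still requires the encoded-command switch. If the condition ANDs this selection with `selection2`/`selection3`, the narrowing is preserved; if it ORs them, the rule now fires on any hidden-window PowerShell. A one-line comment on the selection naming the block that enforces the encoded-command requirement would prevent a future regression.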
From e1cd98c97d94f1bc70b089755821f01955e7a233 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 30 Nov 2020 01:31:00 +0100 Subject: [PATCH 1259/1335] restore original rule --- rules/linux/lnx_clamav.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index d312a287c..cd19a25a4 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -10,15 +10,13 @@ logsource: product: linux service: clamav detection: - keywords|contains: - - 'Trojan' - - 'VirTool' - - 'Webshell' - - 'Rootkit' - - 'Htran' - filter: - - 'FOUND' - condition: keywords and filter + keywords: + - 'Trojan*FOUND' + - 'VirTool*FOUND' + - 'Webshell*FOUND' + - 'Rootkit*FOUND' + - 'Htran*FOUND' + condition: keywords falsepositives: - Unknown level: high From 424f1523d87f7769cf0d66655c0402a32d02bc99 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 30 Nov 2020 01:32:06 +0100 Subject: [PATCH 1260/1335] restore original rule --- rules/linux/lnx_proxy_connection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/lnx_proxy_connection.yml index 827d7ab72..2caeba777 100644 --- a/rules/linux/lnx_proxy_connection.yml +++ b/rules/linux/lnx_proxy_connection.yml @@ -9,9 +9,9 @@ references: logsource: product: linux detection: - keyword|startswith: - - 'http_proxy=' - - 'https_proxy=' + keyword: + - 'http_proxy=*' + - 'https_proxy=*' condition: keyword falsepositives: - Legitimate administration activities From f4c9ff037d02a80716971ded31fdb07196dd4470 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1261/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml 
+++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From a62d0669e70a9f15247e8064796d3f2f4b1de997 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1262/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 1417d0332dd0ed318582d9b0b181f5b732e193cd Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1263/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 73ce8b2e3b876e6219eae727a1aebb7064ff5aba Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1264/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 38154c014e7490843f0788255e4af32f76a09b8a Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1265/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 4179c21bbb4d318e03699b612a49e3a9a8a9034c Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1266/1335] add sigma-test.yml --- .github/workflows/sigma-test.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/sigma-test.yml diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml new file mode 100644 index 000000000..28931b92e --- /dev/null +++ b/.github/workflows/sigma-test.yml @@ -0,0 +1,31 @@ +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions + +name: Sigma Tools and Rule Tests + +on: + push: + branches: + - "*" + pull_request: + branches: [ master ] + +jobs: + test-sigma: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Set up Python 3.8 + uses: actions/setup-python@v1 + with: + python-version: 3.8 + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r tools/requirements.txt -r tools/requirements-devel.txt + - name: Test Sigma Tools and Rules + run: | + make test + - name: Test SQL(ite) Backend + run: | + make test-backend-sql From 353546d970df4a1f68a2cb75f168f2acf09e6797 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1268/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
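Review bot: `uses: actions/checkout@v2` and `uses: actions/setup-python@v1` reference mutable tags, so the workflow executes whatever those tags point to at run time; pinning each to a full-length commit SHA (`uses: actions/checkout@<commit-sha>  # v2`, placeholder) is the usual supply-chain hardening for a public repository. The `push`/`pull_request` triggers also run `pip install -r tools/requirements.txt` and `make test` with the default `GITHUB_TOKEN` permissions (write scope on push events unless the repository restricts it); a top-level `permissions: contents: read` limits what a compromised dependency or test step can do. The same applies to the re-added copy of this file in patch 1273 (`branches: [ master, oscd ]`).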
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 56f94a19f772644d1b1f465917551315802a86fc Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 30 Nov 2020 02:08:54 +0100 Subject: [PATCH 1269/1335] Update win_regedit_export_keys.yml --- .../win_regedit_export_keys.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml index 70bc2a50f..e3454faf4 100644 --- a/rules/windows/process_creation/win_regedit_export_keys.yml +++ b/rules/windows/process_creation/win_regedit_export_keys.yml @@ -17,15 +17,15 @@ detection: selection: Image|endswith: '\regedit.exe' CommandLine|contains: ' /E ' - filter_1: # filters to avoid intersection with critical keys rule - CommandLine|contains: - - 'hklm' - - 'hkey_local_machine' - filter_2: - CommandLine|endswith: - - '\system' - - '\sam' - - '\security' + filter_1: # filters to avoid intersection with critical keys rule + CommandLine|contains: + - 'hklm' + - 'hkey_local_machine' + filter_2: + CommandLine|endswith: + - '\system' + - '\sam' + - '\security' condition: selection and not (filter_1 and filter_2) fields: - ParentImage From 68cf2a441a48f6d5368f705a97a30e976df47ddf Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1270/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 68153b237fc80cedc4c3ac0a1d56ab90ac3c327e Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1271/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index ee0c317a5..28931b92e 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 38a58ec3e741c08625f155d7738d93a477092e91 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1272/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 9649cccfbc03a18fb765d037e01ccf15313be0da Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1273/1335] restore tests --- .github/workflows/sigma-test.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/sigma-test.yml diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml new file mode 100644 index 000000000..d451debbd --- /dev/null +++ b/.github/workflows/sigma-test.yml @@ -0,0 +1,31 @@ +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions + +name: Sigma Tools and Rule Tests + +on: + push: + branches: + - "*" + pull_request: + branches: [ master, oscd ] + +jobs: + test-sigma: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Set up Python 3.8 + uses: actions/setup-python@v1 + with: + python-version: 3.8 + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r tools/requirements.txt -r tools/requirements-devel.txt + - name: Test Sigma Tools and Rules + run: | + make test + - name: Test SQL(ite) Backend + run: | + make test-backend-sql From 6e690ad31359d04ef6ebc40a107e50f7fe12ac4b Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1275/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
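Review bot: The restored workflow references `actions/checkout@v2` and `actions/setup-python@v1` by mutable tag, so the code the CI job executes can change without any change in this repository; pinning to a full commit SHA with the tag kept in a comment, e.g. `- uses: actions/checkout@<commit-sha>  # v2`, keeps the job reproducible and limits what a re-pointed or compromised tag can do. The same applies to the `actions/setup-python` step. A lesser point: `python-version: 3.8` is an unquoted float, and writing it as `python-version: '3.8'` avoids the well-known trap where an unquoted 3.10 is read as 3.1.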
@@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From 2e4c98115d22812b6f23a7ea5171fd9c4f828268 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 2 Nov 2020 22:57:01 +0100 Subject: [PATCH 1276/1335] Removed ES query tests --- .github/workflows/sigma-test.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 8703e1bfd..d451debbd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,18 +23,9 @@ jobs: run: | python -m pip install --upgrade pip pip install -r tools/requirements.txt -r tools/requirements-devel.txt - wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - - sudo apt install -y apt-transport-https - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list - sudo apt update - sudo apt install -y elasticsearch - sudo systemctl start elasticsearch - name: Test Sigma Tools and Rules run: | make test - - name: Test Generated Elasticsearch Query Strings - run: | - make test-backend-es-qs - name: Test SQL(ite) Backend run: | make test-backend-sql From cf8d195c5c788414db0c4641bf1245f98890bb6b Mon Sep 17 00:00:00 2001 
From: Vasiliy Burov Date: Mon, 30 Nov 2020 11:49:42 +0300 Subject: [PATCH 1277/1335] Update win_susp_multiple_files_renamed_or_deleted.yml --- .../file_event/win_susp_multiple_files_renamed_or_deleted.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index fddb210e8..488512208 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -22,5 +22,6 @@ detection: timeframe: 30s condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Unlikely + - Software uninstallation + - Files restore activities level: high From 816ce5937c6224dd50ea896ae8212bf748096d6f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 01:29:35 +0100 Subject: [PATCH 1278/1335] Update win_susp_crackmapexec_execution.yml --- .../process_creation/win_susp_crackmapexec_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index d18f3ca47..ed44d56c4 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -23,14 +23,14 @@ detection: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - 'cmd.exe /Q /c' - '1> \\\\' - - '\\' + - '\' - '\\' - '2>&1' - CommandLine|contains|all: # cme/protocols/smb/atexec.py:109 (fileless output via share) - 'cmd.exe /C' - '> \\\\' - - '\\' + - '\' - '\\' - '2>&1' - CommandLine|contains|all: From 3cbc2f0aec8d3fb0b51f92e1c6eecf90b43e9083 Mon Sep 17 00:00:00 2001 
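Review bot: In the crackmapexec hunk, changing `- '\\'` to `- '\'` leaves each `contains|all` list with `'\'` and `'\\'` side by side, and under Sigma's escaping rules (a backslash not followed by a wildcard may be written as `\` or `\\`) both denote one literal backslash, so the two entries are redundant and a lone backslash appears in almost any Windows command line, adding no selectivity. If the intent was to require the UNC prefix, that is already expressed by the `'1> \\\\'` and `'> \\\\'` entries; otherwise both backslash-only entries can be dropped. The enclosing `selection` list starts outside the hunk.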
From: yugoslavskiy Date: Tue, 1 Dec 2020 01:47:23 +0100 Subject: [PATCH 1279/1335] Update win_susp_powershell_enc_cmd.yml --- .../win_susp_powershell_enc_cmd.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 4aee5a4b6..5f5bedd3b 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -4,9 +4,9 @@ description: Detects suspicious powershell process starts with base64 encoded co status: experimental references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e -author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, oscd.community +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2018/09/03 -modified: 2020/11/28 +modified: 2020/12/01 tags: - attack.execution - attack.t1059.001 @@ -16,14 +16,13 @@ logsource: product: windows detection: selection: - - CommandLine|contains: ' -e' - - CommandLine|contains|all: - - ' -w' - - 'hidden' + CommandLine|contains: '-e' # covers -en and -enc selection2: CommandLine|contains: 'JAB' selection3: - CommandLine|contains: '-e' #Covers -en and -enc + CommandLine|contains|all: + - ' -w' + - 'hidden' selection4: CommandLine|contains: - ' BA^J' @@ -39,5 +38,5 @@ detection: CommandLine|contains|all: - ' -ExecutionPolicy' - 'remotesigned ' - condition: (selection and selection2) or (selection3 and selection4) and not falsepositive1 + condition: (selection and selection2) or (selection2 and selection3) or (selection and selection4) and not falsepositive1 level: high From d1b625d0807c98c6f607442b8fedd3579fe61ada Mon Sep 17 00:00:00 2001 
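Review bot: The new condition in the third hunk, `(selection and selection2) or (selection2 and selection3) or (selection and selection4) and not falsepositive1`, applies the false-positive filter only to the last alternative, because Sigma binds `and` tighter than `or`, so the `' -ExecutionPolicy'`/`'remotesigned '` exclusion no longer suppresses hits from the first two branches. Wrapping the alternatives fixes it: `condition: ((selection and selection2) or (selection2 and selection3) or (selection and selection4)) and not falsepositive1`. Related, in the second hunk `selection` is now the bare `'-e'` substring, which also matches `-ExecutionPolicy`, `-ErrorAction` and similar, so the filter matters more than it did with the old `' -e'`; keeping the leading space would stay closer to the original scope.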
From: yugoslavskiy Date: Tue, 1 Dec 2020 01:51:47 +0100 Subject: [PATCH 1280/1335] Update win_susp_powershell_enc_cmd.yml --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 5f5bedd3b..5bbc4e2a6 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -32,7 +32,6 @@ detection: - ' aQBlAHgA' - ' SUVYI' - ' aWV4I' - - ' SQBFAFgA' - ' aQBlAHgA' falsepositive1: CommandLine|contains|all: From 64941038391e7124e2d65e6d985f1ce24665defe Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 01:54:51 +0100 Subject: [PATCH 1281/1335] Update win_susp_powershell_enc_cmd.yml --- rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 5bbc4e2a6..31c0e3c89 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml @@ -27,12 +27,9 @@ detection: CommandLine|contains: - ' BA^J' - ' SUVYI' - - ' aWV4I' - ' SQBFAFgA' - ' aQBlAHgA' - - ' SUVYI' - ' aWV4I' - - ' aQBlAHgA' falsepositive1: CommandLine|contains|all: - ' -ExecutionPolicy' From 30ecc8bd26103b9b4752efdceed6033c891a1ced Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 02:08:52 +0100 Subject: [PATCH 1282/1335] Update win_malware_script_dropper.yml --- rules/windows/process_creation/win_malware_script_dropper.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index a2b13a35a..b71fe3c3b 100644 
--- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -11,6 +11,9 @@ tags: - attack.t1059.007 - attack.defense_evasion # an old one - attack.t1064 # an old one +logsource: + category: process_creation + product: windows detection: selection1: Image|endswith: From 0188e45925042dd84df05d102d378c05261c6d7c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 02:12:53 +0100 Subject: [PATCH 1283/1335] Update win_malware_script_dropper.yml --- rules/windows/process_creation/win_malware_script_dropper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index b71fe3c3b..45961cad4 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -11,8 +11,8 @@ tags: - attack.t1059.007 - attack.defense_evasion # an old one - attack.t1064 # an old one -logsource: - category: process_creation +logsource: + category: process_creation product: windows detection: selection1: From 36754ae3d5158b9584fbedcbd2babd10b1c2651c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 02:16:22 +0100 Subject: [PATCH 1284/1335] Update win_vul_cve_2020_0688.yml --- rules/windows/builtin/win_vul_cve_2020_0688.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml index f89fdb6a0..38b8e95e6 100644 --- a/rules/windows/builtin/win_vul_cve_2020_0688.yml +++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml @@ -17,8 +17,8 @@ detection: EventID: 4 Source: MSExchange Control Panel Level: Error - selection2|contains: - - '&__VIEWSTATE=' + selection2: + - '*&__VIEWSTATE=*' condition: selection1 and selection2 falsepositives: - Unknown 
From 7309fb7d0e0b622f9a2451fb1b84257e767a7272 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 1 Dec 2020 02:23:02 +0100 Subject: [PATCH 1285/1335] Update powershell_winlogon_helper_dll.yml --- .../powershell/powershell_winlogon_helper_dll.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 9cb140f78..9555ba0d5 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -4,6 +4,7 @@ status: experimental description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. author: Timur Zinniatullin, oscd.community date: 2019/10/21 +modified: 2020/12/01 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml logsource: @@ -13,12 +14,12 @@ logsource: detection: selection: EventID: 4104 - keyword1|contains: - - 'Set-ItemProperty' - - 'New-Item' - keyword2|contains: - - 'CurrentVersion\Winlogon' - condition: selection and ( keyword1 and keyword2 ) + ScriptBlockText|contains: 'CurrentVersion\Winlogon' + selection2: + ScriptBlockText|contains: + - 'Set-ItemProperty' + - 'New-Item' + condition: selection and selection2 falsepositives: - Unknown level: medium From a028cdf1eec963c84f26f74c4f694bb70c86893d Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Tue, 1 Dec 2020 02:24:35 +0100 Subject: [PATCH 1286/1335] Update powershell_shellcode_b64.yml --- .../powershell/powershell_shellcode_b64.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index 33670742a..ba269aca2 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -13,7 +13,7 @@ tags: - attack.t1086 #an old one author: David Ledbetter (shellcode), Florian Roth (rule) date: 2018/11/17 -modified: 2020/08/24 +modified: 2020/12/01 logsource: product: windows service: powershell @@ -21,12 +21,12 @@ logsource: detection: selection: EventID: 4104 - keyword1|contains: - - 'AAAAYInlM' - keyword2|contains: - - 'OiCAAAAYInlM' - - 'OiJAAAAYInlM' - condition: selection and keyword1 and keyword2 + ScriptBlockText|contains: 'AAAAYInlM' + selection2: + ScriptBlockText|contains: + - 'OiCAAAAYInlM' + - 'OiJAAAAYInlM' + condition: selection and selection2 falsepositives: - Unknown level: critical From d0bb6e9e81d842da3da6ce52ec325e24e791698a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 1 Dec 2020 21:24:57 +0300 Subject: [PATCH 1287/1335] Update lnx_file_deletion.yml --- rules/linux/lnx_file_deletion.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index a35f14015..e0648ec82 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml 
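Review bot: In the second hunk of the shellcode rule, `selection` (`ScriptBlockText|contains: 'AAAAYInlM'`) is implied by `selection2`, since both `'OiCAAAAYInlM'` and `'OiJAAAAYInlM'` contain `AAAAYInlM` as a substring, so `condition: selection and selection2` is equivalent to `condition: selection2`. Either drop `selection`, or, if the shorter pattern was meant to catch variants the longer ones miss, change the condition to `selection or selection2`; the current form silently carries over the redundancy of the old `keyword1 and keyword2`.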
@@ -10,15 +10,13 @@ logsource: product: linux category: process_creation detection: - keywords: - - Commands|contains: - - 'rm ' - - 'shred -u' - - 'rmdir' - - 'unlink' - - 'busybox rm -f *' - - 'find * -delete' - condition: keywords + selection: + - ProcessName|endswith: + - '/rm' + - '/shred' + - '/unlink' + - '/busybox' + condition: selection falsepositives: - Legitimate administration activities level: low From 4ab522815bc6a1075418f85874a957e9258cf9a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?= Date: Tue, 1 Dec 2020 21:28:12 +0300 Subject: [PATCH 1288/1335] Update lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index cc1b9fcb3..4ddc74613 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -10,16 +10,18 @@ logsource: product: linux category: process_creation detection: - keywords: - - Commands|contains: - - 'rm * /var/log*' - - 'shred -u /var/log*' - - 'echo * > /var/log*' - - 'rmdir * /var/log*' - - 'rm * /private/var/audit/*' - - 'rm * /private/var/log/system.log*' - - 'echo * /var/spool/mail/*' - condition: keywords + selection1: + - ProcessName|endswith: + - '/rm' + - 'shred' + - 'echo' + - 'rmdir' + selection2: + CommandLine|contains: + - '/var/log' + - '/private/var/audit' + - '/private/var/log/' + condition: selection1 and selection2 falsepositives: - Legitimate administration activities level: medium From 1c4c5af99fb80028e097a1088fe638e3c41f1583 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 2 Dec 2020 01:24:59 +0100 Subject: [PATCH 1289/1335] Update lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index 4ddc74613..8908c3daa 100644 --- a/rules/linux/lnx_clear_logs.yml 
+++ b/rules/linux/lnx_clear_logs.yml @@ -5,26 +5,22 @@ description: Detects clear logs author: Ömer Günal, oscd.community date: 2020/10/07 references: - - https://attack.mitre.org/techniques/T1070/002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md logsource: product: linux category: process_creation detection: selection1: - - ProcessName|endswith: - - '/rm' - - 'shred' - - 'echo' - - 'rmdir' - selection2: - CommandLine|contains: - - '/var/log' - - '/private/var/audit' - - '/private/var/log/' + ProcessName|endswith: + - '/rm' # covers /rmdir as well + - '/shred' + CommandLine|contains: + - '/var/log' + - '/var/spool/mail' condition: selection1 and selection2 falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.defense_evasion - attack.t1070.002 From 6ce08935bbb036f915b5b31e934eedc147c1675e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 2 Dec 2020 01:27:35 +0100 Subject: [PATCH 1290/1335] Update lnx_file_deletion.yml --- rules/linux/lnx_file_deletion.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index e0648ec82..bc4c2ad39 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -11,11 +11,9 @@ logsource: category: process_creation detection: selection: - - ProcessName|endswith: - - '/rm' - - '/shred' - - '/unlink' - - '/busybox' + ProcessName|endswith: + - '/rm' # covers /rmdir as well + - '/shred' condition: selection falsepositives: - Legitimate administration activities From 378f663502e5c99b17bce8872c058c964a277a39 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 2 Dec 2020 01:28:29 +0100 Subject: [PATCH 1291/1335] Update lnx_clear_logs.yml --- rules/linux/lnx_clear_logs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
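Review bot: The comment added on the new `- '/rm' # covers /rmdir as well` entry is incorrect: an `endswith` match on `/rm` does not match a process name ending in `/rmdir`, so `rmdir` stops being covered once the old `'rmdir'` entry is removed. Either add `- '/rmdir'` as its own entry or drop the comment; the same comment is added in the lnx_file_deletion.yml hunk of PATCH 1290 on this line. In this hunk the context line `condition: selection1 and selection2` also still names `selection2`, which the hunk removes, so the rule as committed references a selection that no longer exists.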
diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index 8908c3daa..e6c71f424 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -10,14 +10,14 @@ logsource: product: linux category: process_creation detection: - selection1: + selection: ProcessName|endswith: - '/rm' # covers /rmdir as well - '/shred' CommandLine|contains: - '/var/log' - '/var/spool/mail' - condition: selection1 and selection2 + condition: selection falsepositives: - Legitimate administration activities level: low From ff373b0f330bbdd0e89c6f9d265ca841586a401a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Jan 2021 23:03:41 +0300 Subject: [PATCH 1292/1335] Update win_nltest_query.yml --- rules/windows/process_creation/win_nltest_query.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml index 071ea68e2..b42648cc4 100644 --- a/rules/windows/process_creation/win_nltest_query.yml +++ b/rules/windows/process_creation/win_nltest_query.yml @@ -5,7 +5,7 @@ references: - https://twitter.com/sysopfb/status/986799053668139009 - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml date: 2018/04/18 -modified: 2020/10/06 +modified: 2021/01/05 tags: - attack.credential_access - attack.t1003 @@ -16,10 +16,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '/nltest.exe' - CommandLine|contains: - - \query + Image|endswith: '\nltest.exe' + CommandLine|contains: '\query' condition: selection falsepositives: - Legitimate administration From da5ec4e952f93ddf5e665cc764fb862f29a5ea92 Mon Sep 17 00:00:00 2001 
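Review bot: In the nltest hunk, `CommandLine|contains: '\query'` uses a backslash, but nltest's switches are written with a forward slash (`nltest /server:<name> /query`), so a command line recorded verbatim would not contain `\query` and the selection would not match; the pre-change value had the same problem and the commit preserves it. Unless the log source is known to rewrite the separator, `CommandLine|contains: '/query'` is the form to use. Note that in Sigma `'\q'` is a plain backslash followed by `q`, so this is not an escaping artefact.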
From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Wed, 6 Jan 2021 16:50:28 +0300 Subject: [PATCH 1293/1335] Update win_wmi_persistence.yml Removed sequence of EIDs in Windows Security section. --- rules/windows/other/win_wmi_persistence.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 5ffcb0df8..405e657b8 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -38,13 +38,8 @@ logsource: product: windows service: security detection: - network_logon: - EventID: 4624 - LogonType: 3 - privileges_assigned: - EventID: 4672 wmi_subscription: EventID: 4662 ObjectType: 'WMI Namespace' ObjectName|contains: 'subscription' - condition: network_logon and privileges_assigned and wmi_subscription + condition: wmi_subscription From 3f519ffa2050910d1138f172634ce294a7be1196 Mon Sep 17 00:00:00 2001 From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com> Date: Thu, 7 Jan 2021 21:31:51 +0300 Subject: [PATCH 1294/1335] Just Check --- rules/windows/other/win_wmi_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 405e657b8..f3b476046 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -2,7 +2,7 @@ action: global title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 modified: 2020/10/13 
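Review bot: With `network_logon` and `privileges_assigned` removed, the security-log document now fires on any 4662 whose ObjectType is `WMI Namespace` and whose ObjectName contains `subscription`; as far as I know 4662 is only generated for that namespace when an audit SACL has been configured on it, so the rule is silent by default. A `definition:` entry under this `logsource` stating that requirement, e.g. `definition: 'Requires an audit SACL on the root\subscription WMI namespace for EventID 4662 to be logged'`, would tell deployers what to enable. The dropped condition required three different event IDs in one non-aggregating rule and could never match a single event, so the removal itself is correct.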
From 1a124f919324014269859449a1f16ef7374617c6 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 2 Feb 2021 23:34:10 +1100 Subject: [PATCH 1295/1335] Added win_ad_find_discovery.yml Rule to detect the most commons switches used in AdFind tool --- .../win_ad_find_discovery.yml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 rules/windows/process_creation/win_ad_find_discovery.yml diff --git a/rules/windows/process_creation/win_ad_find_discovery.yml b/rules/windows/process_creation/win_ad_find_discovery.yml new file mode 100644 index 000000000..4b6665aaf --- /dev/null +++ b/rules/windows/process_creation/win_ad_find_discovery.yml @@ -0,0 +1,43 @@ +title: AdFind Usage Detection +id: 9a132afa-654e-11eb-ae93-0242ac130002 +description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. +author: Janantha Marasinghe (https://github.com/blueteam0ps) +references: + - https://thedfirreport.com/2020/05/08/adfind-recon/ + - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ + - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +date: 2021/02/02 +modified: 2021/02/02 +tags: + - attack.discovery + - attack.t1482 + - attack.t1018 +level: high +status: experimental +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'domainlist' + - 'trustdmp' + - 'dcmodes' + - 'adinfo' + - 'dclist' + - 'computer_pwdnotreqd' + - 'objectcategory=' + - '-subnets -f' + - 'name="Domain Admins"' + - '-sc u:' + - 'domainncs' + - 'dompol' + - 'oudmp' + - 'subnetdmp' + - 'gpodmp' + - 'fspdmp' + - 'users_noexpire' + - 'computers_active' + condition: selection +falsepositives: + - Admin activity From 96afd5845a0ec3b2611f5ccc9af9cd5af8b7ffea Mon Sep 17 00:00:00 2001 
From: Anton Kutepov Date: Thu, 25 Feb 2021 01:20:09 +0300 Subject: [PATCH 1296/1335] Merged identical rules. Added the author of the deleted rule to another rule. --- .../win_pe_exec_vsjitdebugger.yml | 21 ------------------- .../win_susp_use_of_vsjitdebugger_bin.yml | 2 +- 2 files changed, 1 insertion(+), 22 deletions(-) delete mode 100644 rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml diff --git a/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml b/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml deleted file mode 100644 index 99cbcbf56..000000000 --- a/rules/windows/process_creation/win_pe_exec_vsjitdebugger.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: PE File Execution via Vsjitdebugger -id: 4b51f73f-1583-4202-a8e0-2d4bbf4beeee -status: experimental -description: Detects the execution of Vsjitdebugger tool as parent process which is utilized like proxy for other PE files executions. -references: - - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/ -author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' -date: 2020/10/08 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage|endswith: '\vsjitdebugger.exe' - condition: selection -falsepositives: - - Legitimate usage of software developer/tester -level: medium diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index e78117439..72a59a20f 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -9,7 +9,7 @@ references: tags: - attack.t1218 - attack.defense_evasion -author: 'Agro (@agro_sev) oscd.community' +author: 'Agro (@agro_sev)', 'Ensar Şamil (@sblmsrsn)', oscd.community date: 2020/10/14 logsource: category: process_creation 
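Review bot: The new author line `author: 'Agro (@agro_sev)', 'Ensar Şamil (@sblmsrsn)', oscd.community` is not valid YAML: once the first single-quoted scalar closes, only whitespace or a comment may follow on that line, so the trailing `, 'Ensar …` causes a parse error and the rule will fail to load. Put the whole value in one quoted scalar, `author: 'Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community'`. The deletion of the duplicate rule in the first hunk is fine.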
From 98cc0252084042ecc70ec11a37e54ef21404e7de Mon Sep 17 00:00:00 2001 
From: Anton Kutepov Date: Thu, 25 Feb 2021 01:57:26 +0300 Subject: [PATCH 1297/1335] Renamed ProcessName field to Image for the process_creation category. --- rules/linux/lnx_base64_decode.yml | 2 +- rules/linux/lnx_clear_logs.yml | 2 +- .../lnx_file_and_directory_discovery.yml | 8 +++--- rules/linux/lnx_file_deletion.yml | 2 +- rules/linux/lnx_install_root_certificate.yml | 2 +- rules/linux/lnx_local_account.yml | 8 +++--- rules/linux/lnx_local_groups.yml | 4 +-- rules/linux/lnx_network_service_scanning.yml | 4 +-- rules/linux/lnx_process_discovery.yml | 2 +- rules/linux/lnx_remote_system_discovery.yml | 4 +-- rules/linux/lnx_schedule_task_job_cron.yml | 2 +- .../linux/lnx_security_software_discovery.yml | 2 +- rules/linux/lnx_security_tools_disabling.yml | 26 +++++++++---------- rules/linux/lnx_system_info_discovery.yml | 2 +- ...x_system_network_connections_discovery.yml | 2 +- rules/linux/lnx_system_network_discovery.yml | 4 +-- rules/linux/macos_applescript.yml | 2 +- rules/linux/macos_base64_decode.yml | 2 +- rules/linux/macos_binary_padding.yml | 4 +-- rules/linux/macos_change_file_time_attr.yml | 2 +- rules/linux/macos_clear_system_logs.yml | 2 +- rules/linux/macos_create_account.yml | 2 +- rules/linux/macos_create_hidden_account.yml | 2 +- rules/linux/macos_disable_security_tools.yml | 4 +-- .../macos_file_and_directory_discovery.yml | 10 +++---- rules/linux/macos_find_cred_in_files.yml | 2 +- rules/linux/macos_gui_input_capture.yml | 2 +- rules/linux/macos_local_account.yml | 10 +++---- rules/linux/macos_local_groups.yml | 6 ++--- .../linux/macos_network_service_scanning.yml | 4 +-- rules/linux/macos_network_sniffing.yml | 2 +- rules/linux/macos_remote_system_discovery.yml | 4 +-- rules/linux/macos_schedule_task_job_cron.yml | 2 +- rules/linux/macos_screencapture.yml | 2 +- .../macos_security_software_discovery.yml | 2 +- rules/linux/macos_split_file_into_pieces.yml | 2 +- ...s_system_network_connections_discovery.yml | 2 +- 
.../linux/macos_system_network_discovery.yml | 4 +-- rules/linux/macos_system_shutdown_reboot.yml | 2 +- rules/linux/macos_xattr_gatekeeper_bypass.yml | 2 +- rules/windows/malware/win_mal_ryuk.yml | 2 +- .../process_creation/win_apt_slingshot.yml | 2 +- .../process_creation/win_malware_dridex.yml | 6 ++--- 43 files changed, 82 insertions(+), 82 deletions(-) diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml index b9ae9bc78..62620cf4b 100644 --- a/rules/linux/lnx_base64_decode.yml +++ b/rules/linux/lnx_base64_decode.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: base64_execution: - ProcessName|endswith: '/base64' + Image|endswith: '/base64' CommandLine|contains: '-d' condition: base64_execution falsepositives: diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index e6c71f424..11e904054 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/rm' # covers /rmdir as well - '/shred' CommandLine|contains: diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml index 9b1a70130..61d35d415 100644 --- a/rules/linux/lnx_file_and_directory_discovery.yml +++ b/rules/linux/lnx_file_and_directory_discovery.yml @@ -11,15 +11,15 @@ logsource: product: linux detection: file_with_asterisk: - ProcessName|endswith: '/file' + Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline recursive_ls: - ProcessName|endswith: '/ls' + Image|endswith: '/ls' CommandLine|contains: '-R' find_execution: - ProcessName|endswith: '/find' + Image|endswith: '/find' tree_execution: - ProcessName|endswith: '/tree' + Image|endswith: '/tree' condition: 1 of them falsepositives: - Legitimate activities 
diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index bc4c2ad39..b909a853c 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/rm' # covers /rmdir as well - '/shred' condition: selection diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 3595fb437..b1a9f61ee 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -14,7 +14,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/update-ca-certificates' - '/update-ca-trust' condition: selection diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml index c470ca6cb..2e31f466d 100644 --- a/rules/linux/lnx_local_account.yml +++ b/rules/linux/lnx_local_account.yml @@ -11,22 +11,22 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/lastlog' selection_2: CommandLine|contains: - "'x:0:'" selection_3: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: - ProcessName|endswith: + Image|endswith: - '/id' selection_5: - ProcessName|endswith: + Image|endswith: - '/lsof' CommandLine|contains: - '-u' diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml index 3ca19f538..8df8a8157 100644 --- a/rules/linux/lnx_local_groups.yml +++ b/rules/linux/lnx_local_groups.yml @@ -11,10 +11,10 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/groups' selection_2: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/group' 
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index 40ad7cd2a..831c1dac9 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml @@ -20,11 +20,11 @@ logsource: definition: 'Detect netcat and filter our listening mode' detection: netcat: - ProcessName|endswith: + Image|endswith: - '/nc' - '/netcat' network_scanning_tools: - ProcessName|endswith: + Image|endswith: - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning - '/nmap' netcat_listen_flag: diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index 863879928..bee127ac9 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - - ProcessName|endswith: + - Image|endswith: - '/ps' - '/top' condition: selection diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml index b48af1122..218053e15 100644 --- a/rules/linux/lnx_remote_system_discovery.yml +++ b/rules/linux/lnx_remote_system_discovery.yml @@ -11,10 +11,10 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: '/arp' + Image|endswith: '/arp' CommandLine|contains: '-a' selection_2: - ProcessName|endswith: '/ping' + Image|endswith: '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 - ' 192.168.' #192.168.0.0/16 diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml index dc37f2270..cd2540f96 100644 --- a/rules/linux/lnx_schedule_task_job_cron.yml +++ b/rules/linux/lnx_schedule_task_job_cron.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - ProcessName|endswith: + Image|endswith: - 'crontab' CommandLine|contains: - '/tmp/' 
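Review bot: In the lnx_schedule_task_job_cron.yml hunk the renamed selection keeps `- 'crontab'` without a leading slash, while every other rule in this commit, including the macOS twin macos_schedule_task_job_cron.yml, anchors on `'/crontab'`. An endswith on the bare name also matches any binary whose name merely ends in "crontab". Suggest `- '/crontab'` so the rename leaves the Linux and macOS rules consistent.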
diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml index 5a94b29c0..37a7f7871 100644 --- a/rules/linux/lnx_security_software_discovery.yml +++ b/rules/linux/lnx_security_software_discovery.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: grep_execution: - ProcessName|endswith: '/grep' + Image|endswith: '/grep' security_services_and_processes: CommandLine|contains: - 'nessusd' # nessus vulnerability scanner diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8f812b387..8d1f16177 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml 
@@ -20,65 +20,65 @@ logsource: product: linux detection: iptables_1: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' iptables_2: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' iptables_3: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' iptables_4: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' firewall_1: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' firewall_2: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' carbonblack_1: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_2: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' carbonblack_3: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_4: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' selinux: - ProcessName|endswith: '/setenforce' + Image|endswith: '/setenforce' CommandLine|contains: '0' crowdstrike_1: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - 'falcon-sensor' crowdstrike_2: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - 'falcon-sensor' diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index eabff7636..c74cb3010 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml 
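Review bot: The `selinux` selection in this hunk pairs `Image|endswith: '/setenforce'` with `CommandLine|contains: '0'`, so the equivalent invocation `setenforce Permissive` is not covered. Suggest `CommandLine|contains:` with the two list items `- '0'` and `- 'permissive'`; Sigma string matching is case-insensitive by default, so the lowercase spelling suffices. The field rename itself is applied consistently across all selections of the hunk.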
@@ -19,7 +19,7 @@ logsource: categories: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/uname' - '/hostname' - '/uptime' diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml index 1bab3e4c7..5f9642370 100644 --- a/rules/linux/lnx_system_network_connections_discovery.yml +++ b/rules/linux/lnx_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - ProcessName|endswith: + Image|endswith: - '/who' - '/w' - '/last' diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index af22539c4..541737062 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -8,10 +8,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md logsource: category: process_creation - product: unix + product: linux detection: selection1: - ProcessName|endswith: + Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml index 6596c27d5..38daf676a 100644 --- a/rules/linux/macos_applescript.yml +++ b/rules/linux/macos_applescript.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/osascript' CommandLine|contains|all: - '-e' diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml index 7d7488048..4afeec596 100644 --- a/rules/linux/macos_base64_decode.yml +++ b/rules/linux/macos_base64_decode.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: base64_execution: - ProcessName: '/usr/bin/base64' + Image: '/usr/bin/base64' CommandLine|contains: '-d' condition: base64_execution falsepositives: diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml index b4c676db0..843b2aa61 100644 
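Review bot: The lnx_system_info_discovery.yml hunk header shows the logsource still declares `categories: process_creation`; `categories` is not a Sigma logsource key, so the rule is never bound to the process_creation category and the field mappings the renamed `Image` field relies on will not apply. Change it to `category: process_creation` alongside the rename.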
--- a/rules/linux/macos_binary_padding.yml +++ b/rules/linux/macos_binary_padding.yml @@ -13,12 +13,12 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: + Image|endswith: - '/truncate' CommandLine|contains: - '-s' selection2: - ProcessName|endswith: + Image|endswith: - '/dd' CommandLine|contains: - 'if=' diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml index 1267cb82c..f30750331 100644 --- a/rules/linux/macos_change_file_time_attr.yml +++ b/rules/linux/macos_change_file_time_attr.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: '/touch' + Image|endswith: '/touch' selection2: CommandLine|contains: - '-t' diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index e5aecc052..055cc98e9 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection1: - - ProcessName|endswith: '/rm' + - Image|endswith: '/rm' selection2: CommandLine|contains: '/var/log' selection3: diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml index 915f90488..6bde23a2a 100644 --- a/rules/linux/macos_create_account.yml +++ b/rules/linux/macos_create_account.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains: - 'create' diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml index 3a97aab8e..95890a4bf 100644 --- a/rules/linux/macos_create_hidden_account.yml +++ b/rules/linux/macos_create_hidden_account.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: dscl_create: - ProcessName|endswith: '/dscl' + Image|endswith: '/dscl' CommandLine|contains: 'create' id_below_500: CommandLine|contains: UniqueID 
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml index 8a84e85ce..2c983500b 100644 --- a/rules/linux/macos_disable_security_tools.yml +++ b/rules/linux/macos_disable_security_tools.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: launchctl_unload: - ProcessName: '/bin/launchctl' + Image: '/bin/launchctl' CommandLine|contains: 'unload' security_plists: CommandLine|contains: @@ -31,7 +31,7 @@ detection: - 'packetbeat' # elastic network logger/shipper - 'td-agent' # fluentd log shipper disable_gatekeeper: - ProcessName: '/usr/sbin/spctl' + Image: '/usr/sbin/spctl' CommandLine|contains: 'disable' condition: (launchctl_unload and security_plists) or disable_gatekeeper falsepositives: diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml index dca23a49d..6e16e85d8 100644 --- a/rules/linux/macos_file_and_directory_discovery.yml +++ b/rules/linux/macos_file_and_directory_discovery.yml @@ -11,17 +11,17 @@ logsource: product: macos detection: file_with_asterisk: - ProcessName: '/usr/bin/file' + Image: '/usr/bin/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline recursive_ls: - ProcessName: '/bin/ls' + Image: '/bin/ls' CommandLine|contains: '-R' find_execution: - ProcessName: '/usr/bin/find' + Image: '/usr/bin/find' mdfind_execution: - ProcessName: '/usr/bin/mdfind' + Image: '/usr/bin/mdfind' tree_execution|endswith: - ProcessName: '/tree' + Image: '/tree' condition: 1 of them falsepositives: - Legitimate activities diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml index 5fd340fb5..2f47f1034 100644 --- a/rules/linux/macos_find_cred_in_files.yml +++ b/rules/linux/macos_find_cred_in_files.yml 
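Review bot: In the macos_file_and_directory_discovery.yml hunk the modifier sits on the selection name, `tree_execution|endswith:` over `Image: '/tree'`, so the endswith never applies to the field and the selection only matches an Image of exactly `/tree`; it should read `tree_execution:` with `Image|endswith: '/tree'`. The other four selections of that rule pin absolute paths (`/usr/bin/file`, `/bin/ls`, ...), whereas the Linux counterpart in this commit uses `Image|endswith`; the endswith form would also catch binaries installed outside the stock locations.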
@@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: + Image|endswith: - '/grep' CommandLine|contains: - 'password' diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml index 711705d36..22b42e1c4 100644 --- a/rules/linux/macos_gui_input_capture.yml +++ b/rules/linux/macos_gui_input_capture.yml @@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection1: - ProcessName: + Image: - '/usr/sbin/osascript' selection2: Commandline|contains|all: diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml index 97aecfc82..638fb1ba9 100644 --- a/rules/linux/macos_local_account.yml +++ b/rules/linux/macos_local_account.yml @@ -11,13 +11,13 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains|all: - 'list' - '/users' selection_2: - ProcessName|endswith: + Image|endswith: - '/dscacheutil' CommandLine|contains|all: - '-q' @@ -26,16 +26,16 @@ detection: CommandLine|contains: - "'x:0:'" selection_4: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: - ProcessName|endswith: + Image|endswith: - '/id' selection_6: - ProcessName|endswith: + Image|endswith: - '/lsof' CommandLine|contains: - '-u' diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml index e914d3326..2c26fc45f 100644 --- a/rules/linux/macos_local_groups.yml +++ b/rules/linux/macos_local_groups.yml @@ -11,18 +11,18 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/dscacheutil' CommandLine|contains|all: - '-q' - 'group' selection_2: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/group' selection_3: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains|all: - '-list' 
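Review bot: The macos_gui_input_capture.yml hunk leaves `Commandline|contains|all:` with a lowercase `l`, which does not match the `CommandLine` field name used by every other rule in this commit, so backends will emit a literal `Commandline` field the log source does not provide; the same spelling appears in the second hunk of macos_system_network_discovery.yml. The selection also pins `Image:` to `/usr/sbin/osascript`, while macos_applescript.yml in this same commit uses `Image|endswith: '/osascript'`; the endswith form is the safer one (on a stock macOS the binary is under /usr/bin). Changed lines: `Image|endswith:` / `- '/osascript'` and `CommandLine|contains|all:`.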
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index 09bcef383..8faa5b721 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml @@ -11,11 +11,11 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/nc' - '/netcat' selection_2: - ProcessName|endswith: + Image|endswith: - '/nmap' - '/telnet' filter: diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml index a30534aef..cf316429b 100644 --- a/rules/linux/macos_network_sniffing.yml +++ b/rules/linux/macos_network_sniffing.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/tcpdump' - '/tshark' condition: selection diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index 6ec947914..dbe79e461 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -11,12 +11,12 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/arp' CommandLine|contains: - '-a' selection_2: - ProcessName|endswith: + Image|endswith: - '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml index 9746a0ff6..c757d014f 100644 --- a/rules/linux/macos_schedule_task_job_cron.yml +++ b/rules/linux/macos_schedule_task_job_cron.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/crontab' CommandLine|contains: - '/tmp/' diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml index 7cc9bc983..18fb1bf32 100644 --- a/rules/linux/macos_screencapture.yml +++ b/rules/linux/macos_screencapture.yml 
@@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection: - ProcessName: '/usr/sbin/screencapture' + Image: '/usr/sbin/screencapture' condition: selection falsepositives: - Legitimate user activity taking screenshots diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml index 320eb89fd..b26fbcd16 100644 --- a/rules/linux/macos_security_software_discovery.yml +++ b/rules/linux/macos_security_software_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: grep_execution: - ProcessName: '/usr/bin/grep' + Image: '/usr/bin/grep' security_services_and_processes: CommandLine|contains: - 'nessusd' # nessus vulnerability scanner diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml index 5f6a20269..b19c5aeab 100644 --- a/rules/linux/macos_split_file_into_pieces.yml +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: '/split' + Image|endswith: '/split' condition: selection falsepositives: - 'Legitimate administrative activity' diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml index 32f1ad5bf..8503e7803 100644 --- a/rules/linux/macos_system_network_connections_discovery.yml +++ b/rules/linux/macos_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName: + Image: - '/usr/bin/who' - '/usr/bin/w' - '/usr/bin/last' diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml index 2bf068e4e..f754a1e3c 100644 --- a/rules/linux/macos_system_network_discovery.yml +++ b/rules/linux/macos_system_network_discovery.yml 
@@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection1: - ProcessName: + Image: - '/usr/sbin/netstat' - '/sbin/ifconfig' - '/usr/sbin/ipconfig' @@ -19,7 +19,7 @@ detection: - '/usr/sbin/networksetup' - '/usr/sbin/arp' selection2: - ProcessName: '/usr/bin/defaults' + Image: '/usr/bin/defaults' Commandline|contains|all: - 'read' - '/Library/Preferences/com.apple.alf' diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml index e461aed89..e7b463653 100644 --- a/rules/linux/macos_system_shutdown_reboot.yml +++ b/rules/linux/macos_system_shutdown_reboot.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/shutdown' - '/reboot' - '/halt' diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml index 989190a43..8c4ac76c2 100644 --- a/rules/linux/macos_xattr_gatekeeper_bypass.yml +++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: '/xattr' + Image|endswith: '/xattr' CommandLine|contains|all: - '-r' - 'com.apple.quarantine' diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index bed167c16..02603871b 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - ProcessName|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains|all: diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 90bcb4c4b..faf030a3d 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml 
@@ -21,7 +21,7 @@ logsource: product: windows detection: selection1: - ProcessName|endswith: '\schtasks.exe' + Image|endswith: '\schtasks.exe' CommandLine|contains|all: - '/delete' - 'Defrag\ScheduledDefrag' diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 4c322dfd6..7d90d5575 100644 --- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -19,17 +19,17 @@ logsource: product: windows detection: selection1: - ProcessName|endswith: '\svchost.exe' + Image|endswith: '\svchost.exe' CommandLine|contains|all: - 'C:\Users\' - '\Desktop\' selection2: ParentImage|endswith: '\svchost.exe' selection3: - ProcessName|endswith: '\whoami.exe' + Image|endswith: '\whoami.exe' CommandLine|contains: 'all' selection4: - ProcessName|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: 'view' From 120fd413b882d6070f73d223417b8de5eef477e1 Mon Sep 17 00:00:00 2001 From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Thu, 25 Feb 2021 02:17:28 +0300 Subject: [PATCH 1298/1335] fix author field --- .../process_creation/win_susp_use_of_vsjitdebugger_bin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 72a59a20f..28e943f3e 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -9,7 +9,7 @@ references: tags: - attack.t1218 - attack.defense_evasion -author: 'Agro (@agro_sev)', 'Ensar Şamil (@sblmsrsn)', oscd.community +author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 logsource: category: process_creation From f461becc58007173effb81de55c8ceebc1a97452 Mon Sep 17 00:00:00 2001 
From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Tue, 2 Mar 2021 23:34:34 +0300 Subject: [PATCH 1299/1335] Added missed changes in win_net_ntlm_downgrade and merged duplicate rules --- .../builtin/win_net_ntlm_downgrade.yml | 2 +- .../process_creation/win_susp_finger.yml | 23 ------------------- .../win_webshell_detection.yml | 2 +- 3 files changed, 2 insertions(+), 25 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_finger.yml diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 8987fb7d8..2883f3df2 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -50,4 +50,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/process_creation/win_susp_finger.yml b/rules/windows/process_creation/win_susp_finger.yml deleted file mode 100644 index a6451adfc..000000000 --- a/rules/windows/process_creation/win_susp_finger.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Suspicious Use Finger.exe -id: 248f5697-2f46-4005-9bb6-b4fc643332a9 -status: experimental -description: finger.exe for data exfiltration or download file -references: - - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt -author: omkar72, oscd.community -date: 2020/10/11 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.command_and_control - - attack.t1071 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\finger.exe' - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 99241d3bb..09d432656 100644 
--- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c description: Detects certain command line parameters often used during reconnaissance activity via web shells author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community -reference: +references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ date: 2017/01/01 From ff6f10b4843ea83708c1b6db3754c2e13049fe8b Mon Sep 17 00:00:00 2001 From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Sun, 7 Mar 2021 23:20:21 +0300 Subject: [PATCH 1300/1335] Added the author of the duplicated rule (finger.exe) --- rules/windows/process_creation/win_susp_finger_usage.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml index 0290955b0..87fd5ff30 100644 --- a/rules/windows/process_creation/win_susp_finger_usage.yml +++ b/rules/windows/process_creation/win_susp_finger_usage.yml @@ -1,11 +1,12 @@ title: Finger.exe Suspicious Invocation id: af491bca-e752-4b44-9c86-df5680533dbc description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays -author: Florian Roth +author: Florian Roth, omkar72, oscd.community date: 2021/02/24 references: - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/ + - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt tags: - attack.command_and_control - attack.t1105 From 626d7ebd61cc40201fa6d0295029b6bba7b6321c Mon Sep 17 00:00:00 2001 
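Review bot: The merge carries the author and reference of the deleted win_susp_finger.yml into this rule but not its tags: the removed rule was tagged `attack.defense_evasion` and `attack.t1218`, while this hunk's tag list starts with `attack.command_and_control` / `attack.t1105` and the remainder is outside the hunk. If those two tags are not already present further down, add them so the ATT&CK coverage of the removed rule is preserved. Recording the dropped rule id `248f5697-2f46-4005-9bb6-b4fc643332a9` in a `related:` entry would also keep existing references to it resolvable.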
From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Sun, 7 Mar 2021 23:40:08 +0300 Subject: [PATCH 1301/1335] Applied the fixes made by the participants during the second sprint. --- .../process_creation/win_susp_procdump_lsass.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml index 30676b8de..299ed2930 100644 --- a/rules/windows/process_creation/win_susp_procdump_lsass.yml +++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml @@ -19,14 +19,13 @@ logsource: product: windows detection: selection1: - CommandLine: - - '* -ma *' + CommandLine|contains: ' -ma ' selection2: - CommandLine: - - '* lsass*' + CommandLine|contains: ' lsass' selection3: - CommandLine: - - '* -ma ls*' + CommandLine|contains|all: + - ' -ma ' + - ' ls' condition: ( selection1 and selection2 ) or selection3 falsepositives: - Unlikely, because no one should dump an lsass process memory From 26a5300208bcdad45a52c3ca599ded2f0c2fe61e Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 9 Mar 2021 08:22:36 +1100 Subject: [PATCH 1302/1335] added spaces for oudmp and dclist --- rules/windows/process_creation/win_ad_find_discovery.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_ad_find_discovery.yml b/rules/windows/process_creation/win_ad_find_discovery.yml index 4b6665aaf..2e6f5b93f 100644 --- a/rules/windows/process_creation/win_ad_find_discovery.yml +++ b/rules/windows/process_creation/win_ad_find_discovery.yml @@ -24,7 +24,7 @@ detection: - 'trustdmp' - 'dcmodes' - 'adinfo' - - 'dclist' + - ' dclist ' - 'computer_pwdnotreqd' - 'objectcategory=' - '-subnets -f' @@ -32,7 +32,7 @@ detection: - '-sc u:' - 'domainncs' - 'dompol' - - 'oudmp' + - ' oudmp ' - 'subnetdmp' - 'gpodmp' - 'fspdmp' 
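Review bot: selection3 in the win_susp_procdump_lsass.yml hunk turns the single wildcard `'* -ma ls*'` into `contains|all` of `' -ma '` and `' ls'`, which drops the adjacency the original expressed: any command line with ` -ma ` somewhere and any later token starting with `ls` now matches, and because that is a superset of `selection1 and selection2` the condition collapses to selection3 alone. Keep the contiguous substring instead, `CommandLine|contains: ' -ma ls'`, which is the direct translation of the removed pattern. Any logsource or Image constraint of the rule is outside the hunk.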
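Review bot: Wrapping the keywords as `' dclist '` and `' oudmp '` requires a trailing space, so a command line in which the keyword is the final argument (nothing follows `dclist`) no longer matches. If the intent is to avoid substring hits inside other words, anchor only on the leading space, `' dclist'` and `' oudmp'`, or list both the spaced and the trailing form.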
From 4e5a9a58a50555d2a88c99cdc67ea8b026b65841 Mon Sep 17 00:00:00 2001
From: Johnny Walker <10174710+iosonogio@users.noreply.github.com>
Date: Tue, 9 Mar 2021 17:41:54 +0100
Subject: [PATCH 1303/1335] Update netwitness-epl.py nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
---
tools/sigma/backends/netwitness-epl.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c..62506337b 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
- notNullExpression = "%s exists"
+ nullExpression = "%s is null"
+ notNullExpression = "%s is not null"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
From 0873c57acf1d5b8b93bb654681bbdd2550a189ad Mon Sep 17 00:00:00 2001
From: Johnny Walker <10174710+iosonogio@users.noreply.github.com>
Date: Tue, 9 Mar 2021 17:43:44 +0100
Subject: [PATCH 1304/1335] Update netwitness.py nullExpression fixed to be really null (missing exclamation mark)
---
tools/sigma/backends/netwitness.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py
index 25aed08d0..c8898ec67 100644
--- a/tools/sigma/backends/netwitness.py
+++ b/tools/sigma/backends/netwitness.py
@@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend):
listSeparator = ", "
valueExpression = "\'%s\'"
keyExpression = "%s"
- nullExpression = "%s exists"
+ nullExpression = "%s !exists"
notNullExpression = "%s exists"
mapExpression = "(%s=%s)"
mapListsSpecialHandling = True
From b73815e883afea595e3dd39faf7a2f61db67e446 Mon Sep 17 00:00:00 2001
From: concorde18 <71894515+concorde18@users.noreply.github.com> Date: Wed, 10 Mar 2021 11:25:13 +0300 Subject: [PATCH 1305/1335] Update win_susp_Register_cimprovider.yml --- .../process_creation/win_susp_Register_cimprovider.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index a8d2134d4..aee7498bd 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml @@ -16,13 +16,13 @@ logsource: definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: - Image|endswith: '\register-cimprovider.exe' - CommandLine|contains|all: - - '-path' - - 'dll' + Image|endswith: '\register-cimprovider.exe' + CommandLine|contains|all: + - '-path' + - 'dll' condition: selection fields: - CommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium From f694de74aa3f5e7a41107bf3667ae96d6542cfa4 Mon Sep 17 00:00:00 2001 From: concorde18 <71894515+concorde18@users.noreply.github.com> Date: Wed, 10 Mar 2021 11:33:12 +0300 Subject: [PATCH 1306/1335] Create win_susp_diskshadow.yml --- .../process_creation/win_susp_diskshadow.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_diskshadow.yml diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml new file mode 100644 index 000000000..6c57237ed --- /dev/null +++ b/rules/windows/process_creation/win_susp_diskshadow.yml 
@@ -0,0 +1,27 @@ +title: Execution via Diskshadow.exe +id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 +status: experimental +description: Detects using Diskshadow.exe to execute arbitrary code in text file +references: + - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +tags: + - attack.execution + - attack.t1218 +author: Ivan Dyachkov, oscd.community +date: 2020/10/07 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' +detection: + selection: + Image|endswith: '\diskshadow.exe' + CommandLine|contains: + - '/s' + - '-s' + condition: selection +fields: + - CommandLine +falsepositives: + - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. +level: high From a58c5ed7cc81894d53838209dbf0c5ac74376099 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 10 Mar 2021 18:05:15 +0545 Subject: [PATCH 1307/1335] Added rule for CVE-2021-21978 in VMware View Planner --- ...2021_21978_vmware_view_planner_exploit.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml new file mode 100644 index 000000000..8a240ab40 --- /dev/null +++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml 
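Review bot: The new win_susp_diskshadow.yml carries spelling errors in two fields that end up in generated documentation: `msut` in the logsource definition (the same typo sits in the untouched definition line of win_susp_Register_cimprovider.yml in the previous commit) and `postitve` in falsepositives; the description would also read better as `Detects Diskshadow.exe being used to execute commands from a script file`. The `CommandLine|contains` list of `'/s'` and `'-s'` matches those characters anywhere in the command line, not only as the script switch; prefixing them with a space, `' /s'` and `' -s'`, limits hits to switch-like positions rather than arbitrary path fragments, though such short tokens will remain noisy.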
@@ -0,0 +1,30 @@ +title: CVE-2021-21978 Exploitation Attempt +id: 77586a7f-7ea4-4c41-b19c-820140b84ca9 +status: experimental +description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978 +author: Bhabesh Raj +date: 2020/03/10 +references: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978 + - https://twitter.com/wugeej/status/1369476795255320580 + - https://paper.seebug.org/1495/ +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains|all: + - 'logupload' + - 'logMetaData' + - 'wsgi_log_upload.py' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - None +level: high +tags: + - attack.initial_access + - attack.t1190 + - cve.2021-21978 \ No newline at end of file From f138a2742635b939e28c00ec0dd373a30a6d1f0e Mon Sep 17 00:00:00 2001 From: Cyb3rPandaH Date: Mon, 15 Mar 2021 00:33:47 -0400 Subject: [PATCH 1308/1335] CVE-2021-27065 - Set OabVirtualDirectory ExternalUrl Property Rule to detect an adversary setting OabVirtualDirectory External URL property to a script --- ...in_set_oabvirtualdirectory_externalurl.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml new file mode 100644 index 000000000..7285cc243 --- /dev/null +++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml 
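Review bot: `date: 2020/03/10` predates the CVE itself (2021) and the commit is dated 10 Mar 2021, so this looks like a typo; `date: 2021/03/10`. The first reference, `cvename.cgi?name=2021-21978`, omits the `CVE-` prefix that I believe that endpoint expects, so `name=CVE-2021-21978` is the safer form. The file also ends without a trailing newline (`\ No newline at end of file`), which the other rules in this series avoid.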
@@ -0,0 +1,27 @@ +title: Set OabVirtualDirectory ExternalUrl Property +id: 9db37458-4df2-46a5-95ab-307e7f29e675 +description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script +author: Jose Rodriguez @Cyb3rPandaH +status: experimental +date: 2021/03/15 +references: + - https://twitter.com/OTR_Community/status/1371053369071132675 +tags: + - attack.persistence + - attack.t1505.003 +logsource: + product: windows + service: msexchange-management +detection: + keywords: + Message: + - "*Set-OabVirtualDirectory*" + - "*ExternalUrl*" + - "*Page_Load*" + - "*script*" + selection: + EventID: 1 + condition: keywords and selection +falsepositives: + - Unknown +level: high \ No newline at end of file From 334dd9a058eb3bd2031fecbc6821ee22d4875dc5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 20 Mar 2021 08:34:02 +0100 Subject: [PATCH 1309/1335] Update win_set_oabvirtualdirectory_externalurl.yml --- .../win_set_oabvirtualdirectory_externalurl.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml index 7285cc243..a00956dad 100644 --- a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml +++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml @@ -13,15 +13,13 @@ logsource: product: windows service: msexchange-management detection: - keywords: - Message: - - "*Set-OabVirtualDirectory*" - - "*ExternalUrl*" - - "*Page_Load*" - - "*script*" selection: - EventID: 1 - condition: keywords and selection + Message|contains|all: + - 'Set-OabVirtualDirectory' + - 'ExternalUrl' + - 'Page_Load' + - 'script' + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high From e0666036a4f153bb0f46109f69b4e6e630fc134a Mon Sep 17 00:00:00 2001 
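Review bot: The rewrite changes the detection logic but the rule keeps `date: 2021/03/15` with no `modified:` entry, although this edit lands on 2021/03/20 per the commit; `modified: 2021/03/20` belongs next to `date:`. The original submission (the commit message of the previous patch) ties this rule to CVE-2021-27065, yet the tags carry only the ATT&CK entries; the CVE rule earlier in this series uses a `cve.2021-21978` tag, so `- cve.2021-27065` would keep the convention consistent and make the rule findable by CVE. The `Message|contains|all` block would benefit from a comment explaining that the four tokens together identify the cmdlet writing a script body into the OAB virtual directory's external URL, so a later reader does not loosen the conjunction.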
From: Maxime Lamothe-Brassard Date: Wed, 24 Mar 2021 17:58:50 -0700 Subject: [PATCH 1310/1335] Add option to support different LimaCharlie targets. --- tools/sigma/backends/limacharlie.py | 298 ++++++++++++++++------------ 1 file changed, 170 insertions(+), 128 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 854dec74c..4ae813633 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -23,11 +23,16 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier # A few helper functions for cases where field mapping cannot be done # as easily one by one, or can be done more efficiently. -def _windowsEventLogFieldName(fieldName): +def _windowsEventLogArtifactFieldName(fieldName): if 'EventID' == fieldName: return 'Event/System/EventID' return 'Event/EventData/%s' % (fieldName,) +def _windowsEventLogEDRFieldName(fieldName): + if 'EventID' == fieldName: + return 'event/EVENT/System/EventID' + return 'event/EVENT/EventData/%s' % (fieldName,) + def _mapProcessCreationOperations(node): # Here we fix some common pitfalls found in rules # in a consistent fashion (already processed to D&R rule). 
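Review bot: `_windowsEventLogArtifactFieldName` and `_windowsEventLogEDRFieldName` are identical except for the path prefix, which invites the two drifting apart; one helper with the prefix as a parameter, `def _windowsEventLogFieldName(prefix, fieldName): return '%s/System/EventID' % prefix if fieldName == 'EventID' else '%s/EventData/%s' % (prefix, fieldName)`, bound with `functools.partial` for the two targets, removes the duplication. Whichever shape stays, each helper should get a docstring stating which LimaCharlie event layout it addresses (`"""Map a Sigma field to the EDR (`event/EVENT/...`) path of a forwarded Windows Event Log record."""`), since the only difference between the two is exactly that.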
@@ -65,132 +70,160 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'postOpMapper', ]) _allFieldMappings = { - "windows/process_creation/": SigmaLCConfig( - topLevelParams = { - "events": [ - "NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is windows", - }, - fieldMappings = { - "CommandLine": "event/COMMAND_LINE", - "Image": "event/FILE_PATH", - "ParentImage": "event/PARENT/FILE_PATH", - "ParentCommandLine": "event/PARENT/COMMAND_LINE", - "User": "event/USER_NAME", - "OriginalFileName": "event/ORIGINAL_FILE_NAME", - # Custom field names coming from somewhere unknown. - "NewProcessName": "event/FILE_PATH", - "ProcessCommandLine": "event/COMMAND_LINE", - # Another one-off command line. - "Command": "event/COMMAND_LINE", - }, - isAllStringValues = False, - keywordField = "event/COMMAND_LINE", - postOpMapper = _mapProcessCreationOperations - ), - "windows//": SigmaLCConfig( - topLevelParams = { - "target": "log", - "log type": "wel", - }, - preConditions = None, - fieldMappings = _windowsEventLogFieldName, - isAllStringValues = True, - keywordField = None, - postOpMapper = None - ), - "windows_defender//": SigmaLCConfig( - topLevelParams = { - "target": "log", - "log type": "wel", - }, - preConditions = None, - fieldMappings = _windowsEventLogFieldName, - isAllStringValues = True, - keywordField = None, - postOpMapper = None - ), - "dns//": SigmaLCConfig( - topLevelParams = { - "event": "DNS_REQUEST", - }, - preConditions = None, - fieldMappings = { - "query": "event/DOMAIN_NAME", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), - "linux//": SigmaLCConfig( - topLevelParams = { - "events": [ - "NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is linux", - }, - fieldMappings = { - "exe": "event/FILE_PATH", - "type": None, - }, - isAllStringValues = False, - keywordField = 'event/COMMAND_LINE', - postOpMapper = None - ), - "unix//": SigmaLCConfig( - topLevelParams = { - "events": [ - 
"NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is linux", - }, - fieldMappings = { - "exe": "event/FILE_PATH", - "type": None, - }, - isAllStringValues = False, - keywordField = 'event/COMMAND_LINE', - postOpMapper = None - ), - "netflow//": SigmaLCConfig( - topLevelParams = { - "event": "NETWORK_CONNECTIONS", - }, - preConditions = None, - fieldMappings = { - "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT", - "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), - "/proxy/": SigmaLCConfig( - topLevelParams = { - "event": "HTTP_REQUEST", - }, - preConditions = None, - fieldMappings = { - "c-uri|contains": "event/URL", - "c-uri": "event/URL", - "URL": "event/URL", - "cs-uri-query": "event/URL", - "cs-uri-stem": "event/URL", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), + 'edr': { + "windows//": SigmaLCConfig( + topLevelParams = { + "event": "WEL", + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = _windowsEventLogEDRFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None + ), + "windows_defender//": SigmaLCConfig( + topLevelParams = { + "event": "WEL", + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = _windowsEventLogEDRFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None + ), + "windows/process_creation/": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = { + "CommandLine": "event/COMMAND_LINE", + "Image": "event/FILE_PATH", + "ParentImage": "event/PARENT/FILE_PATH", + "ParentCommandLine": "event/PARENT/COMMAND_LINE", + "User": "event/USER_NAME", + "OriginalFileName": "event/ORIGINAL_FILE_NAME", + # Custom field names coming from somewhere unknown. 
+ "NewProcessName": "event/FILE_PATH", + "ProcessCommandLine": "event/COMMAND_LINE", + # Another one-off command line. + "Command": "event/COMMAND_LINE", + }, + isAllStringValues = False, + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations + ), + "dns//": SigmaLCConfig( + topLevelParams = { + "event": "DNS_REQUEST", + }, + preConditions = None, + fieldMappings = { + "query": "event/DOMAIN_NAME", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None + ), + "linux//": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is linux", + }, + fieldMappings = { + "exe": "event/FILE_PATH", + "type": None, + }, + isAllStringValues = False, + keywordField = 'event/COMMAND_LINE', + postOpMapper = None + ), + "unix//": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is linux", + }, + fieldMappings = { + "exe": "event/FILE_PATH", + "type": None, + }, + isAllStringValues = False, + keywordField = 'event/COMMAND_LINE', + postOpMapper = None + ), + "netflow//": SigmaLCConfig( + topLevelParams = { + "event": "NETWORK_CONNECTIONS", + }, + preConditions = None, + fieldMappings = { + "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT", + "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None + ), + "/proxy/": SigmaLCConfig( + topLevelParams = { + "event": "HTTP_REQUEST", + }, + preConditions = None, + fieldMappings = { + "c-uri|contains": "event/URL", + "c-uri": "event/URL", + "URL": "event/URL", + "cs-uri-query": "event/URL", + "cs-uri-stem": "event/URL", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None + ), + }, + "artifact": { + "windows//": SigmaLCConfig( + topLevelParams = { + "target": "log", + "log type": "wel", + }, + preConditions = None, + fieldMappings 
= _windowsEventLogArtifactFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None + ), + "windows_defender//": SigmaLCConfig( + topLevelParams = { + "target": "log", + "log type": "wel", + }, + preConditions = None, + fieldMappings = _windowsEventLogArtifactFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None + ), + } } class LimaCharlieBackend(BaseBackend): @@ -200,6 +233,15 @@ class LimaCharlieBackend(BaseBackend): config_required = False default_config = ["limacharlie"] + options = ( + ( + "lc_target", + "edr", + "Generate LimaCharlie D&R rules for the following target, one of: edr, artifact.", + None, + ), + ) + def generate(self, sigmaparser): # Take the log source information and figure out which set of mappings to use. ruleConfig = sigmaparser.parsedyaml @@ -230,7 +272,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) From 8916459bab6b9e0b58841614635c1a11858ae95e Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Thu, 25 Mar 2021 22:44:24 +1100 Subject: [PATCH 1311/1335] Added additional CS signatures --- rules/windows/malware/av_exploiting.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index 929879772..8d6957ee8 100644 --- a/rules/windows/malware/av_exploiting.yml 
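Review bot: `_allFieldMappings.get(self.lc_target, {})` turns a misspelled or unsupported `lc_target` into the generic "Log source ... not supported by backend" NotImplementedError, which points the user at the wrong cause; validate the target before the lookup, e.g. `if self.lc_target not in _allFieldMappings: raise ValueError("Unknown lc_target %r, expected one of: %s" % (self.lc_target, ", ".join(sorted(_allFieldMappings))))`. The `artifact` table only defines `windows//` and `windows_defender//`, so the not-supported message would also be clearer if it named the target it was evaluated against. Reading `self.lc_target` presumes the base class turns the `options` tuple entry into an attribute with the declared default; that mechanism is outside this diff, so worth confirming. `generate` continues past the hunk.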
+++ b/rules/windows/malware/av_exploiting.yml @@ -25,6 +25,10 @@ detection: - "*Swrort*" - "*Rozena*" - "*Backdoor.Cobalt*" + - "*CobaltStr*" + - "*COBEACON*" + - "*Cometer*" + - "*Razy*" condition: selection fields: - FileName From 6ef5f0a0a25c07be6e5cb6cd360abe3101883feb Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Sat, 27 Mar 2021 07:34:05 +1100 Subject: [PATCH 1312/1335] Added detection for Dumpert -Dumpert based LSASS dump using DLL -Dumpert.exe detection --- rules/windows/malware/av_password_dumper.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index 77cc9d433..094f10d4a 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml @@ -28,6 +28,8 @@ detection: - "*PShlSpy*" - "*Rubeus*" - "*Kekeo*" + - "*LsassDump*" + - "*Outflank*" condition: selection fields: - FileName From 30ab2aad753c3c9e3c56ba70c8b8c04e3ad6f91c Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Tue, 30 Mar 2021 10:15:10 -0400 Subject: [PATCH 1313/1335] Map CommandLine appropriately Args is an array of the exploded command line and causes many rules to misfire. --- tools/config/winlogbeat-modules-enabled.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index a70d4d1a2..07bef1889 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -84,7 +84,7 @@ fieldmappings: CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace Channel: winlog.channel - CommandLine: process.args + CommandLine: process.command_line ComputerName: winlog.ComputerName CurrentDirectory: process.working_directory Description: winlog.event_data.Description 
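Review bot: `"*Razy*"` is, as far as I recall, a generic family label that several engines attach to a wide range of unrelated samples, so in a rule aimed at exploitation and C2 frameworks it will likely inflate false positives well beyond the Cobalt Strike-specific names added alongside it (`*CobaltStr*`, `*COBEACON*`, `*Cometer*`); either drop it or record the expected noise under `falsepositives`. The rule header is outside the hunk and the diffstat shows only these four insertions, so `modified:` was not bumped for this change.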
@@ -125,7 +125,7 @@ fieldmappings: ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: process.parent.args + ParentCommandLine: process.parent.command_line ParentProcessName: process.parent.name ParentImage: process.parent.executable Path: winlog.event_data.Path From 3fd396f4db1aae16e42da5ac76fd2728ea801866 Mon Sep 17 00:00:00 2001 From: JohnConnorRF Date: Tue, 30 Mar 2021 13:21:14 -0400 Subject: [PATCH 1314/1335] Updated winlogbeat configuration file to support File Product details --- tools/config/winlogbeat.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 74e991b7d..9bb3c5559 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -121,6 +121,7 @@ fieldmappings: PipeName: winlog.event_data.PipeName ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: winlog.event_data.ProcessName + Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName SAMAccountName: winlog.event_data.SamAccountName From 0448e468705715cc3ba7e06c1afaffbf7c06862d Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Tue, 30 Mar 2021 23:41:48 -0400 Subject: [PATCH 1315/1335] Implement Elastic threshold detection rules Transform supported count() aggregations (> and >=, no count field, optionally a group by field) into a threshold detection rule. --- tools/sigma/backends/elasticsearch.py | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index b901be0da..e7bf3ec21 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
@@ -25,7 +25,7 @@ from distutils.util import strtobool import sigma import yaml from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier -from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression +from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser from sigma.config.mapping import ConditionalFieldMapping from .base import BaseBackend, SingleTextQueryBackend @@ -1220,6 +1220,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): super().__init__(*args, **kwargs) self.tactics = self._load_mitre_file("tactics") self.techniques = self._load_mitre_file("techniques") + self.rule_type = "query" + self.rule_threshold = {} def _load_mitre_file(self, mitre_type): try: @@ -1246,6 +1248,20 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule = self.create_rule(configs, index) return rule + def generateAggregation(self, agg): + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: + if agg.cond_op not in [">", ">="]: + raise NotImplementedError("Threshold rules can only handle > and >= operators") + if agg.aggfield: + raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield) + self.rule_type = "threshold" + self.rule_threshold = { + "field": agg.groupfield if agg.groupfield else [], + "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1 + } + return "" + raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans) + def create_threat_description(self, tactics_list, techniques_list): threat_list = list() for tactic in tactics_list: 
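Review bot: `generateAggregation` records `rule_type`/`rule_threshold` on the backend instance and nothing resets them, so if one backend instance converts several rules in sequence (as a rule-set run would), a plain rule that follows a threshold rule inherits `type: threshold` plus the stale threshold block in `create_rule` (the hunk at `@@ -1351,10 +1367,12 @@`). Reset both where per-rule output begins, e.g. at the top of `generate`: `self.rule_type = "query"` / `self.rule_threshold = {}`, rather than only in `__init__`. `int(agg.condition)` also raises a bare ValueError for a non-integer threshold; a NotImplementedError naming the unsupported value would match the surrounding error style. A short docstring on `generateAggregation` should state the supported shape (count with `>`/`>=`, no aggregated field, optional group-by). `__init__`, `generate` and `create_rule` all extend outside these hunks.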
@@ -1351,10 +1367,12 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): "severity": configs.get("level", "medium"), "tags": new_tags, "to": "now", - "type": "query", + "type": self.rule_type, "threat": threat, "version": 1 } + if self.rule_type == "threshold": + rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) return json.dumps(rule) From 7923852cc3fe69158f5e21f512094f18911ff1b7 Mon Sep 17 00:00:00 2001 From: Joshua Roys Date: Wed, 31 Mar 2021 16:01:05 -0400 Subject: [PATCH 1316/1335] Elastic: raise an error from the base backend if a rule has multiple conditions --- tools/sigma/backends/base.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 1ef7e175a..e9901e06d 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -114,6 +114,8 @@ class BaseBackend: def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + if len(sigmaparser.condparsed) > 1: + raise NotImplementedError("Base backend doesn't support multiple conditions") for parsed in sigmaparser.condparsed: query = self.generateQuery(parsed) before = self.generateBefore(parsed) From 109b7890db8ad5b49901e61376a29d94914ae85d Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 31 Mar 2021 14:02:14 +0200 Subject: [PATCH 1317/1335] fix: taking windows security 4688 events into account for filter out --- .../process_creation/win_wmiprvse_spawning_process.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index bf99d9eb3..042df7de0 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml 
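Review bot: The guard sits directly above the `for parsed in sigmaparser.condparsed` loop that was written to emit one query per condition, so every backend inheriting `generate` from BaseBackend now rejects multi-condition rules, not only the Elastic backend the subject names; if that is the intent the message should identify the concrete class, `raise NotImplementedError("%s doesn't support multiple conditions" % self.__class__.__name__)`, and the method docstring should state the single-condition contract. If it is not, the check belongs in the Elastic rule backend's override. `generate` continues past the hunk.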
@@ -20,13 +20,18 @@ detection: - LogonId: - '0x3e7' # LUID 999 for SYSTEM - 'null' # too many false positives + - SubjectLogonId: + - '0x3e7' # LUID 999 for SYSTEM + - 'null' # too many false positives - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - filter_null: # some backends need the null value in a seperate expression + filter_null1: # some backends need the null value in a seperate expression LogonId: null - condition: selection and not filter and not filter_null + filter_null2: # some backends need the null value in a seperate expression + SubjectLogonId: null + condition: selection and not filter and not filter_null1 and not filter_null2 falsepositives: - Unknown level: high From 2cab121c71193e3022daa85d8eedfe8b32fa185d Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 31 Mar 2021 16:12:38 +0200 Subject: [PATCH 1318/1335] refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap --- .../process_creation/win_susp_exec_folder.yml | 42 ------------------- .../win_susp_execution_path.yml | 22 +++++++++- .../win_susp_prog_location_process_starts.yml | 28 ------------- 3 files changed, 20 insertions(+), 72 deletions(-) delete mode 100644 rules/windows/process_creation/win_susp_exec_folder.yml delete mode 100644 rules/windows/process_creation/win_susp_prog_location_process_starts.yml diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml deleted file mode 100644 index f42c4c82d..000000000 --- a/rules/windows/process_creation/win_susp_exec_folder.yml +++ /dev/null 
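Review bot: The comment `# some backends need the null value in a seperate expression` is now duplicated on `filter_null1` and `filter_null2` with the same typo; `separate`. Since keys inside one selection are AND-ed, the two null filters must stay as two selections, and a one-line note above `filter_null1` (`# two selections on purpose: either field being null should exclude the event`) would keep a later cleanup from merging them. The diffstat's seven insertions are all in this hunk, so `modified:` was not updated for this logic change.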
@@ -1,42 +0,0 @@ -title: Executables Started in Suspicious Folder -id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254 -status: experimental -description: Detects process starts of binaries from a suspicious folder -author: Florian Roth -date: 2017/10/14 -modified: 2019/02/21 -references: - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md -tags: - - attack.defense_evasion - - attack.t1036 -logsource: - category: process_creation - product: windows -detection: - selection: - Image: - - C:\PerfLogs\\* - - C:\$Recycle.bin\\* - - C:\Intel\Logs\\* - - C:\Users\Default\\* - - C:\Users\Public\\* - - C:\Users\NetworkService\\* - - C:\Windows\Fonts\\* - - C:\Windows\Debug\\* - - C:\Windows\Media\\* - - C:\Windows\Help\\* - - C:\Windows\addins\\* - - C:\Windows\repair\\* - - C:\Windows\security\\* - - '*\RSA\MachineKeys\\*' - - C:\Windows\system32\config\systemprofile\\* - - C:\Windows\Tasks\\* - - C:\Windows\System32\Tasks\\* - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index 69c3fa09e..18f4ad210 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
@@ -1,9 +1,15 @@ -title: Execution in Non-Executable Folder +title: Execution from Suspicious Folder id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4 status: experimental description: Detects a suspicious execution from an uncommon folder author: Florian Roth date: 2019/01/16 +modified: 2021/03/31 +references: + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md tags: - attack.defense_evasion - attack.t1036 @@ -13,7 +19,7 @@ logsource: detection: selection: Image: - - '*\$Recycle.bin' + - '*\$Recycle.bin\\*' - '*\Users\All Users\\*' - '*\Users\Default\\*' - '*\Users\Public\\*' @@ -22,6 +28,18 @@ detection: - '*\Windows\Fonts\\*' - '*\Windows\IME\\*' - '*\Windows\addins\\*' + - '*\Intel\Logs\\*' + - '*\Users\NetworkService\\*' + - '*\Windows\debug\\*' + - '*\Windows\Media\\*' + - '*\Windows\Help\\*' + - '*\Windows\repair\\*' + - '*\Windows\security\\*' + - '*\RSA\MachineKeys\\*' + - '*\Windows\system32\config\systemprofile\\*' + - '*\Windows\Tasks\\*' + - '*\Windows\System32\Tasks\\*' + condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml deleted file mode 100644 index fef504ffc..000000000 --- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml +++ /dev/null 
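Review bot: The third hunk adds an empty line inside `detection` (the lone `+` after `'*\Windows\System32\Tasks\\*'`) right before `condition: selection`; drop it. `'*\Windows\system32\config\systemprofile\\*'`, carried over from the deleted rule, appears to be subsumed by the existing `'*\config\systemprofile\\*'` item in the same list (not shown in this hunk, but visible in the later refactor of this file), so it adds nothing. The deleted `win_susp_prog_location_process_starts.yml` contributed a reference (the spreadsheet link) and two rule ids disappear with the merge; if the project tracks superseded ids, the description or a related-rules field should mention `7a38aa19-86a9-4af7-ac51-6bfe4e59f254` and `f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5`.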
@@ -1,28 +0,0 @@ -title: Suspicious Program Location Process Starts -id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5 -status: experimental -description: Detects programs running in suspicious files system locations -references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -tags: - - attack.defense_evasion - - attack.t1036 -author: Florian Roth -date: 2019/01/15 -logsource: - category: process_creation - product: windows -detection: - selection: - Image: - - '*\$Recycle.bin' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - - '*\Windows\debug\\*' - condition: selection -falsepositives: - - unknown -level: high From 65bc62d4014f98ecb9c99b25d17c839120ffcb94 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 1 Apr 2021 10:39:40 +0200 Subject: [PATCH 1319/1335] fix: adding filter out for CamMute.exe --- .../windows/process_creation/win_plugx_susp_exe_locations.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index 557ac9154..ff2d5fe2d 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -19,7 +19,9 @@ detection: selection_cammute: Image: '*\CamMute.exe' filter_cammute: - Image: '*\Lenovo\Communication Utility\\*' + Image: + - '*\Lenovo\Communication Utility\\*' + - '*\Lenovo\Communications Utility\\*' selection_chrome_frame: Image: '*\chrome_frame_helper.exe' filter_chrome_frame: From bd5ba2ae016a6669555f603d1ebd3710033a6f34 Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Thu, 1 Apr 2021 11:13:59 +0200 Subject: [PATCH 1320/1335] fix: adding only as a known false positive as it cannot be filtered out in a generic and public way --- rules/windows/sysmon/sysmon_password_dumper_lsass.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index a8d8db9b7..b26ae3c35 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -6,6 +6,7 @@ references: status: stable author: Thomas Patzke date: 2017/02/19 +modified: 2021/04/01 logsource: product: windows service: sysmon @@ -21,5 +22,5 @@ tags: - attack.s0005 - attack.t1003.001 falsepositives: - - unknown + - Antivirus products level: high From 43be8c8cbae36fa433ab40204e171e35c8164b49 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 1 Apr 2021 12:20:09 +0200 Subject: [PATCH 1321/1335] refactor: make use of value modifiers --- .../win_susp_execution_path.yml | 43 ++++++++++--------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index 18f4ad210..077714592 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
@@ -18,27 +18,28 @@ logsource: product: windows detection: selection: - Image: - - '*\$Recycle.bin\\*' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - - '*\Intel\Logs\\*' - - '*\Users\NetworkService\\*' - - '*\Windows\debug\\*' - - '*\Windows\Media\\*' - - '*\Windows\Help\\*' - - '*\Windows\repair\\*' - - '*\Windows\security\\*' - - '*\RSA\MachineKeys\\*' - - '*\Windows\system32\config\systemprofile\\*' - - '*\Windows\Tasks\\*' - - '*\Windows\System32\Tasks\\*' + - Image|contains: + - '\$Recycle.bin\' + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - '\Intel\Logs\' + - '\Users\NetworkService\' + - '\Windows\debug\' + - '\Windows\Media\' + - '\Windows\Help\' + - '\Windows\repair\' + - '\Windows\security\' + - '\RSA\MachineKeys\' + - '\Windows\system32\config\systemprofile\' + - '\Windows\Tasks\' + - '\Windows\System32\Tasks\' + - Image|startswith: + - 'C:\Perflogs\' condition: selection fields: From 794865c79d8427c36a745e0e8da25e8d2f92c28b Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 1 Apr 2021 13:41:28 +0200 Subject: [PATCH 1322/1335] fix: adding filter to condition and reintroducing the users folder constraint --- .../win_office_spawn_exe_from_users_directory.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index 637f34842..e5b6df657 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml 
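Review bot: `'\Windows\system32\config\systemprofile\'` is a superset of `'\config\systemprofile\'` a few items above it under the same `Image|contains`, so it can only match when the shorter pattern already did; remove it. Everything else became drive-agnostic with `contains`, while `Image|startswith: - 'C:\Perflogs\'` keeps the drive letter; `'\Perflogs\'` under `contains` would be consistent unless the drive anchoring is deliberate, in which case a comment saying so would help. The diffstat (22 insertions, 21 deletions) is fully accounted for by this hunk, so `modified:` was not bumped.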
@@ -26,9 +26,11 @@ detection:
- '*\MSPUB.exe'
- '*\VISIO.exe'
# - '*\OUTLOOK.EXE' too many FPs
+ Image:
+ - 'C:\users\\*.exe'
filter:
Image|endswith: '\Teams.exe'
- condition: selection
+ condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
From 8b4234de3bd4511cfd6816eb7d4d8801cadd4f92 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 1 Apr 2021 13:43:23 +0200 Subject: [PATCH 1323/1335] refactor: make use of value modifiers --- ...win_office_spawn_exe_from_users_directory.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
index e5b6df657..b7e375a79 100644
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@@ -13,19 +13,19 @@ tags:
- car.2013-05-002
author: Jason Lynch
date: 2019/04/02
-modified: 2021/03/13
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- # - '*\OUTLOOK.EXE' too many FPs
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ # - '\OUTLOOK.EXE' too many FPs
Image:
- 'C:\users\\*.exe'
filter:
From 4934f806011edefd0dac697f5bef615c37bfff60 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 1 Apr 2021 14:32:43 +0200 Subject: [PATCH 1324/1335] fix: FP tuning for IIS Express and making use of value modifiers --- .../win_sdbinst_shim_persistence.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 3abe5ff23..66b939845 100644
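Review bot: The reintroduced constraint `Image: 'C:\users\\*.exe'` pins the rule to one drive letter, while the follow-up hunk (PATCH 1323) converts the rest of the selection to path-relative `ParentImage|endswith` values and keeps the `C:\` literal as context; profile folders redirected to another volume never match. The drive-independent form is `Image|contains: '\users\'` together with `Image|endswith: '.exe'`, which keeps the folder constraint the commit message asks for. The `*` in the current value already spans subdirectories, so the only thing being dropped is the drive letter. A short comment next to `filter:` saying why `\Teams.exe` is excluded (presumably because it installs under the user profile) would also help, since `condition: selection and not filter` now depends on it.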
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -11,17 +11,20 @@ tags:
- attack.t1138 # an old one
author: Markus Neis
date: 2019/01/16
-modified: 2020/09/06
+modified: 2021/04/01
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\sdbinst.exe'
- CommandLine:
- - '*.sdb*'
- condition: selection
+ Image|endswith:
+ - '\sdbinst.exe'
+ CommandLine|contains:
+ - '.sdb'
+ filter:
+ - CommandLine|contains:
+ - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
+ condition: selection and not filter
falsepositives:
- Unknown
level: high
From 1f3ee87e554786d43966077690566f9fb282f052 Mon Sep 17 00:00:00 2001 From: JohnConnorRF Date: Thu, 1 Apr 2021 09:19:21 -0400 Subject: [PATCH 1325/1335] Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product --- tools/config/winlogbeat-modules-enabled.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index a70d4d1a2..8f16ed539 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -132,6 +132,7 @@ fieldmappings:
PipeName: file.name
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
+ Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
From 477f05c5f2cda27b305f154fb3b19249b8746d09 Mon Sep 17 00:00:00 2001
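Review bot: The new `filter` drops any event whose command line merely contains `iisexpressshim.sdb`, and the command line is chosen by whoever runs `sdbinst.exe`, so a `level: high` rule can now be bypassed by appending that string to an otherwise matching invocation. Anchor the exclusion on something the caller controls less freely, e.g. under `filter:` use `CommandLine|contains|all:` with both `'iisexpressshim.sdb'` and the IIS Express installation directory (constructed placeholder: `'\IIS Express\'`, confirm the real path from the referenced sample), or a `ParentImage` constraint, and record the residual gap in the rule. `falsepositives: - Unknown` is also stale now that a concrete false positive is named in the filter comment; `- IIS Express installation` would be the matching entry.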
From: JohnConnorRF Date: Thu, 1 Apr 2021 09:24:24 -0400 Subject: [PATCH 1326/1335] Added in Product entry for winlogbeat-old --- tools/config/winlogbeat-old.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 8f88f05cb..34fef1fdd 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -117,6 +117,7 @@ fieldmappings: PipeName: event_data.PipeName ProcessCommandLine: event_data.ProcessCommandLine ProcessName: event_data.ProcessName + Product: event_data.Product Properties: event_data.Properties SecurityID: event_data.SecurityID ServiceFileName: event_data.ServiceFileName From fb1bb91c3c9200a9df1bdd1b58c172836ac59e96 Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 1 Apr 2021 16:01:38 +0100 Subject: [PATCH 1327/1335] Apply changes to Defender for Endpoint backend --- tools/sigma/backends/mdatp.py | 59 ++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 25 deletions(-) diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py index 348227bb1..a9173275b 100644 --- a/tools/sigma/backends/mdatp.py +++ b/tools/sigma/backends/mdatp.py @@ -42,10 +42,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): active = True config_required = False - # \ -> \\ - # \* -> \* - # \\* -> \\* - reEscape = re.compile('("|(?', val) val = re.sub('\\*', '.*', val) val = re.sub('\\?', '.', val) - else: # value possibly only starts and/or ends with *, use prefix/postfix match + else: + # value possibly only starts and/or ends with *, use prefix/postfix match if val.endswith("*") and val.startswith("*"): op = "contains" val = self.cleanValue(val[1:-1]) @@ -215,6 +217,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): return "%s \"%s\"" % (op, val) + def porttype_mapping(self, val): + return "%s \"%s\"" % ("==", val) + def logontype_mapping(self, src): """Value mapping for logon events to reduced ATP LogonType set""" logontype_mapping = { 
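Review bot: `porttype_mapping` interpolates `val` straight into `"%s \"%s\"" % ("==", val)` without passing it through `self.cleanValue`, unlike the `op`/`val` path immediately above it that does `val = self.cleanValue(...)`, so a value containing a double quote yields a broken query; it also always quotes the value, which is doubtful for a port field if the target column is numeric (the numeric type is inferred from the method name, confirm against the schema). Suggested change: `val = self.cleanValue(str(val))` before the return, or an unquoted `"== %d" % int(val)` once the field is known to be numeric. A one-line docstring naming which fields route through this mapping would help, since nothing in the hunk shows the caller. The enclosing class continues outside the hunk.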
@@ -299,6 +304,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
return "%s" % generated
return generated
+ def cleanValue(self, val):
+ if self.reEscape:
+ val = self.reEscape.sub(self.escapeSubst, val)
+ return val
def mapEventId(self, event_id):
if self.product == "windows":
From 30c6d753fdefc0d38b68b373e27bab42acbe22e5 Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 1 Apr 2021 16:08:22 +0100 Subject: [PATCH 1328/1335] Removed unnecessary imports --- tools/sigma/backends/mdatp.py | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index a9173275b..9a2a6387f 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -19,8 +19,6 @@ from functools import wraps
from .base import SingleTextQueryBackend
from .exceptions import NotSupportedError
from ..parser.modifiers.base import SigmaTypeModifier
-from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier
-from ..parser.modifiers.type import SigmaRegularExpressionModifier
def wrapper(method):
From 90efe974b831ee235f96faa7c71e285789e1ae41 Mon Sep 17 00:00:00 2001
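Review bot: The new `cleanValue` has no docstring and does not guard against non-string input; `re.sub` raises `TypeError` on an `int`, and Sigma rule values can be integers (`EventID`), so whether this is reachable depends on the caller stringifying first, which the hunk does not show. If this overrides a base-class method (presumably `SingleTextQueryBackend.cleanValue`), the override should keep the base contract. Suggested docstring: `"""Apply the backend's reEscape/escapeSubst substitution to val; returned unchanged when reEscape is unset."""`, and `val = self.reEscape.sub(self.escapeSubst, str(val))` if non-string values can arrive here. The class body continues outside the hunk.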
From: Thomas Patzke Date: Sat, 3 Apr 2021 00:00:43 +0200 Subject: [PATCH 1329/1335] Fixes and improvements --- rules/linux/lnx_clear_logs.yml | 2 +- .../lnx_file_and_directory_discovery.yml | 4 +- rules/linux/lnx_file_deletion.yml | 2 +- rules/linux/lnx_process_discovery.yml | 2 +- rules/linux/lnx_split_file_into_pieces.yml | 2 +- rules/linux/lnx_system_info_discovery.yml | 2 +- rules/linux/lnx_system_network_discovery.yml | 2 +- rules/linux/lnx_system_shutdown_reboot.yml | 2 +- rules/linux/macos_clear_system_logs.yml | 2 +- rules/linux/macos_create_account.yml | 2 +- rules/linux/macos_create_hidden_account.yml | 4 +- rules/linux/macos_disable_security_tools.yml | 4 +- .../macos_file_and_directory_discovery.yml | 4 +- rules/linux/macos_local_groups.yml | 2 +- rules/linux/macos_network_sniffing.yml | 4 +- rules/linux/macos_remote_system_discovery.yml | 4 +- .../macos_security_software_discovery.yml | 8 +- rules/linux/macos_split_file_into_pieces.yml | 2 +- rules/linux/macos_startup_items.yml | 2 +- ...s_system_network_connections_discovery.yml | 4 +- .../linux/macos_system_network_discovery.yml | 4 +- rules/linux/macos_system_shutdown_reboot.yml | 2 +- .../driver_load/sysmon_susp_driver_load.yml | 4 +- ...susp_multiple_files_renamed_or_deleted.yml | 2 +- ...sysmon_svchost_dll_search_order_hijack.yml | 2 +- .../image_load/sysmon_uac_bypass_via_dism.yml | 6 +- .../silenttrinity_stager_msbuild_activity.yml | 0 ...wershell_cmdline_specific_comb_methods.yml | 2 +- .../powershell_invoke_obfuscation_clip+.yml | 8 +- .../powershell_invoke_obfuscation_stdin+.yml | 8 +- .../powershell_invoke_obfuscation_var+.yml | 8 +- ...rshell_invoke_obfuscation_via_compress.yml | 2 +- ...wershell_invoke_obfuscation_via_rundll.yml | 2 +- ...owershell_invoke_obfuscation_via_stdin.yml | 8 +- ...rshell_invoke_obfuscation_via_use_clip.yml | 8 +- ...shell_invoke_obfuscation_via_use_mhsta.yml | 8 +- ...ll_invoke_obfuscation_via_use_rundll32.yml | 10 +-- .../powershell/powershell_shellcode_b64.yml 
| 2 +- .../sysmon_in_memory_assembly_execution.yml | 4 +- ...ndocumented_autoelevated_com_interface.yml | 6 +- .../process_creation/cmstp_execution.yml | 2 +- .../process_creation_dotnet.yml | 4 +- .../process_creation_msdeploy.yml | 4 +- .../sysmon_abusing_debug_privilege.yml | 4 +- ...levated_msi_spawned_cmd_and_powershell.yml | 12 +-- ...d_cmd_and_powershell_spawned_processes.yml | 10 +-- .../sysmon_long_powershell_commandline.yml | 4 +- .../win_apt_lazarus_session_highjack.yml | 4 +- .../process_creation/win_apt_zxshell.yml | 4 +- .../win_hktl_createminidump.yml | 4 +- .../win_invoke_obfuscation_clip+.yml | 2 +- .../win_invoke_obfuscation_stdin+.yml | 2 +- .../win_invoke_obfuscation_var+.yml | 2 +- .../win_invoke_obfuscation_via_compress.yml | 4 +- .../win_invoke_obfuscation_via_rundll.yml | 4 +- .../win_invoke_obfuscation_via_stdin.yml | 2 +- .../win_invoke_obfuscation_via_use_clip.yml | 2 +- .../win_invoke_obfuscation_via_use_mhsta.yml | 2 +- ...in_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../win_invoke_obfuscation_via_var++.yml | 2 +- .../process_creation/win_malware_wannacry.yml | 3 +- ..._office_spawn_exe_from_users_directory.yml | 7 +- .../win_susp_Register_cimprovider.yml | 12 +-- .../process_creation/win_susp_atbroker.yml | 2 +- .../win_susp_certutil_command.yml | 15 +--- .../win_susp_control_dll_load.yml | 2 +- .../win_susp_crackmapexec_execution.yml | 31 +++----- .../windows/process_creation/win_susp_gup.yml | 8 +- .../win_susp_mounted_share_deletion.yml | 2 +- .../process_creation/win_susp_ntdsutil.yml | 4 +- .../process_creation/win_susp_ps_appdata.yml | 2 +- .../win_susp_rundll32_by_ordinal.yml | 4 +- .../win_susp_runonce_execution.yml | 2 +- .../win_susp_sqldumper_activity.yml | 2 +- .../win_susp_sysprep_appdata.yml | 5 +- .../win_susp_use_of_sqlps_bin.yml | 14 ++-- .../win_susp_use_of_sqltoolsps_bin.yml | 14 ++-- .../win_susp_use_of_te_bin.yml | 10 +-- .../win_susp_use_of_vsjitdebugger_bin.yml | 8 +- .../process_creation/win_susp_whoami.yml 
| 3 +- .../win_syncappvpublishingserver_exe.yml | 8 +- ..._wmi_backdoor_exchange_transport_agent.yml | 2 +- .../sysmon_asep_reg_keys_modification.yml | 78 +++++++++---------- .../registry_event/sysmon_cmstp_execution.yml | 11 +-- .../registry_event/sysmon_hack_wce_reg.yml | 2 +- .../sysmon_stickykey_like_backdoor.yml | 4 +- .../sysmon_susp_atbroker_change.yml | 4 +- .../sysmon_susp_download_run_key.yml | 4 +- 88 files changed, 227 insertions(+), 268 deletions(-) rename rules/windows/{sysmon => network_connection}/silenttrinity_stager_msbuild_activity.yml (100%) diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index 11e904054..39899711a 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1070.002 diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml index 61d35d415..af52c7765 100644 --- a/rules/linux/lnx_file_and_directory_discovery.yml +++ b/rules/linux/lnx_file_and_directory_discovery.yml @@ -18,12 +18,12 @@ detection: CommandLine|contains: '-R' find_execution: Image|endswith: '/find' - tree_execution: + tree_execution: Image|endswith: '/tree' condition: 1 of them falsepositives: - Legitimate activities -level: low +level: informational tags: - attack.discovery - attack.t1083 \ No newline at end of file diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index b909a853c..391975730 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.defense_evasion - attack.t1070.004 
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index bee127ac9..1785e7ef8 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1057 diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml index 99f26d7c8..36b1a82db 100644 --- a/rules/linux/lnx_split_file_into_pieces.yml +++ b/rules/linux/lnx_split_file_into_pieces.yml @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - 'Legitimate administrative activity' -level: high +level: low tags: - attack.exfiltration - attack.t1030 diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index c74cb3010..43f8f6563 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1082 diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 541737062..fa5c6f748 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -26,7 +26,7 @@ detection: condition: selection1 or selection2 falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1016 diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml index 1e1abcf27..88c476d4b 100644 --- a/rules/linux/lnx_system_shutdown_reboot.yml +++ b/rules/linux/lnx_system_shutdown_reboot.yml 
@@ -34,7 +34,7 @@ detection: condition: selection1 or (selection2 and selection3) falsepositives: - 'Legitimate administrative activity' -level: high +level: informational tags: - attack.impact - attack.t1529 diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index 055cc98e9..33ce525a3 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -21,7 +21,7 @@ detection: condition: selection1 and (selection2 or selection3) falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1070.002 diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml index 6bde23a2a..42d1d4931 100644 --- a/rules/linux/macos_create_account.yml +++ b/rules/linux/macos_create_account.yml @@ -18,7 +18,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.t1136 # an old one - attack.t1136.001 diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml index 95890a4bf..56cf55fdf 100644 --- a/rules/linux/macos_create_hidden_account.yml +++ b/rules/linux/macos_create_hidden_account.yml @@ -1,7 +1,7 @@ title: Hidden User Creation id: b22a5b36-2431-493a-8be1-0bae56c28ef3 status: experimental -description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option +description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option author: Daniil Yugoslavskiy, oscd.community date: 2020/10/10 references: @@ -27,7 +27,7 @@ detection: dscl_create and (ishidden_option_declaration and ishidden_option_confirmation) falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1564.002 \ No newline at end of file 
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
index 2c983500b..0f843c789 100644
--- a/rules/linux/macos_disable_security_tools.yml
+++ b/rules/linux/macos_disable_security_tools.yml
@@ -21,7 +21,7 @@ detection:
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
+ - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
@@ -36,7 +36,7 @@ detection:
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
-level: low
+level: medium
tags:
- attack.defense_evasion
- attack.t1562.001 \ No newline at end of file
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml
index 6e16e85d8..025babc38 100644
--- a/rules/linux/macos_file_and_directory_discovery.yml
+++ b/rules/linux/macos_file_and_directory_discovery.yml
@@ -20,12 +20,12 @@ detection:
Image: '/usr/bin/find'
mdfind_execution:
Image: '/usr/bin/mdfind'
- tree_execution|endswith:
+ tree_execution|endswith:
Image: '/tree'
condition: 1 of them
falsepositives:
- Legitimate activities
-level: low
+level: informational
tags:
- attack.discovery
- attack.t1083 \ No newline at end of file
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
index 2c26fc45f..7cffce09d 100644
--- a/rules/linux/macos_local_groups.yml
+++ b/rules/linux/macos_local_groups.yml
@@ -30,7 +30,7 @@ detection:
condition: 1 of them
falsepositives:
- Legitimate administration activities
-level: low
+level: informational
tags:
- attack.discovery
- attack.t1069.001
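Review bot: `tree_execution|endswith:` in `macos_file_and_directory_discovery.yml` puts the modifier on the selection name rather than on the field, so this selection is not a valid `Image|endswith` match; the commit only strips the trailing whitespace on that line and keeps the defect. The working form, consistent with `find_execution` and `mdfind_execution` in the same block and with `lnx_file_and_directory_discovery.yml` earlier in this commit, is `tree_execution:` followed by `Image|endswith: '/tree'`. Because the condition is `1 of them`, the broken selection does not widen matching, but detection of `tree` is lost until it is fixed.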
diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml index cf316429b..ef95ea36d 100644 --- a/rules/linux/macos_network_sniffing.yml +++ b/rules/linux/macos_network_sniffing.yml @@ -11,13 +11,13 @@ logsource: product: macos detection: selection: - Image|endswith: + Image|endswith: - '/tcpdump' - '/tshark' condition: selection falsepositives: - Legitimate administration activities -level: medium +level: informational tags: - attack.discovery - attack.credential_access diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index dbe79e461..a7a1fdf22 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -40,9 +40,9 @@ detection: - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 condition: 1 of them -falsepositives: +falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1018 diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml index b26fbcd16..ae896a953 100644 --- a/rules/linux/macos_security_software_discovery.yml +++ b/rules/linux/macos_security_software_discovery.yml @@ -13,7 +13,7 @@ detection: grep_execution: Image: '/usr/bin/grep' security_services_and_processes: - CommandLine|contains: + CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'santad' # google santa - 'CbDefense' # carbon black 
@@ -26,14 +26,14 @@ detection: - 'BlockBlock' # Objective-See persistence locations watcher/blocker - 'LuLu' # Objective-See firewall management utility little_snitch_process: # Objective Development Software firewall management utility - CommandLine|contains|all: + CommandLine|contains|all: - 'Little' - 'Snitch' - condition: grep_execution and security_services_and_processes or + condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process falsepositives: - Legitimate activities -level: low +level: medium tags: - attack.discovery - attack.t1518.001 \ No newline at end of file diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml index b19c5aeab..f65d96dee 100644 --- a/rules/linux/macos_split_file_into_pieces.yml +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - 'Legitimate administrative activity' -level: high +level: low tags: - attack.exfiltration - attack.t1030 diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml index 2153bd39d..89102e3ff 100644 --- a/rules/linux/macos_startup_items.yml +++ b/rules/linux/macos_startup_items.yml @@ -17,7 +17,7 @@ detection: condition: selection_1 and selection_2 falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml index 8503e7803..1a3fb7d41 100644 --- a/rules/linux/macos_system_network_connections_discovery.yml +++ b/rules/linux/macos_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - Image: + Image: - '/usr/bin/who' - '/usr/bin/w' - '/usr/bin/last' 
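Review bot: The retouched condition in `macos_security_software_discovery.yml` repeats `grep_execution` on both sides of the `or` and relies on `and` binding tighter, with the expression split across two YAML lines; since the line was rewritten anyway to drop trailing whitespace, `condition: grep_execution and (security_services_and_processes or little_snitch_process)` states the same logic in one line and avoids a reader having to recall operator precedence. This is style only; the evaluated result is unchanged.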
@@ -20,7 +20,7 @@ detection:
condition: selection
falsepositives:
- Legitimate activities
-level: low
+level: informational
tags:
- attack.discovery
- attack.t1049 \ No newline at end of file
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml
index f754a1e3c..40b2f33d5 100644
--- a/rules/linux/macos_system_network_discovery.yml
+++ b/rules/linux/macos_system_network_discovery.yml
@@ -20,13 +20,13 @@ detection:
- '/usr/sbin/arp'
selection2:
Image: '/usr/bin/defaults'
- Commandline|contains|all:
+ Commandline|contains|all:
- 'read'
- '/Library/Preferences/com.apple.alf'
condition: selection1 or selection2
falsepositives:
- Legitimate administration activities
-level: low
+level: informational
tags:
- attack.discovery
- attack.t1016
diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml
index e7b463653..fe4d4b645 100644
--- a/rules/linux/macos_system_shutdown_reboot.yml
+++ b/rules/linux/macos_system_shutdown_reboot.yml
@@ -20,7 +20,7 @@ detection:
condition: selection
falsepositives:
- 'Legitimate administrative activity'
-level: high
+level: informational
tags:
- attack.impact
- attack.t1529
diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
index 73f423d2a..083b9f7f5 100755
--- a/rules/windows/driver_load/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -13,9 +13,9 @@ logsource:
category: driver_load
product: windows
detection:
- selection:
+ selection:
ImageLoaded|contains: '\Temp\'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
-level: medium
+level: high
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
index 488512208..6304043ad 100644
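Review bot: `selection2` in `macos_system_network_discovery.yml` uses the field name `Commandline` (lower-case l) while the other rules in this commit use `CommandLine` (e.g. `CommandLine|contains|all` in `macos_security_software_discovery.yml`); backend field mappings match names literally, so this selection is likely converted against an unmapped field and never fires. The line was rewritten to drop trailing whitespace, which was the moment to correct it: `CommandLine|contains|all:`.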
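Review bot: `sysmon_susp_driver_load.yml` is raised from `level: medium` to `level: high` while its own `falsepositives` entry, kept as context two lines above, states that a relevant set of false positives exists depending on the environment; the two statements now contradict each other for anyone triaging by level. If the raise is intended, revise the falsepositives text to say what has been excluded, otherwise `medium` was the consistent value.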
--- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -24,4 +24,4 @@ detection: falsepositives: - Software uninstallation - Files restore activities -level: high +level: medium diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index 02e3ae288..6247ee4f9 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -29,7 +29,7 @@ detection: - '\wlbsctrl.dll' filter: ImageLoaded|startswith: - - 'C:\Windows\WinSxS\' + - 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Pentest diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml index f339f382e..46200f57b 100644 --- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -12,9 +12,9 @@ tags: - attack.t1574.002 author: oscd.community, Dmitry Uchakin date: 2020/10/06 -logsource: - category: image_load - product: windows +logsource: + category: image_load + product: windows detection: selection: Image|endswith: diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml similarity index 100% rename from rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml rename to rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 8bbb7d5be..6bfa956ee 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml 
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -52,4 +52,4 @@ detection: condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - Unlikely -level: high +level: medium diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index a6e7e1743..7d9b4abc9 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index c73b781b5..7e2b0ef2d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml 
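Review bot: `condition: 1 of them` in `powershell_invoke_obfuscation_clip+.yml` enumerates every named selection, so the first `filter:` someone adds to tune the currently `Unknown` false positives would be OR-ed in as a match instead of subtracted; `condition: 1 of selection_*` expresses the same logic today and leaves `and not filter` available later. The same applies to the `stdin+`, `var+`, `via_stdin`, `via_use_clip`, `via_use_mhsta` and `via_use_rundll32` rules restructured the same way below, and to `via_compress` and `via_rundll`, where an explicit `selection_1 or selection_2` was replaced by `1 of them`.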
@@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index c6c6bceec..9c2ab871f 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index bb6ba2b99..365149a58 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml 
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -21,7 +21,7 @@ detection: selection_2: EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection_1 or selection_2 + condition: 1 of them falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index 4dc879bcc..793dc3c14 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -21,7 +21,7 @@ detection: selection_2: EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection_1 or selection_2 + condition: 1 of them falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 266887248..ab358c642 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' selection_2: - - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: 1 of them falsepositives: - Unknown level: high 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 6e67ecd32..5f514bc69 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' selection_2: - - ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index eb5f0e924..45764546f 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' selection_2: - - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: 1 of them falsepositives: - Unknown level: high 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index bce2ea533..a0abb7616 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -references: +references: - https://github.com/Neo23x0/sigma/issues/1009 tags: - attack.defense_evasion @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' selection_2: - - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca2..3d7988b68 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -23,7 +23,7 @@ detection: EventID: 4104 ScriptBlockText|contains: 'AAAAYInlM' selection2: - ScriptBlockText|contains: + ScriptBlockText|contains|all: - 'OiCAAAAYInlM' - 'OiJAAAAYInlM' condition: selection and selection2 diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index c313d0afc..615b10461 100755 
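Review bot: Changing selection2 in powershell_shellcode_b64.yml to `ScriptBlockText|contains|all` requires both `'OiCAAAAYInlM'` and `'OiJAAAAYInlM'` in the same script block, but the two values appear to be alternative base64 encodings of the same stub that differ in a single character, so a given script carries at most one of them and the rule will stop matching either. The original any-of form, `ScriptBlockText|contains:`, is the one that fits the unchanged `condition: selection and selection2`. Separately, `'AAAAYInlM'` in selection is a substring of both selection2 values, so selection adds nothing once selection2 matches; if the intent was to tighten, a different discriminator than `all` is needed.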
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -32,7 +32,7 @@ detection: - "UNKNOWN(" - ")|UNKNOWN(" CallTrace|endswith: ")" - selection3: + selection3: CallTrace|contains: "UNKNOWN" granted_access: GrantedAccess: @@ -44,7 +44,7 @@ detection: - "0x1F2FFF" - "0x1F3FFF" - "0x1FFFFF" - condition: (selection1 OR selection2) or (selection3 AND granted_access) + condition: (selection1 or selection2) or (selection3 and granted_access) fields: - ComputerName - User diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 85f1f5fb7..703f86b32 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -3,7 +3,7 @@ id: fb3722e4-1a06-46b6-b772-253e2e7db933 status: experimental description: COM interface (EditionUpgradeManager) that is not used by standard executables. references: - - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ + - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 tags: - attack.defense_evasion @@ -11,9 +11,9 @@ tags: - attack.t1548.002 author: oscd.community, Dmitry Uchakin date: 2020/10/07 -logsource: +logsource: category: process_access - product: windows + product: windows detection: selection: CallTrace|contains: 'editionupgrademanagerobj.dll' diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml index 007077507..7a27dc2f2 100644 --- a/rules/windows/process_creation/cmstp_execution.yml +++ b/rules/windows/process_creation/cmstp_execution.yml 
@@ -27,5 +27,5 @@ logsource: detection: # CMSTP Spawning Child Process selection: - ParentImage|contains: '\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' condition: selection diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index 9182bb218..bbc19c20a 100644 --- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml @@ -26,8 +26,8 @@ fields: - ComputerName - User - CommandLine - - ParentCommandLine + - ParentCommandLine falsepositives: - System administrator Usage - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index 236e747d3..cf35510fa 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -27,8 +27,8 @@ fields: - ComputerName - User - CommandLine - - ParentCommandLine + - ParentCommandLine falsepositives: - System administrator Usage - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 0bfa8ec82..399103d25 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -24,11 +24,11 @@ detection: - '\spoolsv.exe' - '\searchindexer.exe' selection2: - Image|endswith: + Image|endswith: - '\powershell.exe' - '\cmd.exe' selection3: - User: 'NT AUTHORITY\SYSTEM' #NT AUTHORITY\SYSTEM same result with NT AUTHORITY\\SYSTEM + User: 'NT AUTHORITY\SYSTEM' filter: CommandLine|contains|all: - ' route ' 
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index 56efab11b..73a21e295 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml @@ -1,10 +1,10 @@ title: Always Install Elevated MSI Spawned Cmd And Powershell id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa -description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -references: +references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg tags: - attack.privilege_escalation @@ -14,19 +14,19 @@ logsource: category: process_creation detection: image: - Image|contains: + Image|endswith: - '\cmd.exe' - '\powershell.exe' parent_image: - ParentImage|contains|all: + ParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentImage|endswith: + ParentImage|endswith: - 'tmp' condition: image and parent_image fields: - Image - ParentImage falsepositives: - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index 1bfb4d988..cd2d7a6d6 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml @@ -4,7 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) sp status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -references: +references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg tags: - attack.privilege_escalation @@ -14,21 +14,21 @@ logsource: category: process_creation detection: parent_image: - ParentImage|contains: + ParentImage|endswith: - '\cmd.exe' - '\powershell.exe' parent_of_parent_image: - ParentOfParentImage|contains|all: + ParentOfParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentOfParentImage|endswith: + ParentOfParentImage|endswith: - 'tmp' condition: parent_image and parent_of_parent_image fields: - ParentImage - ParentOfParentImage falsepositives: - - Penetration test + - Penetration test level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index f80cbcfcc..2feca4fc3 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -14,13 +14,13 @@ logsource: product: windows detection: Powershell_selection: - - CommandLine|contains: + - CommandLine|contains: - 'powershell' - 'pwsh' - Description: 'Windows Powershell' - Product: 'PowerShell Core 6' Length_selection: - CommandLine|re: '(.){1000,}' + CommandLine|re: '.{1000,}' condition: all of them falsepositives: Unknown level: medium 
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index f2ec5d31d..41edce51f 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\mstdc.exe' + Image|endswith: + - '\msdtc.exe' - '\gpvc.exe' filter: Image|startswith: diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index 4bd1603ba..515d541e7 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'rundll32.exe' + Image|endswith: + - '\rundll32.exe' CommandLine|contains: - 'zxFunction' - 'RemoteDiskXXXXX' diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index 13239e5f1..b1e40cded 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -18,7 +18,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection1: Image|contains: '\CreateMiniDump.exe' selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' @@ -30,5 +30,5 @@ logsource: detection: selection: EventID: 11 - TargetFilename|contains: '\lsass.dmp' + TargetFilename|endswith: '\lsass.dmp' condition: 1 of them diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml index 57469abe2..cc229f08e 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml 
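Review bot: In win_hktl_createminidump.yml the first hunk only strips trailing whitespace from `selection1:` and leaves `Image|contains: '\CreateMiniDump.exe'`, while the second hunk in the same file moves `TargetFilename` to `endswith`; for an Image path the precise and consistent form is `Image|endswith: '\CreateMiniDump.exe'`. The same commit applies `Image|endswith` in win_apt_zxshell.yml and win_susp_sysprep_appdata.yml, so this looks like an oversight rather than a deliberate choice.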
@@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml index 18ac9ca90..dbdb4cbaa 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml index 531fed7c7..63ae15f8c 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml index 00527484d..60a494a55 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml 
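Review bot: The re-marked `CommandLine|re` line in win_invoke_obfuscation_clip+.yml still carries no `(?i)` flag, unlike the sibling rules touched in this commit (win_invoke_obfuscation_via_compress.yml and the others use `(?i)`), so on backends where the `re` modifier is case-sensitive a command line with different casing of the same tokens is not matched; the same gap is in the regexes of win_invoke_obfuscation_stdin+.yml and win_invoke_obfuscation_var+.yml on this line. Prefix each pattern with the flag, e.g. `CommandLine|re: '(?i).*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'`. Since the commit is already normalising these lines, this is the natural place to align them.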
@@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection falsepositives: - unknown -level: medium \ No newline at end of file +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml index 4883f3265..d8b91c93c 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection falsepositives: - Unknown -level: medium +level: medium diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml index 8f6466f93..71f178496 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml index c59540cf6..ce8d6bfc8 100644 
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index cec51806e..95f4633a1 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 67aceabbf..169d86471 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml index 1fd2993b4..248c69830 100644 
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 35833f3bd..815de36f2 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -39,8 +39,7 @@ detection: - CommandLine|contains|all: - 'icacls' - '/grant' - - 'Everyone:' - - 'F' + - 'Everyone:F' - '/T' - '/C' - '/Q' diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index fb3a33036..ed87b52e3 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -11,7 +11,7 @@ tags: - attack.t1204.002 - FIN7 - car.2013-05-002 -author: Jason Lynch +author: Jason Lynch date: 2019/04/02 modified: 2020/09/01 logsource: @@ -26,9 +26,8 @@ detection: - '\MSPUB.exe' - '\VISIO.exe' - '\OUTLOOK.EXE' - Image|contains|all: - - 'C:\users\' - - '.exe' + Image|startswith: 'C:\users\' + Image|endswith: '.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index aee7498bd..5244e22ff 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml 
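Review bot: The regex on the new `CommandLine|re` line in win_invoke_obfuscation_via_var++.yml ends in an unparenthesised alternation: `...cmd.*\/c|\/r` is parsed as the whole left-hand pattern OR the bare `\/r`, so any command line containing `/r` anywhere satisfies the rule and `condition: selection` fires on it. The sibling rules on this page group the switch alternatives; do the same here: `CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*(?:\/c|\/r)'`.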
@@ -1,4 +1,4 @@ -title: DLL Execution Via Register-cimprovider.exe +title: DLL Execution Via Register-cimprovider.exe id: a2910908-e86f-4687-aeba-76a5f996e652 status: experimental description: Detects using register-cimprovider.exe to execute arbitrary dll file. @@ -7,12 +7,12 @@ references: - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md tags: - attack.defense_evasion - - attack.t1574 + - attack.t1574 author: Ivan Dyachkov, Yulia Fomina, oscd.community -date: 2020/10/07 -logsource: - category: process_creation - product: windows +date: 2020/10/07 +logsource: + category: process_creation + product: windows definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml index ca842b913..ac9584df3 100644 --- a/rules/windows/process_creation/win_susp_atbroker.yml +++ b/rules/windows/process_creation/win_susp_atbroker.yml @@ -49,5 +49,5 @@ detection: - windowtrackingzorder condition: selection1 and selection2 and not filter falsepositives: - - Legitimate, non-deafualt Assistive Technology applications execution + - Legitimate, non-default assistive technology applications execution level: high diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 08eff719f..8137eafe6 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -18,28 +18,19 @@ logsource: category: process_creation product: windows detection: - suffixes_1: - CommandLine|contains: - - ' -' - - ' /' - selection: + parameters: CommandLine|contains: - 'decode ' - 'decodehex ' - 'urlcache ' - 'verifyctl ' - 'encode ' - suffixes_2: - CommandLine|contains: - - '-' - - '/' certutil: Image|endswith: '\certutil.exe' CommandLine|contains: - 'URL' - 'ping' - condition: suffixes_1 and selection or - suffixes_2 and certutil + condition: parameters or certutil fields: - CommandLine - ParentCommandLine @@ -54,7 +45,7 @@ tags: - attack.g0045 - attack.g0049 - attack.g0075 - - attack.g0096 + - attack.g0096 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index ed63ad947..726bb7ce1 100644 --- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -17,7 +17,7 @@ logsource: detection: selection: ParentImage|endswith: '\System32\control.exe' - CommandLine|contains: '\rundll32.exe ' + Image|endswith: '\rundll32.exe ' filter: CommandLine|contains: 'Shell32.dll' condition: selection and not filter diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index ed44d56c4..e5d69a30a 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -1,6 +1,6 @@ title: CrackMapExec Command Execution id: 058f4380-962d-40a5-afce-50207d36d7e2 -status: experimental +status: stable description: Detect various execution methods of the CrackMapExec pentesting framework references: - https://github.com/byt3bl33d3r/CrackMapExec 
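Review bot: The new `parameters` selection in win_susp_certutil_command.yml matches any process whose command line contains `'decode '`, `'decodehex '`, `'urlcache '`, `'verifyctl '` or `'encode '`, with no Image constraint and without the switch prefix that the removed `suffixes_1`/`suffixes_2` selections enforced, and `condition: parameters or certutil` lets it fire on its own; that is broader than the pre-change logic and likely noisy on unrelated scripts and tooling. Tie the branch to the binary by adding `Image|endswith: '\certutil.exe'` under `parameters` (or by folding the keyword list into the existing `certutil` selection), so both branches of the condition are scoped to certutil.exe.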
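Review bot: In win_susp_control_dll_load.yml the new `Image|endswith: '\rundll32.exe '` keeps the trailing space from the old `CommandLine|contains` value, so it can never match an Image path and the rule silently stops firing. The value should be `Image|endswith: '\rundll32.exe'`.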
@@ -8,7 +8,7 @@ tags: - attack.execution - attack.t1047 - attack.t1053 - - attack.t1059.003 + - attack.t1059.003 - attack.t1059.001 - attack.s0106 - attack.t1086 # an old one @@ -19,31 +19,18 @@ logsource: product: windows detection: selection: - - CommandLine|contains|all: + CommandLine|endswith: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - - 'cmd.exe /Q /c' - - '1> \\\\' - - '\' - - '\\' - - '2>&1' - - CommandLine|contains|all: + - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:109 (fileless output via share) - - 'cmd.exe /C' - - '> \\\\' - - '\' - - '\\' - - '2>&1' - - CommandLine|contains|all: + - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:111 (fileless output via share) - - 'cmd.exe /C' - - '>' - - '\\Temp\\' - - '2>&1' - - CommandLine|contains: + - 'cmd.exe /C * > *\\Temp\\* 2>&1' + CommandLine|contains: # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' + - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) - - 'powershell.exe -noni -nop -w 1 -enc ' + - '*powershell.exe -noni -nop -w 1 -enc *' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index 8b34c2dd6..a6d7d8e3f 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml 
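Review bot: In the third hunk of win_susp_crackmapexec_execution.yml the two groups now sit as sibling keys of a single `selection` map (`CommandLine|endswith:` and `CommandLine|contains:`), which Sigma combines with AND, whereas the removed form was a list of maps that were ORed; a command line therefore has to match one of the cmd.exe redirection patterns and one of the powershell.exe patterns at the same time, and the standalone matches the rule previously produced are lost. If OR was intended, keep the list form (`- CommandLine|endswith:` ... `- CommandLine|contains:`) or split them into two selections and use `condition: 1 of selection*`. The leading and trailing `*` in the `contains` values are also redundant, since `contains` already implies them.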
@@ -19,10 +19,10 @@ detection: Image|endswith: '\GUP.exe' filter: Image|endswith: - - ':\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' - - ':\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' - - ':\Program Files\Notepad++\updater\GUP.exe' - - ':\Program Files (x86)\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' + - '\Program Files\Notepad++\updater\GUP.exe' + - '\Program Files (x86)\Notepad++\updater\GUP.exe' condition: selection and not filter falsepositives: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml index aa89d6de3..e609f086e 100644 --- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Administrators or Power users may remove their shares via cmd line -level: medium +level: low diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index 1651ac8c0..45e867f75 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -10,7 +10,7 @@ modified: 2020/11/28 tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one + - attack.t1003 # an old one logsource: category: process_creation product: windows @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - NTDS maintenance -level: high +level: medium diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index f07e84b98..bf9c48a62 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml 
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -8,7 +8,7 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one + - attack.t1086 # an old one author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/09 modified: 2020/11/28 diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 04e207f6c..2a850916d 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -1,7 +1,7 @@ title: Suspicious Call by Ordinal id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal -status: experimental +status: stable references: - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ - https://github.com/Neo23x0/DLLRunner @@ -19,7 +19,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '\rundll32.exe' - ',#' condition: selection diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml index 1f4b7f1b9..f36b66f6f 100644 --- a/rules/windows/process_creation/win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/win_susp_runonce_execution.yml @@ -26,4 +26,4 @@ detection: condition: (process_name or process_description) and command_line falsepositives: - Unknown -level: medium +level: low diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml index 93087628f..41b2a3c2e 100644 --- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml +++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml 
@@ -11,7 +11,7 @@ author: Kirill Kiryanov, oscd.community date: 2020/10/08 tags: - attack.credential_access - - attack.t1003.001 + - attack.t1003.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index 56694bf67..dea91d765 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -15,8 +15,9 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'sysprep.exe' + Image|endswith: + - '\sysprep.exe' + CommandLine|contains: - '\AppData\' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 2a90f98cd..28b3928a0 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
@@ -1,15 +1,15 @@ -title: Detection of PowerShell Execution via Sqlps.exe -id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 +title: Detection of PowerShell Execution via Sqlps.exe +id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: experimental -description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 + - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ - https://twitter.com/bryon_/status/975835709587075072 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense_evasion - attack.t1127 author: 'Agro (@agro_sev) oscd.community' date: 2020/10/10 @@ -19,7 +19,7 @@ logsource: detection: selection1: Image|endswith: '\sqlps.exe' - selection2: + selection2: ParentImage|endswith: '\sqlps.exe' selection3: OriginalFileName: '\sqlps.exe' @@ -28,4 +28,4 @@ detection: condition: selection1 or selection2 or selection3 and not reduction falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. -level: medium +level: medium diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index 1f240db80..0e74bea2b 100644 
--- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml @@ -1,14 +1,14 @@ title: SQL Client Tools PowerShell Session Detection -id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 +id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: experimental -description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml - - https://twitter.com/pabraeken/status/993298228840992768 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml + - https://twitter.com/pabraeken/status/993298228840992768 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense_evasion - attack.t1127 author: 'Agro (@agro_sev) oscd.communitly' date: 2020/10/13 @@ -18,7 +18,7 @@ logsource: detection: selection1: Image|endswith: '\sqltoolsps.exe' - selection2: + selection2: ParentImage|endswith: '\sqltoolsps.exe' selection3: OriginalFileName: '\sqltoolsps.exe' @@ -27,5 +27,5 @@ detection: condition: selection1 or selection2 or selection3 and not reduction falsepositives: - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. -level: medium +level: medium 
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml index 357380c7b..d74b74b0b 100644 --- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml @@ -1,10 +1,10 @@ title: Malicious Windows Script Components File Execution by TAEF Detection -id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b +id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b status: experimental description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml - - https://twitter.com/pabraeken/status/993298228840992768 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml + - https://twitter.com/pabraeken/status/993298228840992768 - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ tags: - attack.t1218 @@ -16,11 +16,11 @@ logsource: detection: selection1: Image|endswith: '\te.exe' - selection2: + selection2: ParentImage|endswith: '\te.exe' selection3: OriginalFileName: '\te.exe' - condition: selection1 or selection2 or selection3 + condition: selection1 or selection2 or selection3 falsepositives: - It's not an uncommon to use te.exe directly to execute legal TAEF tests level: low diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 28e943f3e..529aff91d 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml 
@@ -1,7 +1,7 @@
 title: Malicious PE Execution by Microsoft Visual Studio Debugger
 id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
 status: experimental
-description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
+description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
 references:
 - https://twitter.com/pabraeken/status/990758590020452353
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml
@@ -15,7 +15,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection:
 ParentImage|endswith: '\vsjitdebugger.exe'
 reduction1:
 ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
@@ -23,6 +23,6 @@ detection:
 ChildImage|endswith: '\devenv.exe'
 condition: selection and not (reduction1 or reduction2)
 falsepositives:
- - the process spawned by vsjitdebugger.exe is uncommon.
-level: medium
+ - the process spawned by vsjitdebugger.exe is uncommon.
+level: medium
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index 97238db4f..5fab95fae 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -23,4 +23,5 @@ detection:
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
-level: high
+ - Monitoring activity
+level: medium
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
index d1e5e4769..203fefb92 100644
--- a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
+++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
@@ -4,13 +4,13 @@ id: fde7929d-8beb-4a4c-b922-be9974671667
 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
 date: 2020/10/05
 tags:
 - attack.defense_evasion
 - attack.t1218
 detection:
- condition: 1 of them
+ condition: selection
 falsepositives:
 - App-V clients
 level: medium
@@ -19,12 +19,12 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection1:
+ selection:
 Image|endswith: '\SyncAppvPublishingServer.exe'
 ---
 logsource:
 product: windows
 service: powershell
 detection:
- selection2:
+ selection:
 Message|contains: 'SyncAppvPublishingServer.exe'
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 4ed71d3f9..4e8ce30d6 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -1,7 +1,7 @@
 title: WMI Backdoor Exchange Transport Agent
 id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
 status: experimental
-description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
+description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
 author: Florian Roth
 date: 2019/10/11
 references:
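Review bot: The last line of the second hunk still carries `\ No newline at end of file`, so renaming `selection2:` to `selection:` leaves the file without a terminating newline; add one so the next edit to this file does not show up as a spurious change to its last line. The first hunk also rewrites `author: 'Ensar Şamil, @sblmsrsn, OSCD Community'` to text that looks byte-identical, which suggests a trailing-whitespace or encoding normalization — worth confirming that no character of the name changed. Giving both per-document selections the same name `selection` is presumably what the global `condition: selection` needs, since the condition is applied to each `---` document of the collection on its own.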
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index a3e03568d..a8bb54d79 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -3,7 +3,7 @@ id: 17f878b8-9968-4578-b814-c4217fc5768c
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 status: experimental
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 tags:
@@ -15,10 +15,10 @@ modified: 2020/11/04
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community
 logsource:
 category: registry_event
- product: windows
+ product: windows
 level: medium
 detection:
- main_selection:
+ main_selection:
 TargetObject|contains:
 - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
 - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
@@ -38,9 +38,9 @@ detection:
 - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
 - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
 - '\Control Panel\Desktop\Scrnsave.exe'
+ session_manager_base:
+ TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
 session_manager:
- TargetObject|contains|all:
- - '\System\CurrentControlSet\Control\Session Manager'
 TargetObject|contains:
 - '\SetupExecute'
 - '\S0InitialCommand'
@@ -48,9 +48,9 @@ detection:
 - '\Execute'
 - '\BootExecute'
 - '\AppCertDlls'
+ current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
 current_version:
- TargetObject|contains|all:
- - '\SOFTWARE\Microsoft\Windows\CurrentVersion'
 TargetObject|contains:
 - '\ShellServiceObjectDelayLoad'
 - '\Run'
@@ -68,9 +68,9 @@ detection:
 - '\Authentication\PLAP Providers'
 - '\Authentication\Credential Providers'
 - '\Authentication\Credential Provider Filters'
+ nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 nt_current_version:
- TargetObject|contains|all:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 TargetObject|contains:
 - '\Winlogon\VmApplet'
 - '\Winlogon\Userinit'
@@ -86,9 +86,9 @@ detection:
 - '\Drivers32'
 - '\Windows\Run'
 - '\Windows\Load'
+ wow_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
 wow_current_version:
- TargetObject|contains|all:
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
 TargetObject|contains:
 - '\ShellServiceObjectDelayLoad'
 - '\Run'
@@ -97,16 +97,16 @@ detection:
 - '\Explorer\ShellExecuteHooks'
 - '\Explorer\SharedTaskScheduler'
 - '\Explorer\Browser Helper Objects'
+ wow_nt_current_version_base:
+ TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
 wow_nt_current_version:
- TargetObject|contains|all:
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
 TargetObject|contains:
 - '\Windows\Appinit_Dlls'
 - '\Image File Execution Options'
 - '\Drivers32'
- wow_office:
+ wow_office:
 TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office'
- office:
+ office:
 TargetObject|contains: '\Software\Microsoft\Office'
 wow_office_details:
 TargetObject|contains:
@@ -117,7 +117,7 @@ detection:
 - '\Excel\Addins'
 - '\Access\Addins'
 - 'test\Special\Perf'
- wow_ie:
+ wow_ie:
 TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer'
 ie:
 TargetObject|contains: '\Software\Microsoft\Internet Explorer'
@@ -126,9 +126,9 @@ detection:
 - '\Toolbar'
 - '\Extensions'
 - '\Explorer Bars'
+ wow_classes_base:
+ TargetObject|contains: '\Software\Wow6432Node\Classes'
 wow_classes:
- TargetObject|contains|all:
- - '\Software\Wow6432Node\Classes'
 TargetObject|contains:
 - '\Folder\ShellEx\ExtShellFolderViews'
 - '\Folder\ShellEx\DragDropHandlers'
@@ -142,9 +142,9 @@ detection:
 - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
 - '\ShellEx\PropertySheetHandlers'
 - '\ShellEx\ContextMenuHandlers'
+ classes_base:
+ TargetObject|contains: '\Software\Classes'
 classes:
- TargetObject|contains|all:
- - '\Software\Classes'
 TargetObject|contains:
 - '\Folder\ShellEx\ExtShellFolderViews'
 - '\Folder\ShellEx\DragDropHandlers'
@@ -162,23 +162,23 @@ detection:
 - '\.cmd'
 - '\ShellEx\PropertySheetHandlers'
 - '\ShellEx\ContextMenuHandlers'
+ scripts_base:
+ TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
 scripts:
- TargetObject|contains|all:
- - '\Software\Policies\Microsoft\Windows\System\Scripts'
 TargetObject|contains:
 - '\Startup'
 - '\Shutdown'
 - '\Logon'
 - '\Logoff'
+ winsock_parameters_base:
+ TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
 winsock_parameters:
- TargetObject|contains|all:
- - '\System\CurrentControlSet\Services\WinSock2\Parameters'
 TargetObject|contains:
 - '\Protocol_Catalog9\Catalog_Entries'
 - '\NameSpace_Catalog5\Catalog_Entries'
+ system_control_base:
+ TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
 system_control:
- TargetObject|contains|all:
- - '\SYSTEM\CurrentControlSet\Control'
 TargetObject|contains:
 - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
 - '\Terminal Server\Wds\rdpwd\StartupPrograms'
@@ -190,19 +190,19 @@ detection:
 - '\Lsa\Notification Packages'
 - '\Lsa\Authentication Packages'
 - '\BootVerificationProgram\ImagePath'
- condition: main_selection OR
- session_manager OR
- current_version OR
- nt_current_version OR
- wow_current_version OR
- wow_nt_current_version OR
- (wow_office OR office) AND wow_office_details OR
- (wow_ie OR ie) AND wow_ie_details OR
- wow_classes OR
- classes OR
- scripts OR
- winsock_parameters OR
- system_control
+ condition: main_selection OR
+ session_manager_base AND session_manager OR
+ current_version_base AND current_version OR
+ nt_current_version_base AND nt_current_version OR
+ wow_current_version_base AND wow_current_version OR
+ wow_nt_current_version_base AND wow_nt_current_version OR
+ (wow_office OR office) AND wow_office_details OR
+ (wow_ie OR ie) AND wow_ie_details OR
+ wow_classes_base AND wow_classes OR
+ classes_base AND classes OR
+ scripts_base AND scripts OR
+ winsock_parameters_base AND winsock_parameters OR
+ system_control_base AND system_control
 fields:
 - SecurityID
 - ObjectName
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
index 81dd64679..10c7f0b17 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -25,11 +25,6 @@ logsource:
 category: registry_event
 product: windows
 detection:
- # Registry Object Add
- selection1:
- TargetObject|contains: '\cmmgr32.exe*'
- EventType: 'CreateKey'
- # Registry Object Value Set
- selection2:
- TargetObject|contains: '\cmmgr32.exe*'
- condition: 1 of them
+ selection:
+ TargetObject|contains: '\cmmgr32.exe'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 88b35f834..e3f50de16 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
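Review bot: The rewritten condition relies on AND binding tighter than OR for every `X_base AND X` pair, while the `(wow_office OR office) AND wow_office_details` and `(wow_ie OR ie) AND wow_ie_details` terms in the same expression spell their grouping out with parentheses. Writing each pair the same way, `(session_manager_base AND session_manager) OR` through `(system_control_base AND system_control)`, makes the intent explicit and removes any dependence on how a backend orders the operators. Splitting the old `TargetObject|contains|all` single-value list into a `_base` selection ANDed with the `TargetObject|contains` list is logically equivalent to the removed form, so the visible lines show no loss of coverage; the same refactor is applied in this file's `@@ -38`, `-48`, `-68`, `-86`, `-97`, `-126`, `-142` and `-162` hunks.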
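Review bot: The comments `# Registry Object Add` and `# Registry Object Value Set` disappear together with `selection1`/`selection2`, and the merged `selection` no longer says that it deliberately covers both key creation and value set events. A one-line comment above `selection:` such as `# any registry event (key add or value set) under a cmmgr32.exe path` keeps that intent readable for the next maintainer. Dropping the trailing `*` from `'\cmmgr32.exe*'` is correct for the `contains` modifier, which already matches with wildcards on both sides.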
@@ -15,7 +15,7 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection:
+ selection:
 TargetObject|contains: Services\WCESERVICE\Start
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 7a6b78194..667c8448a 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -23,8 +23,8 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection_registry:
- TargetObject|endswith:
+ selection_registry:
+ TargetObject|endswith:
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
index e060cdb8f..9f36c3763 100644
--- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -15,11 +15,11 @@ logsource:
 category: registry_event
 product: windows
 detection:
- creation:
+ creation:
 TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
 persistance:
 TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
 condition: creation or persistance
 falsepositives:
- - Creation of non-default, legitimate AT.
+ - Creation of non-default, legitimate AT.
 level: High
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 9d55cf0a7..fcc8c3b45 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
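Review bot: `level: High` on the context line directly below the rewritten falsepositives entry is capitalized, whereas the Sigma level values and every other rule touched in this series (`level: medium`, `level: low`) are lowercase; since this hunk already normalizes the file, change it to `level: high` so tooling that compares the level string literally does not treat the rule as unrated. The selection name `persistance` and the `condition: creation or persistance` that references it are misspelled; renaming both to `persistence` is cosmetic but must be done on both lines together.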
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -1,4 +1,4 @@
-title: Suspicious RUN Key from Download
+title: Suspicious Run Key from Download
 id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: experimental
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image|contains:
+ Image|contains:
 - '\Downloads\'
 - '\Temporary Internet Files\Content.Outlook\'
 - '\Local Settings\Temporary Internet Files\'
From 5f2ff99eead4dc320c288025fa50a434693d7755 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sat, 3 Apr 2021 00:58:15 +0200
Subject: [PATCH 1330/1335] Replaced pip requirements with pipenv
---
 .github/workflows/sigma-test.yml | 3 +-
 Pipfile | 2 +-
 Pipfile.lock | 394 +++++++++++++++++--------------
 README.md | 36 +--
 tools/requirements-devel.txt | 10 -
 tools/requirements.txt | 5 -
 6 files changed, 237 insertions(+), 213 deletions(-)
 delete mode 100644 tools/requirements-devel.txt
 delete mode 100644 tools/requirements.txt
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 28931b92e..b5871f027 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -22,7 +22,8 @@ jobs:
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
- pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+ pip install pipenv
+ pipenv install --dev --deploy --system
 - name: Test Sigma Tools and Rules
 run: |
 make test
diff --git a/Pipfile b/Pipfile
index d50536fb3..085c96887 100644
--- a/Pipfile
+++ b/Pipfile
@@ -19,4 +19,4 @@ pymisp = "~=2.4.123"
 PyYAML = "~=5.1"
 [requires]
-python_version = "~=3.8.2"
+python_version = "3.8"
diff --git a/Pipfile.lock b/Pipfile.lock
index 6f4696320..5fd8dd8e3 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
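Review bot: `pip install pipenv` pulls whatever pipenv release the index serves on the day the job runs, so the tool that enforces `Pipfile.lock` through `--deploy` is itself unpinned and the CI environment is not fully reproducible; pin it, e.g. `pip install pipenv==<PINNED_VERSION>` (placeholder — choose a release that is known to work with this lockfile), and bump it deliberately. `--deploy` is the right flag here, because it fails the job when `Pipfile` and `Pipfile.lock` disagree instead of silently re-resolving dependencies. `--system` installs into the runner's interpreter rather than a virtualenv, which is acceptable on a throwaway CI runner but means the following `make test` step depends on that interpreter being the one found on `PATH`.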
@@ -1,11 +1,11 @@ { "_meta": { "hash": { - "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a" + "sha256": "e101cf0d543e90c8c9f87347917b9ee06e19ba82aa0016d77f7e43ade1eab9fc" }, "pipfile-spec": 6, "requires": { - "python_version": "3.6" + "python_version": "3.8" }, "sources": [ { @@ -21,6 +21,7 @@ "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==20.3.0" }, "certifi": { 
@@ -32,33 +33,28 @@ }, "chardet": { "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "version": "==3.0.4" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==4.0.0" }, "deprecated": { "hashes": [ - "sha256:471ec32b2755172046e28102cd46c481f21c6036a0ec027521eba8521aa4ef35", - "sha256:924b6921f822b64ec54f49be6700a126bab0640cfafca78f22c9d429ed590560" + "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", + "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" ], - "version": "==1.2.11" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==1.2.12" }, "idna": { "hashes": [ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, - "importlib-metadata": { - "hashes": [ - "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa", - "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614" - ], - "markers": "python_version < '3.8'", - "version": "==3.7.0" - }, "jsonschema": { "hashes": [ "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", 
@@ -68,24 +64,25 @@ }, "progressbar2": { "hashes": [ - "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772", - "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928" + "sha256:ef72be284e7f2b61ac0894b44165926f13f5d995b2bf3cd8a8dedc6224b255a7", + "sha256:fe2738e7ecb7df52ad76307fe610c460c52b50f5335fd26c3ab80ff7655ba1e0" ], "index": "pypi", - "version": "==3.50.1" + "version": "==3.53.1" }, "pymisp": { "hashes": [ - "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd", - "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3" + "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a", + "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2" ], "index": "pypi", - "version": "==2.4.123" + "version": "==2.4.141.1" }, "pyrsistent": { "hashes": [ "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e" ], + "markers": "python_version >= '3.5'", "version": "==0.17.3" }, "python-dateutil": { @@ -93,6 +90,7 @@ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.8.1" }, "python-utils": { 
@@ -104,116 +102,120 @@ }, "pyyaml": { "hashes": [ - "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c", - "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95", - "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2", - "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4", - "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad", - "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba", - "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1", - "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e", - "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673", - "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13", - "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + 
"sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" ], "index": "pypi", - "version": "==5.1" + "version": "==5.4.1" }, "requests": { "hashes": [ - "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee", - "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6" + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "index": "pypi", - "version": "==2.23.0" + "version": "==2.25.1" }, "six": { "hashes": [ "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.15.0" }, - "typing-extensions": { - "hashes": [ - 
"sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", - "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", - "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" - ], - "markers": "python_version < '3.8'", - "version": "==3.7.4.3" - }, "urllib3": { "hashes": [ - "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", - "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" + "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", + "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" ], "index": "pypi", - "version": "==1.25.8" + "version": "==1.26.4" }, "wrapt": { "hashes": [ "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" ], "version": "==1.12.1" - }, - "zipp": { - "hashes": [ - "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108", - "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb" - ], - "version": "==3.4.0" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:119feb2bd551e58d83d1b38bfa4cb921af8ddedec9fad7183132db334c3133e0", - "sha256:16d0683ef8a6d803207f02b899c928223eb219111bd52420ef3d7a8aa76227b6", - "sha256:2eb3efe243e0f4ecbb654b08444ae6ffab37ac0ef8f69d3a2ffb958905379daf", - "sha256:2ffea7904e70350da429568113ae422c88d2234ae776519549513c8f217f58a9", - "sha256:40bd1b101b71a18a528ffce812cc14ff77d4a2a1272dfb8b11b200967489ef3e", - "sha256:418597633b5cd9639e514b1d748f358832c08cd5d9ef0870026535bd5eaefdd0", - "sha256:481d4b96969fbfdcc3ff35eea5305d8565a8300410d3d269ccac69e7256b1329", - "sha256:4c1bdbfdd231a20eee3e56bd0ac1cd88c4ff41b64ab679ed65b75c9c74b6c5c2", - "sha256:5563ad7fde451b1986d42b9bb9140e2599ecf4f8e42241f6da0d3d624b776f40", - "sha256:58c62152c4c8731a3152e7e650b29ace18304d086cb5552d317a54ff2749d32a", - "sha256:5b50e0b9460100fe05d7472264d1975f21ac007b35dcd6fd50279b72925a27f4", - 
"sha256:5d84ecc73141d0a0d61ece0742bb7ff5751b0657dab8405f899d3ceb104cc7de", - "sha256:5dde6d24bacac480be03f4f864e9a67faac5032e28841b00533cd168ab39cad9", - "sha256:5e91e927003d1ed9283dee9abcb989334fc8e72cf89ebe94dc3e07e3ff0b11e9", - "sha256:62bc216eafac3204877241569209d9ba6226185aa6d561c19159f2e1cbb6abfb", - "sha256:6c8200abc9dc5f27203986100579fc19ccad7a832c07d2bc151ce4ff17190076", - "sha256:6ca56bdfaf825f4439e9e3673775e1032d8b6ea63b8953d3812c71bd6a8b81de", - "sha256:71680321a8a7176a58dfbc230789790639db78dad61a6e120b39f314f43f1907", - "sha256:7c7820099e8b3171e54e7eedc33e9450afe7cd08172632d32128bd527f8cb77d", - "sha256:7dbd087ff2f4046b9b37ba28ed73f15fd0bc9f4fdc8ef6781913da7f808d9536", - "sha256:822bd4fd21abaa7b28d65fc9871ecabaddc42767884a626317ef5b75c20e8a2d", - "sha256:8ec1a38074f68d66ccb467ed9a673a726bb397142c273f90d4ba954666e87d54", - "sha256:950b7ef08b2afdab2488ee2edaff92a03ca500a48f1e1aaa5900e73d6cf992bc", - "sha256:99c5a5bf7135607959441b7d720d96c8e5c46a1f96e9d6d4c9498be8d5f24212", - "sha256:b84ad94868e1e6a5e30d30ec419956042815dfaea1b1df1cef623e4564c374d9", - "sha256:bc3d14bf71a3fb94e5acf5bbf67331ab335467129af6416a437bd6024e4f743d", - "sha256:c2a80fd9a8d7e41b4e38ea9fe149deed0d6aaede255c497e66b8213274d6d61b", - "sha256:c44d3c82a933c6cbc21039326767e778eface44fca55c65719921c4b9661a3f7", - "sha256:cc31e906be1cc121ee201adbdf844522ea3349600dd0a40366611ca18cd40e81", - "sha256:d5d102e945ecca93bcd9801a7bb2fa703e37ad188a2f81b1e65e4abe4b51b00c", - "sha256:dd7936f2a6daa861143e376b3a1fb56e9b802f4980923594edd9ca5670974895", - "sha256:dee68ec462ff10c1d836c0ea2642116aba6151c6880b688e56b4c0246770f297", - "sha256:e76e78863a4eaec3aee5722d85d04dcbd9844bc6cd3bfa6aa880ff46ad16bfcb", - "sha256:eab51036cac2da8a50d7ff0ea30be47750547c9aa1aa2cf1a1b710a1827e7dbe", - "sha256:f4496d8d04da2e98cc9133e238ccebf6a13ef39a93da2e87146c8c8ac9768242", - "sha256:fbd3b5e18d34683decc00d9a360179ac1e7a320a5fee10ab8053ffd6deab76e0", - "sha256:feb24ff1226beeb056e247cf2e24bba5232519efb5645121c4aea5b6ad74c1f2" 
+ "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", + "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", + "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", + "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", + "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", + "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", + "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", + "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", + "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", + "sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", + "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", + "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", + "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", + "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", + "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", + "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", + "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", + "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", + "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", + "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", + "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", + "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", + "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", + "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", + "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", + 
"sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", + "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", + "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", + "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", + "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", + "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", + "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", + "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", + "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", + "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", + "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", + "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" ], - "index": "pypi", - "version": "==3.7.4" + "markers": "python_version >= '3.6'", + "version": "==3.7.4.post0" }, "async-timeout": { "hashes": [ "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" ], + "markers": "python_full_version >= '3.5.3'", "version": "==3.0.1" }, "attrs": { 
@@ -221,67 +223,97 @@ "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==20.3.0" }, + "certifi": { + "hashes": [ + "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", + "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + ], + "version": "==2020.12.5" + }, "chardet": { "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "version": "==3.0.4" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==4.0.0" }, "colorama": { "hashes": [ - "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", - "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" + "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b", + "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2" ], "index": "pypi", - "version": "==0.4.3" + "version": "==0.4.4" }, "coverage": { "hashes": [ - "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0", - "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30", - "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b", - "sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0", - "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823", - "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe", - "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037", - 
"sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6", - "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31", - "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd", - "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892", - "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1", - "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78", - "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac", - "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006", - "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014", - "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2", - "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7", - "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8", - "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7", - "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9", - "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1", - "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307", - "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a", - "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435", - "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0", - "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5", - "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441", - "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732", - "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de", - "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1" + "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c", + "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6", 
+ "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45", + "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a", + "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03", + "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529", + "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a", + "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a", + "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2", + "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6", + "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759", + "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53", + "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a", + "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4", + "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff", + "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502", + "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793", + "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb", + "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905", + "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821", + "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b", + "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81", + "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0", + "sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b", + "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3", + "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184", + "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701", + 
"sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a", + "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82", + "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638", + "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5", + "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083", + "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6", + "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90", + "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465", + "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a", + "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3", + "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e", + "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066", + "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf", + "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b", + "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae", + "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669", + "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873", + "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b", + "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6", + "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb", + "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160", + "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c", + "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079", + "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d", + "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6" ], "index": "pypi", - "version": "==5.0.4" + "version": "==5.5" }, 
"elasticsearch": { "hashes": [ - "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8", - "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81" + "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0", + "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378" ], "index": "pypi", - "version": "==7.6.0" + "version": "==7.12.0" }, "elasticsearch-async": { "hashes": [ @@ -296,28 +328,15 @@ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, - "idna-ssl": { - "hashes": [ - "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c" - ], - "markers": "python_version < '3.7'", - "version": "==1.1.0" - }, - "importlib-metadata": { - "hashes": [ - "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa", - "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614" - ], - "markers": "python_version < '3.8'", - "version": "==3.7.0" - }, "more-itertools": { "hashes": [ "sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced", "sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713" ], + "markers": "python_version >= '3.5'", "version": "==8.7.0" }, "multidict": { @@ -360,6 +379,7 @@ "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" ], + "markers": "python_version >= '3.6'", "version": "==5.1.0" }, "packaging": { @@ -367,6 +387,7 @@ "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==20.9" }, "pathspec": { 
@@ -381,6 +402,7 @@ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.13.1" }, "py": { @@ -388,6 +410,7 @@ "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.10.0" }, "pyparsing": { 
@@ -395,32 +418,51 @@ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, "pytest": { "hashes": [ - "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172", - "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970" + "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1", + "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8" ], "index": "pypi", - "version": "==5.4.1" + "version": "==5.4.3" }, "pyyaml": { "hashes": [ - "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c", - "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95", - "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2", - "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4", - "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad", - "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba", - "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1", - "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e", - "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673", - "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13", - "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + 
"sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" ], "index": "pypi", - "version": "==5.1" + "version": "==5.4.1" }, "typing-extensions": { "hashes": [ 
@@ -433,11 +475,11 @@ }, "urllib3": { "hashes": [ - "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", - "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" + "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", + "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" ], "index": "pypi", - "version": "==1.25.8" + "version": "==1.26.4" }, "wcwidth": { "hashes": [ @@ -448,11 +490,11 @@ }, "yamllint": { "hashes": [ - "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f", - "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193" + "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637", + "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087" ], "index": "pypi", - "version": "==1.21.0" + "version": "==1.26.0" }, "yarl": { "hashes": [ @@ -494,14 +536,8 @@ "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" ], + "markers": "python_version >= '3.6'", "version": "==1.6.3" - }, - "zipp": { - "hashes": [ - "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108", - "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb" - ], - "version": "==3.4.0" } } } diff --git a/README.md b/README.md index bd5182d4c..a4de644f6 100644 --- a/README.md +++ b/README.md 
@@ -40,9 +40,9 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec # Why Sigma -Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. +Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. -Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. +Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. ## Slides 
@@ -52,7 +52,7 @@ See the first slide deck that I prepared for a private conference in mid January # Specification -The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). +The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). The current specification is a proposal. Feedback is requested. @@ -62,7 +62,7 @@ The current specification is a proposal. Feedback is requested. Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started. -## Rule Usage +## Rule Usage 1. Download or clone the repository 2. Check the `./rules` sub directory for an overview on the rule base @@ -172,13 +172,13 @@ Translate a whole rule directory and ignore backend errors (`-I`) in rule conver ``` tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/ ``` -#### Rule Set Translation with Custom Config +#### Rule Set Translation with Custom Config Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings ``` tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon ``` #### Generic Rule Set Translation -Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) +Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) ``` tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation ``` 
@@ -228,16 +228,18 @@ It's available on PyPI. Install with: pip3 install sigmatools ``` -Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with: +Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with [Pipenv](https://pypi.org/project/pipenv/). +Run the following command to get a shell with the installed requirements: ```bash -pip3 install -r tools/requirements.txt +pipenv shell ``` For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with: ```bash -pip3 install -r tools/requirements-devel.txt +pipenv install --dev +pipenv shell ``` ## Sigma2MISP @@ -251,7 +253,7 @@ Example: *misp.conf*: ``` url https://host -key foobarfoobarfoobarfoobarfoobarfoobarfoo +key foobarfoobarfoobarfoobarfoobarfoobarfoo ``` Load Sigma rule into MISP event 1234: @@ -266,7 +268,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/ ## Evt2Sigma -[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. +[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. ## Sigma2attack 
@@ -291,7 +293,7 @@ Result once imported in the MITRE ATT&CK® Navigator ([online version](https://m ## S2AN -Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules. +Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules. S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies. @@ -317,11 +319,11 @@ These tools are not part of the main toolchain and maintained separately by thei * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints * [Joe Sandbox](https://www.joesecurity.org/) -* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing +* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html) * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App) * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35) -* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion +* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion Sigma is available in some Linux distribution repositories: 
@@ -333,10 +335,10 @@ If you want to contribute, you are more then welcome. There are numerous ways to ## Use it and provide feedback -If you use it, let us know what works and what does not work. +If you use it, let us know what works and what does not work. E.g. -- Tell us about false positives (issues section) +- Tell us about false positives (issues section) - Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule ## Work on open issues @@ -345,7 +347,7 @@ The github issue tracker is a good place to start tackling some issues others ra ## Provide Backends / Backend Features / Bugfixes -Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions. +Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions. ## Spread the word diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt deleted file mode 100644 index 3665b6ee4..000000000 --- a/tools/requirements-devel.txt +++ /dev/null @@ -1,10 +0,0 @@ -coverage~=5.0 -yamllint~=1.21 -elasticsearch~=7.6 -elasticsearch-async~=6.2 -setuptools -wheel -pytest~=5.4 -colorama -stix2 -attackcti \ No newline at end of file diff --git a/tools/requirements.txt b/tools/requirements.txt deleted file mode 100644 index 3debba0b4..000000000 --- a/tools/requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -pyyaml>=4.2b1 -requests~=2.23 -urllib3~=1.25 -progressbar2~=3.47 -pymisp~=2.4.123 From 3d519a874b4d18d7d0923e987cf0f9e0d4d70e40 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Sat, 3 Apr 2021 23:12:36 +0200 Subject: [PATCH 1331/1335] Added dev dependencies from requirements --- .github/workflows/pypi-publish.yml | 27 ------- Pipfile | 3 + Pipfile.lock | 113 ++++++++++++++++++++++++++++- 3 files changed, 115 insertions(+), 28 deletions(-) delete mode 100644 .github/workflows/pypi-publish.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml deleted file mode 100644 index efeff2dc6..000000000 --- a/.github/workflows/pypi-publish.yml +++ /dev/null @@ -1,27 +0,0 @@ -# This workflows will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries - -name: Upload Sigmatools Package to PyPI -on: - release: - types: [created] - -jobs: - deploy: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up Python - uses: actions/setup-python@v1 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools wheel twine - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - run: | - make upload diff --git a/Pipfile b/Pipfile index 085c96887..7df1021b1 100644 --- a/Pipfile +++ b/Pipfile @@ -10,6 +10,9 @@ elasticsearch = "~=7.6" elasticsearch-async = "~=6.2" pytest = "~=5.4" colorama = "*" +setuptools = "*" +stix2 = "*" +attackcti = "*" [packages] requests = "~=2.23" diff --git a/Pipfile.lock b/Pipfile.lock index 5fd8dd8e3..ed1329a91 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "e101cf0d543e90c8c9f87347917b9ee06e19ba82aa0016d77f7e43ade1eab9fc" + "sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687" }, "pipfile-spec": 6, "requires": { 
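Review bot: The three dev-packages added in the Pipfile hunk use the wildcard constraint `"*"`, whereas most neighbouring entries (`elasticsearch = "~=7.6"`, `pytest = "~=5.4"`) carry compatible-release ranges; with a wildcard the next `pipenv lock` may jump setuptools, stix2 or attackcti to any release, including a major version with a changed API, and for supply-chain hygiene a bound in the manifest is preferable to relying on the lockfile alone. Pipfile.lock in the same commit resolves attackcti to `==0.3.4.3`, so `attackcti = "~=0.3.4"` would express the range actually tested, and stix2 and setuptools could be bounded the same way to whatever the lock resolves for them. Separately, the diffstat shows this commit also deletes `.github/workflows/pypi-publish.yml`, which the subject line does not mention; that removal would be easier to audit as its own commit with a stated reason, and if the PyPI credentials it referenced are no longer used, the corresponding repository secrets can be retired along with it.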
@@ -210,6 +210,13 @@ "markers": "python_version >= '3.6'", "version": "==3.7.4.post0" }, + "antlr4-python3-runtime": { + "hashes": [ + "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + ], + "markers": "python_version >= '3'", + "version": "==4.8" + }, "async-timeout": { "hashes": [ "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", @@ -218,6 +225,14 @@ "markers": "python_full_version >= '3.5.3'", "version": "==3.0.1" }, + "attackcti": { + "hashes": [ + "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f", + "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9" + ], + "index": "pypi", + "version": "==0.3.4.3" + }, "attrs": { "hashes": [ "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6", @@ -429,6 +444,13 @@ "index": "pypi", "version": "==5.4.3" }, + "pytz": { + "hashes": [ + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + ], + "version": "==2021.1" + }, "pyyaml": { "hashes": [ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", 
@@ -464,6 +486,95 @@ "index": "pypi", "version": "==5.4.1" }, + "requests": { + "hashes": [ + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" + ], + "index": "pypi", + "version": "==2.25.1" + }, + "simplejson": { + "hashes": [ + "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667", + "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3", + "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043", + "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb", + "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0", + "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d", + "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8", + "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f", + "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf", + "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748", + "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278", + "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4", + "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a", + "sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8", + "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d", + "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971", + "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841", + "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f", + "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b", + "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45", + "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9", + 
"sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6", + "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc", + "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956", + "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d", + "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746", + "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a", + "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0", + "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25", + "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625", + "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995", + "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46", + "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f", + "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a", + "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139", + "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f", + "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da", + "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34", + "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b", + "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94", + "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04", + "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b", + "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396", + "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06", + "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb" + ], + "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==3.17.2" + }, + "six": { + "hashes": [ + 
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", + "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==1.15.0" + }, + "stix2": { + "hashes": [ + "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938", + "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4" + ], + "index": "pypi", + "version": "==2.1.0" + }, + "stix2-patterns": { + "hashes": [ + "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", + "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + ], + "version": "==1.3.2" + }, + "taxii2-client": { + "hashes": [ + "sha256:b4212b8a8bab170cd5dc386ca3ea36bc44b53932f1da30db150abeef00bce7b9", + "sha256:fb3bf895e2eaff3cd08bb7aad75c9d30682ffc00b9f3add77de3a67dc6b895a3" + ], + "version": "==2.3.0" + }, "typing-extensions": { "hashes": [ "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", From b1b0240692cd35a8f493b77809f2164578fb9ca9 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 3 Apr 2021 23:21:13 +0200 Subject: [PATCH 1332/1335] Fixes --- rules/windows/powershell/powershell_shellcode_b64.yml | 2 +- .../process_creation/win_susp_crackmapexec_execution.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index 3d7988b68..ba269aca2 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -23,7 +23,7 @@ detection: EventID: 4104 ScriptBlockText|contains: 'AAAAYInlM' selection2: - ScriptBlockText|contains|all: + ScriptBlockText|contains: - 'OiCAAAAYInlM' - 'OiJAAAAYInlM' condition: selection and selection2 
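Review bot: After this change `selection` no longer constrains the match: both strings in `selection2` (`OiCAAAAYInlM`, `OiJAAAAYInlM`) contain `AAAAYInlM`, so every script block that satisfies `selection2` already satisfies the `ScriptBlockText|contains` part of `selection`, and `condition: selection and selection2` reduces to `selection2` plus the `EventID: 4104` filter. Switching `contains|all` to `contains` looks right — the two values appear to be different base64 alignments of the same byte sequence, and one encoded payload yields only one of them — but the redundancy should be either removed (move `EventID: 4104` into `selection2` and drop the short string) or explained, e.g. `# 'AAAAYInlM' is the alignment-independent core; selection2 lists the two longer alignments, OR'd`. The `detection:` block starts above the hunk.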
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index e5d69a30a..9a5f1afb3 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -28,9 +28,9 @@ detection: - 'cmd.exe /C * > *\\Temp\\* 2>&1' CommandLine|contains: # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*' + - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) - - '*powershell.exe -noni -nop -w 1 -enc *' + - 'powershell.exe -noni -nop -w 1 -enc ' condition: selection fields: - ComputerName From af09dd8e3cb4e5e11ca700213f2b19c53318e532 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 5 Apr 2021 13:01:10 -0400 Subject: [PATCH 1333/1335] Clean up: Webshell ReGeorg Detection --- rules/web/win_webshell_regeorg.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index fc068bf4e..b4ccdb5c3 100644 --- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -13,11 +13,11 @@ logsource: detection: selection: uri_query|contains: - - '*cmd=read*' - - '*connect&target*' - - '*cmd=connect*' - - '*cmd=disconnect*' - - '*cmd=forward*' + - 'cmd=read' + - 'connect&target' + - 'cmd=connect' + - 'cmd=disconnect' + - 'cmd=forward' filter: referer: null useragent: null From 0a28a4249824cccca5fba079df3998f02ff79436 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 5 Apr 2021 22:57:50 +0200 Subject: [PATCH 1334/1335] CI: Install Python dependencies in virtual env --- .github/workflows/sigma-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
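Review bot: Removing the outer `*` is the correct fix for a `contains` modifier, but both remaining strings still require CrackMapExec's flags in one exact order and spelling (`-exec bypass -noni -nop -w 1 -C "` and `-noni -nop -w 1 -enc `), so a reordered or long-form invocation (`-ExecutionPolicy Bypass`) produced by a one-line edit to the cited helper evades the rule while behaving identically. Since the comments already point at `cme/helpers/powershell.py`, the limitation should be stated next to them: `# Note: matches cme's default argument order only; re-check when the helper changes`. If the false-positive budget allows, a second selection using `CommandLine|contains|all` on the individual tokens `-noni`, `-nop`, `-w 1` and `-enc` would be order-independent. The `selection` block and its first `CommandLine` entry begin above the hunk.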
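Review bot: `'connect&target'` overlaps almost entirely with `'cmd=connect'`: a request carrying `cmd=connect&target=` hits both values, so the second one only adds URIs in which `connect` is the value of some other parameter, which the rule does not describe. Either drop it or replace the pair with the single, tighter `cmd=connect&target=` (if, as that value suggests, the tunnel's connect request always carries a `target` parameter), which also makes the intent obvious to the next reader. Because `cmd=read` and `cmd=forward` are generic substrings that any application with a `cmd` query parameter can produce, a comment on the list such as `# ReGeorg tunnel verbs seen in the query string; expect FPs from apps using a 'cmd' parameter` would help whoever tunes this. The `condition` combining `selection` and `filter` is outside the hunk.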
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index b5871f027..d5ef8f490 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -23,10 +23,10 @@ jobs: run: | python -m pip install --upgrade pip pip install pipenv - pipenv install --dev --deploy --system + pipenv install --dev --deploy - name: Test Sigma Tools and Rules run: | - make test + pipenv run make test - name: Test SQL(ite) Backend run: | - make test-backend-sql + pipenv run make test-backend-sql From e73e27e44f4384e5c2bf3aae0f3992d62358075d Mon Sep 17 00:00:00 2001 From: Vasiliy Burov Date: Tue, 6 Apr 2021 20:18:54 +0300 Subject: [PATCH 1335/1335] Update win_hack_rubeus.yml Added commandline parameters for constrained delegation abuse and for hashes calculation --- rules/windows/process_creation/win_hack_rubeus.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index 02f977365..4ce04049b 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml @@ -28,6 +28,9 @@ detection: - ' renew /ticket:' - ' asktgt /user:' - ' harvest /interval:' + - ' s4u /user:' + - ' s4u /ticket:' + - ' hash /password:' condition: selection falsepositives: - unlikely
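Review bot: `pip install pipenv` on the third line of the hunk is still unpinned, so each CI run fetches whatever pipenv release (and transitive dependencies) PyPI serves that day; the move to `pipenv install --dev --deploy` makes the project dependencies hash-checked against Pipfile.lock, but the tool performing that check is not. Pin it, e.g. `pip install 'pipenv==<the version the lock was generated with>'`, ideally from a small requirements file installed with `--require-hashes`, so a compromised or broken pipenv release cannot change what the lock-verified install actually does. The same concern applies to `python -m pip install --upgrade pip` on the line above. The `steps:` list and the first `- name:` entry begin above the hunk.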
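Review bot: The three new values, like the existing ones, only match when the named switch immediately follows the verb (` s4u /user:`, ` s4u /ticket:`, ` hash /password:`), and Rubeus appears to accept its `/key:value` switches in any order, so `s4u /impersonateuser:admin /user:svc ...` — an ordinary constrained-delegation invocation — would not fire this rule. If the leading-space-plus-verb convention is kept to limit false positives, also list the other switches these verbs take, ` s4u /impersonateuser:` and ` s4u /msdsspn:`, and record the limitation for the next maintainer: `# only the first switch after the verb is matched; Rubeus accepts switches in any order`. The `selection` block containing these values starts above the hunk.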