From 01dc930c173e329c191245b76f05de5fa4b5da21 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 27 Nov 2021 11:33:14 +0100
Subject: [PATCH] Change status for old rules
---
 rules/application/app_sqlinjection_errors.yml | 32 +--
 rules/apt/apt_silence_downloader_v3.yml | 58 ++---
 rules/apt/apt_silence_eda.yml | 66 +++---
 ...creating_number_of_resources_detection.yml | 9 +-
 .../azure_granting_permission_detection.yml | 11 +-
 rules/cloud/azure/azure_rare_operations.yml | 11 +-
 ...icrosoft365_impossible_travel_activity.yml | 34 +-
 rules/generic/generic_brute_force.yml | 32 +--
 .../auditd/lnx_auditd_alter_bash_profile.yml | 45 ++--
 .../lnx_auditd_auditing_config_change.yml | 45 ++--
 .../auditd/lnx_auditd_binary_padding.yml | 41 ++--
 .../lnx_auditd_change_file_time_attr.yml | 41 ++--
 .../lnx_auditd_chattr_immutable_removal.yml | 27 +--
 .../auditd/lnx_auditd_create_account.yml | 27 +--
 .../lnx_auditd_file_or_folder_permissions.yml | 29 +--
 .../auditd/lnx_auditd_find_cred_in_files.yml | 33 ++-
 .../auditd/lnx_auditd_ld_so_preload_mod.yml | 28 +--
 .../lnx_auditd_logging_config_change.yml | 43 ++--
 .../auditd/lnx_auditd_masquerading_crond.yml | 32 +--
 .../auditd/lnx_auditd_pers_systemd_reload.yml | 35 +--
 .../lnx_auditd_split_file_into_pieces.yml | 29 ++-
 .../auditd/lnx_auditd_susp_c2_commands.yml | 21 +-
 rules/linux/auditd/lnx_auditd_susp_cmds.yml | 51 ++--
 .../auditd/lnx_auditd_susp_exe_folders.yml | 61 ++---
 .../lnx_auditd_susp_histfile_operations.yml | 56 ++---
 .../lnx_auditd_system_shutdown_reboot.yml | 49 ++--
 .../auditd/lnx_auditd_user_discovery.yml | 34 +--
 rules/linux/auditd/lnx_data_compressed.yml | 42 ++--
 rules/linux/auditd/lnx_network_sniffing.yml | 45 ++--
 .../builtin/lnx_apt_equationgroup_lnx.yml | 99 ++++---
 rules/linux/builtin/lnx_proxy_connection.yml | 21 +-
 rules/linux/builtin/lnx_setgid_setuid.yml | 29 +--
 .../linux/builtin/lnx_shell_priv_esc_prep.yml | 105 ++++-----
 .../linux/builtin/lnx_shell_susp_commands.yml | 90 ++++----
 .../builtin/lnx_shell_susp_log_entries.yml | 21 +-
 .../builtin/lnx_shell_susp_rev_shells.yml | 69 +++---
 .../builtin/lnx_space_after_filename_.yml | 27 +--
 rules/linux/builtin/lnx_susp_jexboss.yml | 25 +-
 .../linux/builtin/lnx_symlink_etc_passwd.yml | 23 +-
 .../file_event/macos_emond_launch_daemon.yml | 17 +-
 .../macos/file_event/macos_startup_items.yml | 15 +-
 .../process_creation/macos_applescript.yml | 5 +-
 .../process_creation/macos_base64_decode.yml | 7 +-
 .../process_creation/macos_binary_padding.yml | 45 ++--
 .../macos_change_file_time_attr.yml | 37 ++-
 .../process_creation/macos_create_account.yml | 13 +-
 .../macos_create_hidden_account.yml | 10 +-
 .../macos_creds_from_keychain.yml | 39 ++--
 .../macos_disable_security_tools.yml | 7 +-
 .../macos_file_and_directory_discovery.yml | 7 +-
 .../macos_find_cred_in_files.yml | 35 ++-
 .../process_creation/macos_local_account.yml | 5 +-
 .../process_creation/macos_local_groups.yml | 5 +-
 .../macos_network_service_scanning.yml | 7 +-
 .../macos_network_sniffing.yml | 5 +-
 .../macos_remote_system_discovery.yml | 5 +-
 .../macos_schedule_task_job_cron.yml | 17 +-
 .../process_creation/macos_screencapture.yml | 25 +-
 .../macos_security_software_discovery.yml | 10 +-
 .../macos_split_file_into_pieces.yml | 25 +-
 .../macos_susp_histfile_operations.yml | 42 ++--
 ...s_system_network_connections_discovery.yml | 7 +-
 .../macos_system_network_discovery.yml | 45 ++--
 .../macos_system_shutdown_reboot.yml | 31 ++-
 .../macos_xattr_gatekeeper_bypass.yml | 9 +-
 rules/linux/other/lnx_ssh_cve_2018_15473.yml | 23 +-
 .../lnx_susp_failed_logons_single_source.yml | 29 +--
 rules/linux/other/lnx_susp_guacamole.yml | 23 +-
 rules/linux/other/lnx_susp_named.yml | 27 +--
 rules/linux/other/lnx_susp_ssh.yml | 46 ++--
 rules/linux/other/lnx_susp_vsftp.yml | 55 ++---
 .../process_creation/lnx_base64_decode.yml | 7 +-
 .../lnx_file_and_directory_discovery.yml | 7 +-
 .../lnx_install_root_certificate.yml | 29 +--
 .../process_creation/lnx_local_account.yml | 5 +-
 .../process_creation/lnx_local_groups.yml | 5 +-
 .../lnx_remote_system_discovery.yml | 5 +-
 .../lnx_schedule_task_job_cron.yml | 17 +-
 .../lnx_security_software_discovery.yml | 9 +-
 ...x_system_network_connections_discovery.yml | 9 +-
 .../lnx_system_network_discovery.yml | 45 ++--
 .../cisco/aaa/cisco_cli_clear_logs.yml | 38 +--
 .../cisco/aaa/cisco_cli_collect_data.yml | 54 ++---
 .../cisco/aaa/cisco_cli_crypto_actions.yml | 45 ++--
 .../cisco/aaa/cisco_cli_disable_logging.yml | 37 +--
 .../network/cisco/aaa/cisco_cli_discovery.yml | 69 +++---
 rules/network/cisco/aaa/cisco_cli_dos.yml | 36 +--
 .../cisco/aaa/cisco_cli_file_deletion.yml | 41 ++--
 .../cisco/aaa/cisco_cli_input_capture.yml | 33 ++-
 .../cisco/aaa/cisco_cli_local_accounts.yml | 32 +--
 .../cisco/aaa/cisco_cli_modify_config.yml | 52 ++---
 .../cisco/aaa/cisco_cli_moving_data.yml | 48 ++--
 .../network/cisco/aaa/cisco_cli_net_sniff.yml | 31 +--
 rules/network/net_apt_equationgroup_c2.yml | 37 +--
 rules/network/net_dns_c2_detection.yml | 35 ++-
 .../net_high_null_records_requests_rate.yml | 28 +--
 .../net_high_txt_records_requests_rate.yml | 28 +--
 .../network/net_susp_dns_txt_exec_strings.yml | 34 +--
 rules/network/net_susp_network_scan_by_ip.yml | 36 +--
 .../net_wannacry_killswitch_domain.yml | 37 +--
 .../zeek_dce_rpc_mitre_bzar_execution.yml | 91 ++++----
 .../zeek_dce_rpc_mitre_bzar_persistence.yml | 61 ++---
 ...k_http_executable_download_from_webdav.yml | 38 +--
 .../zeek/zeek_http_webdav_put_request.yml | 39 ++--
 .../zeek_smb_converted_win_atsvc_task.yml | 35 +--
 ..._smb_converted_win_impacket_secretdump.yml | 39 ++--
 .../zeek_smb_converted_win_lm_namedpipe.yml | 67 +++---
 .../zeek_smb_converted_win_susp_psexec.yml | 49 ++--
 ...verted_win_susp_raccess_sensitive_fext.yml | 23 +-
 ...ransferring_files_with_credential_data.yml | 47 ++--
 rules/network/zeek/zeek_susp_kerberos_rc4.yml | 35 +--
 rules/proxy/proxy_apt40.yml | 34 +--
 rules/proxy/proxy_chafer_malware.yml | 29 +--
 rules/proxy/proxy_cobalt_amazon.yml | 6 +-
 rules/proxy/proxy_cobalt_ocsp.yml | 30 +--
 rules/proxy/proxy_download_susp_dyndns.yml | 206 ++++++++---------
 .../proxy_download_susp_tlds_blacklist.yml | 198 ++++++++--------
 .../proxy_download_susp_tlds_whitelist.yml | 104 ++++-----
 rules/proxy/proxy_downloadcradle_webdav.yml | 38 +--
 rules/proxy/proxy_empire_ua_uri_combos.yml | 34 +--
 rules/proxy/proxy_empty_ua.yml | 26 +--
 rules/proxy/proxy_ios_implant.yml | 44 ++--
 rules/proxy/proxy_powershell_ua.yml | 26 +--
 rules/proxy/proxy_pwndrop.yml | 36 +--
 .../proxy/proxy_raw_paste_service_access.yml | 46 ++--
 rules/proxy/proxy_telegram_api.yml | 50 ++--
 rules/proxy/proxy_turla_comrat.yml | 28 +--
 rules/proxy/proxy_ua_apt.yml | 104 ++++-----
 rules/proxy/proxy_ua_cryptominer.yml | 34 +--
 rules/proxy/proxy_ua_frameworks.yml | 72 +++---
 rules/proxy/proxy_ua_hacktool.yml | 126 +++++-----
 rules/proxy/proxy_ua_malware.yml | 134 +++++------
 rules/web/sql_injection_keywords.yml | 3 +-
 rules/web/web_apache_segfault.yml | 24 +-
 rules/web/web_apache_threading_error.yml | 17 +-
 .../web/web_citrix_cve_2019_19781_exploit.yml | 46 ++--
 rules/web/web_cve_2019_3398_confluence.yml | 33 +--
 rules/web/web_cve_2020_0688_msexchange.yml | 37 +--
 .../web_cve_2020_14882_weblogic_exploit.yml | 38 +--
 rules/web/web_cve_2020_5902_f5_bigip.yml | 47 ++--
 ...2021_21978_vmware_view_planner_exploit.yml | 37 +--
 .../web_exchange_cve_2020_0688_exploit.yml | 10 +-
 ...le_suspicious_resp_codes_single_source.yml | 38 +--
 rules/web/web_pulsesecure_cve_2019_11510.yml | 30 +--
 rules/web/web_source_code_enumeration.yml | 32 +--
 rules/web/web_webshell_keyword.yml | 34 +--
 .../builtin/win_ad_object_writedac_access.yml | 37 +--
 ...win_ad_replication_non_machine_account.yml | 50 ++--
 .../builtin/win_admin_share_access.yml | 32 +--
 ...in_alert_active_directory_user_control.yml | 34 +--
 .../builtin/win_alert_ad_user_backdoors.yml | 61 +++--
 .../win_alert_enable_weak_encryption.yml | 151 ++++++------
 ..._applocker_file_was_not_allowed_to_run.yml | 70 +++---
 .../builtin/win_apt_carbonpaper_turla.yml | 39 ++--
 rules/windows/builtin/win_apt_stonedrill.yml | 33 +--
 .../builtin/win_apt_turla_service_png.yml | 31 +--
 rules/windows/builtin/win_atsvc_task.yml | 41 ++--
 .../builtin/win_camera_microphone_access.yml | 37 +--
 .../win_dce_rpc_smb_spoolss_named_pipe.yml | 37 +--
 .../builtin/win_dcom_iertutil_dll_hijack.yml | 35 +--
 .../builtin/win_disable_event_logging.yml | 35 +--
 .../win_dpapi_domain_backupkey_extraction.yml | 33 +--
 ..._dpapi_domain_masterkey_backup_attempt.yml | 33 +--
 .../windows/builtin/win_etw_modification.yml | 31 +--
 .../builtin/win_gpo_scheduledtasks.yml | 43 ++--
 rules/windows/builtin/win_hack_smbexec.yml | 44 ++--
 rules/windows/builtin/win_lm_namedpipe.yml | 73 +++---
 rules/windows/builtin/win_mal_wceaux_dll.yml | 39 ++--
 .../builtin/win_mmc20_lateral_movement.yml | 34 +--
 .../builtin/win_not_allowed_rdp_access.yml | 36 +--
 .../windows/builtin/win_overpass_the_hash.yml | 35 +--
 rules/windows/builtin/win_pass_the_hash.yml | 49 ++--
 .../win_protected_storage_service_access.yml | 32 +--
 ...rkspwdump_clearing_hive_access_history.yml | 30 +--
 .../builtin/win_rare_schtasks_creations.yml | 35 +--
 .../builtin/win_rare_service_installs.yml | 31 +--
 ..._registry_management_using_reg_utility.yml | 42 ++--
 .../win_sam_registry_hive_handle_request.yml | 44 ++--
 .../win_scm_database_privileged_operation.yml | 33 +--
 ...scrcons_remote_wmi_scripteventconsumer.yml | 39 ++--
 .../win_smb_file_creation_admin_shares.yml | 35 +--
 rules/windows/builtin/win_susp_dns_config.yml | 39 ++--
 .../builtin/win_susp_failed_logon_source.yml | 87 +++----
 .../builtin/win_susp_interactive_logons.yml | 43 ++--
 .../win_susp_kerberos_manipulation.yml | 91 ++++----
 .../builtin/win_susp_ldap_dataexchange.yml | 42 ++--
 .../builtin/win_susp_mshta_execution.yml | 55 +++--
 ...susp_multiple_files_renamed_or_deleted.yml | 37 +--
 .../builtin/win_susp_net_recon_activity.yml | 56 ++---
 rules/windows/builtin/win_susp_ntlm_rdp.yml | 41 ++--
 rules/windows/builtin/win_susp_psexec.yml | 47 ++--
 rules/windows/builtin/win_susp_sam_dump.yml | 31 +--
 rules/windows/builtin/win_susp_samr_pwset.yml | 34 +--
 rules/windows/builtin/win_susp_sdelete.yml | 56 ++---
 .../builtin/win_susp_time_modification.yml | 46 ++--
 ...uspicious_outbound_kerberos_connection.yml | 42 ++--
 .../builtin/win_svcctl_remote_service.yml | 37 +--
 .../builtin/win_syskey_registry_access.yml | 42 ++--
 .../win_sysmon_channel_reference_deletion.yml | 47 ++--
 ...ith_credential_data_via_network_shares.yml | 49 ++--
 .../builtin/win_usb_device_plugged.yml | 33 +--
 rules/windows/builtin/win_user_creation.yml | 39 ++--
 .../builtin/win_user_driver_loaded.yml | 63 ++---
 .../win_wmiprvse_wbemcomn_dll_hijack.yml | 37 +--
 .../sysmon_createremotethread_loadlibrary.yml | 30 +--
 .../sysmon_powershell_code_injection.yml | 27 +--
 .../sysmon_ads_executable.yml | 41 ++--
 .../sysmon_regedit_export_to_ads.yml | 29 +--
 .../dns_query_possible_dns_rebinding.yml | 70 +++---
 .../driver_load/driver_load_susp_temp_use.yml | 26 +--
 ...mon_sysinternals_sdelete_file_deletion.yml | 33 +--
 .../sysmon_cred_dump_tools_dropped_files.yml | 86 +++----
 .../sysmon_ghostpack_safetykatz.yml | 28 +--
 .../file_event/sysmon_office_persistence.yml | 46 ++--
 .../sysmon_powershell_exploit_scripts.yml | 217 +++++++++---------
 .../file_event/sysmon_quarkspw_filedump.yml | 34 +--
 .../sysmon_redmimicry_winnti_filedrop.yml | 31 +--
 .../sysmon_startup_folder_file_write.yml | 29 +--
 .../sysmon_susp_adsi_cache_usage.yml | 48 ++--
 .../file_event/sysmon_susp_desktop_ini.yml | 38 +--
 .../sysmon_susp_pfx_file_creation.yml | 27 +--
 ...cexplorer_driver_created_in_tmp_folder.yml | 41 ++--
 ...n_suspicious_powershell_profile_create.yml | 38 +--
 .../sysmon_tsclient_filewrite_startup.yml | 23 +-
 .../sysmon_webshell_creation_detect.yml | 72 +++---
 ...ersistence_script_event_consumer_write.yml | 30 +--
 .../win_susp_desktopimgdownldr_file.yml | 47 ++--
 .../sysmon_mimikatz_inmemory_detection.yml | 67 +++---
 ...cons_imageload_wmi_scripteventconsumer.yml | 43 ++--
 .../image_load/sysmon_susp_fax_dll.yml | 46 ++--
 .../image_load/sysmon_susp_image_load.yml | 36 +--
 ...n_susp_office_dotnet_assembly_dll_load.yml | 40 ++--
 ...sysmon_susp_office_dotnet_clr_dll_load.yml | 40 ++--
 ...sysmon_susp_office_dotnet_gac_dll_load.yml | 40 ++--
 .../sysmon_susp_office_dsparse_dll_load.yml | 40 ++--
 .../sysmon_susp_office_kerberos_dll_load.yml | 40 ++--
 ...sysmon_susp_script_dotnet_clr_dll_load.yml | 45 ++--
 .../sysmon_susp_winword_vbadll_load.yml | 44 ++--
 ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 104 ++++-----
 ...sysmon_svchost_dll_search_order_hijack.yml | 54 +++--
 ...ysmon_unsigned_image_loaded_into_lsass.yml | 30 +--
 ...persistence_commandline_event_consumer.yml | 32 +--
 .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 35 +--
 rules/windows/malware/av_exploiting.yml | 58 ++---
 rules/windows/malware/av_password_dumper.yml | 60 ++---
 .../file_event_mal_octopus_scanner.yml | 11 +-
 ...ess_creation_mal_lockergoga_ransomware.yml | 31 +--
 .../malware/process_creation_mal_ryuk.yml | 39 ++--
 .../malware/registry_event_mal_azorult.yml | 11 +-
 .../silenttrinity_stager_msbuild_activity.yml | 35 +--
 .../sysmon_dllhost_net_connections.yml | 76 +++---
 .../sysmon_malware_backconnect_ports.yml | 180 +++++++-------
 .../sysmon_notepad_network_connection.yml | 38 +--
 ...smon_remote_powershell_session_network.yml | 42 ++--
 .../sysmon_rundll32_net_connections.yml | 74 +++---
 ..._susp_prog_location_network_connection.yml | 51 ++--
 .../network_connection/sysmon_susp_rdp.yml | 78 +++----
 ...uspicious_outbound_kerberos_connection.yml | 48 ++--
 .../sysmon_win_binary_github_com.yml | 46 ++--
 .../sysmon_win_binary_susp_com.yml | 37 +--
 .../sysmon_wuauclt_network_connection.yml | 25 +-
 rules/windows/other/win_defender_bypass.yml | 39 ++--
 rules/windows/other/win_pcap_drivers.yml | 59 ++---
 .../other/win_rare_schtask_creation.yml | 27 +--
 ...sysmon_alternate_powershell_hosts_pipe.yml | 48 ++--
 .../sysmon_apt_turla_namedpipes.yml | 43 ++--
 .../sysmon_cred_dump_tools_named_pipes.yml | 42 ++--
 .../sysmon_powershell_execution_pipe.yml | 25 +-
 .../sysmon_psexec_pipes_artifacts.yml | 35 +--
 ...ndocumented_autoelevated_com_interface.yml | 41 ++--
 .../sysmon_malware_verclsid_shellcode.yml | 45 ++--
 .../process_creation_dotnet.yml | 49 ++--
 .../process_creation_msdeploy.yml | 51 ++--
 .../sysmon_abusing_debug_privilege.yml | 75 +++---
 ..._accesschk_usage_after_priv_escalation.yml | 43 ++--
 ...levated_msi_spawned_cmd_and_powershell.yml | 47 ++--
 .../sysmon_apt_muddywater_dnstunnel.yml | 39 ++--
 .../sysmon_high_integrity_sdclt.yml | 33 +--
 ...on_scripts_userinitmprlogonscript_proc.yml | 46 ++--
 .../sysmon_sdclt_child_process.yml | 29 +--
 .../sysmon_susp_webdav_client_execution.yml | 31 +--
 .../win_apt_apt29_thinktanks.yml | 42 ++--
 .../process_creation/win_apt_babyshark.yml | 52 ++---
 .../win_apt_bear_activity_gtr19.yml | 58 ++---
 .../process_creation/win_apt_bluemashroom.yml | 37 +--
 .../process_creation/win_apt_cloudhopper.yml | 39 ++--
 .../process_creation/win_apt_dragonfly.yml | 35 +--
 .../process_creation/win_apt_elise.yml | 40 ++--
 .../win_apt_emissarypanda_sep19.yml | 32 +--
 .../process_creation/win_apt_empiremonkey.yml | 40 ++--
 .../win_apt_equationgroup_dll_u_load.yml | 42 ++--
 .../win_apt_evilnum_jul20.yml | 40 ++--
 .../win_apt_hurricane_panda.yml | 39 ++--
 .../win_apt_judgement_panda_gtr19.yml | 58 ++---
 .../win_apt_ke3chang_regadd.yml | 37 +--
 .../win_apt_lazarus_session_highjack.yml | 39 ++--
 .../process_creation/win_apt_mustangpanda.yml | 53 ++---
 .../process_creation/win_apt_ta17_293a_ps.yml | 34 +--
 .../process_creation/win_apt_taidoor.yml | 43 ++--
 .../win_apt_turla_comrat_may20.yml | 52 ++---
 .../win_apt_winnti_mal_hk_jan20.yml | 57 ++---
 .../win_apt_winnti_pipemon.yml | 45 ++--
 .../process_creation/win_apt_zxshell.yml | 50 ++--
 .../win_attrib_hiding_files.yml | 46 ++--
 .../process_creation/win_bootconf_mod.yml | 53 +++--
 .../win_bypass_squiblytwo.yml | 68 +++---
 .../win_change_default_file_association.yml | 48 ++--
 .../win_class_exec_xwizard.yml | 27 +--
 .../win_commandline_path_traversal.yml | 35 +--
 ...g_sensitive_files_with_credential_data.yml | 70 +++---
 .../process_creation/win_crime_fireball.yml | 40 ++--
 .../win_crime_snatch_ransomware.yml | 35 +--
 .../win_data_compressed_with_rar.yml | 46 ++--
 .../win_dns_exfiltration_tools_execution.yml | 36 +--
 .../win_dnscat2_powershell_implementation.yml | 43 ++--
 .../win_encoded_frombase64string.yml | 31 +--
 .../process_creation/win_encoded_iex.yml | 36 +--
 .../win_etw_modification_cmdline.yml | 26 +--
 .../win_etw_trace_evasion.yml | 99 ++++---
 ...ltration_and_tunneling_tools_execution.yml | 38 +--
 .../win_exploit_cve_2015_1641.yml | 31 +--
 .../win_exploit_cve_2017_0261.yml | 30 +--
 .../win_exploit_cve_2017_11882.yml | 40 ++--
 .../win_exploit_cve_2017_8759.yml | 40 ++--
 .../win_exploit_cve_2019_1378.yml | 54 ++---
 .../win_exploit_cve_2020_10189.yml | 49 ++--
 .../win_exploit_cve_2020_1048.yml | 48 ++--
 .../win_exploit_cve_2020_1350.yml | 39 ++--
 .../win_file_permission_modifications.yml | 46 ++--
 .../win_grabbing_sensitive_hives_via_reg.yml | 85 +++----
 .../process_creation/win_hack_bloodhound.yml | 77 +++----
 .../process_creation/win_hack_hydra.yml | 38 +--
 .../process_creation/win_hack_rubeus.yml | 57 ++---
 rules/windows/process_creation/win_hh_chm.yml | 38 +--
 .../process_creation/win_html_help_spawn.yml | 64 +++---
 .../process_creation/win_hwp_exploits.yml | 48 ++--
 .../win_impacket_lateralization.yml | 82 +++----
 .../process_creation/win_indirect_cmd.yml | 40 ++--
 ...n_indirect_cmd_compatibility_assistant.yml | 37 +--
 .../win_install_reg_debugger_backdoor.yml | 48 ++--
 .../process_creation/win_interactive_at.yml | 36 +--
 .../win_invoke_obfuscation_clip.yml | 31 +--
 ...obfuscation_obfuscated_iex_commandline.yml | 42 ++--
 .../win_invoke_obfuscation_stdin.yml | 31 +--
 .../win_invoke_obfuscation_var.yml | 31 +--
 .../win_invoke_obfuscation_via_compress.yml | 31 +--
 .../win_invoke_obfuscation_via_rundll.yml | 29 +--
 .../win_invoke_obfuscation_via_stdin.yml | 29 +--
 .../win_invoke_obfuscation_via_use_clip.yml | 29 +--
 .../win_invoke_obfuscation_via_use_mhsta.yml | 29 +--
 ...in_invoke_obfuscation_via_use_rundll32.yml | 29 +--
 .../win_invoke_obfuscation_via_var.yml | 31 +--
 .../process_creation/win_lethalhta.yml | 31 +--
 ...n_local_system_owner_account_discovery.yml | 108 ++++-----
 .../process_creation/win_lsass_dump.yml | 54 ++---
 .../process_creation/win_malware_dridex.yml | 60 ++---
 .../process_creation/win_malware_dtrack.yml | 31 +--
 .../process_creation/win_malware_emotet.yml | 58 ++---
 .../process_creation/win_malware_formbook.yml | 81 ++++---
 .../process_creation/win_malware_notpetya.yml | 63 +++--
 .../process_creation/win_malware_ryuk.yml | 36 +--
 .../win_malware_script_dropper.yml | 62 ++---
 .../win_malware_trickbot_recon_activity.yml | 38 +--
 .../win_malware_trickbot_wermgr.yml | 41 ++--
 .../process_creation/win_malware_wannacry.yml | 108 ++++-----
 .../win_mavinject_proc_inj.yml | 32 +--
 .../win_mimikatz_command_line.yml | 68 +++---
 .../process_creation/win_mmc_spawn_shell.yml | 56 ++---
 .../process_creation/win_mouse_lock.yml | 37 +--
 .../process_creation/win_mshta_javascript.yml | 39 ++--
 .../win_mshta_spawn_shell.yml | 64 +++---
 .../process_creation/win_net_user_add.yml | 48 ++--
 .../win_netsh_allow_port_rdp.yml | 50 ++--
 .../process_creation/win_netsh_fw_add.yml | 40 ++--
 .../win_netsh_packet_capture.yml | 36 +--
 .../process_creation/win_network_sniffing.yml | 49 ++--
 .../win_new_service_creation.yml | 40 ++--
 .../win_non_priv_reg_or_ps.yml | 73 +++---
 .../process_creation/win_office_shell.yml | 92 ++++----
 .../win_possible_applocker_bypass.yml | 60 ++---
 .../win_powershell_amsi_bypass.yml | 38 +--
 .../win_powershell_audio_capture.yml | 34 +--
 .../win_powershell_b64_shellcode.yml | 34 +--
 .../win_powershell_bitsjob.yml | 38 +--
 ...in_powershell_cmdline_reversed_strings.yml | 85 +++----
 ..._powershell_cmdline_special_characters.yml | 55 ++---
 ...wershell_cmdline_specific_comb_methods.yml | 93 ++++----
 .../win_powershell_dll_execution.yml | 44 ++--
 .../win_powershell_downgrade_attack.yml | 53 ++---
 .../win_powershell_download.yml | 41 ++--
 .../win_powershell_frombase64string.yml | 30 +--
 ...ershell_suspicious_parameter_variation.yml | 112 ++++-----
 .../win_powershell_xor_commandline.yml | 40 ++--
 .../win_powersploit_empire_schtasks.yml | 77 ++++---
 .../process_creation/win_psexesvc_start.yml | 26 +--
 .../process_creation/win_query_registry.yml | 70 +++---
 .../win_rasautou_dll_execution.yml | 47 ++--
 .../win_rdp_hijack_shadowing.yml | 32 +--
 .../win_redmimicry_winnti_proc.yml | 46 ++--
 .../win_regedit_export_critical_keys.yml | 51 ++--
 .../win_regedit_export_keys.yml | 51 ++--
 .../win_regedit_import_keys.yml | 51 ++--
 .../win_regedit_import_keys_ads.yml | 51 ++--
 .../win_remote_time_discovery.yml | 42 ++--
 .../process_creation/win_renamed_binary.yml | 116 +++++-----
 .../win_renamed_binary_highly_relevant.yml | 88 +++----
 .../process_creation/win_renamed_jusched.yml | 44 ++--
 .../process_creation/win_renamed_paexec.yml | 56 ++---
 .../process_creation/win_renamed_psexec.yml | 42 ++--
 .../win_run_powershell_script_from_ads.yml | 35 +--
 ...un_powershell_script_from_input_stream.yml | 33 +--
 .../win_service_execution.yml | 32 +--
 .../win_shadow_copies_access_symlink.yml | 33 +--
 .../win_shadow_copies_creation.yml | 43 ++--
 .../win_shell_spawn_susp_program.yml | 68 +++---
 .../win_soundrec_audio_capture.yml | 30 +--
 .../windows/process_creation/win_spn_enum.yml | 39 ++--
 .../process_creation/win_susp_bginfo.yml | 34 +--
 .../process_creation/win_susp_calc.yml | 33 +--
 .../windows/process_creation/win_susp_cdb.yml | 38 +--
 .../win_susp_child_process_as_system_.yml | 58 ++---
 .../process_creation/win_susp_cli_escape.yml | 38 +--
 .../win_susp_cmd_http_appdata.yml | 46 ++--
 .../win_susp_compression_params.yml | 56 ++---
 .../win_susp_comsvcs_procdump.yml | 52 ++---
 .../win_susp_control_dll_load.yml | 38 +--
 .../win_susp_copy_system32.yml | 40 ++--
 .../process_creation/win_susp_covenant.yml | 55 ++---
 ...sp_crackmapexec_powershell_obfuscation.yml | 57 ++---
 .../win_susp_curl_download.yml | 40 ++--
 .../win_susp_curl_fileupload.yml | 34 +--
 .../win_susp_curl_start_combo.yml | 36 +--
 .../win_susp_dctask64_proc_inject.yml | 46 ++--
 .../win_susp_desktopimgdownldr.yml | 50 ++--
 .../win_susp_devtoolslauncher.yml | 34 +--
 ...susp_direct_asep_reg_keys_modification.yml | 62 ++---
 .../win_susp_disable_ie_features.yml | 47 ++--
 .../process_creation/win_susp_diskshadow.yml | 39 ++--
 .../process_creation/win_susp_ditsnap.yml | 37 +--
 .../windows/process_creation/win_susp_dnx.yml | 34 +--
 .../win_susp_double_extension.yml | 51 ++--
 .../process_creation/win_susp_dxcap.yml | 38 +--
 .../win_susp_eventlog_clear.yml | 64 +++---
 .../win_susp_execution_path_webserver.yml | 49 ++--
 .../process_creation/win_susp_explorer.yml | 35 +--
 .../win_susp_explorer_break_proctree.yml | 32 +--
 ...p_file_download_via_gfxdownloadwrapper.yml | 33 +--
 .../process_creation/win_susp_findstr.yml | 49 ++--
 .../process_creation/win_susp_findstr_lnk.yml | 38 +--
 .../win_susp_firewall_disable.yml | 36 +--
 .../win_susp_fsutil_usage.yml | 46 ++--
 .../windows/process_creation/win_susp_ftp.yml | 47 ++--
 .../windows/process_creation/win_susp_gup.yml | 40 ++--
 .../win_susp_mounted_share_deletion.yml | 33 +--
 .../win_susp_mpcmdrun_download.yml | 45 ++--
 .../process_creation/win_susp_msiexec_cwd.yml | 37 +--
 .../process_creation/win_susp_msoffice.yml | 40 ++--
 .../win_susp_netsh_dll_persistence.yml | 46 ++--
 .../process_creation/win_susp_odbcconf.yml | 46 ++--
 .../process_creation/win_susp_openwith.yml | 34 +--
 .../process_creation/win_susp_pcwutl.yml | 39 ++--
 .../process_creation/win_susp_pester.yml | 57 ++---
 .../win_susp_powershell_empire_launch.yml | 46 ++--
 .../win_susp_powershell_empire_uac_bypass.yml | 41 ++--
 .../win_susp_powershell_encoded_param.yml | 31 +--
 .../win_susp_powershell_hidden_b64_cmd.yml | 129 +++++------
 .../win_susp_powershell_parent_process.yml | 101 ++++----
 .../process_creation/win_susp_print.yml | 53 ++---
 .../win_susp_ps_downloadfile.yml | 39 ++--
 .../process_creation/win_susp_psexec_eula.yml | 34 +--
 .../win_susp_psr_capture_screenshots.yml | 34 +--
 .../win_susp_rasdial_activity.yml | 31 +--
 .../win_susp_register_cimprovider.yml | 37 +--
 .../win_susp_regsvr32_flags_anomaly.yml | 37 +--
 .../win_susp_renamed_dctask64.yml | 46 ++--
 .../win_susp_renamed_debugview.yml | 33 +--
 .../process_creation/win_susp_rpcping.yml | 67 +++---
 .../win_susp_rundll32_activity.yml | 139 +++++------
 ...p_rundll32_setupapi_installhinfsection.yml | 51 ++--
 .../win_susp_runonce_execution.yml | 41 ++--
 .../win_susp_runscripthelper.yml | 35 +--
 .../win_susp_script_execution.yml | 44 ++--
 .../win_susp_service_dacl_modification.yml | 49 ++--
 .../win_susp_service_path_modification.yml | 50 ++--
 .../win_susp_sqldumper_activity.yml | 38 +--
 .../win_susp_sysprep_appdata.yml | 34 +--
 .../win_susp_taskmgr_parent.yml | 37 +--
 .../win_susp_tracker_execution.yml | 45 ++--
 .../win_susp_tscon_rdp_redirect.yml | 34 +--
 .../win_susp_use_of_csharp_console.yml | 29 +--
 .../win_susp_use_of_sqlps_bin.yml | 39 ++--
 .../win_susp_use_of_sqltoolsps_bin.yml | 40 ++--
 .../win_susp_use_of_te_bin.yml | 30 +--
 .../process_creation/win_susp_vboxdrvinst.yml | 44 ++--
 .../process_creation/win_susp_whoami.yml | 33 +--
 .../win_susp_winrm_execution.yml | 39 ++--
 .../win_susp_wmic_proc_create_rundll32.yml | 33 +--
 .../process_creation/win_susp_wsl_lolbin.yml | 37 +--
 .../win_tap_installer_execution.yml | 21 +-
 .../win_termserv_proc_spawn.yml | 40 ++--
 .../process_creation/win_uac_cmstp.yml | 48 ++--
 .../process_creation/win_uac_fodhelper.yml | 36 +--
 .../process_creation/win_uac_wsreset.yml | 32 +--
 ..._change_sevice_image_path_by_non_admin.yml | 50 ++--
 .../win_using_settingsynchost_as_lolbin.yml | 50 ++--
 .../win_verclsid_runs_com.yml | 37 +--
 .../win_visual_basic_compiler.yml | 27 +--
 .../win_vul_java_remote_debugging.yml | 30 +--
 .../win_webshell_recon_detection.yml | 63 ++---
 .../process_creation/win_webshell_spawn.yml | 54 ++---
 .../win_win10_sched_task_0day.yml | 40 ++--
 .../process_creation/win_winword_dll_load.yml | 31 +--
 ..._wmi_backdoor_exchange_transport_agent.yml | 30 +--
 ..._wmi_persistence_script_event_consumer.yml | 32 +--
 .../win_wsreset_uac_bypass.yml | 38 +--
 .../win_xsl_script_processing.yml | 35 ++-
 .../sysmon_bypass_via_wsreset.yml | 41 ++--
 .../registry_event/sysmon_comhijack_sdclt.yml | 31 +--
 .../registry_event/sysmon_cve_2020_1048.yml | 46 ++--
 .../registry_event/sysmon_dhcp_calloutdll.yml | 42 ++--
 ...y_events_logging_adding_reg_key_minint.yml | 46 ++--
 ...ysmon_disable_wdigest_credential_guard.yml | 25 +-
 ...on_enabling_cor_profiler_env_variables.yml | 37 +--
 .../registry_event/sysmon_etw_disabled.yml | 27 +--
 .../registry_event/sysmon_hack_wce_reg.yml | 28 +--
 ...gon_scripts_userinitmprlogonscript_reg.yml | 32 +--
 .../sysmon_modify_screensaver_binary_path.yml | 15 +-
 .../sysmon_narrator_feedback_persistance.yml | 34 +--
 .../sysmon_new_application_appcompat.yml | 33 +--
 ..._dll_added_to_appcertdlls_registry_key.yml | 47 ++--
 .../sysmon_rdp_registry_modification.yml | 40 ++--
 .../sysmon_rdp_settings_hijack.yml | 34 +--
 .../sysmon_redmimicry_winnti_reg.yml | 25 +-
 .../sysmon_registry_susp_printer_driver.yml | 33 +--
 ...mon_registry_trust_record_modification.yml | 30 +--
 ...mon_removal_com_hijacking_registry_key.yml | 37 +--
 .../registry_event/sysmon_runkey_winekey.yml | 37 +--
 .../sysmon_runonce_persistence.yml | 29 +--
 .../sysmon_ssp_added_lsa_config.yml | 40 ++--
 .../sysmon_susp_download_run_key.yml | 36 +--
 .../sysmon_susp_lsass_dll_load.yml | 36 +--
 .../sysmon_susp_reg_persist_explorer_run.yml | 54 ++---
 .../sysmon_susp_service_installed.yml | 49 ++--
 ...sysmon_suspicious_keyboard_layout_load.yml | 43 ++--
 .../sysmon_win_reg_persistence.yml | 58 ++---
 .../sysmon_win_reg_telemetry_persistence.yml | 47 ++--
 .../sysmon_wmi_event_subscription.yml | 29 +--
 547 files changed, 11964 insertions(+), 11755 deletions(-)
diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml
index 2add5d608..3a9366fd6 100644
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@@ -1,30 +1,30 @@
 title: Suspicious SQL Error Messages
 id: 8a670c6d-7189-4b1c-8017-a417ca84a086
-status: experimental
+status: test
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-date: 2017/11/27
-modified: 2020/09/01
 references:
- - http://www.sqlinjection.net/errors
+ - http://www.sqlinjection.net/errors
+date: 2017/11/27
+modified: 2021/11/27
 logsource:
- category: application
- product: sql
+ category: application
+ product: sql
 detection:
- keywords:
+ keywords:
 # Oracle
- - quoted string not properly terminated
+ - quoted string not properly terminated
 # MySQL
- - You have an error in your SQL syntax
+ - You have an error in your SQL syntax
 # SQL Server
- - Unclosed quotation mark
+ - Unclosed quotation mark
 # SQLite
- - 'near "*": syntax error'
- - SELECTs to the left and right of UNION do not have the same number of result columns
- condition: keywords
+ - 'near "*": syntax error'
+ - SELECTs to the left and right of UNION do not have the same number of result columns
+ condition: keywords
 falsepositives:
- - Application bugs
+ - Application bugs
 level: high
 tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml
index 19c0c957f..faeea86db 100644
--- a/rules/apt/apt_silence_downloader_v3.yml
+++ b/rules/apt/apt_silence_downloader_v3.yml
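Review bot: The keyword list on the new side of the app_sqlinjection_errors.yml hunk matches raw database error strings with no request context, so any application that logs driver or ORM errors will raise this `level: high` alert on ordinary bugs, and the single entry `falsepositives: - Application bugs` understates how often that happens. I would extend the description so operators know the precondition and how to tune it: `description: Detects SQL error messages that indicate probing for an injection attack. Requires raw database error text in the application log; a single hit can be a genuine application bug, so correlate by source address or hit count before escalating.` The SQLite entry `'near "*": syntax error'` relies on `*` being treated as a wildcard for the offending token, which Sigma does for keyword values, but since the other four entries are literal it deserves an inline `# * matches the offending token` so nobody "fixes" it into a literal asterisk.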
@@ -1,40 +1,40 @@
 title: Silence.Downloader V3
 id: 170901d1-de11-4de7-bccb-8fa13678d857
-status: experimental
+status: test
 description: Detects Silence downloader. These commands are hardcoded into the binary.
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2020/09/01
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_recon:
- Image|endswith:
- - '\tasklist.exe'
- - '\qwinsta.exe'
- - '\ipconfig.exe'
- - '\hostname.exe'
- CommandLine|contains: '>>'
- CommandLine|endswith: 'temps.dat'
- selection_persistence:
- CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
- condition: selection_recon | near selection_persistence # requires both
+ selection_recon:
+ Image|endswith:
+ - '\tasklist.exe'
+ - '\qwinsta.exe'
+ - '\ipconfig.exe'
+ - '\hostname.exe'
+ CommandLine|contains: '>>'
+ CommandLine|endswith: 'temps.dat'
+ selection_persistence:
+ CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
+ condition: selection_recon | near selection_persistence # requires both
 fields:
- - ComputerName
- - User
- - Image
- - CommandLine
+ - ComputerName
+ - User
+ - Image
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.persistence
- - attack.t1547.001
- - attack.t1060 # an old one
- - attack.discovery
- - attack.t1057
- - attack.t1082
- - attack.t1016
- - attack.t1033
- - attack.g0091
\ No newline at end of file
+ - attack.persistence
+ - attack.t1547.001
+ - attack.t1060 # an old one
+ - attack.discovery
+ - attack.t1057
+ - attack.t1082
+ - attack.t1016
+ - attack.t1033
+ - attack.g0091
diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml
index 3ac105659..ad8aadcf9 100644
--- a/rules/apt/apt_silence_eda.yml
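Review bot: `condition: selection_recon | near selection_persistence` in apt_silence_downloader_v3.yml uses the `near` aggregation, which to my knowledge only a minority of sigmac backends ever implemented, so most consumers converting this rule will get an unsupported-feature error rather than a working query. Moving `status` from `experimental` to `test` signals that the rule converts and has been exercised against a backend, and this condition makes that claim doubtful for the majority of targets. If the two selections genuinely must co-occur on one host, consider splitting them into two plain rules (recon output redirected into `temps.dat`, and the `WinNetworkSecurity` Run-key addition) correlated downstream, or at minimum state the dependency next to the condition: `# requires a backend that implements the near aggregation; most do not`. Separately, `attack.t1060 # an old one` duplicates `attack.t1547.001` under a deprecated ID and could be dropped while the rule is being re-baselined.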
+++ b/rules/apt/apt_silence_eda.yml 
@@ -1,43 +1,43 @@
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
-status: experimental
+status: test
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
-modified: 2020/09/01
+modified: 2021/11/27
logsource:
- product: windows
- service: powershell
+ product: windows
+ service: powershell
detection:
- empire:
- ScriptBlockText|contains|all: # better to randomise the order
- - 'System.Diagnostics.Process'
- - 'Stop-Computer'
- - 'Restart-Computer'
- - 'Exception in execution'
- - '$cmdargs'
- - 'Close-Dnscat2Tunnel'
- dnscat:
- ScriptBlockText|contains|all: # better to randomise the order
- - 'set type=$LookupType`nserver'
- - '$Command | nslookup 2>&1 | Out-String'
- - 'New-RandomDNSField'
- - '[Convert]::ToString($SYNOptions, 16)'
- - '$Session.Dead = $True'
- - '$Session["Driver"] -eq'
- condition: empire and dnscat
+ empire:
+ ScriptBlockText|contains|all: # better to randomise the order
+ - 'System.Diagnostics.Process'
+ - 'Stop-Computer'
+ - 'Restart-Computer'
+ - 'Exception in execution'
+ - '$cmdargs'
+ - 'Close-Dnscat2Tunnel'
+ dnscat:
+ ScriptBlockText|contains|all: # better to randomise the order
+ - 'set type=$LookupType`nserver'
+ - '$Command | nslookup 2>&1 | Out-String'
+ - 'New-RandomDNSField'
+ - '[Convert]::ToString($SYNOptions, 16)'
+ - '$Session.Dead = $True'
+ - '$Session["Driver"] -eq'
+ condition: empire and dnscat
falsepositives:
- - Unknown
+ - Unknown
level: critical
tags:
- - attack.execution
- - attack.t1059.001
- - attack.t1086 # an old one
- - attack.command_and_control
- - attack.t1071.004
- - attack.t1071 # an old one
- - attack.t1572
- - attack.impact
- - attack.t1529
- - attack.g0091
- - attack.s0363
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.command_and_control
+ - attack.t1071.004
+ - attack.t1071 # an old one
+ - attack.t1572
+ - attack.impact
+ - attack.t1529
+ - attack.g0091
+
- attack.s0363
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
index ed305d5e3..9537454f2 100644
--- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
@@ -1,11 +1,12 @@
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
-status: experimental
-author: sawwinnnaung
-date: 2020/05/07
+status: test
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+date: 2020/05/07
+modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
@@ -14,8 +15,8 @@ detection:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
-level: medium
falsepositives:
- Valid change
+level: medium
tags:
- attack.t1098
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml
index a7bb6240f..060207576 100644
--- a/rules/cloud/azure/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/azure_granting_permission_detection.yml
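Review bot: The title and description promise detection of an anomalous number of VM creations or deployments, but `condition: keywords` in the second hunk fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write` event, so the rule does not implement what its metadata says. Either add a counting aggregation with a `timeframe`, in the style `generic_brute_force.yml` in this same commit uses (`condition: keywords | count() > <THRESHOLD>` with a threshold the author chooses), or reword the description to say the rule flags each resource write and leaves the counting to the consumer. The same description/condition mismatch exists in `azure_granting_permission_detection.yml`, whose description speaks of alerting on a previously unseen source IP while the condition is a plain `Microsoft.Authorization/roleAssignments/write` keyword match with no baseline logic.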
@@ -1,20 +1,21 @@
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
-status: experimental
-author: sawwinnnaung
-date: 2020/05/07
+status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
+author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+date: 2020/05/07
+modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
detection:
- keywords:
+ keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
-level: medium
falsepositives:
- Valid change
+level: medium
tags:
- attack.t1098
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml
index 3d93148de..3a1ad660f 100644
--- a/rules/cloud/azure/azure_rare_operations.yml
+++ b/rules/cloud/azure/azure_rare_operations.yml
@@ -1,16 +1,17 @@
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
-status: experimental
-author: sawwinnnaung
-date: 2020/05/07
+status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
+author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+date: 2020/05/07
+modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
detection:
- keywords:
+ keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
@@ -19,8 +20,8 @@ detection:
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
-level: medium
falsepositives:
- Valid change
+level: medium
tags:
- attack.t1003
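Review bot: The description of `azure_rare_operations.yml` is a verbatim copy of the granting-permission rule's text ("Identifies IPs from which users grant access to other users…"), which does not describe the listKeys, snapshot and network-security-group write operations its keywords actually match, and the commit keeps it as a context line instead of fixing it. Suggested: `description: Detects rare subscription-level operations in Azure, such as listing service account keys or writing snapshots and network security groups, as recorded in the AzureActivity log.` The rule has no "previously unseen" baseline, so the description should not claim one.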
diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
index 8531eaef5..b23d04651 100644
--- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -1,27 +1,27 @@
-title: Microsoft 365 - Impossible Travel Activity
+title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
+status: test
+description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
author: Austin Songer @austinsonger
-date: 2020/07/06
-modified: 2020/07/06
references:
- - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+date: 2020/07/06
+modified: 2021/11/27
logsource:
- category: ThreatManagement
- product: m365
+ category: ThreatManagement
+ product: m365
detection:
- selection:
- eventSource: SecurityComplianceCenter
- eventName: "Impossible travel activity"
- status: success
- condition: selection
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Impossible travel activity"
+ status: success
+ condition: selection
falsepositives:
- -
+ -
level: medium
tags:
- - attack.initial_access
- - attack.t1078
+ - attack.initial_access
+ - attack.t1078
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
index 6767424a8..47b45e159 100644
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
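Review bot: The `falsepositives:` section is re-added with an empty list item (a bare `-` with no value), which YAML loads as a null entry rather than a string, and a rule promoted to `status: test` should not carry a placeholder there. Every other rule touched by this commit uses a real entry, so `  - Unknown` (or a concrete case such as legitimate VPN egress changes if the author can vouch for it) keeps the file consistent and lets schema checks that require a non-empty string list pass. The rest of the hunk is whitespace and field reordering only.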
@@ -1,27 +1,27 @@
title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
-status: experimental
+status: test
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
-modified: 2020/09/01
+modified: 2021/11/27
logsource:
- category: authentication
+ category: authentication
detection:
- selection:
- action: failure
- timeframe: 600s
- condition: selection | count(category) by dst_ip > 30
+ selection:
+ action: failure
+ timeframe: 600s
+ condition: selection | count(category) by dst_ip > 30
fields:
- - src_ip
- - dst_ip
- - user
+ - src_ip
+ - dst_ip
+ - user
falsepositives:
- - Inventarization
- - Penetration testing
- - Vulnerability scanner
- - Legitimate application
+ - Inventarization
+ - Penetration testing
+ - Vulnerability scanner
+ - Legitimate application
level: medium
tags:
- - attack.credential_access
- - attack.t1110
\ No newline at end of file
+ - attack.credential_access
+ - attack.t1110
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index ddc0901a3..89030ee2d 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
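Review bot: The description kept as a context line reads "which is may indicate Brute Force activity", a stray "is", and `Inventarization` in `falsepositives` is not an English word, so this hunk was a good moment to fix both while the file was being re-indented. Suggested: `description: Detects many authentication failures from one source to one destination, which may indicate brute-force activity` and `  - Inventory or asset scanning`. The description also says "from one source", but the aggregation groups only `by dst_ip`; either say "to one destination" alone or group by `src_ip` as well so the text matches the condition.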
@@ -1,32 +1,33 @@
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
-status: experimental
+status: test
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
author: Peter Matkovski
-date: 2019/05/12
references:
- - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+ - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+date: 2019/05/12
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'PATH'
- name:
- - '/home/*/.bashrc'
- - '/home/*/.bash_profile'
- - '/home/*/.profile'
- - '/etc/profile'
- - '/etc/shells'
- - '/etc/bashrc'
- - '/etc/csh.cshrc'
- - '/etc/csh.login'
- condition: selection
+ selection:
+ type: 'PATH'
+ name:
+ - '/home/*/.bashrc'
+ - '/home/*/.bash_profile'
+ - '/home/*/.profile'
+ - '/etc/profile'
+ - '/etc/shells'
+ - '/etc/bashrc'
+ - '/etc/csh.cshrc'
+ - '/etc/csh.login'
+ condition: selection
falsepositives:
- - Admin or User activity
+ - Admin or User activity
level: medium
tags:
- - attack.s0003
- - attack.t1156 # an old one
- - attack.persistence
- - attack.t1546.004
\ No newline at end of file
+ - attack.s0003
+ - attack.t1156 # an old one
+ - attack.persistence
+ - attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 4fac21234..6d2657ca7 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
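Review bot: The `name` list covers `/home/*/` dotfiles and the system-wide `/etc/` files but not root's own shell startup files or the drop-in directory that `/etc/profile` sources, so an edit to `/root/.bashrc` or a new script in `/etc/profile.d/` goes unreported even though it is the same persistence technique. Adding `- '/root/.bashrc'`, `- '/root/.bash_profile'` and `- '/etc/profile.d/*'` under `name:` closes that gap. The single reference is a free-text string rather than a resolvable link; since the tag was already updated to `attack.t1546.004`, the reference should point at that technique's ATT&CK entry instead of the retired T1156 text.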
@@ -1,35 +1,32 @@
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
-status: experimental
+status: test
description: Detect changes in auditd configuration files
- # Example config for this one (place it at the top of audit.rules)
- # -w /etc/audit/ -p wa -k etc_modify_auditconfig
- # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
- # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
author: Mikhail Larin, oscd.community
-date: 2019/10/25
references:
- - https://github.com/Neo23x0/auditd/blob/master/audit.rules
- - self experience
+ - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+ - self experience
+date: 2019/10/25
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: PATH
- name:
- - /etc/audit/*
- - /etc/libaudit.conf
- - /etc/audisp/*
- condition: selection
+ selection:
+ type: PATH
+ name:
+ - /etc/audit/*
+ - /etc/libaudit.conf
+ - /etc/audisp/*
+ condition: selection
fields:
- - exe
- - comm
- - key
+ - exe
+ - comm
+ - key
falsepositives:
- - Legitimate administrative activity
+ - Legitimate administrative activity
level: high
tags:
- - attack.defense_evasion
- - attack.t1054 # an old one
- - attack.t1562.006
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1054 # an old one
+ - attack.t1562.006
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index a6df756da..70d03d204 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
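Review bot: The four comment lines documenting the audit.rules watches this rule needs (`-w /etc/audit/ -p wa -k etc_modify_auditconfig` and the two siblings) are deleted without the requirement being moved anywhere else, so after this change nothing in the rule tells a deployer that it only fires when file watches on those paths are configured. The same prerequisite is lost in the same way in `lnx_auditd_binary_padding.yml`, `lnx_auditd_change_file_time_attr.yml`, `lnx_auditd_find_cred_in_files.yml` and `lnx_auditd_split_file_into_pieces.yml` (execve auditing) and in `lnx_auditd_logging_config_change.yml` (syslog config watches). If comments inside the YAML were the objection, keep the requirement in the description, e.g. `description: Detect changes in auditd configuration files. Requires audit file watches on /etc/audit/, /etc/libaudit.conf and /etc/audisp/ (for example -w /etc/audit/ -p wa -k etc_modify_auditconfig).`, and the equivalent execve-auditing sentence in the other five rules.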
@@ -1,33 +1,30 @@
title: 'Binary Padding'
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
-status: experimental
+status: test
description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
- # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
-date: 2020/10/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+date: 2020/10/13
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- execve:
- type: 'EXECVE'
- truncate:
- - 'truncate'
- - '-s'
- dd:
- - 'dd'
- - 'if='
- filter:
- - 'of='
- condition: execve and (all of truncate or (all of dd and not filter))
+ execve:
+ type: 'EXECVE'
+ truncate:
+ - 'truncate'
+ - '-s'
+ dd:
+ - 'dd'
+ - 'if='
+ filter:
+ - 'of='
+ condition: execve and (all of truncate or (all of dd and not filter))
falsepositives:
- - 'Legitimate script work'
+ - 'Legitimate script work'
level: high
tags:
- - attack.defense_evasion
- - attack.t1027.001
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
index 416448e5d..c2f250151 100644
--- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
@@ -1,32 +1,29 @@
title: 'File Time Attribute Change'
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
-status: experimental
+status: test
description: 'Detect file time attribute change to hide new or changes to existing files.'
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
-date: 2020/10/15
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+date: 2020/10/15
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- execve:
- type: 'EXECVE'
- touch:
- - 'touch'
- selection2:
- - '-t'
- - '-acmr'
- - '-d'
- - '-r'
- condition: execve and touch and selection2
+ execve:
+ type: 'EXECVE'
+ touch:
+ - 'touch'
+ selection2:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: execve and touch and selection2
falsepositives:
- - 'Unknown'
+ - 'Unknown'
level: medium
tags:
- - attack.defense_evasion
- - attack.t1070.006
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
index 687e46dc7..eaceefccb 100644
--- a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
+++ b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
@@ -1,23 +1,24 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
-status: experimental
+status: test
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+date: 2019/09/23
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'EXECVE'
- a0|contains: 'chattr'
- a1|contains: '-i'
- condition: selection
+ selection:
+ type: 'EXECVE'
+ a0|contains: 'chattr'
+ a1|contains: '-i'
+ condition: selection
falsepositives:
- - Administrator interacting with immutable files (e.g. for instance backups).
+ - Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- - attack.defense_evasion
- - attack.t1222.002
+ - attack.defense_evasion
+ - attack.t1222.002
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 4c1d6f6ba..8d2d96b09 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -1,23 +1,24 @@
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
-status: experimental
+status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
author: Marie Euler
-date: 2020/05/18
references:
- - 'MITRE Attack technique T1136; Create Account '
+ - 'MITRE Attack technique T1136; Create Account '
+date: 2020/05/18
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'SYSCALL'
- exe|endswith: '/useradd'
- condition: selection
+ selection:
+ type: 'SYSCALL'
+ exe|endswith: '/useradd'
+ condition: selection
falsepositives:
- - Admin activity
+ - Admin activity
level: medium
tags:
- - attack.t1136 # an old one
- - attack.t1136.001
- - attack.persistence
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
index 07818316f..34b0f105a 100644
--- a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
+++ b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
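Review bot: `exe|endswith: '/useradd'` matches only the low-level binary, so an account created through the Debian/Ubuntu `adduser` wrapper is missed unless the wrapper happens to exec `useradd` in a separately audited SYSCALL record; making the field a list, `exe|endswith:` with `- '/useradd'` and `- '/adduser'`, closes the common gap without widening the rule. The rule also only sees this event when execve auditing is enabled, which the description does not say; a sentence such as "Requires execve auditing (SYSCALL records) to be configured" would help deployers.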
@@ -1,24 +1,25 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
-status: experimental
+status: test
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+date: 2019/09/23
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'EXECVE'
- a0|contains:
- - 'chmod'
- - 'chown'
- condition: selection
+ selection:
+ type: 'EXECVE'
+ a0|contains:
+ - 'chmod'
+ - 'chown'
+ condition: selection
falsepositives:
- - User interacting with files permissions (normal/daily behaviour).
+ - User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- - attack.defense_evasion
- - attack.t1222.002
+ - attack.defense_evasion
+ - attack.t1222.002
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index 84ddd8ea6..b8d06ee1a 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -1,28 +1,25 @@
title: 'Credentials In Files'
id: df3fcaea-2715-4214-99c5-0056ea59eb35
-status: experimental
+status: test
description: 'Detecting attempts to extract passwords with grep'
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
-date: 2020/10/15
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+date: 2020/10/15
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- execve:
- type: 'EXECVE'
- passwordgrep:
- - 'grep'
- - 'password'
- condition: execve and all of passwordgrep
+ execve:
+ type: 'EXECVE'
+ passwordgrep:
+ - 'grep'
+ - 'password'
+ condition: execve and all of passwordgrep
falsepositives:
- - 'Unknown'
+ - 'Unknown'
level: high
tags:
- - attack.credential_access
- - attack.t1552.001
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index 868ff4c6b..ffe1bd020 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -1,24 +1,24 @@
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
-status: experimental
+status: test
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+date: 2019/10/24
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'PATH'
- name: '/etc/ld.so.preload'
- condition: selection
+ selection:
+ type: 'PATH'
+ name: '/etc/ld.so.preload'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.defense_evasion
- - attack.t1574.006
+ - attack.defense_evasion
+ - attack.t1574.006
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index 06e93c2e8..018008956 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -1,34 +1,31 @@
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
-status: experimental
+status: test
description: Detect changes of syslog daemons configuration files
- # Example config for this one (place it at the top of audit.rules)
- # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
- # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
- # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
author: Mikhail Larin, oscd.community
-date: 2019/10/25
references:
- - self experience
+ - self experience
+date: 2019/10/25
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'PATH'
- name:
- - /etc/syslog.conf
- - /etc/rsyslog.conf
- - /etc/syslog-ng/syslog-ng.conf
- condition: selection
+ selection:
+ type: 'PATH'
+ name:
+ - /etc/syslog.conf
+ - /etc/rsyslog.conf
+ - /etc/syslog-ng/syslog-ng.conf
+ condition: selection
fields:
- - exe
- - comm
- - key
+ - exe
+ - comm
+ - key
falsepositives:
- - Legitimate administrative activity
+ - Legitimate administrative activity
level: high
tags:
- - attack.defense_evasion
- - attack.t1054 # an old one
- - attack.t1562.006
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1054 # an old one
+ - attack.t1562.006
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index abb7ac2c5..ce000f173 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -1,24 +1,24 @@
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
-status: experimental
-description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
- observation. Several different variations of this technique have been observed.
+status: test
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+date: 2019/10/21
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'execve'
- a0: 'cp'
- a1: '-i'
- a2: '/bin/sh'
- a3|endswith: '/crond'
- condition: selection
+ selection:
+ type: 'execve'
+ a0: 'cp'
+ a1: '-i'
+ a2: '/bin/sh'
+ a3|endswith: '/crond'
+ condition: selection
level: medium
tags:
- - attack.defense_evasion
- - attack.t1036.003
+ - attack.defense_evasion
+ - attack.t1036.003
diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
index 3050725a2..d7cc90375 100644
--- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
+++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
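Review bot: `type: 'execve'` is re-added in lowercase while every other auditd EXECVE rule in this commit (`lnx_auditd_chattr_immutable_removal.yml`, `lnx_auditd_susp_cmds.yml`, `lnx_auditd_pers_systemd_reload.yml` and others) uses `type: 'EXECVE'`, which is the record type auditd writes; on a backend that compares the field case-sensitively this rule never matches. Change it to `type: 'EXECVE'`. This is also the only auditd rule in the commit without a `falsepositives:` section; adding `falsepositives:` with `  - Unknown` brings it in line with the schema the sibling rules follow. The exact-match `a1: '-i'` additionally ties detection to one argument ordering of `cp`, which is worth a sentence in the description so analysts know the rule is narrow by design.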
@@ -1,27 +1,28 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
-status: experimental
+status: test
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
references:
- - https://attack.mitre.org/techniques/T1543/002/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
+ - https://attack.mitre.org/techniques/T1543/002/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
+date: 2019/09/23
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'EXECVE'
- a0|contains: 'systemctl'
- a1|contains:
- - 'daemon-reload'
- - 'start'
- condition: selection
+ selection:
+ type: 'EXECVE'
+ a0|contains: 'systemctl'
+ a1|contains:
+ - 'daemon-reload'
+ - 'start'
+ condition: selection
falsepositives:
- - Installation of legitimate service.
- - Legitimate reconfiguration of service.
+ - Installation of legitimate service.
+ - Legitimate reconfiguration of service.
level: low
tags:
- - attack.persistence
- - attack.t1543.002
+ - attack.persistence
+ - attack.t1543.002
diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
index 36b1a82db..466b7b7a2 100644
--- a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
+++ b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
@@ -1,26 +1,23 @@
title: 'Split A File Into Pieces'
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
-status: experimental
+status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
- # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
-date: 2020/10/15
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+date: 2020/10/15
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- type: 'SYSCALL'
- comm: 'split'
- condition: selection
+ selection:
+ type: 'SYSCALL'
+ comm: 'split'
+ condition: selection
falsepositives:
- - 'Legitimate administrative activity'
+ - 'Legitimate administrative activity'
level: low
tags:
- - attack.exfiltration
- - attack.t1030
+ - attack.exfiltration
+ - attack.t1030
diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
index 8b1456068..7bd2b3b07 100644
--- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -1,21 +1,22 @@
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
-status: experimental
+status: test
description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
author: Marie Euler
references:
- - 'https://github.com/Neo23x0/auditd'
+ - 'https://github.com/Neo23x0/auditd'
date: 2020/05/18
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- selection:
- key:
- - 'susp_activity'
- condition: selection
+ selection:
+ key:
+ - 'susp_activity'
+ condition: selection
falsepositives:
- - Admin or User activity
+ - Admin or User activity
level: medium
tags:
- - attack.command_and_control
\ No newline at end of file
+ - attack.command_and_control
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 96bf95add..2a85474b2 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -1,35 +1,36 @@
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
-status: experimental
+status: test
description: Detects relevant commands often related to malware or hacking activity
author: Florian Roth
-date: 2017/12/12
references:
- - Internal Research - mostly derived from exploit code including code in MSF
+ - Internal Research - mostly derived from exploit code including code in MSF
+date: 2017/12/12
+modified: 2021/11/27
logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
detection:
- cmd1:
- type: 'EXECVE'
- a0: 'chmod'
- a1: '777'
- cmd2:
- type: 'EXECVE'
- a0: 'chmod'
- a1: 'u+s'
- cmd3:
- type: 'EXECVE'
- a0: 'cp'
- a1: '/bin/ksh'
- cmd4:
- type: 'EXECVE'
- a0: 'cp'
- a1: '/bin/sh'
- condition: 1 of them
+ cmd1:
+ type: 'EXECVE'
+ a0: 'chmod'
+ a1: '777'
+ cmd2:
+ type: 'EXECVE'
+ a0: 'chmod'
+ a1: 'u+s'
+ cmd3:
+ type: 'EXECVE'
+ a0: 'cp'
+ a1: '/bin/ksh'
+ cmd4:
+ type: 'EXECVE'
+ a0: 'cp'
+ a1: '/bin/sh'
+ condition: 1 of them
falsepositives:
- - Admin activity
+ - Admin activity
level: medium
tags:
- - attack.execution
- - attack.t1059.004
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.004
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index be3889840..23c6037bd 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -1,43 +1,44 @@
 title: Program Executions in Suspicious Folders
 id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
-status: experimental
+status: test
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 author: Florian Roth
-date: 2018/01/23
 references:
- - Internal Research
+ - Internal Research
+date: 2018/01/23
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- selection:
- type: 'SYSCALL'
- exe|startswith:
+ selection:
+ type: 'SYSCALL'
+ exe|startswith:
 # Temporary folder
- - '/tmp/'
+ - '/tmp/'
 # Web server
- - '/var/www/' # Standard
- - '/home/*/public_html/' # Per-user
- - '/usr/local/apache2/' # Classical Apache
- - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- - '/var/apache/' # Solaris Apache
- - '/srv/www/' # SuSE Linux 9.*
- - '/home/httpd/html/' # Redhat 6 or older Apache
- - '/srv/http/' # ArchLinux standard
- - '/usr/share/nginx/html/' # ArchLinux nginx
+ - '/var/www/' # Standard
+ - '/home/*/public_html/' # Per-user
+ - '/usr/local/apache2/' # Classical Apache
+ - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
+ - '/var/apache/' # Solaris Apache
+ - '/srv/www/' # SuSE Linux 9.*
+ - '/home/httpd/html/' # Redhat 6 or older Apache
+ - '/srv/http/' # ArchLinux standard
+ - '/usr/share/nginx/html/' # ArchLinux nginx
 # Data dirs of typically exploited services (incomplete list)
- - '/var/lib/pgsql/data/'
- - '/usr/local/mysql/data/'
- - '/var/lib/mysql/'
- - '/var/vsftpd/'
- - '/etc/bind/'
- - '/var/named/'
- condition: selection
+ - '/var/lib/pgsql/data/'
+ - '/usr/local/mysql/data/'
+ - '/var/lib/mysql/'
+ - '/var/vsftpd/'
+ - '/etc/bind/'
+ - '/var/named/'
+ condition: selection
 falsepositives:
- - Admin activity (especially in /tmp folders)
- - Crazy web applications
+ - Admin activity (especially in /tmp folders)
+ - Crazy web applications
 level: medium
 tags:
- - attack.t1587
- - attack.t1584
- - attack.resource_development
\ No newline at end of file
+ - attack.t1587
+ - attack.t1584
+ - attack.resource_development
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
index 016b26e52..64c956a34 100644
--- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -1,42 +1,36 @@
 title: 'Suspicious History File Operations'
 id: eae8ce9f-bde9-47a6-8e79-f20d18419910
-status: experimental
+status: test
 description: 'Detects commandline operations on shell history files'
- # Rule detects presence of various shell history files in process commandline
- # Normally user expected to view own history with dedicated 'history' command and not some other tools
- # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+date: 2020/10/17
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- execve:
- type: EXECVE
- history:
- - '.bash_history'
- - '.zsh_history'
- - '.zhistory'
- - '.history'
- - '.sh_history'
- - 'fish_history'
- condition: execve and history
+ execve:
+ type: EXECVE
+ history:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: execve and history
 fields:
- - a0
- - a1
- - a2
- - a3
- - key
+ - a0
+ - a1
+ - a2
+ - a3
+ - key
 falsepositives:
- - 'Legitimate administrative activity'
- - 'Ligitimate software, cleaning hist file'
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
 level: medium
 tags:
- - attack.credential_access
- - attack.t1552.003
+ - attack.credential_access
+ - attack.t1552.003
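Review bot: The seven comment lines removed below `description:` carried the deployment prerequisite that execve auditing must be configured for this rule to produce any hits, and the new side keeps no trace of it; the same prerequisite comment is dropped in the lnx_auditd_system_shutdown_reboot hunk, and the OpenBSM equivalent in the macos_binary_padding and macos_change_file_time_attr hunks. The commit message announces only a status change, so losing operator guidance looks unintended; it could survive as a trailing comment on the logsource, e.g. ` service: auditd # requires execve auditing (-a always,exit -F arch=b64 -S execve -k execve)`. The falsepositives entry `'Ligitimate software, cleaning hist file'` is re-indented with the typo intact; `'Legitimate software cleaning history files'` would fix it in the same pass.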
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index 4aafb0203..a83d8d225 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -1,36 +1,33 @@
 title: 'System Shutdown/Reboot'
 id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
-status: experimental
+status: test
 description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
- # For this rule to work execve auditing must be configured
- # Example config (place it at the bottom of audit.rules)
- # -a always,exit -F arch=b32 -S execve -k execve
- # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
 references:
- - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- execve:
- type: 'EXECVE'
- shutdowncmd:
- - 'shutdown'
- - 'reboot'
- - 'halt'
- - 'poweroff'
- init:
- - 'init'
- - 'telinit'
- initselection:
- - '0'
- - '6'
- condition: execve and (shutdowncmd or (init and initselection))
+ execve:
+ type: 'EXECVE'
+ shutdowncmd:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ init:
+ - 'init'
+ - 'telinit'
+ initselection:
+ - '0'
+ - '6'
+ condition: execve and (shutdowncmd or (init and initselection))
 falsepositives:
- - 'Legitimate administrative activity'
+ - 'Legitimate administrative activity'
 level: informational
 tags:
- - attack.impact
- - attack.t1529
+ - attack.impact
+ - attack.t1529
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 286fc3036..6526a061d 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
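Review bot: The reference line `- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md` is re-indented unchanged, so the new side still carries a URL with a doubled `h` that will not resolve; `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md` is the evident intent. Separately, `shutdowncmd`, `init` and `initselection` are bare value lists rather than field-bound matches, so `'0'` and `'6'` presumably match that string in any EXECVE argument field, which is broad enough to deserve a comment such as `# unbound lists match any a0..aN argument` next to `initselection:`.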
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -1,26 +1,26 @@
 title: System Owner or User Discovery
 id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
-status: experimental
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
- the adversary fully infects the target and/or attempts specific actions.
+status: test
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- selection:
- type: 'EXECVE'
- a0:
- - 'users'
- - 'w'
- - 'who'
- condition: selection
+ selection:
+ type: 'EXECVE'
+ a0:
+ - 'users'
+ - 'w'
+ - 'who'
+ condition: selection
 falsepositives:
- - Admin activity
+ - Admin activity
 level: low
 tags:
- - attack.discovery
- - attack.t1033
+ - attack.discovery
+ - attack.t1033
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
index 127323a10..7fd4fd508 100644
--- a/rules/linux/auditd/lnx_data_compressed.yml
+++ b/rules/linux/auditd/lnx_data_compressed.yml
@@ -1,31 +1,31 @@
 title: Data Compressed
 id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
-status: experimental
+status: test
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- selection1:
- type: 'execve'
- a0: 'zip'
- selection2:
- type: 'execve'
- a0: 'gzip'
- a1: '-f'
- selection3:
- type: 'execve'
- a0: 'tar'
- a1|contains: '-c'
- condition: 1 of them
+ selection1:
+ type: 'execve'
+ a0: 'zip'
+ selection2:
+ type: 'execve'
+ a0: 'gzip'
+ a1: '-f'
+ selection3:
+ type: 'execve'
+ a0: 'tar'
+ a1|contains: '-c'
+ condition: 1 of them
 falsepositives:
- - Legitimate use of archiving tools by legitimate user.
+ - Legitimate use of archiving tools by legitimate user.
 level: low
 tags:
- - attack.exfiltration
- - attack.t1560.001
+ - attack.exfiltration
+ - attack.t1560.001
diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index 9f2078370..85be63038 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
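Review bot: The three selections keep `type: 'execve'` in lowercase, while every other auditd rule touched in this commit matches `type: 'EXECVE'` (lnx_auditd_susp_cmds, lnx_auditd_user_discovery, lnx_auditd_system_shutdown_reboot), and the lnx_network_sniffing hunk has the same lowercase form. Linux auditd emits the record type as `EXECVE`, so whether the lowercase value matches depends on the backend's case handling for that field; normalising to `type: 'EXECVE'` in both rules removes the inconsistency without changing intent.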
@@ -1,32 +1,31 @@
 title: Network Sniffing
 id: f4d3748a-65d1-4806-bd23-e25728081d01
-status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
- may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+status: test
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- product: linux
- service: auditd
+ product: linux
+ service: auditd
 detection:
- selection1:
- type: 'execve'
- a0: 'tcpdump'
- a1: '-c'
- a3|contains: '-i'
- selection2:
- type: 'execve'
- a0: 'tshark'
- a1: '-c'
- a3: '-i'
- condition: selection1 or selection2
+ selection1:
+ type: 'execve'
+ a0: 'tcpdump'
+ a1: '-c'
+ a3|contains: '-i'
+ selection2:
+ type: 'execve'
+ a0: 'tshark'
+ a1: '-c'
+ a3: '-i'
+ condition: selection1 or selection2
 falsepositives:
- - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
+ - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
 level: low
 tags:
- - attack.credential_access
- - attack.discovery
- - attack.t1040
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
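Review bot: `selection1` and `selection2` pin `-c` to `a1` and the interface flag to `a3`, so the rule as re-indented only fires when tcpdump or tshark is started with exactly that argument order, which mirrors the referenced atomic test rather than ordinary sniffer use; an invocation with the interface flag first, or without a packet count, does not match. That limitation is not stated anywhere in the rule, so either the description should say the match is positional, or the `a1`/`a3` constraints could be relaxed so that `type` plus `a0` drive the detection and the flags are documented as optional refinements. The enclosing hunk is complete, but the same positional pattern may exist in other auditd rules outside this view.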
diff --git a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
index 532c619bc..a5ffb58ab 100755
--- a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
@@ -1,81 +1,82 @@ title: Equation Group Indicators id: 41e5c73d-9983-4b69-bd03-e13b67e9623c -status: experimental +status: test description: Detects suspicious shell commands used in various Equation Group scripts and tools author: Florian Roth -date: 2017/04/09 references: - - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 + - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 +date: 2017/04/09 +modified: 2021/11/27 logsource: - product: linux + product: linux detection: - keywords: + keywords: # evolvingstrategy, elgingamble, estesfox - - 'chown root*chmod 4777 ' - - 'cp /bin/sh .;chown' + - 'chown root*chmod 4777 ' + - 'cp /bin/sh .;chown' # tmpwatch - - 'chmod 4777 /tmp/.scsi/dev/bin/gsh' - - 'chown root:root /tmp/.scsi/dev/bin/' + - 'chmod 4777 /tmp/.scsi/dev/bin/gsh' + - 'chown root:root /tmp/.scsi/dev/bin/' # estesfox - - 'chown root:root x;' + - 'chown root:root x;' # ratload - - '/bin/telnet locip locport < /dev/console | /bin/sh' - - '/tmp/ratload' + - '/bin/telnet locip locport < /dev/console | /bin/sh' + - '/tmp/ratload' # ewok - - 'ewok -t ' + - 'ewok -t ' # xspy - - 'xspy -display ' + - 'xspy -display ' # elatedmonkey - - 'cat > /dev/tcp/127.0.0.1/80 < /dev/tcp/127.0.0.1/80 < /dev/null' + - ' --wipe > /dev/null' # noclient - - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx' - - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;' + - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx' + - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;' # auditcleaner - - '> /var/log/audit/audit.log; rm -f .' - - 'cp /var/log/audit/audit.log .tmp' + - '> /var/log/audit/audit.log; rm -f .' 
+ - 'cp /var/log/audit/audit.log .tmp' # reverse shell - - 'sh >/dev/tcp/* <&1 2>&1' + - 'sh >/dev/tcp/* <&1 2>&1' # packrat - - 'ncat -vv -l -p * <' - - 'nc -vv -l -p * <' + - 'ncat -vv -l -p * <' + - 'nc -vv -l -p * <' # empty bowl - - '< /dev/console | uudecode && uncompress' - - 'sendmail -osendmail;chmod +x sendmail' + - '< /dev/console | uudecode && uncompress' + - 'sendmail -osendmail;chmod +x sendmail' # echowrecker - - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron' + - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron' # dubmoat - - 'chmod 666 /var/run/utmp~' + - 'chmod 666 /var/run/utmp~' # poptop - - 'chmod 700 nscd crond' + - 'chmod 700 nscd crond' # abopscript - - 'cp /etc/shadow /tmp/.' + - 'cp /etc/shadow /tmp/.' # ys - - ' /dev/null 2>&1 && uncompress' + - ' /dev/null 2>&1 && uncompress' # jacktelnet - - 'chmod 700 jp&&netstat -an|grep' + - 'chmod 700 jp&&netstat -an|grep' # others - - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755' - - 'chmod 700 crond' - - 'wget http*; chmod +x /tmp/sendmail' - - 'chmod 700 fp sendmail pt' - - 'chmod 755 /usr/vmsys/bin/pipe' - - 'chmod -R 755 /usr/vmsys' - - 'chmod 755 $opbin/*tunnel' - - 'chmod 700 sendmail' - - 'chmod 0700 sendmail' - - '/usr/bin/wget http*sendmail;chmod +x sendmail;' - - '&& telnet * 2>&1 /dev/null 2>&1 && uncompress -f * && chmod 755' + - 'chmod 700 crond' + - 'wget http*; chmod +x /tmp/sendmail' + - 'chmod 700 fp sendmail pt' + - 'chmod 755 /usr/vmsys/bin/pipe' + - 'chmod -R 755 /usr/vmsys' + - 'chmod 755 $opbin/*tunnel' + - 'chmod 700 sendmail' + - 'chmod 0700 sendmail' + - '/usr/bin/wget http*sendmail;chmod +x sendmail;' + - '&& telnet * 2>&1 6 + - 'find / -perm -u=s' + - 'find / -perm -g=s' + - 'find / -perm -4000' + - 'find / -perm -2000' + timeframe: 30m + condition: keywords | count() by host > 6 falsepositives: - - Troubleshooting on Linux Machines + - Troubleshooting on Linux Machines level: medium tags: - - attack.execution - - attack.t1059.004 + - 
attack.execution + - attack.t1059.004 diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml index f4eecddd2..4c8a64463 100644 --- a/rules/linux/builtin/lnx_shell_susp_commands.yml +++ b/rules/linux/builtin/lnx_shell_susp_commands.yml 
@@ -1,59 +1,59 @@
 title: Suspicious Activity in Shell Commands
 id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
-status: experimental
+status: test
 description: Detects suspicious shell commands used in various exploit codes (see references)
 author: Florian Roth
-date: 2017/08/21
-modified: 2019/02/05
 references:
- - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
- - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
- - http://pastebin.com/FtygZ1cg
- - https://artkond.com/2017/03/23/pivoting-guide/
+ - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
+ - http://pastebin.com/FtygZ1cg
+ - https://artkond.com/2017/03/23/pivoting-guide/
+date: 2017/08/21
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- keywords:
+ keywords:
 # Generic suspicious commands
- - 'wget * - http* | perl'
- - 'wget * - http* | sh'
- - 'wget * - http* | bash'
- - 'python -m SimpleHTTPServer'
- - '-m http.server' # Python 3
- - 'import pty; pty.spawn*'
- - 'socat exec:*'
- - 'socat -O /tmp/*'
- - 'socat tcp-connect*'
- - '*echo binary >>*'
+ - 'wget * - http* | perl'
+ - 'wget * - http* | sh'
+ - 'wget * - http* | bash'
+ - 'python -m SimpleHTTPServer'
+ - '-m http.server' # Python 3
+ - 'import pty; pty.spawn*'
+ - 'socat exec:*'
+ - 'socat -O /tmp/*'
+ - 'socat tcp-connect*'
+ - '*echo binary >>*'
 # Malware
- - '*wget *; chmod +x*'
- - '*wget *; chmod 777 *'
- - '*cd /tmp || cd /var/run || cd /mnt*'
+ - '*wget *; chmod +x*'
+ - '*wget *; chmod 777 *'
+ - '*cd /tmp || cd /var/run || cd /mnt*'
 # Apache Struts in-the-wild exploit codes
- - '*stop;service iptables stop;*'
- - '*stop;SuSEfirewall2 stop;*'
- - 'chmod 777 2020*'
- - '*>>/etc/rc.local'
+ - '*stop;service iptables stop;*'
+ - '*stop;SuSEfirewall2 stop;*'
+ - 'chmod 777 2020*'
+ - '*>>/etc/rc.local'
 # Metasploit framework exploit codes
- - '*base64 -d /tmp/*'
- - '* | base64 -d *'
- - '*/chmod u+s *'
- - '*chmod +s /tmp/*'
- - '*chmod u+s /tmp/*'
- - '* /tmp/haxhax*'
- - '* /tmp/ns_sploit*'
- - 'nc -l -p *'
- - 'cp /bin/ksh *'
- - 'cp /bin/sh *'
- - '* /tmp/*.b64 *'
- - '*/tmp/ysocereal.jar*'
- - '*/tmp/x *'
- - '*; chmod +x /tmp/*'
- - '*;chmod +x /tmp/*'
- condition: keywords
+ - '*base64 -d /tmp/*'
+ - '* | base64 -d *'
+ - '*/chmod u+s *'
+ - '*chmod +s /tmp/*'
+ - '*chmod u+s /tmp/*'
+ - '* /tmp/haxhax*'
+ - '* /tmp/ns_sploit*'
+ - 'nc -l -p *'
+ - 'cp /bin/ksh *'
+ - 'cp /bin/sh *'
+ - '* /tmp/*.b64 *'
+ - '*/tmp/ysocereal.jar*'
+ - '*/tmp/x *'
+ - '*; chmod +x /tmp/*'
+ - '*;chmod +x /tmp/*'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.t1059.004
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
index f4eecddd2..4c8a64463 100644
--- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -1,20 +1,21 @@
 title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
-status: experimental
+status: test
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
 date: 2017/03/25
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- keywords:
- - entered promiscuous mode
- - Deactivating service
- - Oversized packet received from
- - imuxsock begins to drop messages
- condition: keywords
+ keywords:
+ - entered promiscuous mode
+ - Deactivating service
+ - Oversized packet received from
+ - imuxsock begins to drop messages
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.impact
\ No newline at end of file
+ - attack.impact
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 053bd8e41..7501d26ed 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
@@ -1,44 +1,45 @@
 title: Suspicious Reverse Shell Command Line
 id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
-status: experimental
+status: test
 description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
 author: Florian Roth
-date: 2019/04/02
 references:
- - https://alamot.github.io/reverse_shells/
+ - https://alamot.github.io/reverse_shells/
+date: 2019/04/02
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- keywords:
- - 'BEGIN {s = "/inet/tcp/0/'
- - 'bash -i >& /dev/tcp/'
- - 'bash -i >& /dev/udp/'
- - 'sh -i >$ /dev/udp/'
- - 'sh -i >$ /dev/tcp/'
- - '&& while read line 0<&5; do'
- - '/bin/bash -c exec 5<>/dev/tcp/'
- - '/bin/bash -c exec 5<>/dev/udp/'
- - 'nc -e /bin/sh '
- - '/bin/sh | nc'
- - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- - '/bin/sh -i <&3 >&3 2>&3'
- - 'uname -a; w; id; /bin/bash -i'
- - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- - 'rm -f /tmp/p; mknod /tmp/p p &&'
- - ' | /bin/bash | telnet '
- - ',echo=0,raw tcp-listen:'
- - 'nc -lvvp '
- - 'xterm -display 1'
- condition: keywords
+ keywords:
+ - 'BEGIN {s = "/inet/tcp/0/'
+ - 'bash -i >& /dev/tcp/'
+ - 'bash -i >& /dev/udp/'
+ - 'sh -i >$ /dev/udp/'
+ - 'sh -i >$ /dev/tcp/'
+ - '&& while read line 0<&5; do'
+ - '/bin/bash -c exec 5<>/dev/tcp/'
+ - '/bin/bash -c exec 5<>/dev/udp/'
+ - 'nc -e /bin/sh '
+ - '/bin/sh | nc'
+ - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
+ - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
+ - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+ - '/bin/sh -i <&3 >&3 2>&3'
+ - 'uname -a; w; id; /bin/bash -i'
+ - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
+ - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+ - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+ - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
+ - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+ - 'rm -f /tmp/p; mknod /tmp/p p &&'
+ - ' | /bin/bash | telnet '
+ - ',echo=0,raw tcp-listen:'
+ - 'nc -lvvp '
+ - 'xterm -display 1'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.t1059.004
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
index ab1533e62..c963868b7 100644
--- a/rules/linux/builtin/lnx_space_after_filename_.yml
+++ b/rules/linux/builtin/lnx_space_after_filename_.yml
@@ -1,21 +1,22 @@
 title: Space After Filename
-id: 879c3015-c88b-4782-93d7-07adf92dbcb7
-status: experimental
+id: 879c3015-c88b-4782-93d7-07adf92dbcb7
+status: test
 description: Detects space after filename
 author: Ömer Günal
-date: 2020/06/17
 references:
- - https://attack.mitre.org/techniques/T1064
-level: low
+ - https://attack.mitre.org/techniques/T1064
+date: 2020/06/17
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- selection1:
- - 'echo "*" > * && chmod +x *'
- selection2:
- - 'mv * "* "'
- condition: selection1 and selection2
+ selection1:
+ - 'echo "*" > * && chmod +x *'
+ selection2:
+ - 'mv * "* "'
+ condition: selection1 and selection2
 falsepositives:
- - Typos
+ - Typos
+level: low
 tags:
- - attack.execution
\ No newline at end of file
+ - attack.execution
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index b5234445d..118ed0cd3 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -1,22 +1,23 @@
 title: JexBoss Command Sequence
 id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
+status: test
 description: Detects suspicious command sequence that JexBoss
-status: experimental
 author: Florian Roth
-date: 2017/08/24
 references:
- - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+ - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+date: 2017/08/24
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- selection1:
- - 'bash -c /bin/bash'
- selection2:
- - '&/dev/tcp/'
- condition: selection1 and selection2
+ selection1:
+ - 'bash -c /bin/bash'
+ selection2:
+ - '&/dev/tcp/'
+ condition: selection1 and selection2
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.t1059.004
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.004
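Review bot: In the lnx_susp_jexboss hunk, `description: Detects suspicious command sequence that JexBoss` is an unfinished sentence and is carried over unchanged while the fields around it are reordered; `description: Detects a suspicious command sequence used by JexBoss` would complete it. In the lnx_space_after_filename hunk just above, the `id:` line is removed and re-added with identical visible text, which presumably reflects a whitespace or encoding change that the collapsed rendering cannot show; if it was a stray BOM or trailing space, noting that in the commit would save the next reader a diff-by-bytes.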
diff --git a/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
index 043a45b0f..4e26563e6 100644
--- a/rules/linux/builtin/lnx_symlink_etc_passwd.yml
+++ b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
@@ -1,21 +1,22 @@
 title: Symlink Etc Passwd
 id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
-status: experimental
+status: test
 description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
 author: Florian Roth
-date: 2019/04/05
 references:
- - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+date: 2019/04/05
+modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- keywords:
- - 'ln -s -f /etc/passwd'
- - 'ln -s /etc/passwd'
- condition: keywords
+ keywords:
+ - 'ln -s -f /etc/passwd'
+ - 'ln -s /etc/passwd'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.t1204.001
- - attack.execution
\ No newline at end of file
+ - attack.t1204.001
+ - attack.execution
diff --git a/rules/linux/macos/file_event/macos_emond_launch_daemon.yml b/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
index 1c904a61b..834ba05d5 100644
--- a/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
+++ b/rules/linux/macos/file_event/macos_emond_launch_daemon.yml
@@ -1,12 +1,13 @@
 title: MacOS Emond Launch Daemon
 id: 23c43900-e732-45a4-8354-63e4a6c187ce
-status: experimental
+status: test
 description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/23
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+ - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+date: 2020/10/23
+modified: 2021/11/27
 logsource:
 category: file_event
 product: macos
@@ -18,9 +19,9 @@ detection:
 TargetFilename|contains: '/private/var/db/emondClients/'
 condition: selection_1 or selection_2
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
 tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.014
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.014
diff --git a/rules/linux/macos/file_event/macos_startup_items.yml b/rules/linux/macos/file_event/macos_startup_items.yml
index 89102e3ff..e87e5b6db 100644
--- a/rules/linux/macos/file_event/macos_startup_items.yml
+++ b/rules/linux/macos/file_event/macos_startup_items.yml
@@ -1,11 +1,12 @@
 title: Startup Items
 id: dfe8b941-4e54-4242-b674-6b613d521962
-status: experimental
+status: test
 description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+date: 2020/10/14
+modified: 2021/11/27
 logsource:
 category: file_event
 product: macos
@@ -16,9 +17,9 @@ detection:
 TargetFilename|endswith: '.plist'
 condition: selection_1 and selection_2
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
 tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1037.005
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1037.005
diff --git a/rules/linux/macos/process_creation/macos_applescript.yml b/rules/linux/macos/process_creation/macos_applescript.yml
index 38daf676a..35f8c42da 100644
--- a/rules/linux/macos/process_creation/macos_applescript.yml
+++ b/rules/linux/macos/process_creation/macos_applescript.yml
@@ -1,11 +1,12 @@
 title: MacOS Scripting Interpreter AppleScript
 id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
-status: experimental
+status: test
 description: Detects execution of AppleScript of the macOS scripting language AppleScript.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+date: 2020/10/21
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/linux/macos/process_creation/macos_base64_decode.yml b/rules/linux/macos/process_creation/macos_base64_decode.yml
index 4afeec596..1c997e44a 100644
--- a/rules/linux/macos/process_creation/macos_base64_decode.yml
+++ b/rules/linux/macos/process_creation/macos_base64_decode.yml
@@ -1,11 +1,12 @@
 title: Decode Base64 Encoded Text
 id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
-status: experimental
+status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -19,4 +20,4 @@ falsepositives:
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1027
\ No newline at end of file
+ - attack.t1027
diff --git a/rules/linux/macos/process_creation/macos_binary_padding.yml b/rules/linux/macos/process_creation/macos_binary_padding.yml
index 843b2aa61..0462fbd05 100644
--- a/rules/linux/macos/process_creation/macos_binary_padding.yml
+++ b/rules/linux/macos/process_creation/macos_binary_padding.yml
@@ -1,33 +1,32 @@
 title: 'Binary Padding'
 id: 95361ce5-c891-4b0a-87ca-e24607884a96
-status: experimental
+status: test
 description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1:
- Image|endswith:
- - '/truncate'
- CommandLine|contains:
- - '-s'
- selection2:
- Image|endswith:
- - '/dd'
- CommandLine|contains:
- - 'if='
- filter:
- CommandLine|contains: 'of='
- condition: selection1 or (selection2 and not filter)
+ selection1:
+ Image|endswith:
+ - '/truncate'
+ CommandLine|contains:
+ - '-s'
+ selection2:
+ Image|endswith:
+ - '/dd'
+ CommandLine|contains:
+ - 'if='
+ filter:
+ CommandLine|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
 falsepositives:
- - 'Legitimate script work'
+ - 'Legitimate script work'
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1027.001
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/macos/process_creation/macos_change_file_time_attr.yml b/rules/linux/macos/process_creation/macos_change_file_time_attr.yml
index f4a0ca2d7..74d6d0fab 100644
--- a/rules/linux/macos/process_creation/macos_change_file_time_attr.yml
+++ b/rules/linux/macos/process_creation/macos_change_file_time_attr.yml
@@ -1,29 +1,28 @@
 title: 'File Time Attribute Change'
 id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
-status: experimental
+status: test
 description: 'Detect file time attribute change to hide new or changes to existing files.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1:
- Image|endswith: '/touch'
- selection2:
- CommandLine|contains:
- - '-t'
- - '-acmr'
- - '-d'
- - '-r'
- condition: selection1 and selection2
+ selection1:
+ Image|endswith: '/touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
 falsepositives:
- - 'Unknown'
+ - 'Unknown'
 level: medium
 tags:
- - attack.defense_evasion
- - attack.t1070.006
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos/process_creation/macos_create_account.yml b/rules/linux/macos/process_creation/macos_create_account.yml
index 42d1d4931..b5e7862d9 100644
--- a/rules/linux/macos/process_creation/macos_create_account.yml
+++ b/rules/linux/macos/process_creation/macos_create_account.yml
@@ -1,11 +1,12 @@
 title: Creation Of A Local User Account
 id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
-status: experimental
+status: test
 description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -20,6 +21,6 @@ falsepositives:
 - Legitimate administration activities
 level: low
 tags:
- - attack.t1136 # an old one
- - attack.t1136.001
- - attack.persistence
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
diff --git a/rules/linux/macos/process_creation/macos_create_hidden_account.yml b/rules/linux/macos/process_creation/macos_create_hidden_account.yml
index 56cf55fdf..000f97f28 100644
--- a/rules/linux/macos/process_creation/macos_create_hidden_account.yml
+++ b/rules/linux/macos/process_creation/macos_create_hidden_account.yml
@@ -1,11 +1,12 @@
 title: Hidden User Creation
 id: b22a5b36-2431-493a-8be1-0bae56c28ef3
-status: experimental
+status: test
 description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/10
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+date: 2020/10/10
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -23,11 +24,10 @@ detection:
 - 'true'
 - 'yes'
 - '1'
- condition: dscl_create and id_below_500 or
- dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+ condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
 falsepositives:
 - Legitimate administration activities
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1564.002
\ No newline at end of file
+ - attack.t1564.002
diff --git a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
index e8d3d1302..3cd1a7ab3 100644
--- a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
+++ b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
@@ -1,29 +1,30 @@
 title: Credentials from Password Stores - Keychain
 id: b120b587-a4c2-4b94-875d-99c9807d6955
-status: experimental
+status: test
 description: Detects passwords dumps from Keychain
 author: Tim Ismilyaev, oscd.community, Florian Roth
-date: 2020/10/19
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
- - https://gist.github.com/Capybara/6228955
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+ - https://gist.github.com/Capybara/6228955
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: macos
+ category: process_creation
+ product: macos
 detection:
- selection1:
- Image: '/usr/bin/security'
- CommandLine|contains:
- - 'find-certificate'
- - ' export '
- selection2:
- CommandLine|contains:
- - ' dump-keychain '
- - ' login-keychain '
- condition: 1 of them
+ selection1:
+ Image: '/usr/bin/security'
+ CommandLine|contains:
+ - 'find-certificate'
+ - ' export '
+ selection2:
+ CommandLine|contains:
+ - ' dump-keychain '
+ - ' login-keychain '
+ condition: 1 of them
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
 tags:
- - attack.credential_access
- - attack.t1555.001
+ - attack.credential_access
+ - attack.t1555.001
diff --git a/rules/linux/macos/process_creation/macos_disable_security_tools.yml b/rules/linux/macos/process_creation/macos_disable_security_tools.yml
index 0f843c789..9475d3ff6 100644
--- a/rules/linux/macos/process_creation/macos_disable_security_tools.yml
+++ b/rules/linux/macos/process_creation/macos_disable_security_tools.yml
@@ -1,11 +1,12 @@
 title: Disable Security Tools
 id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
-status: experimental
+status: test
 description: Detects disabling security tools
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -39,4 +40,4 @@ falsepositives:
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
+ - attack.t1562.001
diff --git a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
index 025babc38..3e25319e3 100644
--- a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
@@ -1,11 +1,12 @@
 title: File and Directory Discovery
 id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
-status: experimental
+status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -28,4 +29,4 @@ falsepositives:
 level: informational
 tags:
 - attack.discovery
- - attack.t1083
\ No newline at end of file
+ - attack.t1083
diff --git a/rules/linux/macos/process_creation/macos_find_cred_in_files.yml b/rules/linux/macos/process_creation/macos_find_cred_in_files.yml
index a0b2a0cbd..7b04c2933 100644
--- a/rules/linux/macos/process_creation/macos_find_cred_in_files.yml
+++ b/rules/linux/macos/process_creation/macos_find_cred_in_files.yml
@@ -1,28 +1,27 @@
 title: 'Credentials In Files'
 id: 53b1b378-9b06-4992-b972-dde6e423d2b4
-status: experimental
+status: test
 description: 'Detecting attempts to extract passwords with grep and laZagne'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1:
- Image|endswith:
- - '/grep'
- CommandLine|contains:
- - 'password'
- selection2:
- CommandLine|contains: 'laZagne'
- condition: selection1 or selection2
+ selection1:
+ Image|endswith:
+ - '/grep'
+ CommandLine|contains:
+ - 'password'
+ selection2:
+ CommandLine|contains: 'laZagne'
+ condition: selection1 or selection2
 falsepositives:
- - 'Unknown'
+ - 'Unknown'
 level: high
 tags:
- - attack.credential_access
- - attack.t1552.001
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/macos/process_creation/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml
index 638fb1ba9..7f3722d7d 100644
--- a/rules/linux/macos/process_creation/macos_local_account.yml
+++ b/rules/linux/macos/process_creation/macos_local_account.yml
@@ -1,11 +1,12 @@
 title: Local System Accounts Discovery
 id: ddf36b67-e872-4507-ab2e-46bda21b842c
-status: experimental
+status: test
 description: Detects enumeration of local systeam accounts on MacOS
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+date: 2020/10/08
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/linux/macos/process_creation/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml
index 7cffce09d..377287618 100644
--- a/rules/linux/macos/process_creation/macos_local_groups.yml
+++ b/rules/linux/macos/process_creation/macos_local_groups.yml
@@ -1,11 +1,12 @@
 title: Local Groups Discovery
 id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
-status: experimental
+status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+date: 2020/10/11
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/linux/macos/process_creation/macos_network_service_scanning.yml b/rules/linux/macos/process_creation/macos_network_service_scanning.yml
index 8faa5b721..fc2e432c9 100644
--- a/rules/linux/macos/process_creation/macos_network_service_scanning.yml
+++ b/rules/linux/macos/process_creation/macos_network_service_scanning.yml
@@ -1,11 +1,12 @@
 title: MacOS Network Service Scanning
 id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
-status: experimental
+status: test
 description: Detects enumeration of local or remote network services.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+date: 2020/10/21
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
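Review bot: The description kept on the new side of the macos_local_account.yml hunk still reads `local systeam accounts`, a typo that ends up in every SIEM alert title derived from it. Since the commit already rewrites this file's header block, it is the right place to correct it: `description: Detects enumeration of local system accounts on MacOS`.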
@@ -20,7 +21,7 @@ detection:
 - '/telnet'
 filter:
 CommandLine|contains: 'l'
- condition: (selection_1 and not filter) or selection_2
+ condition: (selection_1 and not filter) or selection_2
 falsepositives:
 - Legitimate administration activities
 level: low
diff --git a/rules/linux/macos/process_creation/macos_network_sniffing.yml b/rules/linux/macos/process_creation/macos_network_sniffing.yml
index ef95ea36d..dd0ae18f3 100644
--- a/rules/linux/macos/process_creation/macos_network_sniffing.yml
+++ b/rules/linux/macos/process_creation/macos_network_sniffing.yml
@@ -1,11 +1,12 @@
 title: Network Sniffing
 id: adc9bcc4-c39c-4f6b-a711-1884017bf043
-status: experimental
+status: test
 description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+date: 2020/10/14
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
index fd5867314..b32ff1d98 100644
--- a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
@@ -1,11 +1,12 @@
 title: Macos Remote System Discovery
 id: 10227522-8429-47e6-a301-f2b2d014e7ad
-status: experimental
+status: test
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+date: 2020/10/22
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
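Review bot: The re-indented `condition: (selection_1 and not filter) or selection_2` in macos_network_service_scanning.yml keeps a `filter` whose only clause is `CommandLine|contains: 'l'`, which matches any command line containing the letter "l" rather than a listen flag; with image names such as `/telnet` in the selection, most command lines of the tools the rule enumerates will be suppressed and the `selection_1` branch will rarely fire. The selection bodies start above the hunk, so this is inferred from the visible filter alone, but if the intent is to exclude listen mode the filter should match the flag with its delimiter, e.g. `CommandLine|contains: ' -l'`. A status promotion to `test` is a reasonable point to fix that before the rule is relied on.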
diff --git a/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml b/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
index c757d014f..b0e4558d4 100644
--- a/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
+++ b/rules/linux/macos/process_creation/macos_schedule_task_job_cron.yml
@@ -1,11 +1,12 @@
 title: Scheduled Cron Task/Job
 id: 7c3b43d8-d794-47d2-800a-d277715aa460
-status: experimental
+status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -17,10 +18,10 @@ detection:
 - '/tmp/'
 condition: selection
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
 tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.003
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/macos/process_creation/macos_screencapture.yml b/rules/linux/macos/process_creation/macos_screencapture.yml
index 18fb1bf32..7d38e1974 100644
--- a/rules/linux/macos/process_creation/macos_screencapture.yml
+++ b/rules/linux/macos/process_creation/macos_screencapture.yml
@@ -1,22 +1,23 @@
 title: Screen Capture - macOS
 id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
-status: experimental
+status: test
 description: Detects attempts to use screencapture to collect macOS screenshots
 author: remotephone, oscd.community
-date: 2020/10/13
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+ - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+date: 2020/10/13
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection:
- Image: '/usr/sbin/screencapture'
- condition: selection
+ selection:
+ Image: '/usr/sbin/screencapture'
+ condition: selection
 falsepositives:
- - Legitimate user activity taking screenshots
+ - Legitimate user activity taking screenshots
 level: low
 tags:
- - attack.collection
- - attack.t1113
+ - attack.collection
+ - attack.t1113
diff --git a/rules/linux/macos/process_creation/macos_security_software_discovery.yml b/rules/linux/macos/process_creation/macos_security_software_discovery.yml
index ae896a953..f20aab853 100644
--- a/rules/linux/macos/process_creation/macos_security_software_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_security_software_discovery.yml
@@ -1,11 +1,12 @@
 title: Security Software Discovery
 id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
-status: experimental
+status: test
 description: Detects usage of system utilities (only grep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
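Review bot: The description retained in the macos_security_software_discovery.yml header hunk reads `to discover security software discovery`, which repeats the technique name and leaves the sentence without a real object. As the header block is being rewritten anyway, tighten it to `description: Detects usage of system utilities (only grep for now) to discover installed security software`.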
@@ -29,11 +30,10 @@ detection:
 CommandLine|contains|all:
 - 'Little'
 - 'Snitch'
- condition: grep_execution and security_services_and_processes or
- grep_execution and little_snitch_process
+ condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process
 falsepositives:
 - Legitimate activities
 level: medium
 tags:
 - attack.discovery
- - attack.t1518.001
\ No newline at end of file
+ - attack.t1518.001
diff --git a/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml b/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
index f65d96dee..6f18c4de7 100644
--- a/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
+++ b/rules/linux/macos/process_creation/macos_split_file_into_pieces.yml
@@ -1,23 +1,22 @@
 title: 'Split A File Into Pieces'
 id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
-status: experimental
+status: test
 description: 'Detection use of the command "split" to split files into parts and possible transfer.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see link
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/15
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection:
- Image|endswith: '/split'
- condition: selection
+ selection:
+ Image|endswith: '/split'
+ condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
+ - 'Legitimate administrative activity'
 level: low
 tags:
- - attack.exfiltration
- - attack.t1030
+ - attack.exfiltration
+ - attack.t1030
diff --git a/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml b/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
index b643bfbb3..4156d18d3 100644
--- a/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
+++ b/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
@@ -1,33 +1,29 @@
 title: 'Suspicious History File Operations'
 id: 508a9374-ad52-4789-b568-fc358def2c65
-status: experimental
+status: test
 description: 'Detects commandline operations on shell history files'
- # Rule detects presence of various shell history files in process commandline
- # Normally user expected to view own history with dedicated 'history' command and not some other tools
- # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+date: 2020/10/17
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection:
- CommandLine|contains:
- - '.bash_history'
- - '.zsh_history'
- - '.zhistory'
- - '.history'
- - '.sh_history'
- - 'fish_history'
- condition: selection
+ selection:
+ CommandLine|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
- - 'Ligitimate software, cleaning hist file'
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
 level: medium
 tags:
- - attack.credential_access
- - attack.t1552.003
+ - attack.credential_access
+ - attack.t1552.003
diff --git a/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
index 1a3fb7d41..6b5b1523f 100644
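Review bot: Besides the OpenBSM prerequisite, this hunk also deletes the three comment lines explaining the rule's rationale (users normally read their own history through the shell's `history` builtin, so any other tool touching these files is notable) and its known overlap with T1070.003 history clearing; that is analyst-facing context an alert triager needs and it is not preserved anywhere in the new file. Carry it over as a short comment under `description:` or extend the description with one sentence on the `history`-builtin expectation and the T1070.003 overlap. The re-indented falsepositives entry also keeps the typo `Ligitimate software, cleaning hist file`; correct it to `- 'Legitimate software, cleaning hist file'` while the block is being touched.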
--- a/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_system_network_connections_discovery.yml
@@ -1,11 +1,12 @@
 title: System Network Connections Discovery
 id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
-status: experimental
+status: test
 description: Detects usage of system utilities to discover system network connections
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
@@ -23,4 +24,4 @@ falsepositives:
 level: informational
 tags:
 - attack.discovery
- - attack.t1049
\ No newline at end of file
+ - attack.t1049
diff --git a/rules/linux/macos/process_creation/macos_system_network_discovery.yml b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
index cc4278175..b012b58cb 100644
--- a/rules/linux/macos/process_creation/macos_system_network_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_system_network_discovery.yml
@@ -1,32 +1,33 @@
 title: System Network Discovery - macOS
 id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
-status: experimental
+status: test
 description: Detects enumeration of local network configuration
 author: remotephone, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1:
- Image:
- - '/usr/sbin/netstat'
- - '/sbin/ifconfig'
- - '/usr/sbin/ipconfig'
- - '/usr/libexec/ApplicationFirewall/socketfilterfw'
- - '/usr/sbin/networksetup'
- - '/usr/sbin/arp'
- selection2:
- Image: '/usr/bin/defaults'
- CommandLine|contains|all:
- - 'read'
- - '/Library/Preferences/com.apple.alf'
- condition: selection1 or selection2
+ selection1:
+ Image:
+ - '/usr/sbin/netstat'
+ - '/sbin/ifconfig'
+ - '/usr/sbin/ipconfig'
+ - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+ - '/usr/sbin/networksetup'
+ - '/usr/sbin/arp'
+ selection2:
+ Image: '/usr/bin/defaults'
+ CommandLine|contains|all:
+ - 'read'
+ - '/Library/Preferences/com.apple.alf'
+ condition: selection1 or selection2
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: informational
 tags:
- - attack.discovery
- - attack.t1016
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml b/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
index fe4d4b645..5e6350327 100644
--- a/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
+++ b/rules/linux/macos/process_creation/macos_system_shutdown_reboot.yml
@@ -1,26 +1,25 @@
 title: 'System Shutdown/Reboot'
 id: 40b1fbe2-18ea-4ee7-be47-0294285811de
-status: experimental
+status: test
 description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
- # For this rule to work you must enable audit of process execution in OpenBSM, see
- # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
- - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection:
- Image|endswith:
- - '/shutdown'
- - '/reboot'
- - '/halt'
- condition: selection
+ selection:
+ Image|endswith:
+ - '/shutdown'
+ - '/reboot'
+ - '/halt'
+ condition: selection
 falsepositives:
- - 'Legitimate administrative activity'
+ - 'Legitimate administrative activity'
 level: informational
 tags:
- - attack.impact
- - attack.t1529
+ - attack.impact
+ - attack.t1529
diff --git a/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
index 8c4ac76c2..d9a9c3747 100644
--- a/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
+++ b/rules/linux/macos/process_creation/macos_xattr_gatekeeper_bypass.yml
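Review bot: The re-indented references entry in macos_system_shutdown_reboot.yml still carries the malformed scheme `hhttps://`, so the only reference on the rule is a dead link and any reference-validation step will reject it. The line is rewritten by this commit anyway, so correct it here: `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`.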
@@ -1,18 +1,19 @@
 title: Gatekeeper Bypass via Xattr
 id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
-status: experimental
+status: test
 description: Detects macOS Gatekeeper bypass via xattr utility
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: macos
 detection:
 selection:
 Image|endswith: '/xattr'
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '-r'
 - 'com.apple.quarantine'
 condition: selection
@@ -21,4 +22,4 @@ falsepositives:
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1553.001
\ No newline at end of file
+ - attack.t1553.001
diff --git a/rules/linux/other/lnx_ssh_cve_2018_15473.yml b/rules/linux/other/lnx_ssh_cve_2018_15473.yml
index d7bb5c46d..4b422fb7c 100644
--- a/rules/linux/other/lnx_ssh_cve_2018_15473.yml
+++ b/rules/linux/other/lnx_ssh_cve_2018_15473.yml
@@ -1,21 +1,22 @@
 title: SSHD Error Message CVE-2018-15473
 id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
-status: experimental
+status: test
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 author: Florian Roth
-date: 2017/08/24
 references:
- - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+ - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+date: 2017/08/24
+modified: 2021/11/27
 logsource:
- product: linux
- service: sshd
+ product: linux
+ service: sshd
 detection:
- keywords:
- - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
- condition: keywords
+ keywords:
+ - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.reconnaissance
- - attack.t1589
\ No newline at end of file
+ - attack.reconnaissance
+ - attack.t1589
diff --git a/rules/linux/other/lnx_susp_failed_logons_single_source.yml b/rules/linux/other/lnx_susp_failed_logons_single_source.yml
index b87fe723c..23e22f94a 100644
--- a/rules/linux/other/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/other/lnx_susp_failed_logons_single_source.yml
@@ -1,24 +1,25 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
-status: experimental
+status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
 date: 2017/02/16
+modified: 2021/11/27
 logsource:
- product: linux
- service: auth
+ product: linux
+ service: auth
 detection:
- selection:
- pam_message: authentication failure
- pam_user: '*'
- pam_rhost: '*'
- timeframe: 24h
- condition: selection | count(pam_user) by pam_rhost > 3
+ selection:
+ pam_message: authentication failure
+ pam_user: '*'
+ pam_rhost: '*'
+ timeframe: 24h
+ condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
- - Terminal servers
- - Jump servers
- - Workstations with frequently changing users
+ - Terminal servers
+ - Jump servers
+ - Workstations with frequently changing users
 level: medium
 tags:
- - attack.credential_access
- - attack.t1110
\ No newline at end of file
+ - attack.credential_access
+ - attack.t1110
diff --git a/rules/linux/other/lnx_susp_guacamole.yml b/rules/linux/other/lnx_susp_guacamole.yml
index a19ec04d9..9de7add4c 100644
--- a/rules/linux/other/lnx_susp_guacamole.yml
+++ b/rules/linux/other/lnx_susp_guacamole.yml
@@ -1,21 +1,22 @@
 title: Guacamole Two Users Sharing Session Anomaly
 id: 1edd77db-0669-4fef-9598-165bda82826d
-status: experimental
+status: test
 description: Detects suspicious session with two users present
 author: Florian Roth
-date: 2020/07/03
 references:
- - https://research.checkpoint.com/2020/apache-guacamole-rce/
+ - https://research.checkpoint.com/2020/apache-guacamole-rce/
+date: 2020/07/03
+modified: 2021/11/27
 logsource:
- product: linux
- service: guacamole
+ product: linux
+ service: guacamole
 detection:
- selection:
- - '(2 users now present)'
- condition: selection
+ selection:
+ - '(2 users now present)'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.credential_access
- - attack.t1212
+ - attack.credential_access
+ - attack.t1212
diff --git a/rules/linux/other/lnx_susp_named.yml b/rules/linux/other/lnx_susp_named.yml
index 128300cc2..6c7a43e2f 100644
--- a/rules/linux/other/lnx_susp_named.yml
+++ b/rules/linux/other/lnx_susp_named.yml
@@ -1,23 +1,24 @@
 title: Suspicious Named Error
 id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
-status: experimental
+status: test
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2018/02/20
 references:
- - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+ - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+date: 2018/02/20
+modified: 2021/11/27
 logsource:
- product: linux
- service: syslog
+ product: linux
+ service: syslog
 detection:
- keywords:
- - '* dropping source port zero packet from *'
- - '* denied AXFR from *'
- - '* exiting (due to fatal error)*'
- condition: keywords
+ keywords:
+ - '* dropping source port zero packet from *'
+ - '* denied AXFR from *'
+ - '* exiting (due to fatal error)*'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/linux/other/lnx_susp_ssh.yml b/rules/linux/other/lnx_susp_ssh.yml
index c5ea7448e..dbf3e58fe 100644
--- a/rules/linux/other/lnx_susp_ssh.yml
+++ b/rules/linux/other/lnx_susp_ssh.yml
@@ -1,33 +1,33 @@
 title: Suspicious OpenSSH Daemon Error
 id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
-status: experimental
+status: test
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2017/06/30
-modified: 2020/05/15
 references:
- - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+ - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+ - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+date: 2017/06/30
+modified: 2021/11/27
 logsource:
- product: linux
- service: sshd
+ product: linux
+ service: sshd
 detection:
- keywords:
- - '*unexpected internal error*'
- - '*unknown or unsupported key type*'
- - '*invalid certificate signing key*'
- - '*invalid elliptic curve value*'
- - '*incorrect signature*'
- - '*error in libcrypto*'
- - '*unexpected bytes remain after decoding*'
- - '*fatal: buffer_get_string: bad string*'
- - '*Local: crc32 compensation attack*'
- - '*bad client public DH value*'
- - '*Corrupted MAC on input*'
- condition: keywords
+ keywords:
+ - '*unexpected internal error*'
+ - '*unknown or unsupported key type*'
+ - '*invalid certificate signing key*'
+ - '*invalid elliptic curve value*'
+ - '*incorrect signature*'
+ - '*error in libcrypto*'
+ - '*unexpected bytes remain after decoding*'
+ - '*fatal: buffer_get_string: bad string*'
+ - '*Local: crc32 compensation attack*'
+ - '*bad client public DH value*'
+ - '*Corrupted MAC on input*'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml
index 8476f6190..80b9d2c51 100644
--- a/rules/linux/other/lnx_susp_vsftp.yml
+++ b/rules/linux/other/lnx_susp_vsftp.yml 
@@ -1,37 +1,38 @@
 title: Suspicious VSFTPD Error Messages
 id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
-status: experimental
+status: test
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2017/07/05
 references:
- - https://github.com/dagwieers/vsftpd/
+ - https://github.com/dagwieers/vsftpd/
+date: 2017/07/05
+modified: 2021/11/27
 logsource:
- product: linux
- service: vsftpd
+ product: linux
+ service: vsftpd
 detection:
- keywords:
- - 'Connection refused: too many sessions for this address.'
- - 'Connection refused: tcp_wrappers denial.'
- - 'Bad HTTP verb.'
- - 'port and pasv both active'
- - 'pasv and port both active'
- - 'Transfer done (but failed to open directory).'
- - 'Could not set file modification time.'
- - 'bug: pid active in ptrace_sandbox_free'
- - 'PTRACE_SETOPTIONS failure'
- - 'weird status:'
- - "couldn't handle sandbox event"
- - 'syscall * out of bounds'
- - 'syscall not permitted:'
- - 'syscall validate failed:'
- - 'Input line too long.'
- - 'poor buffer accounting in str_netfd_alloc'
- - 'vsf_sysutil_read_loop'
- condition: keywords
+ keywords:
+ - 'Connection refused: too many sessions for this address.'
+ - 'Connection refused: tcp_wrappers denial.'
+ - 'Bad HTTP verb.'
+ - 'port and pasv both active'
+ - 'pasv and port both active'
+ - 'Transfer done (but failed to open directory).'
+ - 'Could not set file modification time.'
+ - 'bug: pid active in ptrace_sandbox_free'
+ - 'PTRACE_SETOPTIONS failure'
+ - 'weird status:'
+ - "couldn't handle sandbox event"
+ - 'syscall * out of bounds'
+ - 'syscall not permitted:'
+ - 'syscall validate failed:'
+ - 'Input line too long.'
+ - 'poor buffer accounting in str_netfd_alloc'
+ - 'vsf_sysutil_read_loop'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/linux/process_creation/lnx_base64_decode.yml b/rules/linux/process_creation/lnx_base64_decode.yml
index 62620cf4b..045007419 100644
--- a/rules/linux/process_creation/lnx_base64_decode.yml
+++ b/rules/linux/process_creation/lnx_base64_decode.yml
@@ -1,11 +1,12 @@
 title: Decode Base64 Encoded Text
 id: e2072cab-8c9a-459b-b63c-40ae79e27031
-status: experimental
+status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
@@ -19,4 +20,4 @@ falsepositives:
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1027
\ No newline at end of file
+ - attack.t1027
diff --git a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
index af52c7765..c26db2e42 100644
--- a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
+++ b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
@@ -1,11 +1,12 @@
 title: File and Directory Discovery
 id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
-status: experimental
+status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
@@ -26,4 +27,4 @@ falsepositives:
 level: informational
 tags:
 - attack.discovery
- - attack.t1083
\ No newline at end of file
+ - attack.t1083
diff --git a/rules/linux/process_creation/lnx_install_root_certificate.yml b/rules/linux/process_creation/lnx_install_root_certificate.yml
index 12af5d3d3..e1e66a138 100644
--- a/rules/linux/process_creation/lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/lnx_install_root_certificate.yml
@@ -1,23 +1,24 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+status: test
 description: Detects installed new certificate
-status: experimental
 author: Ömer Günal, oscd.community
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
 date: 2020/10/05
-tags:
- - attack.defense_evasion
- - attack.t1553.004
-level: low
+modified: 2021/11/27
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
- selection:
- Image|endswith:
- - '/update-ca-certificates'
- - '/update-ca-trust'
- condition: selection
+ selection:
+ Image|endswith:
+ - '/update-ca-certificates'
+ - '/update-ca-trust'
+ condition: selection
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
diff --git a/rules/linux/process_creation/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml
index 2e31f466d..a59756079 100644
--- a/rules/linux/process_creation/lnx_local_account.yml
+++ b/rules/linux/process_creation/lnx_local_account.yml
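Review bot: In the Install Root Certificate hunk, `Image|endswith` on `/update-ca-certificates` and `/update-ca-trust` fires on every invocation of the trust-store rebuild tools, not only when a new certificate has been dropped in, and package post-install hooks presumably call them on ordinary ca-certificates updates; the single falsepositive `Legitimate administration activities` does not convey that. I would add `- Package manager hooks rebuilding the trust store after a ca-certificates update` to falsepositives and state in the description that the rule only observes the rebuild step. Seeing which certificate was actually added would need a separate file-event rule on the trust-anchor directories, which this process_creation rule cannot provide.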
@@ -1,11 +1,12 @@
 title: Local System Accounts Discovery
 id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
-status: experimental
+status: test
 description: Detects enumeration of local systeam accounts
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+date: 2020/10/08
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/lnx_local_groups.yml b/rules/linux/process_creation/lnx_local_groups.yml
index 8df8a8157..b8a13846f 100644
--- a/rules/linux/process_creation/lnx_local_groups.yml
+++ b/rules/linux/process_creation/lnx_local_groups.yml
@@ -1,11 +1,12 @@
 title: Local Groups Discovery
 id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
-status: experimental
+status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+date: 2020/10/11
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/lnx_remote_system_discovery.yml b/rules/linux/process_creation/lnx_remote_system_discovery.yml
index 218053e15..632cde7af 100644
--- a/rules/linux/process_creation/lnx_remote_system_discovery.yml
+++ b/rules/linux/process_creation/lnx_remote_system_discovery.yml
@@ -1,11 +1,12 @@
 title: Linux Remote System Discovery
 id: 11063ec2-de63-4153-935e-b1a8b9e616f1
-status: experimental
+status: test
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+date: 2020/10/22
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
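Review bot: The Local System Accounts Discovery hunk keeps the context line `description: Detects enumeration of local systeam accounts`, and since this commit already rewrites the file's metadata block the typo should go with it: `description: Detects enumeration of local system accounts`. The rule's detection section is outside the hunk, so nothing else is reviewable here.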
diff --git a/rules/linux/process_creation/lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/lnx_schedule_task_job_cron.yml
index cd2540f96..a8c45fd7e 100644
--- a/rules/linux/process_creation/lnx_schedule_task_job_cron.yml
+++ b/rules/linux/process_creation/lnx_schedule_task_job_cron.yml
@@ -1,11 +1,12 @@
 title: Scheduled Cron Task/Job
 id: 6b14bac8-3e3a-4324-8109-42f0546a347f
-status: experimental
+status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
@@ -17,10 +18,10 @@ detection:
 - '/tmp/'
 condition: selection
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
 tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.003
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/process_creation/lnx_security_software_discovery.yml b/rules/linux/process_creation/lnx_security_software_discovery.yml
index 37a7f7871..dd93f19bd 100644
--- a/rules/linux/process_creation/lnx_security_software_discovery.yml
+++ b/rules/linux/process_creation/lnx_security_software_discovery.yml
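Review bot: In the second hunk of the cron rule the retained context line `- '/tmp/'` is the only staging path matched, so a crontab loaded from `/var/tmp/` or `/dev/shm/` is missed even though the description promises detection of jobs uploaded from the tmp folder; the head of that selection (which field is matched) is outside the hunk. I would extend the list to `- '/tmp/'`, `- '/var/tmp/'`, `- '/dev/shm/'`, which are the other world-writable locations an attacker would use for the same purpose. The description should also say that only the path given to crontab is inspected, not the installed cron file itself.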
@@ -1,11 +1,12 @@
 title: Security Software Discovery
 id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
-status: experimental
+status: test
 description: Detects usage of system utilities (only grep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
@@ -13,7 +14,7 @@ detection:
 grep_execution:
 Image|endswith: '/grep'
 security_services_and_processes:
- CommandLine|contains:
+ CommandLine|contains:
 - 'nessusd' # nessus vulnerability scanner
 - 'td-agent' # fluentd log shipper
 - 'packetbeat' # elastic network logger/shipper
@@ -28,4 +29,4 @@ falsepositives:
 level: low
 tags:
 - attack.discovery
- - attack.t1518.001
\ No newline at end of file
+ - attack.t1518.001
diff --git a/rules/linux/process_creation/lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/lnx_system_network_connections_discovery.yml
index 5f9642370..b013e068b 100644
--- a/rules/linux/process_creation/lnx_system_network_connections_discovery.yml
+++ b/rules/linux/process_creation/lnx_system_network_connections_discovery.yml
@@ -1,17 +1,18 @@
 title: System Network Connections Discovery
 id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
-status: experimental
+status: test
 description: Detects usage of system utilities to discover system network connections
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
 category: process_creation
 product: linux
 detection:
 selection:
- Image|endswith:
+ Image|endswith:
 - '/who'
 - '/w'
 - '/last'
@@ -23,4 +24,4 @@ falsepositives:
 level: low
 tags:
 - attack.discovery
- - attack.t1049
\ No newline at end of file
+ - attack.t1049
diff --git a/rules/linux/process_creation/lnx_system_network_discovery.yml b/rules/linux/process_creation/lnx_system_network_discovery.yml
index fa5c6f748..891e743f3 100644
--- a/rules/linux/process_creation/lnx_system_network_discovery.yml
+++ b/rules/linux/process_creation/lnx_system_network_discovery.yml
@@ -1,32 +1,33 @@
 title: System Network Discovery - Linux
 id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
-status: experimental
+status: test
 description: Detects enumeration of local network configuration
 author: Ömer Günal and remotephone, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection1:
- Image|endswith:
- - '/firewall-cmd'
- - '/ufw'
- - '/iptables'
- - '/netstat'
- - '/ss'
- - '/ip'
- - '/ifconfig'
- - '/systemd-resolve'
- - '/route'
- selection2:
- CommandLine|contains: '/etc/resolv.conf'
- condition: selection1 or selection2
+ selection1:
+ Image|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: selection1 or selection2
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: informational
 tags:
- - attack.discovery
- - attack.t1016
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 3c7dd2b36..2c261f2d9 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -1,29 +1,29 @@
 title: Cisco Clear Logs
 id: ceb407f6-8277-439b-951f-e4210e3ed956
-status: experimental
+status: test
 description: Clear command history in network OS which is used for defense evasion
 author: Austin Clark
 date: 2019/08/12
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'clear logging'
- - 'clear archive'
- condition: keywords
+ keywords:
+ - 'clear logging'
+ - 'clear archive'
+ condition: keywords
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Legitimate administrators may run these commands
+ - Legitimate administrators may run these commands
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1146 # an old one
- - attack.t1070.003
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1146 # an old one
+ - attack.t1070.003
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index 382f4edc3..d7735944d 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -1,37 +1,37 @@
 title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
-status: experimental
+status: test
 description: Collect pertinent data from the configuration files
 author: Austin Clark
 date: 2019/08/11
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'show running-config'
- - 'show startup-config'
- - 'show archive config'
- - 'more'
- condition: keywords
+ keywords:
+ - 'show running-config'
+ - 'show startup-config'
+ - 'show archive config'
+ - 'more'
+ condition: keywords
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Commonly run by administrators
+ - Commonly run by administrators
 level: low
 tags:
- - attack.discovery
- - attack.credential_access
- - attack.collection
- - attack.t1087 # an old one
- - attack.t1087.001
- - attack.t1003 # an old one
- - attack.t1081 # an old one
- - attack.t1552.001
- - attack.t1005
\ No newline at end of file
+ - attack.discovery
+ - attack.credential_access
+ - attack.collection
+ - attack.t1087 # an old one
+ - attack.t1087.001
+ - attack.t1003 # an old one
+ - attack.t1081 # an old one
+ - attack.t1552.001
+ - attack.t1005
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index c3d0c8e1d..b3dfc8fc4 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
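Review bot: The keyword `'more'` is a bare substring and will match any accounting record whose command text contains those four letters, not only the IOS file-reading form the other three `show ... config` keywords are aiming at; at `level: low` this is survivable, but it adds exactly the noise a collection rule is meant to avoid. I would anchor it on the file-system argument the command takes on IOS, e.g. `- 'more flash:'` and `- 'more nvram:'`, or at minimum `- 'more '` with the trailing space if the backend preserves it in keyword matches. How the accounting source tokenises `CmdSet` should be checked before narrowing, since that decides whether the trailing space survives.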
@@ -1,32 +1,33 @@
 title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
-status: experimental
+status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
 author: Austin Clark
 date: 2019/08/12
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'crypto pki export'
- - 'crypto pki import'
- - 'crypto pki trustpoint'
- condition: keywords
+ keywords:
+ - 'crypto pki export'
+ - 'crypto pki import'
+ - 'crypto pki trustpoint'
+ condition: keywords
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Not commonly run by administrators. Also whitelist your known good certificates
+ - Not commonly run by administrators. Also whitelist your known good certificates
 level: high
 tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1130 # an old one
- - attack.t1553.004
- - attack.t1145 # an old one
- - attack.t1552.004
\ No newline at end of file
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1130 # an old one
+ - attack.t1553.004
+ - attack.t1145 # an old one
+ - attack.t1552.004
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 79597722c..510ec7346 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -1,28 +1,29 @@
 title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
-status: experimental
+status: test
 description: Turn off logging locally or remote
 author: Austin Clark
 date: 2019/08/11
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'no logging'
- - 'no aaa new-model'
- condition: keywords
+ keywords:
+ - 'no logging'
+ - 'no aaa new-model'
+ condition: keywords
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1089 # an old one
- - attack.t1562.001
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.001
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index e60033e39..21f2741f0 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
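Review bot: `'no logging'` is matched as a substring, so `no logging console` and `no logging monitor`, which only silence terminal output and are common housekeeping, trigger this `level: high` rule just as `no logging host ...` does, and `falsepositives: Unknown` leaves the analyst to discover that in production. I would either list the noisy forms, `- Administrators disabling console or monitor output (no logging console, no logging monitor)`, or narrow the keywords to the export paths, e.g. `- 'no logging host'` and `- 'no logging trap'`, keeping `no aaa new-model` as it is. Whether the accounting source records the full argument string in `CmdSet` should be confirmed before narrowing.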
@@ -1,44 +1,45 @@
 title: Cisco Discovery
 id: 9705a6a1-6db6-4a16-a987-15b7151e299b
-status: experimental
+status: test
 description: Find information about network devices that is not stored in config files
 author: Austin Clark
 date: 2019/08/12
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'dir'
- - 'show processes'
- - 'show arp'
- - 'show cdp'
- - 'show version'
- - 'show ip route'
- - 'show ip interface'
- - 'show ip sockets'
- - 'show users'
- - 'show ssh'
- - 'show clock'
- condition: keywords
+ keywords:
+ - 'dir'
+ - 'show processes'
+ - 'show arp'
+ - 'show cdp'
+ - 'show version'
+ - 'show ip route'
+ - 'show ip interface'
+ - 'show ip sockets'
+ - 'show users'
+ - 'show ssh'
+ - 'show clock'
+ condition: keywords
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Commonly used by administrators for troubleshooting
+ - Commonly used by administrators for troubleshooting
 level: low
 tags:
- - attack.discovery
- - attack.t1083
- - attack.t1201
- - attack.t1057
- - attack.t1018
- - attack.t1082
- - attack.t1016
- - attack.t1049
- - attack.t1033
- - attack.t1124
\ No newline at end of file
+ - attack.discovery
+ - attack.t1083
+ - attack.t1201
+ - attack.t1057
+ - attack.t1018
+ - attack.t1082
+ - attack.t1016
+ - attack.t1049
+ - attack.t1033
+ - attack.t1124
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index 2ff856ea4..fc0c76fa9 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -1,28 +1,28 @@
 title: Cisco Denial of Service
 id: d94a35f0-7a29-45f6-90a0-80df6159967c
-status: experimental
+status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
 date: 2019/08/15
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'shutdown'
- - 'config-register 0x2100'
- - 'config-register 0x2142'
- condition: keywords
+ keywords:
+ - 'shutdown'
+ - 'config-register 0x2100'
+ - 'config-register 0x2142'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Legitimate administrators may run these commands, though rarely.
+ - Legitimate administrators may run these commands, though rarely.
 level: medium
 tags:
- - attack.impact
- - attack.t1495
- - attack.t1529
- - attack.t1492 # an old one
- - attack.t1565.001
\ No newline at end of file
+ - attack.impact
+ - attack.t1495
+ - attack.t1529
+ - attack.t1492 # an old one
+ - attack.t1565.001
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 4a015d9da..9849c2364 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
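Review bot: The keyword `'shutdown'` is also the interface-level command on IOS (`interface X` followed by `shutdown`, and `no shutdown` contains the same substring), so this rule fires on routine port administration, while the actual system-restart command `reload` is absent from the list even though the description says it detects a system being shut down. I would add `- 'reload'` alongside the two `config-register` keywords and record the overlap in falsepositives, e.g. `- Interface shutdown / no shutdown during normal port administration`. If the accounting source does not expose config-mode context, a separate lower-level rule for interface shutdown would be cleaner than keeping both meanings under `level: medium`.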
@@ -1,30 +1,31 @@
 title: Cisco File Deletion
 id: 71d65515-c436-43c0-841b-236b1f32c21e
-status: experimental
+status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
 date: 2019/08/12
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'erase'
- - 'delete'
- - 'format'
- condition: keywords
+ keywords:
+ - 'erase'
+ - 'delete'
+ - 'format'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Will be used sometimes by admins to clean up local flash space
+ - Will be used sometimes by admins to clean up local flash space
 level: medium
 tags:
- - attack.defense_evasion
- - attack.impact
- - attack.t1107 # an old one
- - attack.t1070.004
- - attack.t1488 # an old one
- - attack.t1561.001
- - attack.t1487 # an old one
- - attack.t1561.002
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1107 # an old one
+ - attack.t1070.004
+ - attack.t1488 # an old one
+ - attack.t1561.001
+ - attack.t1487 # an old one
+ - attack.t1561.002
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index ae65a5fab..27c70acec 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -1,27 +1,26 @@
 title: Cisco Show Commands Input
 id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
-status: experimental
+status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
 date: 2019/08/11
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'show history'
- - 'show history all'
- - 'show logging'
- condition: keywords
+ keywords:
+ - 'show history'
+ - 'show history all'
+ - 'show logging'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Not commonly run by administrators, especially if remote logging is configured
+ - Not commonly run by administrators, especially if remote logging is configured
 level: medium
 tags:
- - attack.credential_access
- - attack.t1139 # an old one
- - attack.t1552.003
-
\ No newline at end of file
+ - attack.credential_access
+ - attack.t1139 # an old one
+ - attack.t1552.003
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 821dbe734..0a57541c9 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -1,26 +1,26 @@
 title: Cisco Local Accounts
 id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
-status: experimental
+status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
 date: 2019/08/12
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'username'
- - 'aaa'
- condition: keywords
+ keywords:
+ - 'username'
+ - 'aaa'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - When remote authentication is in place, this should not change often
+ - When remote authentication is in place, this should not change often
 level: high
 tags:
- - attack.persistence
- - attack.t1136 # an old one
- - attack.t1136.001
- - attack.t1098
\ No newline at end of file
+ - attack.persistence
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.t1098
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index 71613c47a..e1b6d7684 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
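Review bot: This `level: high` rule exposes only `fields: - CmdSet`, while the sibling Cisco rules touched by the same commit (clear_logs, collect_data, crypto_actions, disable_logging, discovery) also surface `src`, `User`, `Privilege_Level` and `Remote_Address`; for an alert about a local account or AAA change, who issued the command and from where is the first thing an analyst needs. I would align the field list with those five entries so the alerts are triaged the same way. Separately, `'aaa'` as a bare substring also matches read-only `show aaa ...` commands, so a falsepositive entry such as `- Read-only show aaa commands run during troubleshooting` would save tuning later.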
@@ -1,36 +1,36 @@
 title: Cisco Modify Configuration
 id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
-status: experimental
+status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
 date: 2019/08/12
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'ip http server'
- - 'ip https server'
- - 'kron policy-list'
- - 'kron occurrence'
- - 'policy-list'
- - 'access-list'
- - 'ip access-group'
- - 'archive maximum'
- condition: keywords
+ keywords:
+ - 'ip http server'
+ - 'ip https server'
+ - 'kron policy-list'
+ - 'kron occurrence'
+ - 'policy-list'
+ - 'access-list'
+ - 'ip access-group'
+ - 'archive maximum'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Legitimate administrators may run these commands
+ - Legitimate administrators may run these commands
 level: medium
 tags:
- - attack.persistence
- - attack.impact
- - attack.t1490
- - attack.t1505
- - attack.t1493 # an old one
- - attack.t1565.002
- - attack.t1168 # an old one
- - attack.t1053
\ No newline at end of file
+ - attack.persistence
+ - attack.impact
+ - attack.t1490
+ - attack.t1505
+ - attack.t1493 # an old one
+ - attack.t1565.002
+ - attack.t1168 # an old one
+ - attack.t1053
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index 2135454b5..a80bbfb5b 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -1,34 +1,34 @@
 title: Cisco Stage Data
 id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
-status: experimental
+status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
 date: 2019/08/12
-modified: 2020/09/02
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'tftp'
- - 'rcp'
- - 'puts'
- - 'copy'
- - 'configure replace'
- - 'archive tar'
- condition: keywords
+ keywords:
+ - 'tftp'
+ - 'rcp'
+ - 'puts'
+ - 'copy'
+ - 'configure replace'
+ - 'archive tar'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Generally used to copy configs or IOS images
+ - Generally used to copy configs or IOS images
 level: low
 tags:
- - attack.collection
- - attack.lateral_movement
- - attack.command_and_control
- - attack.exfiltration
- - attack.t1074
- - attack.t1105
- - attack.t1002 # an old one
- - attack.t1560.001
\ No newline at end of file
+ - attack.collection
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.exfiltration
+ - attack.t1074
+ - attack.t1105
+ - attack.t1002 # an old one
+ - attack.t1560.001
diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index a24582e69..a6d646dd1 100644
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -1,25 +1,26 @@
 title: Cisco Sniffing
 id: b9e1f193-d236-4451-aaae-2f3d2102120d
-status: experimental
+status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
 date: 2019/08/11
+modified: 2021/11/27
 logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
+ product: cisco
+ service: aaa
+ category: accounting
 detection:
- keywords:
- - 'monitor capture point'
- - 'set span'
- - 'set rspan'
- condition: keywords
+ keywords:
+ - 'monitor capture point'
+ - 'set span'
+ - 'set rspan'
+ condition: keywords
+fields:
+ - CmdSet
 falsepositives:
- - Admins may setup new or modify old spans, or use a monitor for troubleshooting
+ - Admins may setup new or modify old spans, or use a monitor for troubleshooting
 level: medium
 tags:
- - attack.credential_access
- - attack.discovery
- - attack.t1040
\ No newline at end of file
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
diff --git a/rules/network/net_apt_equationgroup_c2.yml b/rules/network/net_apt_equationgroup_c2.yml
index 40d04f152..162c60a74 100755
--- a/rules/network/net_apt_equationgroup_c2.yml
+++ b/rules/network/net_apt_equationgroup_c2.yml
@@ -1,28 +1,29 @@ title: Equation Group C2 Communication id: 881834a4-6659-4773-821e-1c151789d873 +status: test description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools -status: experimental author: Florian Roth -date: 2017/04/15 references: - - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation - - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 + - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation + - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +date: 2017/04/15 +modified: 2021/11/27 logsource: - category: firewall + category: firewall detection: - outgoing: - dst_ip: - - '69.42.98.86' - - '89.185.234.145' - incoming: - src_ip: - - '69.42.98.86' - - '89.185.234.145' - condition: 1 of them + outgoing: + dst_ip: + - '69.42.98.86' + - '89.185.234.145' + incoming: + src_ip: + - '69.42.98.86' + - '89.185.234.145' + condition: 1 of them falsepositives: - - Unknown + - Unknown level: high tags: - - attack.command_and_control - - attack.g0020 - - attack.t1041 + - attack.command_and_control + - attack.g0020 + - attack.t1041 diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml index d71075e43..497ab0b5f 100644 --- a/rules/network/net_dns_c2_detection.yml +++ b/rules/network/net_dns_c2_detection.yml 
@@ -1,27 +1,26 @@ title: Possible DNS Tunneling id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e -status: experimental -description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, - which can be an indicator that DNS is used to transfer data. +status: test +description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. author: Patrick Bareiss -date: 2019/04/07 -modified: 2020/08/27 references: - - https://zeltser.com/c2-dns-tunneling/ - - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ + - https://zeltser.com/c2-dns-tunneling/ + - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ +date: 2019/04/07 +modified: 2021/11/27 logsource: - category: dns + category: dns detection: - selection: - parent_domain: '*' - condition: selection | count(dns_query) by parent_domain > 1000 + selection: + parent_domain: '*' + condition: selection | count(dns_query) by parent_domain > 1000 falsepositives: - - Valid software, which uses dns for transferring data + - Valid software, which uses dns for transferring data level: high tags: - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 - - attack.exfiltration - - attack.t1048 # an old one - - attack.t1048.003 \ No newline at end of file + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 + - attack.exfiltration + - attack.t1048 # an old one + - attack.t1048.003 diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml index 655a71280..92fb83d52 100644 --- a/rules/network/net_high_null_records_requests_rate.yml +++ b/rules/network/net_high_null_records_requests_rate.yml 
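Review bot: The aggregation `condition: selection | count(dns_query) by parent_domain > 1000` carries no `timeframe`, so the 1000-query threshold applies over whatever window the backend happens to use and the "high amount of queries" the description promises is unbounded in time. The sibling rules in this same commit (net_high_null_records_requests_rate and net_high_txt_records_requests_rate) both pin `timeframe: 1m` next to their selection. Promoting this rule to `status: test` is the moment to add a window under `detection`, e.g. `timeframe: 1h` (example value; the maintainer should pick the one the threshold was tuned for).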
@@ -1,24 +1,24 @@ title: High NULL Records Requests Rate id: 44ae5117-9c44-40cf-9c7c-7edad385ca70 -status: experimental +status: test description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: dns + category: dns detection: - selection: - record_type: "NULL" - timeframe: 1m - condition: selection | count() by src_ip > 50 + selection: + record_type: "NULL" + timeframe: 1m + condition: selection | count() by src_ip > 50 falsepositives: - - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist + - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist level: medium tags: - - attack.exfiltration - - attack.t1048 # an old one - - attack.t1048.003 - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 + - attack.exfiltration + - attack.t1048 # an old one + - attack.t1048.003 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml index 5fc2f50b5..4b4bcdabb 100644 --- a/rules/network/net_high_txt_records_requests_rate.yml +++ b/rules/network/net_high_txt_records_requests_rate.yml 
@@ -1,24 +1,24 @@ title: High TXT Records Requests Rate id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35 -status: experimental +status: test description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: dns + category: dns detection: - selection: - record_type: "TXT" - timeframe: 1m - condition: selection | count() by src_ip > 50 + selection: + record_type: "TXT" + timeframe: 1m + condition: selection | count() by src_ip > 50 falsepositives: - - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist + - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist level: medium tags: - - attack.exfiltration - - attack.t1048 # an old one - - attack.t1048.003 - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 \ No newline at end of file + - attack.exfiltration + - attack.t1048 # an old one + - attack.t1048.003 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 4e97c3493..9ea3d56d2 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml 
@@ -1,27 +1,27 @@ title: DNS TXT Answer with Possible Execution Strings id: 8ae51330-899c-4641-8125-e39f2e07da72 -status: experimental +status: test description: Detects strings used in command execution in DNS TXT Answer author: Markus Neis -date: 2018/08/08 -modified: 2020/08/27 references: - - https://twitter.com/stvemillertime/status/1024707932447854592 - - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 + - https://twitter.com/stvemillertime/status/1024707932447854592 + - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 +date: 2018/08/08 +modified: 2021/11/27 logsource: - category: dns + category: dns detection: - selection: - record_type: 'TXT' - answer|contains: - - 'IEX' - - 'Invoke-Expression' - - 'cmd.exe' - condition: selection + selection: + record_type: 'TXT' + answer|contains: + - 'IEX' + - 'Invoke-Expression' + - 'cmd.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 diff --git a/rules/network/net_susp_network_scan_by_ip.yml b/rules/network/net_susp_network_scan_by_ip.yml index 518b5d685..ab443fc66 100644 --- a/rules/network/net_susp_network_scan_by_ip.yml +++ b/rules/network/net_susp_network_scan_by_ip.yml 
@@ -1,26 +1,26 @@ title: Network Scans Count By Destination IP id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 -status: experimental +status: test description: Detects many failed connection attempts to different ports or hosts author: Thomas Patzke date: 2017/02/19 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: firewall -tags: - - attack.discovery - - attack.t1046 + category: firewall detection: - selection: - action: denied - timeframe: 24h - condition: selection | count(dst_ip) by src_ip > 10 -falsepositives: - - Inventarization systems - - Vulnerability scans - - Penetration testing activity -level: medium + selection: + action: denied + timeframe: 24h + condition: selection | count(dst_ip) by src_ip > 10 fields: - - src_ip - - dst_ip - - dst_port \ No newline at end of file + - src_ip + - dst_ip + - dst_port +falsepositives: + - Inventarization systems + - Vulnerability scans + - Penetration testing activity +level: medium +tags: + - attack.discovery + - attack.t1046 diff --git a/rules/network/net_wannacry_killswitch_domain.yml b/rules/network/net_wannacry_killswitch_domain.yml index ab0f3a46e..52eb64c33 100644 --- a/rules/network/net_wannacry_killswitch_domain.yml +++ b/rules/network/net_wannacry_killswitch_domain.yml 
@@ -1,26 +1,27 @@ title: Wannacry Killswitch Domain id: 3eaf6218-3bed-4d8a-8707-274096f12a18 -status: experimental +status: test description: Detects wannacry killswitch domain dns queries -references: - - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html author: Mike Wade +references: + - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html date: 2020/09/16 -tags: - - attack.command_and_control - - attack.t1071.001 +modified: 2021/11/27 logsource: - category: dns + category: dns detection: - selection: - query: - - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing' - - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test' - - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com' - - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com' - - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com' - - '' - condition: selection + selection: + query: + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing' + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test' + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com' + - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com' + - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com' + - '' + condition: selection falsepositives: - - Analyst testing -level: high \ No newline at end of file + - Analyst testing +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index 0cba260b8..0f3048cee 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml 
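Review bot: The last entry of the `query` list on the new side is an empty string (`- ''`), which is not a killswitch domain. Depending on the backend an empty value in an OR-list becomes either a match on empty query names or an always-true wildcard, and either way it adds noise to a `level: high` rule that is now being promoted to `status: test`. Dropping that line and keeping only the five domains is the fix.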
@@ -1,54 +1,55 @@ title: MITRE BZAR Indicators for Execution id: b640c0b8-87f8-4daa-aef8-95a24261dd1d +status: test description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE' -status: experimental author: '@neu5ron, SOC Prime' -date: 2020/03/19 references: - - https://github.com/mitre-attack/bzar#indicators-for-attck-execution -tags: - - attack.execution - - attack.t1035 # an old one - - attack.t1047 - - attack.t1053 # an old one - - attack.t1053.002 - - attack.t1569.002 + - https://github.com/mitre-attack/bzar#indicators-for-attck-execution +date: 2020/03/19 +modified: 2021/11/27 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'JobAdd' - operation: 'atsvc' - op2: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcEnableTask' - op3: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRegisterTask' - op4: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRun' - op5: - endpoint: 'IWbemServices' - operation: 'ExecMethod' - op6: - endpoint: 'IWbemServices' - operation: 'ExecMethodAsync' - op7: - endpoint: 'svcctl' - operation: 'CreateServiceA' - op8: - endpoint: 'svcctl' - operation: 'CreateServiceW' - op9: - endpoint: 'svcctl' - operation: 'StartServiceA' - op10: - endpoint: 'svcctl' - operation: 'StartServiceW' - condition: 1 of them + op1: + endpoint: 'JobAdd' + operation: 'atsvc' + op2: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcEnableTask' + op3: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRegisterTask' + op4: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRun' + op5: + endpoint: 'IWbemServices' + operation: 'ExecMethod' + op6: + endpoint: 'IWbemServices' + operation: 'ExecMethodAsync' + op7: + endpoint: 'svcctl' + operation: 'CreateServiceA' + op8: + endpoint: 'svcctl' + operation: 'CreateServiceW' + op9: + endpoint: 
'svcctl' + operation: 'StartServiceA' + op10: + endpoint: 'svcctl' + operation: 'StartServiceW' + condition: 1 of them falsepositives: - - 'Windows administrator tasks or troubleshooting' - - 'Windows management scripts or software' + - 'Windows administrator tasks or troubleshooting' + - 'Windows management scripts or software' level: medium +tags: + - attack.execution + - attack.t1035 # an old one + - attack.t1047 + - attack.t1053 # an old one + - attack.t1053.002 + - attack.t1569.002 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index 0fd11985f..4e2eef82d 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml 
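Review bot: In `op1` the two values look swapped: `endpoint: 'JobAdd'` / `operation: 'atsvc'`, whereas every other entry in this hunk puts the RPC interface in `endpoint` (ITaskSchedulerService, IWbemServices, svcctl) and the method in `operation`. If the Zeek dce_rpc mapping is the same for all ten entries, op1 can never match and the at-job indicator is silently dead while the rule moves to `status: test`. The fix is `endpoint: 'atsvc'` and `operation: 'JobAdd'`.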
@@ -1,39 +1,40 @@ title: MITRE BZAR Indicators for Persistence id: 53389db6-ba46-48e3-a94c-e0f2cefe1583 +status: test description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.' -status: experimental author: '@neu5ron, SOC Prime' -date: 2020/03/19 references: - - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence -tags: - - attack.persistence - - attack.t1004 # an old one - - attack.t1547.004 + - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence +date: 2020/03/19 +modified: 2021/11/27 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'spoolss' - operation: 'RpcAddMonitor' - op2: - endpoint: 'spoolss' - operation: 'RpcAddPrintProcessor' - op3: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddMonitor' - op4: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddPrintProcessor' - op5: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonW' - op6: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonExW' - condition: 1 of them + op1: + endpoint: 'spoolss' + operation: 'RpcAddMonitor' + op2: + endpoint: 'spoolss' + operation: 'RpcAddPrintProcessor' + op3: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddMonitor' + op4: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddPrintProcessor' + op5: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonW' + op6: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonExW' + condition: 1 of them falsepositives: - - 'Windows administrator tasks or troubleshooting' - - 'Windows management scripts or software' + - 'Windows administrator tasks or troubleshooting' + - 'Windows management scripts or software' level: medium +tags: + - attack.persistence + - attack.t1004 # an old one + - attack.t1547.004 
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index 5674e70d6..81609c8b9 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml @@ -1,27 +1,27 @@ title: Executable from Webdav -description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/" id: aac2fd97-bcba-491b-ad66-a6edf89c71bf +status: test +description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/" author: 'SOC Prime, Adam Swan' references: - - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html - - https://github.com/OTRF/detection-hackathon-apt29 -tags: - - attack.command_and_control - - attack.t1105 -logsource: - product: zeek - service: http + - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html + - https://github.com/OTRF/detection-hackathon-apt29 date: 2020/05/01 -modified: 2020/09/02 +modified: 2021/11/27 +logsource: + product: zeek + service: http detection: - selection_webdav: - - c-useragent|contains: 'WebDAV' - - c-uri|contains: 'webdav' - selection_executable: - - resp_mime_types|contains: 'dosexec' - - c-uri|endswith: '.exe' - condition: selection_webdav and selection_executable + selection_webdav: + - c-useragent|contains: 'WebDAV' + - c-uri|contains: 'webdav' + selection_executable: + - resp_mime_types|contains: 'dosexec' + - c-uri|endswith: '.exe' + condition: selection_webdav and selection_executable falsepositives: - - unknown + - unknown level: medium -status: experimental +tags: + - attack.command_and_control + - attack.t1105 
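Review bot: The selections mix two field taxonomies for one logsource: `c-useragent|contains` and `c-uri|contains`/`c-uri|endswith` are proxy-style names, while `resp_mime_types|contains` is the Zeek-native column, and the sibling rule zeek_http_webdav_put_request (same product/service) uses `user_agent` and `method` instead. Unless the backend field mapping covers both spellings, one of these two rules matches nothing, and promoting both to `status: test` hides that. Settling on one naming scheme for the zeek/http rules, with a note in `references` or a comment on the selection explaining the mapping, would make the contract explicit.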
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml index b02c7e6a9..bb86f47a2 100644 --- a/rules/network/zeek/zeek_http_webdav_put_request.yml +++ b/rules/network/zeek/zeek_http_webdav_put_request.yml @@ -1,27 +1,28 @@ title: WebDav Put Request id: 705072a5-bb6f-4ced-95b6-ecfa6602090b -status: experimental +status: test description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.exfiltration - - attack.t1048.003 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/17 + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: zeek - service: http + product: zeek + service: http detection: - selection: - user_agent|contains: 'WebDAV' - method: 'PUT' - filter: - id.resp_h: - - 192.168.0.0/16 - - 172.16.0.0/12 - - 10.0.0.0/8 - condition: selection and not filter + selection: + user_agent|contains: 'WebDAV' + method: 'PUT' + filter: + id.resp_h: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 + condition: selection and not filter falsepositives: - - unknown -level: low \ No newline at end of file + - unknown +level: low +tags: + - attack.exfiltration + - attack.t1048.003 diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index cd6236b45..a6f2b4307 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml 
@@ -1,27 +1,28 @@ title: Remote Task Creation via ATSVC Named Pipe - Zeek id: dde85b37-40cd-4a94-b00c-0b8794f956b5 +status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe -status: experimental author: 'Samir Bousseaden, @neu5rn' -date: 2020/04/03 references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml -tags: - - attack.lateral_movement - - attack.persistence - - attack.t1053 # an old one - - car.2013-05-004 - - car.2015-04-001 - - attack.t1053.002 + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml +date: 2020/04/03 +modified: 2021/11/27 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - path: \\*\IPC$ - name: atsvc + selection: + path: \\*\IPC$ + name: atsvc #Accesses: '*WriteData*' - condition: selection + condition: selection falsepositives: - - unknown + - unknown level: medium +tags: + - attack.lateral_movement + - attack.persistence + - attack.t1053 # an old one + - car.2013-05-004 + - car.2015-04-001 + - attack.t1053.002 diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index ad1cf11d4..98ad4d204 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml 
@@ -1,28 +1,29 @@ title: Possible Impacket SecretDump Remote Activity - Zeek id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e +status: test description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml' -status: experimental author: 'Samir Bousseaden, @neu5ron' -date: 2020/03/19 references: - - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.003 + - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +date: 2020/03/19 +modified: 2021/11/27 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - path|contains|all: - - '\' - - 'ADMIN$' - name|contains: 'SYSTEM32\' - name|endswith: '.tmp' - condition: selection + selection: + path|contains|all: + - '\' + - 'ADMIN$' + name|contains: 'SYSTEM32\' + name|endswith: '.tmp' + condition: selection falsepositives: - - 'unknown' + - 'unknown' level: high +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index 59ab04cef..d1836b625 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml 
@@ -1,42 +1,43 @@ title: First Time Seen Remote Named Pipe - Zeek id: 021310d9-30a6-480a-84b7-eaa69aeb92bb +status: test description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes -status: experimental author: 'Samir Bousseaden, @neu5ron' -date: 2020/04/02 references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml -tags: - - attack.lateral_movement - - attack.t1077 # an old one - - attack.t1021.002 + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml +date: 2020/04/02 +modified: 2021/11/27 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection1: - path: \\*\IPC$ - selection2: - path: \\*\IPC$ - name: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' - condition: selection1 and not selection2 + selection1: + path: \\*\IPC$ + selection2: + path: \\*\IPC$ + name: + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' + condition: selection1 and not selection2 falsepositives: - - update the excluded named pipe to filter out any newly observed legit named pipe + - update the excluded named pipe to filter out any newly observed legit named pipe level: high +tags: + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index cfa97b269..13162d6a0 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -1,33 +1,34 @@ title: Suspicious PsExec Execution - Zeek id: f1b3a22a-45e6-4004-afb5-4291f9c21166 +status: test description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one -status: experimental author: 'Samir Bousseaden, @neu5ron' -date: 2020/04/02 references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml -tags: - - attack.lateral_movement - - attack.t1077 # an old one - - attack.t1021.002 + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml +date: 2020/04/02 +modified: 2021/11/27 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection1: - path|contains|all: - - '\\' - - '\IPC$' - name|endswith: - - '-stdin' - - '-stdout' - - '-stderr' - selection2: - name|contains|all: - - '\\' - - '\IPC$' - path|startswith: 'PSEXESVC' - condition: selection1 and not selection2 + selection1: + path|contains|all: + - '\\' + - '\IPC$' + name|endswith: + - '-stdin' + - '-stdout' + - '-stderr' + selection2: + name|contains|all: + - '\\' + - '\IPC$' + path|startswith: 'PSEXESVC' + condition: selection1 and not selection2 falsepositives: - - nothing observed so far + - nothing observed so far level: high +tags: + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 
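Review bot: `selection2` uses the Zeek fields in the opposite roles from `selection1`: selection1 expects the share in `path` (`path|contains|all` with `\IPC$`) and the pipe in `name` (`name|endswith` -stdin/-stdout/-stderr), while selection2 expects `name|contains|all` with `\IPC$` and `path|startswith: 'PSEXESVC'`. For a single smb_files record the same field cannot hold both the share and the pipe, so selection2 can never match a record selection1 matched, `and not selection2` filters nothing, and the rule fires on the stock PsExec the description says it excludes. Swapping the two keys in selection2 to `path|contains|all` and `name|startswith: 'PSEXESVC'` restores the intended exclusion.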
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index f75bbce68..d2fc92f84 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -1,13 +1,12 @@ title: Suspicious Access to Sensitive File Extensions - Zeek id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc +status: test description: Detects known sensitive file extensions via Zeek -status: experimental author: 'Samir Bousseaden, @neu5ron' -date: 2020/04/02 -references: +references: - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml -tags: - - attack.collection +date: 2020/04/02 +modified: 2021/11/27 logsource: product: zeek service: smb_files @@ -28,11 +27,13 @@ detection: - '.rdp' condition: selection fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - RelativeTargetName + - ComputerName + - SubjectDomainName + - SubjectUserName + - RelativeTargetName falsepositives: - - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software - - Users working with these data types or exchanging message files + - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software + - Users working with these data types or exchanging message files level: medium +tags: + - attack.collection diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml index f9183b840..848b04118 100644 --- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml +++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml 
@@ -1,32 +1,33 @@ title: Transferring Files with Credential Data via Network Shares - Zeek id: 2e69f167-47b5-4ae7-a390-47764529eff5 +status: test description: Transferring files with well-known filenames (sensitive files with credential data) using network shares author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' -date: 2020/04/02 references: - - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 - - attack.t1003.001 - - attack.t1003.003 + - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +date: 2020/04/02 +modified: 2021/11/27 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - name: - - '\mimidrv' - - '\lsass' - - '\windows\minidump\' - - '\hiberfil' - - '\sqldmpr' - - '\sam' - - '\ntds.dit' - - '\security' - condition: selection + selection: + name: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection falsepositives: - - Transferring sensitive files for legitimate administration work by legitimate administrator + - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -status: experimental +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 23867c4e2..5b2517060 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml 
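Review bot: The `name` list under `selection` has no modifier, so Sigma applies whole-value matching, yet the values are fragments that only make sense as substrings: `'\windows\minidump\'` is a directory prefix and `'\lsass'`, `'\sam'`, `'\ntds.dit'` lack the rest of the path. Unless the Zeek `name` field is exactly one of these strings the rule never fires, which a promotion to `status: test` would not reveal. `name|contains:` over the same list appears to be the intent; the referenced Windows rule should be checked to confirm which modifier it uses.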
@@ -1,25 +1,26 @@ title: Kerberos Network Traffic RC4 Ticket Encryption id: 503fe26e-b5f2-4944-a126-eab405cc06e5 -status: experimental -author: sigma -date: 2020/02/12 +status: test description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting +author: sigma references: - - https://adsecurity.org/?p=3458 -tags: - - attack.credential_access - - attack.t1208 # an old one - - attack.t1558.003 + - https://adsecurity.org/?p=3458 +date: 2020/02/12 +modified: 2021/11/27 logsource: - product: zeek - service: kerberos + product: zeek + service: kerberos detection: - selection: - request_type: 'TGS' - cipher: 'rc4-hmac' - computer_acct: - service|startswith: '$' - condition: selection and not computer_acct + selection: + request_type: 'TGS' + cipher: 'rc4-hmac' + computer_acct: + service|startswith: '$' + condition: selection and not computer_acct falsepositives: - - normal enterprise SPN requests activity + - normal enterprise SPN requests activity level: medium +tags: + - attack.credential_access + - attack.t1208 # an old one + - attack.t1558.003 diff --git a/rules/proxy/proxy_apt40.yml b/rules/proxy/proxy_apt40.yml index ddb610484..56869f0ef 100644 --- a/rules/proxy/proxy_apt40.yml +++ b/rules/proxy/proxy_apt40.yml 
@@ -1,29 +1,29 @@ title: APT40 Dropbox Tool User Agent id: 5ba715b6-71b7-44fd-8245-f66893e81b3d -status: experimental +status: test description: Detects suspicious user agent string of APT40 Dropbox tool author: Thomas Patzke references: - - Internal research from Florian Roth + - Internal research from Florian Roth date: 2019/11/12 -modified: 2020/09/02 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' - r-dns: 'api.dropbox.com' - condition: selection + selection: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' + r-dns: 'api.dropbox.com' + condition: selection fields: - - c-ip - - c-uri + - c-ip + - c-uri falsepositives: - - Old browsers + - Old browsers level: high tags: - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one - - attack.exfiltration - - attack.t1567.002 - - attack.t1048 # an old one \ No newline at end of file + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one + - attack.exfiltration + - attack.t1567.002 + - attack.t1048 # an old one diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 5fd9a8641..65b74bef3 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml 
@@ -1,25 +1,26 @@ title: Chafer Malware URL Pattern id: fb502828-2db0-438e-93e6-801c7548686d -status: experimental +status: test description: Detects HTTP requests used by Chafer malware author: Florian Roth -date: 2019/01/31 references: - - https://securelist.com/chafer-used-remexi-malware/89538/ + - https://securelist.com/chafer-used-remexi-malware/89538/ +date: 2019/01/31 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: '/asp.asp?ui=' - condition: selection + selection: + c-uri|contains: '/asp.asp?ui=' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index e604589b8..a935a6980 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml @@ -1,13 +1,13 @@ title: CobaltStrike Malleable Amazon Browsing Traffic Profile id: 953b895e-5cc9-454b-b183-7f3db555452e -status: experimental +status: test description: Detects Malleable Amazon Profile author: Markus Neis -date: 2019/11/12 -modified: 2020/09/02 references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 +date: 2019/11/12 +modified: 2021/11/27 logsource: category: proxy detection: diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index d657963aa..4c45e33c7 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml 
@@ -1,25 +1,25 @@ title: CobaltStrike Malleable (OCSP) Profile id: 37325383-740a-403d-b1a2-b2b4ab7992e7 -status: experimental +status: test description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL author: Markus Neis -date: 2019/11/12 -modified: 2020/09/02 references: - - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile -tags: - - attack.defense_evasion - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile +date: 2019/11/12 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: '/oscp/' - cs-host: 'ocsp.verisign.com' + selection: + c-uri|contains: '/oscp/' + cs-host: 'ocsp.verisign.com' - condition: selection + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml index 4a73e87b4..995af3374 100644 --- a/rules/proxy/proxy_download_susp_dyndns.yml +++ b/rules/proxy/proxy_download_susp_dyndns.yml 
@@ -1,115 +1,115 @@ title: Download from Suspicious Dyndns Hosts id: 195c1119-ef07-4909-bb12-e66f5e07bf3c -status: experimental +status: test description: Detects download of certain file types from hosts with dynamic DNS names (selected list) author: Florian Roth -date: 2017/11/08 -modified: 2020/09/03 references: - - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats + - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats +date: 2017/11/08 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri-extension: - - 'exe' - - 'vbs' - - 'bat' - - 'rar' - - 'ps1' - - 'doc' - - 'docm' - - 'xls' - - 'xlsm' - - 'pptm' - - 'rtf' - - 'hta' - - 'dll' - - 'ws' - - 'wsf' - - 'sct' - - 'zip' + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns|endswith: - - '.hopto.org' - - '.no-ip.org' - - '.no-ip.info' - - '.no-ip.biz' - - '.no-ip.com' - - '.noip.com' - - '.ddns.name' - - '.myftp.org' - - '.myftp.biz' - - '.serveblog.net' - - '.servebeer.com' - - '.servemp3.com' - - '.serveftp.com' - - '.servequake.com' - - '.servehalflife.com' - - '.servehttp.com' - - '.servegame.com' - - '.servepics.com' - - '.myvnc.com' - - '.ignorelist.com' - - '.jkub.com' - - '.dlinkddns.com' - - '.jumpingcrab.com' - - '.ddns.info' - - '.mooo.com' - - '.dns-dns.com' - - '.strangled.net' - - '.adultdns.net' - - '.craftx.biz' - - '.ddns01.com' - - '.dns53.biz' - - '.dnsapi.info' - - '.dnsd.info' - - '.dnsdynamic.com' - - '.dnsdynamic.net' - - '.dnsget.org' - - '.fe100.net' - - '.flashserv.net' - - '.ftp21.net' - - '.http01.com' - - '.http80.info' - - '.https443.com' - - '.imap01.com' - - 
'.kadm5.com' - - '.mysq1.net' - - '.ns360.info' - - '.ntdll.net' - - '.ole32.com' - - '.proxy8080.com' - - '.sql01.com' - - '.ssh01.com' - - '.ssh22.net' - - '.tempors.com' - - '.tftpd.net' - - '.ttl60.com' - - '.ttl60.org' - - '.user32.com' - - '.voip01.com' - - '.wow64.net' - - '.x64.me' - - '.xns01.com' - - '.dyndns.org' - - '.dyndns.info' - - '.dyndns.tv' - - '.dyndns-at-home.com' - - '.dnsomatic.com' - - '.zapto.org' - - '.webhop.net' - - '.25u.com' - - '.slyip.net' - condition: selection + r-dns|endswith: + - '.hopto.org' + - '.no-ip.org' + - '.no-ip.info' + - '.no-ip.biz' + - '.no-ip.com' + - '.noip.com' + - '.ddns.name' + - '.myftp.org' + - '.myftp.biz' + - '.serveblog.net' + - '.servebeer.com' + - '.servemp3.com' + - '.serveftp.com' + - '.servequake.com' + - '.servehalflife.com' + - '.servehttp.com' + - '.servegame.com' + - '.servepics.com' + - '.myvnc.com' + - '.ignorelist.com' + - '.jkub.com' + - '.dlinkddns.com' + - '.jumpingcrab.com' + - '.ddns.info' + - '.mooo.com' + - '.dns-dns.com' + - '.strangled.net' + - '.adultdns.net' + - '.craftx.biz' + - '.ddns01.com' + - '.dns53.biz' + - '.dnsapi.info' + - '.dnsd.info' + - '.dnsdynamic.com' + - '.dnsdynamic.net' + - '.dnsget.org' + - '.fe100.net' + - '.flashserv.net' + - '.ftp21.net' + - '.http01.com' + - '.http80.info' + - '.https443.com' + - '.imap01.com' + - '.kadm5.com' + - '.mysq1.net' + - '.ns360.info' + - '.ntdll.net' + - '.ole32.com' + - '.proxy8080.com' + - '.sql01.com' + - '.ssh01.com' + - '.ssh22.net' + - '.tempors.com' + - '.tftpd.net' + - '.ttl60.com' + - '.ttl60.org' + - '.user32.com' + - '.voip01.com' + - '.wow64.net' + - '.x64.me' + - '.xns01.com' + - '.dyndns.org' + - '.dyndns.info' + - '.dyndns.tv' + - '.dyndns-at-home.com' + - '.dnsomatic.com' + - '.zapto.org' + - '.webhop.net' + - '.25u.com' + - '.slyip.net' + condition: selection fields: - - cs-ip - - c-uri + - cs-ip + - c-uri falsepositives: - - Software downloads + - Software downloads level: medium tags: - - attack.defense_evasion - - 
attack.command_and_control - - attack.t1105 - - attack.t1568 + - attack.defense_evasion + - attack.command_and_control + - attack.t1105 + - attack.t1568 diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index 76081c8d8..739a09478 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml 
@@ -1,116 +1,116 @@ title: Download from Suspicious TLD id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 -status: experimental +status: test description: Detects download of certain file types from hosts in suspicious TLDs author: Florian Roth -date: 2017/11/07 -modified: 2020/09/03 references: - - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf - - https://www.spamhaus.org/statistics/tlds/ - - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ + - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap + - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf + - https://www.spamhaus.org/statistics/tlds/ + - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ +date: 2017/11/07 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri-extension: - - 'exe' - - 'vbs' - - 'bat' - - 'rar' - - 'ps1' - - 'doc' - - 'docm' - - 'xls' - - 'xlsm' - - 'pptm' - - 'rtf' - - 'hta' - - 'dll' - - 'ws' - - 'wsf' - - 'sct' - - 'zip' + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns|endswith: + r-dns|endswith: # Symantec / Chris Larsen analysis - - '.country' - - '.stream' - - '.gdn' - - '.mom' - - '.xin' - - '.kim' - - '.men' - - '.loan' - - '.download' - - '.racing' - - '.online' - - '.science' - - '.ren' - - '.gb' - - '.win' - - '.top' - - '.review' - - '.vip' - - '.party' - - '.tech' - - '.xyz' - - '.date' - - '.faith' - - '.zip' - - '.cricket' - - '.space' + - '.country' + - '.stream' + - '.gdn' + - '.mom' + - '.xin' + - '.kim' + - '.men' + - '.loan' + - '.download' + - '.racing' + - '.online' + - '.science' + - 
'.ren' + - '.gb' + - '.win' + - '.top' + - '.review' + - '.vip' + - '.party' + - '.tech' + - '.xyz' + - '.date' + - '.faith' + - '.zip' + - '.cricket' + - '.space' # McAfee report - - '.info' - - '.vn' - - '.cm' - - '.am' - - '.cc' - - '.asia' - - '.ws' - - '.tk' - - '.biz' - - '.su' - - '.st' - - '.ro' - - '.ge' - - '.ms' - - '.pk' - - '.nu' - - '.me' - - '.ph' - - '.to' - - '.tt' - - '.name' - - '.tv' - - '.kz' - - '.tc' - - '.mobi' + - '.info' + - '.vn' + - '.cm' + - '.am' + - '.cc' + - '.asia' + - '.ws' + - '.tk' + - '.biz' + - '.su' + - '.st' + - '.ro' + - '.ge' + - '.ms' + - '.pk' + - '.nu' + - '.me' + - '.ph' + - '.to' + - '.tt' + - '.name' + - '.tv' + - '.kz' + - '.tc' + - '.mobi' # Spamhaus - - '.study' - - '.click' - - '.link' - - '.trade' - - '.accountant' + - '.study' + - '.click' + - '.link' + - '.trade' + - '.accountant' # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ - - '.cf' - - '.gq' - - '.ml' - - '.ga' + - '.cf' + - '.gq' + - '.ml' + - '.ga' # Custom - - '.pw' - condition: selection + - '.pw' + condition: selection fields: - - ClientIP - - c-uri + - ClientIP + - c-uri falsepositives: - - All kinds of software downloads + - All kinds of software downloads level: low tags: - - attack.initial_access - - attack.t1566 - - attack.execution - - attack.t1203 - - attack.t1204.002 - - attack.t1204 # an old one + - attack.initial_access + - attack.t1566 + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.t1204 # an old one diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index 9b9200c5d..d30f7d32b 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml 
@@ -1,65 +1,65 @@ title: Download EXE from Suspicious TLD id: b5de2919-b74a-4805-91a7-5049accbaefe -status: experimental +status: test description: Detects executable downloads from suspicious remote systems author: Florian Roth date: 2017/03/13 -modified: 2020/09/03 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri-extension: - - 'exe' - - 'vbs' - - 'bat' - - 'rar' - - 'ps1' - - 'doc' - - 'docm' - - 'xls' - - 'xlsm' - - 'pptm' - - 'rtf' - - 'hta' - - 'dll' - - 'ws' - - 'wsf' - - 'sct' - - 'zip' + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - filter: - r-dns|endswith: - - '.com' - - '.org' - - '.net' - - '.edu' - - '.gov' - - '.uk' - - '.ca' - - '.de' - - '.jp' - - '.fr' - - '.au' - - '.us' - - '.ch' - - '.it' - - '.nl' - - '.se' - - '.no' - - '.es' + filter: + r-dns|endswith: + - '.com' + - '.org' + - '.net' + - '.edu' + - '.gov' + - '.uk' + - '.ca' + - '.de' + - '.jp' + - '.fr' + - '.au' + - '.us' + - '.ch' + - '.it' + - '.nl' + - '.se' + - '.no' + - '.es' # Extend this list as needed - condition: selection and not filter + condition: selection and not filter fields: - - ClientIP - - c-uri + - ClientIP + - c-uri falsepositives: - - All kind of software downloads + - All kind of software downloads level: low tags: - - attack.initial_access - - attack.t1566 - - attack.execution - - attack.t1203 - - attack.t1204.002 - - attack.t1204 # an old one + - attack.initial_access + - attack.t1566 + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.t1204 # an old one diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index c1a8bf30f..d797c734d 100644 
--- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml @@ -1,30 +1,30 @@ title: Windows WebDAV User Agent id: e09aed7a-09e0-4c9a-90dd-f0d52507347e -status: experimental +status: test description: Detects WebDav DownloadCradle author: Florian Roth -date: 2018/04/06 -modified: 2020/09/03 references: - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html +date: 2018/04/06 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' - cs-method: 'GET' - condition: selection + selection: + c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' + cs-method: 'GET' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent - - cs-method + - ClientIP + - c-uri + - c-useragent + - cs-method falsepositives: - - Administrative scripts that download files from the Internet - - Administrative scripts that retrieve certain website contents - - Legitimate WebDAV administration + - Administrative scripts that download files from the Internet + - Administrative scripts that retrieve certain website contents + - Legitimate WebDAV administration level: high tags: - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml index 3b08504be..a36a0909f 100644 --- a/rules/proxy/proxy_empire_ua_uri_combos.yml +++ b/rules/proxy/proxy_empire_ua_uri_combos.yml 
@@ -1,31 +1,31 @@ title: Empire UserAgent URI Combo id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8 -status: experimental +status: test description: Detects user agent and URI paths used by empire agents author: Florian Roth -date: 2020/07/13 -modified: 2020/09/03 references: - - https://github.com/BC-SECURITY/Empire + - https://github.com/BC-SECURITY/Empire +date: 2020/07/13 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' - cs-uri-query: - - '/admin/get.php' - - '/news.php' - - '/login/process.php' - cs-method: 'POST' - condition: selection + selection: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' + cs-uri-query: + - '/admin/get.php' + - '/news.php' + - '/login/process.php' + cs-method: 'POST' + condition: selection fields: - - c-uri - - c-ip + - c-uri + - c-ip falsepositives: - - Valid requests with this exact user agent to server scripts of the defined names + - Valid requests with this exact user agent to server scripts of the defined names level: high tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_empty_ua.yml b/rules/proxy/proxy_empty_ua.yml index 577922c53..5cd3357fe 100644 --- a/rules/proxy/proxy_empty_ua.yml +++ b/rules/proxy/proxy_empty_ua.yml 
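Review bot: The selection matches the three Empire paths as exact values of `cs-uri-query`, while every other proxy rule in this commit that keys on a path (Chafer, iOS implant, PwnDrp, Turla) uses `c-uri|contains`. If `cs-uri-query` maps to the query-string component of the request in the proxy field set, a path such as `/admin/get.php` will never equal it and the rule is silent; if it maps to the full URI, an exact match still fails as soon as a host or query string is present. Unless the field naming is deliberate, `c-uri|contains:` with the same three values would be consistent with the sibling rules and tolerant of either log format; either way a comment stating which proxy field is expected here would help.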
@@ -1,27 +1,27 @@ title: Empty User Agent id: 21e44d78-95e7-421b-a464-ffd8395659c4 -status: experimental +status: test description: Detects suspicious empty user agent strings in proxy logs author: Florian Roth -date: 2017/07/08 -modified: 2020/09/03 references: - - https://twitter.com/Carlos_Perez/status/883455096645931008 + - https://twitter.com/Carlos_Perez/status/883455096645931008 +date: 2017/07/08 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: + selection: # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString - c-useragent: '' - condition: selection + c-useragent: '' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Unknown + - Unknown level: medium tags: - attack.defense_evasion - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index a1f1ee1a0..ab89ee9ef 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml 
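Review bot: `c-useragent: ''` only fires when the proxy writes an explicitly empty value for the field, which is the narrowest of the ways a missing user agent shows up in practice. W3C- and Squid-style proxy logs commonly emit `-` for an absent header, and some pipelines drop the field altogether, so the case the description targets (no User-Agent sent at all) may be logged without ever matching an empty string. Depending on the proxies in scope, listing `'-'` alongside `''`, or using Sigma's `null` value to match an absent field, would make the rule fire on the condition it describes; the choice should be documented next to the existing comment on the PowerShell WebClient behaviour.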
@@ -1,33 +1,33 @@ title: iOS Implant URL Pattern id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6 -status: experimental +status: test description: Detects URL pattern used by iOS Implant author: Florian Roth -date: 2019/08/30 -modified: 2020/09/03 references: - - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html - - https://twitter.com/craiu/status/1167358457344925696 + - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html + - https://twitter.com/craiu/status/1167358457344925696 +date: 2019/08/30 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: '/list/suc?name=' - condition: selection + selection: + c-uri|contains: '/list/suc?name=' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.execution - - attack.t1203 - - attack.collection - - attack.t1005 - - attack.t1119 - - attack.credential_access - - attack.t1528 - - attack.t1552.001 - - attack.t1081 # an old one + - attack.execution + - attack.t1203 + - attack.collection + - attack.t1005 + - attack.t1119 + - attack.credential_access + - attack.t1528 + - attack.t1552.001 + - attack.t1081 # an old one diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index f3d91771e..60c74b5a5 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml 
@@ -1,25 +1,25 @@ title: Windows PowerShell User Agent id: c8557060-9221-4448-8794-96320e6f3e74 -status: experimental +status: test description: Detects Windows PowerShell Web Access author: Florian Roth -date: 2017/03/13 -modified: 2020/09/03 references: - - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest + - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest +date: 2017/03/13 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-useragent|contains: ' WindowsPowerShell/' - condition: selection + selection: + c-useragent|contains: ' WindowsPowerShell/' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Administrative scripts that download files from the Internet - - Administrative scripts that retrieve certain website contents + - Administrative scripts that download files from the Internet + - Administrative scripts that retrieve certain website contents level: medium tags: - attack.defense_evasion diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml index 0885f5bf6..42813f313 100644 --- a/rules/proxy/proxy_pwndrop.yml +++ b/rules/proxy/proxy_pwndrop.yml 
@@ -1,29 +1,29 @@ title: PwnDrp Access id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e -status: experimental +status: test description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity author: Florian Roth -date: 2020/04/15 -modified: 2020/09/03 references: - - https://breakdev.org/pwndrop/ + - https://breakdev.org/pwndrop/ +date: 2020/04/15 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: '/pwndrop/' - condition: selection + selection: + c-uri|contains: '/pwndrop/' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one - - attack.t1102.001 - - attack.t1102.003 - - attack.t1102 # an old one \ No newline at end of file + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one + - attack.t1102.001 + - attack.t1102.003 + - attack.t1102 # an old one diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml index 07034174a..b731474b6 100644 --- a/rules/proxy/proxy_raw_paste_service_access.yml +++ b/rules/proxy/proxy_raw_paste_service_access.yml 
@@ -1,34 +1,34 @@ title: Raw Paste Service Access id: 5468045b-4fcc-4d1a-973c-c9c9578edacb -status: experimental +status: test description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form author: Florian Roth -date: 2019/12/05 -modified: 2020/09/03 references: - - https://www.virustotal.com/gui/domain/paste.ee/relations + - https://www.virustotal.com/gui/domain/paste.ee/relations +date: 2019/12/05 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: - - '.paste.ee/r/' - - '.pastebin.com/raw/' - - '.hastebin.com/raw/' - - '.ghostbin.co/paste/*/raw/' - condition: selection + selection: + c-uri|contains: + - '.paste.ee/r/' + - '.pastebin.com/raw/' + - '.hastebin.com/raw/' + - '.ghostbin.co/paste/*/raw/' + condition: selection fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) + - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) level: high tags: - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one - - attack.t1102.001 - - attack.t1102.003 - - attack.defense_evasion - - attack.t1102 # an old one \ No newline at end of file + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one + - attack.t1102.001 + - attack.t1102.003 + - attack.defense_evasion + - attack.t1102 # an old one diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index eda3a5ef9..c961ec2c9 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml 
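Review bot: Three of the four `c-uri|contains` values begin with a dot, so they only match when a label precedes the service domain (e.g. `www.pastebin.com/raw/`): a request to `pastebin.com/raw/<id>` — the form these raw links are normally shared in — does not contain `.pastebin.com/raw/` and is missed, and the same applies to `.paste.ee/r/` and `.hastebin.com/raw/`. Dropping the leading dot, e.g. `- 'pastebin.com/raw/'`, covers both the bare and the subdomain form without noticeably widening the match. The `.ghostbin.co/paste/*/raw/` entry has the same issue in addition to relying on an in-value wildcard, which is fine in Sigma but worth a short comment so a later edit does not "fix" it.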
@@ -1,37 +1,37 @@ title: Telegram API Access id: b494b165-6634-483d-8c47-2026a6c52372 -status: experimental +status: test description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent author: Florian Roth -date: 2018/06/05 -modified: 2020/09/03 references: - - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ - - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ + - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ + - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ + - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ +date: 2018/06/05 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - r-dns: - - 'api.telegram.org' # Often used by Bots - filter: - c-useragent|contains: + selection: + r-dns: + - 'api.telegram.org' # Often used by Bots + filter: + c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list - - 'Telegram' - - 'Bot' - condition: selection and not filter + - 'Telegram' + - 'Bot' + condition: selection and not filter fields: - - ClientIP - - c-uri - - c-useragent + - ClientIP + - c-uri + - c-useragent falsepositives: - - Legitimate use of Telegram bots in the company + - Legitimate use of Telegram bots in the company level: medium tags: - - attack.defense_evasion - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one - - attack.t1102.002 - - attack.t1102 # an old one + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one + - 
attack.t1102.002 + - attack.t1102 # an old one diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml index 3c9eece73..2f97ae7da 100644 --- a/rules/proxy/proxy_turla_comrat.yml +++ b/rules/proxy/proxy_turla_comrat.yml @@ -1,24 +1,24 @@ title: Turla ComRAT id: 7857f021-007f-4928-8b2c-7aedbe64bb82 -status: experimental +status: test description: Detects Turla ComRAT patterns author: Florian Roth -date: 2020/05/26 -modified: 2020/09/03 references: - - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf + - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf +date: 2020/05/26 +modified: 2021/11/27 logsource: - category: proxy + category: proxy detection: - selection: - c-uri|contains: '/index/index.php?h=' - condition: selection + selection: + c-uri|contains: '/index/index.php?h=' + condition: selection falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.defense_evasion - - attack.command_and_control - - attack.t1071.001 - - attack.t1043 # an old one - - attack.g0010 \ No newline at end of file + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one + - attack.g0010 diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index d7298a8cc..904feabfe 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml 
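Review bot: In the Telegram API hunk (the first hunk on this line, starting on the previous line), the exclusion `c-useragent|contains: 'Bot'` is far broader than the bot libraries the comment refers to: Sigma string comparison is case-insensitive by default, so any user agent containing that substring is dropped, and the rule's value then rests entirely on a client not using such a string. Narrowing the filter to the specific library identifiers taken from the referenced sample list, and noting in the comment that the match is case-insensitive, would keep the false-positive reduction without hollowing out the detection. The single-element list under `r-dns:` could also be written as a plain scalar, matching the other proxy rules in this commit.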
@@ -1,64 +1,64 @@
 title: APT User Agent
 id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
-status: experimental
+status: test
 description: Detects suspicious user agent strings used in APT malware in proxy logs
 author: Florian Roth, Markus Neis
-date: 2019/11/12
-modified: 2020/09/03
 references:
- - Internal Research
+ - Internal Research
+date: 2019/11/12
+modified: 2021/11/27
 logsource:
- category: proxy
+ category: proxy
 detection:
- selection:
- c-useragent:
+ selection:
+ c-useragent:
 # APT Related
- - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
- - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- - 'webclient' # Naikon APT
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- - 'Netscape' # Unit78020 Malware
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- - 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
- - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- condition: selection
+ - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
+ - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
+ - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
+ - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
+ - 'webclient' # Naikon APT
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
+ - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
+ - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
+ - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
+ - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
+ - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
+ - 'Netscape' # Unit78020 Malware
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
+ - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
+ - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+ - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+ - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+ - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
+ - 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
+ - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+ - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+ - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
+ - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
+ - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
+ - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
+ - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
+ - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
+ - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
+ condition: selection
 fields:
- - ClientIP
- - c-uri
- - c-useragent
+ - ClientIP
+ - c-uri
+ - c-useragent
 falsepositives:
- - Old browsers
+ - Old browsers
 level: high
 tags:
- - attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml
index ea4a3bd26..538a3a6be 100644
--- a/rules/proxy/proxy_ua_cryptominer.yml
+++ b/rules/proxy/proxy_ua_cryptominer.yml
@@ -1,30 +1,30 @@
 title: Crypto Miner User Agent
 id: fa935401-513b-467b-81f4-f9e77aa0dd78
-status: experimental
+status: test
 description: Detects suspicious user agent strings used by crypto miners in proxy logs
 author: Florian Roth
-date: 2019/10/21
-modified: 2020/09/03
 references:
- - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
+ - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
+ - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- category: proxy
+ category: proxy
 detection:
- selection:
- c-useragent|startswith:
+ selection:
+ c-useragent|startswith:
 # XMRig
- - 'XMRig '
+ - 'XMRig '
 # CCMiner
- - 'ccminer'
- condition: selection
+ - 'ccminer'
+ condition: selection
 fields:
- - ClientIP
- - c-uri
- - c-useragent
+ - ClientIP
+ - c-uri
+ - c-useragent
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.command_and_control
- - attack.t1071.001
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml
index 5d81546aa..3601ab068 100644
--- a/rules/proxy/proxy_ua_frameworks.yml
+++ b/rules/proxy/proxy_ua_frameworks.yml
@@ -1,58 +1,58 @@
 title: Exploit Framework User Agent
 id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
-status: experimental
+status: test
 description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
 author: Florian Roth
-date: 2017/07/08
-modified: 2020/09/03
 references:
- - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
+ - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
+date: 2017/07/08
+modified: 2021/11/27
 logsource:
- category: proxy
+ category: proxy
 detection:
- selection:
- c-useragent:
+ selection:
+ c-useragent:
 # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- - 'Internet Explorer *'
- - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez
+ - 'Internet Explorer *'
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez
 # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
+ - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
+ - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
+ - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
+ - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
 # Metasploit Update by Florian Roth 08.07.2017
- - 'Mozilla/5.0'
- - 'Mozilla/4.0 (compatible; SPIPE/1.0'
+ - 'Mozilla/5.0'
+ - 'Mozilla/4.0 (compatible; SPIPE/1.0'
 # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
 # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- - 'Sametime Community Agent' # Unknown if prone to false positives - used in https://goo.gl/gHZkeR
- - 'X-FORWARDED-FOR'
- - 'DotDotPwn v2.1'
- - 'SIPDROID'
- - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
+ - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
+ - 'Sametime Community Agent' # Unknown if prone to false positives - used in https://goo.gl/gHZkeR
+ - 'X-FORWARDED-FOR'
+ - 'DotDotPwn v2.1'
+ - 'SIPDROID'
+ - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
 # Empire
- - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
+ - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
 # Exploits
- - '*wordpress hash grabber*'
- - '*exploit*'
- condition: selection
+ - '*wordpress hash grabber*'
+ - '*exploit*'
+ condition: selection
 fields:
- - ClientIP
- - c-uri
- - c-useragent
+ - ClientIP
+ - c-uri
+ - c-useragent
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index bbb8a7807..af6f393fc 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -1,79 +1,79 @@
 title: Hack Tool User Agent
 id: c42a3073-30fb-48ae-8c99-c23ada84b103
-status: experimental
+status: test
 description: Detects suspicious user agent strings user by hack tools in proxy logs
 author: Florian Roth
-date: 2017/07/08
-modified: 2020/09/03
 references:
- - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
- - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
+ - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
+ - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
+date: 2017/07/08
+modified: 2021/11/27
 logsource:
- category: proxy
+ category: proxy
 detection:
- selection:
- c-useragent|contains:
+ selection:
+ c-useragent|contains:
 # Vulnerability scanner and brute force tools
- - '(hydra)'
- - ' arachni/'
- - ' BFAC '
- - ' brutus '
- - ' cgichk '
- - 'core-project/1.0'
- - ' crimscanner/'
- - 'datacha0s'
- - 'dirbuster'
- - 'domino hunter'
- - 'dotdotpwn'
- - 'FHScan Core'
- - 'floodgate'
- - 'get-minimal'
- - 'gootkit auto-rooter scanner'
- - 'grendel-scan'
- - ' inspath '
- - 'internet ninja'
- - 'jaascois'
- - ' zmeu '
- - 'masscan'
- - ' metis '
- - 'morfeus fucking scanner'
- - 'n-stealth'
- - 'nsauditor'
- - 'pmafind'
- - 'security scan'
- - 'springenwerk'
- - 'teh forest lobster'
- - 'toata dragostea'
- - ' vega/'
- - 'voideye'
- - 'webshag'
- - 'webvulnscan'
- - ' whcc/'
+ - '(hydra)'
+ - ' arachni/'
+ - ' BFAC '
+ - ' brutus '
+ - ' cgichk '
+ - 'core-project/1.0'
+ - ' crimscanner/'
+ - 'datacha0s'
+ - 'dirbuster'
+ - 'domino hunter'
+ - 'dotdotpwn'
+ - 'FHScan Core'
+ - 'floodgate'
+ - 'get-minimal'
+ - 'gootkit auto-rooter scanner'
+ - 'grendel-scan'
+ - ' inspath '
+ - 'internet ninja'
+ - 'jaascois'
+ - ' zmeu '
+ - 'masscan'
+ - ' metis '
+ - 'morfeus fucking scanner'
+ - 'n-stealth'
+ - 'nsauditor'
+ - 'pmafind'
+ - 'security scan'
+ - 'springenwerk'
+ - 'teh forest lobster'
+ - 'toata dragostea'
+ - ' vega/'
+ - 'voideye'
+ - 'webshag'
+ - 'webvulnscan'
+ - ' whcc/'
 # SQL Injection
- - ' Havij'
- - 'absinthe'
- - 'bsqlbf'
- - 'mysqloit'
- - 'pangolin'
- - 'sql power injector'
- - 'sqlmap'
- - 'sqlninja'
- - 'uil2pn'
+ - ' Havij'
+ - 'absinthe'
+ - 'bsqlbf'
+ - 'mysqloit'
+ - 'pangolin'
+ - 'sql power injector'
+ - 'sqlmap'
+ - 'sqlninja'
+ - 'uil2pn'
 # Hack tool
- - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
- condition: selection
+ - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
+ condition: selection
 fields:
- - ClientIP
- - c-uri
- - c-useragent
+ - ClientIP
+ - c-uri
+ - c-useragent
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.initial_access
- - attack.t1190
- - attack.credential_access
- - attack.t1110
+ - attack.initial_access
+ - attack.t1190
+ - attack.credential_access
+ - attack.t1110
diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index 45a433e74..6931b219f 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
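Review bot: The `description` context line of proxy_ua_hacktool.yml still carries the typo "user agent strings user by hack tools"; since this pass rewrites the file's metadata anyway, it should read `description: Detects suspicious user agent strings used by hack tools in proxy logs`. On the new side, several `c-useragent|contains` entries are single short words (for example `- 'ruler'`, `- 'pangolin'`, `- 'floodgate'`) that will match any user agent embedding them, while `falsepositives` still says only `Unknown`; a short entry such as `- Legitimate products whose user agent contains one of the short keywords (baseline before enabling)` would tell an analyst what noise to expect. I cannot see the surrounding deployment context, so whether that baseline already exists elsewhere is an assumption.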
@@ -1,85 +1,85 @@
 title: Malware User Agent
 id: 5c84856b-55a5-45f1-826f-13f37250cf4e
-status: experimental
+status: test
 description: Detects suspicious user agent strings used by malware in proxy logs
 author: Florian Roth
-date: 2017/07/08
-modified: 2020/09/03
 references:
- - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- - http://www.botopedia.org/search?searchword=scan&searchphrase=all
- - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- - https://perishablepress.com/blacklist/ua-2013.txt
- - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
+ - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
+ - http://www.botopedia.org/search?searchword=scan&searchphrase=all
+ - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
+ - https://perishablepress.com/blacklist/ua-2013.txt
+ - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
+date: 2017/07/08
+modified: 2021/11/27
 logsource:
- category: proxy
+ category: proxy
 detection:
- selection:
- c-useragent:
+ selection:
+ c-useragent:
 # RATs
- - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
- - 'HttpBrowser/1.0' # HTTPBrowser RAT
- - '*<|>*' # Houdini / Iniduoh / njRAT
- - 'nsis_inetc (mozilla)' # ZeroAccess
- - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
+ - 'HttpBrowser/1.0' # HTTPBrowser RAT
+ - '*<|>*' # Houdini / Iniduoh / njRAT
+ - 'nsis_inetc (mozilla)' # ZeroAccess
+ - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
 # Ghost419 https://goo.gl/rW1yvZ
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 # Malware
- - '*zeroup*' # W32/Renos.Downloader
- - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- - '* adlib/*' # https://goo.gl/gcAHoh
- - '* tiny' # Trojan Downloader
- - '* BGroom *' # Trojan Downloader
- - '* changhuatong'
- - '* CholTBAgent'
- - 'Mozilla/5.0 WinInet'
- - 'RookIE/1.0'
- - 'M' # HkMain
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- - 'backdoorbot'
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- - 'Opera' # Trojan Keragany
- - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- - 'MSIE' # Toby web shell
- - '*(Charon; Inferno)' # Loki Bot
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
- - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
+ - '*zeroup*' # W32/Renos.Downloader
+ - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
+ - '* adlib/*' # https://goo.gl/gcAHoh
+ - '* tiny' # Trojan Downloader
+ - '* BGroom *' # Trojan Downloader
+ - '* changhuatong'
+ - '* CholTBAgent'
+ - 'Mozilla/5.0 WinInet'
+ - 'RookIE/1.0'
+ - 'M' # HkMain
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
+ - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
+ - 'backdoorbot'
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
+ - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
+ - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
+ - 'Opera' # Trojan Keragany
+ - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
+ - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
+ - 'MSIE' # Toby web shell
+ - '*(Charon; Inferno)' # Loki Bot
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
+ - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
+ - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
+ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
 # Ursnif
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
+ - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
 # Emotet
- - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
 # Others
- - '* pxyscand*'
- - '* asd'
- - '* mdms'
- - 'sample'
- - 'nocase'
- - 'Moxilla'
- - 'Win32 *'
- - '*Microsoft Internet Explorer*'
- - 'agent *'
- - 'AutoIt' # Suspicious - base-lining recommended
- - 'IczelionDownLoad'
- - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- condition: selection
+ - '* pxyscand*'
+ - '* asd'
+ - '* mdms'
+ - 'sample'
+ - 'nocase'
+ - 'Moxilla'
+ - 'Win32 *'
+ - '*Microsoft Internet Explorer*'
+ - 'agent *'
+ - 'AutoIt' # Suspicious - base-lining recommended
+ - 'IczelionDownLoad'
+ - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
+ condition: selection
 fields:
- - ClientIP
- - c-uri
- - c-useragent
+ - ClientIP
+ - c-uri
+ - c-useragent
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/web/sql_injection_keywords.yml b/rules/web/sql_injection_keywords.yml
index f3d8985ff..e07945228 100644
--- a/rules/web/sql_injection_keywords.yml
+++ b/rules/web/sql_injection_keywords.yml
@@ -1,9 +1,10 @@
 title: Detect Sql Injection By Keywords
 id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
-status: experimental
+status: test
 description: Detects sql injection that use GET requests by keyword searches in URL strings
 author: Saw Win Naung
 date: 2020/02/22
+modified: 2021/11/27
 logsource:
 category: webserver
 detection:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index 0bad3e2ec..e2fe9853d 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,22 +1,22 @@
 title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
+status: test
 description: Detects a segmentation fault error message caused by a creashing apache worker process
-status: experimental
 author: Florian Roth
-date: 2017/02/28
-modified: 2020/09/03
 references:
- - http://www.securityfocus.com/infocus/1633
+ - http://www.securityfocus.com/infocus/1633
+date: 2017/02/28
+modified: 2021/11/27
 logsource:
- product: apache
+ product: apache
 detection:
- keywords:
- - 'exit signal Segmentation Fault'
- condition: keywords
+ keywords:
+ - 'exit signal Segmentation Fault'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.impact
- - attack.t1499 # an old one
- - attack.t1499.004
\ No newline at end of file
+ - attack.impact
+ - attack.t1499 # an old one
+ - attack.t1499.004
diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml
index 8d2461998..7710cbb5d 100644
--- a/rules/web/web_apache_threading_error.yml
+++ b/rules/web/web_apache_threading_error.yml
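Review bot: The `description` context line of web_apache_segfault.yml still misspells "crashing" as "creashing"; since the hunk already moves `status` and rewrites the metadata block, the line should go in as `description: Detects a segmentation fault error message caused by a crashing apache worker process`. The relocated `+status: test` now sits directly after `id`, which matches the field order used by the other rules in this patch, so that part needs no change.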
@@ -1,17 +1,18 @@
 title: Apache Threading Error
 id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
-status: experimental
+status: test
 description: Detects an issue in apache logs that reports threading related errors
 author: Florian Roth
-date: 2019/01/22
 references:
- - https://github.com/hannob/apache-uaf/blob/master/README.md
+ - https://github.com/hannob/apache-uaf/blob/master/README.md
+date: 2019/01/22
+modified: 2021/11/27
 logsource:
- product: apache
+ product: apache
 detection:
- keywords:
- - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
- condition: keywords
+ keywords:
+ - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+ condition: keywords
 falsepositives:
- - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+ - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
 level: medium
diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 0ba707ec2..6a1494cd8 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
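Review bot: The only `falsepositives` entry on the new side of web_apache_threading_error.yml is a bare Bugzilla link (`- https://bz.apache.org/bugzilla/show_bug.cgi?id=46185`), so an analyst triaging the alert gets a URL instead of a description of the benign condition. The `falsepositives` list is meant to name the benign scenarios in words; the link belongs under `references`, with the entry replaced by a short phrase such as `- Known Apache bug producing this assertion (see references), not an attack`. I cannot read the linked bug from here, so the exact wording should be checked against it.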
@@ -1,34 +1,34 @@
 title: Citrix Netscaler Attack CVE-2019-19781
 id: ac5a6409-8c89-44c2-8d64-668c29a2d756
-status: experimental
+status: test
 description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
 author: Arnim Rupp, Florian Roth
-date: 2020/01/02
-modified: 2020/09/03
 references:
- - https://support.citrix.com/article/CTX267679
- - https://support.citrix.com/article/CTX267027
- - https://isc.sans.edu/diary/25686
- - https://twitter.com/mpgn_x64/status/1216787131210829826
- - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
+ - https://support.citrix.com/article/CTX267679
+ - https://support.citrix.com/article/CTX267027
+ - https://isc.sans.edu/diary/25686
+ - https://twitter.com/mpgn_x64/status/1216787131210829826
+ - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
+date: 2020/01/02
+modified: 2021/11/27
 logsource:
- category: webserver
- definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
+ category: webserver
+ definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
- selection:
- c-uri:
- - '*/../vpns/*'
- - '*/vpns/cfg/smb.conf'
- - '*/vpns/portal/scripts/*.pl*'
- condition: selection
+ selection:
+ c-uri:
+ - '*/../vpns/*'
+ - '*/vpns/cfg/smb.conf'
+ - '*/vpns/portal/scripts/*.pl*'
+ condition: selection
 fields:
- - client_ip
- - vhost
- - url
- - response
+ - client_ip
+ - vhost
+ - url
+ - response
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
 tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/web/web_cve_2019_3398_confluence.yml b/rules/web/web_cve_2019_3398_confluence.yml
index 142dbe0b7..ffe38b48b 100644
--- a/rules/web/web_cve_2019_3398_confluence.yml
+++ b/rules/web/web_cve_2019_3398_confluence.yml
@@ -1,26 +1,27 @@
 title: Confluence Exploitation CVE-2019-3398
 id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
-status: experimental
-description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
+status: test
+description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
 author: Florian Roth
-date: 2020/05/26
 references:
- - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
+ - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
+date: 2020/05/26
+modified: 2021/11/27
 logsource:
- category: webserver
+ category: webserver
 detection:
- selection:
- cs-method: 'POST'
- c-uri|contains|all:
- - '/upload.action'
- - 'filename=../../../../'
- condition: selection
+ selection:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/upload.action'
+ - 'filename=../../../../'
+ condition: selection
 fields:
- - c-ip
- - c-dns
+ - c-ip
+ - c-dns
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
 tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/web/web_cve_2020_0688_msexchange.yml b/rules/web/web_cve_2020_0688_msexchange.yml
index 0c22037e1..4f5c9c8ba 100644
--- a/rules/web/web_cve_2020_0688_msexchange.yml
+++ b/rules/web/web_cve_2020_0688_msexchange.yml
@@ -1,28 +1,29 @@
 title: CVE-2020-0688 Exchange Exploitation via Web Log
 id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
-status: experimental
-description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
+status: test
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
 author: Florian Roth
-date: 2020/02/29
 references:
- - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+ - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+date: 2020/02/29
+modified: 2021/11/27
 logsource:
- category: webserver
+ category: webserver
 detection:
- selection1:
- cs-method: 'GET'
- c-uri|contains:
- - '/ecp/'
- - '/owa/'
- selection2:
- c-uri|contains: '__VIEWSTATE='
- condition: selection1 and selection2
+ selection1:
+ cs-method: 'GET'
+ c-uri|contains:
+ - '/ecp/'
+ - '/owa/'
+ selection2:
+ c-uri|contains: '__VIEWSTATE='
+ condition: selection1 and selection2
 fields:
- - c-ip
- - c-dns
+ - c-ip
+ - c-dns
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
 tags:
- - attack.initial_access
- - attack.t1190
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
index 92608b05b..e2715da28 100644
--- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -1,30 +1,30 @@ title: Oracle WebLogic Exploit CVE-2020-14882 id: 85d466b0-d74c-4514-84d3-2bdd3327588b -status: experimental +status: test description: Detects exploitation attempts on WebLogic servers author: Florian Roth -date: 2020/11/02 -modified: 2020/11/04 references: - - https://isc.sans.edu/diary/26734 - - https://twitter.com/jas502n/status/1321416053050667009?s=20 - - https://twitter.com/sudo_sudoka/status/1323951871078223874 + - https://isc.sans.edu/diary/26734 + - https://twitter.com/jas502n/status/1321416053050667009?s=20 + - https://twitter.com/sudo_sudoka/status/1323951871078223874 +date: 2020/11/02 +modified: 2021/11/27 logsource: - category: webserver + category: webserver detection: - selection: - c-uri|contains: - - '/console/images/%252E%252E%252Fconsole.portal' - - '/console/css/%2e' - condition: selection + selection: + c-uri|contains: + - '/console/images/%252E%252E%252Fconsole.portal' + - '/console/css/%2e' + condition: selection fields: - - c-ip - - c-dns + - c-ip + - c-dns falsepositives: - - Unknown + - Unknown level: high tags: - - attack.t1100 # an old one - - attack.t1190 - - attack.initial_access - - cve.2020.14882 + - attack.t1100 # an old one + - attack.t1190 + - attack.initial_access + - cve.2020.14882 diff --git a/rules/web/web_cve_2020_5902_f5_bigip.yml b/rules/web/web_cve_2020_5902_f5_bigip.yml index c8ab6a366..6065733fa 100644 --- a/rules/web/web_cve_2020_5902_f5_bigip.yml +++ b/rules/web/web_cve_2020_5902_f5_bigip.yml 
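Review bot: The new side keeps `attack.t1100 # an old one` beside its replacement `attack.t1190`; since these rules are being promoted out of `experimental`, this is the natural moment to drop the retired technique IDs instead of carrying them forward. The same `# an old one` entries survive in the hunks for web_webshell_keyword.yml, win_ad_object_writedac_access.yml, win_ad_replication_non_machine_account.yml, win_admin_share_access.yml, win_alert_enable_weak_encryption.yml, win_applocker_file_was_not_allowed_to_run.yml, win_apt_carbonpaper_turla.yml, win_apt_stonedrill.yml, win_apt_turla_service_png.yml and win_atsvc_task.yml. If project policy is to keep them for backward compatibility, a one-line comment saying so (`# retired IDs kept for consumers mapping on old ATT&CK versions`) would stop the next reviewer from raising it again.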
@@ -1,34 +1,33 @@ title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt id: 44b53b1c-e60f-4a7b-948e-3435a7918478 -status: experimental +status: test description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902 -references: - - https://support.f5.com/csp/article/K52145254 - - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ - - https://twitter.com/yorickkoster/status/1279709009151434754 - - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ author: Florian Roth +references: + - https://support.f5.com/csp/article/K52145254 + - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ + - https://twitter.com/yorickkoster/status/1279709009151434754 + - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ date: 2020/07/05 -modified: 2020/07/07 +modified: 2021/11/27 logsource: - category: webserver + category: webserver detection: - selection_base: - c-uri|contains: - - '/tmui/' - - '/hsqldb' - selection_traversal: - c-uri|contains: - - '..;/' - - '.jsp/..' - condition: selection_base and selection_traversal + selection_base: + c-uri|contains: + - '/tmui/' + - '/hsqldb' + selection_traversal: + c-uri|contains: + - '..;/' + - '.jsp/..' + condition: selection_base and selection_traversal fields: - - c-ip - - c-dns + - c-ip + - c-dns falsepositives: - - Unknown -tags: - - attack.initial_access - - attack.t1190 + - Unknown level: critical - +tags: + - attack.initial_access + - attack.t1190 diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml index 0d0e853bc..d0cbe57b7 100644 --- a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml 
+++ b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -1,29 +1,30 @@ title: CVE-2021-21978 Exploitation Attempt id: 77586a7f-7ea4-4c41-b19c-820140b84ca9 -status: experimental +status: test description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978 author: Bhabesh Raj -date: 2020/03/10 references: - - https://twitter.com/wugeej/status/1369476795255320580 - - https://paper.seebug.org/1495/ + - https://twitter.com/wugeej/status/1369476795255320580 + - https://paper.seebug.org/1495/ +date: 2020/03/10 +modified: 2021/11/27 logsource: - category: webserver + category: webserver detection: - selection: - cs-method: 'POST' - c-uri|contains|all: - - 'logupload' - - 'logMetaData' - - 'wsgi_log_upload.py' - condition: selection + selection: + cs-method: 'POST' + c-uri|contains|all: + - 'logupload' + - 'logMetaData' + - 'wsgi_log_upload.py' + condition: selection fields: - - c-ip - - c-dns + - c-ip + - c-dns falsepositives: - - None + - None level: high tags: - - attack.initial_access - - attack.t1190 - - cve.2021.21978 + - attack.initial_access + - attack.t1190 + - cve.2021.21978 diff --git a/rules/web/web_exchange_cve_2020_0688_exploit.yml b/rules/web/web_exchange_cve_2020_0688_exploit.yml index 644123d37..7e25ca23a 100644 --- a/rules/web/web_exchange_cve_2020_0688_exploit.yml +++ b/rules/web/web_exchange_cve_2020_0688_exploit.yml @@ -1,12 +1,12 @@ title: CVE-2020-0688 Exploitation Attempt id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a -status: experimental +status: test description: Detects CVE-2020-0688 Exploitation attempts author: NVISO -date: 2020/02/27 -modified: 2020/09/03 references: - https://github.com/Ridter/cve-2020-0688 +date: 2020/02/27 +modified: 2021/11/27 logsource: category: webserver detection: @@ -20,5 +20,5 @@ falsepositives: - Unknown level: high tags: - - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.initial_access + - attack.t1190 
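Review bot: `date: 2020/03/10` on the new side of the VMware View Planner hunk predates the CVE the rule is named for (CVE-2021-21978) and the 2021 material it references, so it is most likely a typo; the patch moves the line but does not correct it. Suggested: `date: 2021/03/10`. `falsepositives: - None` also diverges from the `Unknown` used by the neighbouring web rules; with a three-token `|contains|all` match on fairly generic strings such as `logupload`, `Unknown` seems the more honest value unless the author has evidence otherwise.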
diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml index 4cd902524..1c36ac531 100644 --- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml +++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml @@ -1,30 +1,30 @@ title: Multiple Suspicious Resp Codes Caused by Single Client id: 6fdfc796-06b3-46e8-af08-58f3505318af -status: experimental +status: test description: Detects possible exploitation activity or bugs in a web application author: Thomas Patzke date: 2017/02/19 -modified: 2020/09/03 +modified: 2021/11/27 logsource: - category: webserver + category: webserver detection: - selection: - sc-status: - - 400 - - 401 - - 403 - - 500 - timeframe: 10m - condition: selection | count() by clientip > 10 + selection: + sc-status: + - 400 + - 401 + - 403 + - 500 + timeframe: 10m + condition: selection | count() by clientip > 10 fields: - - client_ip - - vhost - - url - - response + - client_ip + - vhost + - url + - response falsepositives: - - Unstable application - - Application that misuses the response codes + - Unstable application + - Application that misuses the response codes level: medium tags: - - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.initial_access + - attack.t1190 diff --git a/rules/web/web_pulsesecure_cve_2019_11510.yml b/rules/web/web_pulsesecure_cve_2019_11510.yml index c3637d71a..c1a5ad7ad 100644 --- a/rules/web/web_pulsesecure_cve_2019_11510.yml +++ b/rules/web/web_pulsesecure_cve_2019_11510.yml 
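Review bot: `condition: selection | count() by clientip > 10` aggregates on `clientip`, while the `fields` list names the same attribute `client_ip`; one of the two is wrong for the webserver field taxonomy, and the reindent carries the inconsistency onto the new side. The other webserver rules in this patch use `client_ip` in `fields` and `c-ip` in selections, so the aggregation key probably should be `client_ip` (or `c-ip`) — worth checking against the field mapping before promoting to `status: test`.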
@@ -1,26 +1,26 @@
title: Pulse Secure Attack CVE-2019-11510
id: 2dbc10d7-a797-49a8-8776-49efa6442e60
-status: experimental
+status: test
description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
author: Florian Roth
-date: 2019/11/18
-modified: 2020/09/03
references:
- - https://www.exploit-db.com/exploits/47297
+ - https://www.exploit-db.com/exploits/47297
+date: 2019/11/18
+modified: 2021/11/27
logsource:
- category: webserver
+ category: webserver
detection:
- selection:
- c-uri: '*?/dana/html5acc/guacamole/*'
- condition: selection
+ selection:
+ c-uri: '*?/dana/html5acc/guacamole/*'
+ condition: selection
fields:
- - client_ip
- - vhost
- - url
- - response
+ - client_ip
+ - vhost
+ - url
+ - response
falsepositives:
- - Unknown
+ - Unknown
level: critical
tags:
- - attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
index 341760b20..84819110c 100644
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
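Review bot: In Sigma string matching `?` is a single-character wildcard, so `c-uri: '*?/dana/html5acc/guacamole/*'` on the new side matches any one character before `/dana/...` rather than the literal query delimiter the description implies; if a literal `?` is intended it needs escaping (`'*\?/dana/html5acc/guacamole/*'`), otherwise the leading `*?` is redundant with `*`. The sibling web rules in this patch express the same idea as `c-uri|contains: '/dana/html5acc/guacamole/'`, which avoids the wildcard ambiguity altogether.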
@@ -1,27 +1,27 @@
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
-status: experimental
+status: test
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
-date: 2019/06/08
-modified: 2020/09/03
references:
- - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
+ - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
+ - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
+date: 2019/06/08
+modified: 2021/11/27
logsource:
- category: webserver
+ category: webserver
detection:
- keywords:
- - '*.git/*'
- condition: keywords
+ keywords:
+ - '*.git/*'
+ condition: keywords
fields:
- - client_ip
- - vhost
- - url
- - response
+ - client_ip
+ - vhost
+ - url
+ - response
falsepositives:
- - unknown
+ - unknown
level: medium
tags:
- - attack.discovery
- - attack.t1083
\ No newline at end of file
+ - attack.discovery
+ - attack.t1083
diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml
index a57a9ed6a..34e6786a6 100644
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
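Review bot: `falsepositives: - unknown` should name the obvious benign source of `.git/` in URLs: servers that legitimately serve repositories over HTTP will match the `'*.git/*'` keyword on every fetch of paths like `<repo>.git/info/refs`. Suggested: `- Legitimate git-over-HTTP repository access (URLs containing a .git/ path component)`. The lowercase `unknown` also differs from the `Unknown` used by the other rules in this patch.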
@@ -1,28 +1,28 @@
title: Webshell Detection by Keyword
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
-status: experimental
+status: test
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
date: 2017/02/19
-modified: 2020/09/03
+modified: 2021/11/27
logsource:
- category: webserver
+ category: webserver
detection:
- keywords:
- - =whoami
- - =net%20user
- - =cmd%20/c%20
- condition: keywords
+ keywords:
+ - =whoami
+ - =net%20user
+ - =cmd%20/c%20
+ condition: keywords
fields:
- - client_ip
- - vhost
- - url
- - response
+ - client_ip
+ - vhost
+ - url
+ - response
falsepositives:
- - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- - User searches in search boxes of the respective website
+ - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
+ - User searches in search boxes of the respective website
level: high
tags:
- - attack.persistence
- - attack.t1100 # an old one
- - attack.t1505.003
\ No newline at end of file
+ - attack.persistence
+ - attack.t1100 # an old one
+ - attack.t1505.003
diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index b3ebbc942..779fe0302 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -1,27 +1,28 @@ title: AD Object WriteDAC Access id: 028c7842-4243-41cd-be6f-12f3cf1a26c7 +status: test description: Detects WRITE_DAC access to a domain object -status: experimental -date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html -tags: - - attack.defense_evasion - - attack.t1222 # an old one - - attack.t1222.001 + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html +date: 2019/09/12 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4662 - ObjectServer: 'DS' - AccessMask: '0x40000' - ObjectType: - - '19195a5b-6da0-11d0-afd3-00c04fd930c9' - - 'domainDNS' - condition: selection + selection: + EventID: 4662 + ObjectServer: 'DS' + AccessMask: '0x40000' + ObjectType: + - '19195a5b-6da0-11d0-afd3-00c04fd930c9' + - 'domainDNS' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1222 # an old one + - attack.t1222.001 diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml index 2fe27687b..f87dba3b8 100644 --- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml +++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml 
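Review bot: The new side still has no `definition:` under `logsource`, although EventID 4662 is only emitted when the "DS Access > Audit Directory Service Access" subcategory is enabled and a matching SACL exists on the object; other rules in this patch (win_admin_share_access.yml, win_atsvc_task.yml) document their audit prerequisites that way. Suggested: `definition: 'Requirements: Audit Policy : DS Access > Audit Directory Service Access, plus a SACL on the domain object auditing WRITE_DAC'`. The same omission applies to the 4662-based win_ad_replication_non_machine_account.yml hunk.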
@@ -1,35 +1,35 @@ title: Active Directory Replication from Non Machine Account id: 17d619c1-e020-4347-957e-1d1207455c93 +status: test description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. -status: experimental -date: 2019/07/26 -modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.006 + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +date: 2019/07/26 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4662 - AccessMask: '0x100' - Properties|contains: - - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' - - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' - - '89e95b76-444d-4c62-991a-0facbeda640c' - filter: - - SubjectUserName|endswith: '$' - - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account - condition: selection and not filter + selection: + EventID: 4662 + AccessMask: '0x100' + Properties|contains: + - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' + - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' + - '89e95b76-444d-4c62-991a-0facbeda640c' + filter: + - SubjectUserName|endswith: '$' + - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account + condition: selection and not filter fields: - - ComputerName - - SubjectDomainName - - SubjectUserName + - ComputerName + - SubjectDomainName + - SubjectUserName falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.006 
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml index 33ea11512..fd78ca8a7 100644 --- a/rules/windows/builtin/win_admin_share_access.yml +++ b/rules/windows/builtin/win_admin_share_access.yml @@ -1,25 +1,25 @@ title: Access to ADMIN$ Share id: 098d7118-55bc-4912-a836-dc6483a8d150 +status: test description: Detects access to $ADMIN share -tags: - - attack.lateral_movement - - attack.t1077 # an old one - - attack.t1021.002 -status: experimental author: Florian Roth date: 2017/03/04 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' detection: - selection: - EventID: 5140 - ShareName: Admin$ - filter: - SubjectUserName|endswith: '$' - condition: selection and not filter + selection: + EventID: 5140 + ShareName: Admin$ + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: low +tags: + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index 3aac7b53b..a00a6162b 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml 
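Review bot: `description: Detects access to $ADMIN share` has the share name reversed; the title and `ShareName: Admin$` both refer to `ADMIN$`, and the patch reindents around the typo without fixing it. Suggested: `description: Detects access to the ADMIN$ share`. The `SubjectUserName|endswith: '$'` filter would also benefit from the kind of inline comment the `MSOL_` filter gets in win_ad_replication_non_machine_account.yml, e.g. `# exclude machine accounts`.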
@@ -1,26 +1,26 @@ title: Enabled User Right in AD to Control User Objects id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd +status: test description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects. -status: experimental -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ author: '@neu5ron' +references: + - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ date: 2017/07/30 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' + product: windows + service: security + definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' detection: - selection: - EventID: 4704 - keywords: - PrivilegeList|contains: - - 'SeEnableDelegationPrivilege' - condition: all of them + selection: + EventID: 4704 + keywords: + PrivilegeList|contains: + - 'SeEnableDelegationPrivilege' + condition: all of them falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.persistence + - attack.t1098 diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml index a5b473bfb..a9ddeddde 100644 --- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml +++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml 
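Review bot: The second selection in the new `detection` is named `keywords` but is a field-based map (`PrivilegeList|contains`), not a Sigma keyword list; the name suggests an unstructured search and makes `condition: all of them` harder to read. Renaming it, e.g. `selection_privilege:`, or folding `PrivilegeList|contains` into `selection` and using `condition: selection`, would be clearer without changing what the rule matches. The audit-policy `definition` is retained, which is good.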
@@ -1,40 +1,39 @@ title: Active Directory User Backdoors id: 300bac00-e041-4ee2-9c36-e262656a6ecc +status: test description: Detects scenarios where one can control another users or computers account without having to use their credentials. -status: experimental -references: - - https://msdn.microsoft.com/en-us/library/cc220234.aspx - - https://adsecurity.org/?p=3466 - - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/ author: '@neu5ron' +references: + - https://msdn.microsoft.com/en-us/library/cc220234.aspx + - https://adsecurity.org/?p=3466 + - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/ date: 2017/04/13 -modified: 2020/08/23 -tags: - - attack.t1098 - - attack.persistence +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, - DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes' + product: windows + service: security + definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes' detection: - selection1: - EventID: 4738 - filter_null: - AllowedToDelegateTo: null - filter1: - AllowedToDelegateTo: '-' - selection2: - EventID: 5136 - AttributeLDAPDisplayName: 
'msDS-AllowedToDelegateTo' - selection3: - EventID: 5136 - ObjectClass: 'user' - AttributeLDAPDisplayName: 'servicePrincipalName' - selection4: - EventID: 5136 - AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity' - condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4 + selection1: + EventID: 4738 + filter_null: + AllowedToDelegateTo: + filter1: + AllowedToDelegateTo: '-' + selection2: + EventID: 5136 + AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo' + selection3: + EventID: 5136 + ObjectClass: 'user' + AttributeLDAPDisplayName: 'servicePrincipalName' + selection4: + EventID: 5136 + AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity' + condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4 falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.t1098 + - attack.persistence diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index 4ec2fce0f..ab46a0015 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml 
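Review bot: `filter_null: AllowedToDelegateTo:` replaces the previous explicit `AllowedToDelegateTo: null`; YAML reads the empty value as null, so behaviour should be unchanged, but the bare key now looks like an accidentally truncated line and is the only null-match in the patch written that way. Restoring `AllowedToDelegateTo: null`, or at least adding `# matches when the field is absent`, keeps the intent readable for the next maintainer. Collapsing the two-line `definition:` string into one line is fine.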
@@ -1,89 +1,90 @@ title: Weak Encryption Enabled and Kerberoast id: f6de9536-0441-4b3f-a646-f4e00f300ffd +status: test description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. -status: experimental -references: - - https://adsecurity.org/?p=2053 - - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ author: '@neu5ron' +references: + - https://adsecurity.org/?p=2053 + - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ date: 2017/07/30 -tags: - - attack.defense_evasion - - attack.t1089 # an old one - - attack.t1562.001 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' + product: windows + service: security + definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' detection: - selection: - EventID: 4738 + selection: + EventID: 4738 # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties # and the actual flags that are used are quite different and, unfortunately, not documented. # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract # the following values. - olduac_des: # 0x8000 - OldUacValue|endswith: - - 8??? - - 9??? - - A??? - - B??? 
- - C??? - - D??? - - E??? - - F??? - newuac_des: - NewUacValue|endswith: - - 8??? - - 9??? - - A??? - - B??? - - C??? - - D??? - - E??? - - F??? - olduac_preauth: # 0x10000 - OldUacValue|endswith: - - 1???? - - 3???? - - 5???? - - 7???? - - 9???? - - B???? - - D???? - - F???? - newuac_preauth: - NewUacValue|endswith: - - 1???? - - 3???? - - 5???? - - 7???? - - 9???? - - B???? - - D???? - - F???? - olduac_encrypted: # 0x800 - OldUacValue|endswith: - - 8?? - - 9?? - - A?? - - B?? - - C?? - - D?? - - E?? - - F?? - newuac_encrypted: - NewUacValue|endswith: - - 8?? - - 9?? - - A?? - - B?? - - C?? - - D?? - - E?? - - F?? - condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted)) + olduac_des: # 0x8000 + OldUacValue|endswith: + - 8??? + - 9??? + - A??? + - B??? + - C??? + - D??? + - E??? + - F??? + newuac_des: + NewUacValue|endswith: + - 8??? + - 9??? + - A??? + - B??? + - C??? + - D??? + - E??? + - F??? + olduac_preauth: # 0x10000 + OldUacValue|endswith: + - 1???? + - 3???? + - 5???? + - 7???? + - 9???? + - B???? + - D???? + - F???? + newuac_preauth: + NewUacValue|endswith: + - 1???? + - 3???? + - 5???? + - 7???? + - 9???? + - B???? + - D???? + - F???? + olduac_encrypted: # 0x800 + OldUacValue|endswith: + - 8?? + - 9?? + - A?? + - B?? + - C?? + - D?? + - E?? + - F?? + newuac_encrypted: + NewUacValue|endswith: + - 8?? + - 9?? + - A?? + - B?? + - C?? + - D?? + - E?? + - F?? + condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted)) falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml index 52b744691..1e14e667d 100644 
--- a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml +++ b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml 
@@ -1,44 +1,44 @@ -title: File Was Not Allowed To Run +title: File Was Not Allowed To Run id: 401e5d00-b944-11ea-8f9a-00163ecd60ae +status: test description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events. -status: experimental -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1064 # an old one - - attack.t1204 # an old one - - attack.t1035 # an old one - - attack.t1204.002 - - attack.t1059.001 - - attack.t1059.003 - - attack.t1059.005 - - attack.t1059.006 - - attack.t1059.007 -references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker - - https://nxlog.co/documentation/nxlog-user-guide/applocker.html author: Pushkarev Dmitry +references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker + - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker + - https://nxlog.co/documentation/nxlog-user-guide/applocker.html date: 2020/06/28 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - product: windows - service: applocker + product: windows + service: applocker detection: - selection: - EventID: - - 8004 - - 8007 - condition: selection + selection: + EventID: + - 8004 + - 8007 + condition: selection fields: - - PolicyName - - RuleId - - RuleName - - TargetUser - - TargetProcessId - - FilePath - - FileHash - - Fqbn + - PolicyName + - RuleId + - RuleName + - TargetUser + - TargetProcessId + - FilePath + - FileHash + - Fqbn falsepositives: - - need tuning 
applocker or add exceptions in SIEM + - need tuning applocker or add exceptions in SIEM level: medium +tags: + - attack.execution + - attack.t1086 # an old one + - attack.t1064 # an old one + - attack.t1204 # an old one + - attack.t1035 # an old one + - attack.t1204.002 + - attack.t1059.001 + - attack.t1059.003 + - attack.t1059.005 + - attack.t1059.006 + - attack.t1059.007 diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml index 3817449da..d7122e028 100755 --- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml @@ -1,27 +1,28 @@ title: Turla Service Install id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 +status: test description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET -status: experimental -references: - - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ -tags: - - attack.persistence - - attack.g0010 - - attack.t1050 # an old one - - attack.t1543.003 -date: 2017/03/31 author: Florian Roth +references: + - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ +date: 2017/03/31 +modified: 2021/11/27 logsource: - product: windows - service: system + product: windows + service: system detection: - selection: - EventID: 7045 - ServiceName: - - 'srservice' - - 'ipvpn' - - 'hkmsvc' - condition: selection + selection: + EventID: 7045 + ServiceName: + - 'srservice' + - 'ipvpn' + - 'hkmsvc' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.persistence + - attack.g0010 + - attack.t1050 # an old one + - attack.t1543.003 diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml index f0a829606..3950f8d5c 100755 --- a/rules/windows/builtin/win_apt_stonedrill.yml +++ b/rules/windows/builtin/win_apt_stonedrill.yml 
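Review bot: `description: Detect run not allowed files. ...` is ungrammatical, and the patch only reindents it; since the rule is being promoted to `status: test`, the text should read cleanly, e.g. `description: Detects files that AppLocker blocked from running. AppLocker is especially useful on servers where unprivileged users have access, such as terminal servers; AppLocker policy and log collection must be configured for these events to appear.` `falsepositives: - need tuning applocker or add exceptions in SIEM` has the same problem and would be clearer as `- Applications not yet covered by the AppLocker policy (tune the policy or add SIEM exceptions)`. The title line is changed with no visible difference, presumably trailing whitespace.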
@@ -1,25 +1,26 @@
title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+status: test
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
-status: experimental
author: Florian Roth
-date: 2017/03/07
references:
- - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
-tags:
- - attack.persistence
- - attack.g0064
- - attack.t1050 # an old one
- - attack.t1543.003
+ - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+date: 2017/03/07
+modified: 2021/11/27
logsource:
- product: windows
- service: system
+ product: windows
+ service: system
detection:
- selection:
- EventID: 7045
- ServiceName: NtsSrv
- ServiceFileName|endswith: ' LocalService'
- condition: selection
+ selection:
+ EventID: 7045
+ ServiceName: NtsSrv
+ ServiceFileName|endswith: ' LocalService'
+ condition: selection
falsepositives:
- - Unlikely
+ - Unlikely
level: high
+tags:
+ - attack.persistence
+ - attack.g0064
+ - attack.t1050 # an old one
+ - attack.t1543.003
diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml
index f8a5038a1..69a8e3872 100644
--- a/rules/windows/builtin/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/win_apt_turla_service_png.yml
@@ -1,24 +1,25 @@
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+status: test
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
-status: experimental
-references:
- - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
author: Florian Roth
+references:
+ - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
date: 2018/11/23
-tags:
- - attack.persistence
- - attack.g0010
- - attack.t1050 # an old one
- - attack.t1543.003
+modified: 2021/11/27
logsource:
- product: windows
- service: system
+ product: windows
+ service: system
detection:
- selection:
- EventID: 7045
- ServiceName: 'WerFaultSvc'
- condition: selection
+ selection:
+ EventID: 7045
+ ServiceName: 'WerFaultSvc'
+ condition: selection
falsepositives:
- - unlikely
+ - unlikely
level: critical
+tags:
+ - attack.persistence
+ - attack.g0010
+ - attack.t1050 # an old one
+ - attack.t1543.003
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index b9d394901..b812a7066 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -1,29 +1,30 @@ title: Remote Task Creation via ATSVC Named Pipe id: f6de6525-4509-495a-8a82-1f8b0ed73a00 +status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe -status: experimental author: Samir Bousseaden -date: 2019/04/03 references: - - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -tags: - - attack.lateral_movement - - attack.persistence - - attack.t1053 # an old one - - car.2013-05-004 - - car.2015-04-001 - - attack.t1053.002 + - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +date: 2019/04/03 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName: atsvc - Accesses|contains: 'WriteData' - condition: selection + selection: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName: atsvc + Accesses|contains: 'WriteData' + condition: selection falsepositives: - - pentesting + - pentesting level: medium +tags: + - attack.lateral_movement + - attack.persistence + - attack.t1053 # an old one + - car.2013-05-004 + - car.2015-04-001 + - attack.t1053.002 diff --git a/rules/windows/builtin/win_camera_microphone_access.yml b/rules/windows/builtin/win_camera_microphone_access.yml index 66ffcb1e2..9b78a70b8 100644 --- a/rules/windows/builtin/win_camera_microphone_access.yml +++ b/rules/windows/builtin/win_camera_microphone_access.yml 
@@ -1,29 +1,30 @@ title: Processes Accessing the Microphone and Webcam id: 8cd538a4-62d5-4e83-810b-12d41e428d6e +status: test description: Potential adversaries accessing the microphone and webcam in an endpoint. -status: experimental -date: 2020/06/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.collection - - attack.t1123 references: - https://twitter.com/duzvik/status/1269671601852813320 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 +date: 2020/06/07 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection1: - EventID: - - 4657 - - 4656 - - 4663 - selection2: - ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged' - selection3: - ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged' - condition: selection1 and (selection2 or selection3) + selection1: + EventID: + - 4657 + - 4656 + - 4663 + selection2: + ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged' + selection3: + ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged' + condition: selection1 and (selection2 or selection3) falsepositives: - - Unknown + - Unknown level: medium +tags: + - attack.collection + - attack.t1123 diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml index 040b921f8..4ab64e5c4 100644 --- a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml 
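Review bot: `falsepositives: - Unknown` undersells this rule: as far as the referenced articles describe, the `ConsentStore\microphone\NonPackaged` and `ConsentStore\webcam\NonPackaged` keys in `selection2`/`selection3` are updated whenever an ordinary desktop application starts or stops using the device, so video-conferencing and screen-recording software should match routinely at `level: medium`. Name that explicitly, e.g. `- Legitimate desktop applications that use the camera or microphone (video conferencing, screen recording)`. The 4656/4657/4663 events in `selection1` also only exist when Object Access auditing is enabled and a SACL is set on those keys, which the logsource does not state even though the neighbouring 5145 rules in this commit document their prerequisites in `logsource.definition`; add one, e.g. `definition: 'Object Access auditing with a SACL on the CapabilityAccessManager ConsentStore registry keys is required'`. The same missing audit prerequisite applies to the 4657 selection on `\SOFTWARE\Microsoft\.NETFramework` in win_etw_modification.yml further down.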
@@ -1,25 +1,26 @@ title: DCERPC SMB Spoolss Named Pipe id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e -description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. -status: experimental -references: - - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ - - https://twitter.com/_dirkjan/status/1309214379003588608 -tags: - - attack.lateral_movement - - attack.t1021.002 -date: 2018/11/28 +status: test +description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. author: OTR (Open Threat Research) +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 + - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ + - https://twitter.com/_dirkjan/status/1309214379003588608 +date: 2018/11/28 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName: spoolss - condition: selection + selection: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName: spoolss + condition: selection falsepositives: - - 'Domain Controllers acting as printer servers too? :)' + - 'Domain Controllers acting as printer servers too? :)' level: medium +tags: + - attack.lateral_movement + - attack.t1021.002 diff --git a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml index dc76cad1b..293fa0aad 100644 --- a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml +++ b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml 
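Review bot: The `falsepositives` entry `'Domain Controllers acting as printer servers too? :)'` is a joke rather than a usable tuning hint, and since every 5145 access to the `spoolss` pipe on an audited host matches the selection, including ordinary print traffic to any server running the Print Spooler, the tuner needs that stated plainly, e.g. `- Legitimate print traffic to hosts that run the Print Spooler service`. The logsource also lacks the `definition:` line the other 5145 rules in this commit carry (`'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'`); without it the rule silently never fires on hosts where that subcategory is off.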
@@ -1,25 +1,26 @@ title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack id: c39f0c81-7348-4965-ab27-2fde35a1b641 +status: test description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. -status: experimental -date: 2020/10/12 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -tags: - - attack.lateral_movement - - attack.t1021.002 - - attack.t1021.003 references: - - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html +date: 2020/10/12 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll' - filter: - SubjectUserName|endswith: '$' - condition: selection and not filter + selection: + EventID: 5145 + RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter falsepositives: - - Unknown -level: critical \ No newline at end of file + - Unknown +level: critical +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index bad6fabb1..9f3b32e5c 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml 
@@ -1,26 +1,27 @@ title: Disabling Windows Event Auditing id: 69aeb277-f15f-4d2d-b32a-55e883609563 +status: test description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.' -status: experimental -references: - - https://bit.ly/WinLogsZero2Hero -tags: - - attack.defense_evasion - - attack.t1054 # an old one - - attack.t1562.002 author: '@neu5ron' +references: + - https://bit.ly/WinLogsZero2Hero date: 2017/11/19 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' + product: windows + service: security + definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' detection: - selection: - EventID: 4719 - AuditPolicyChanges|contains: - - '%%8448' # This is "Success removed" - - '%%8450' # This is "Failure removed" - condition: selection + selection: + EventID: 4719 + AuditPolicyChanges|contains: + - '%%8448' # This is "Success removed" + - '%%8450' # This is 
"Failure removed" + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1054 # an old one + - attack.t1562.002 diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml index f913f7531..bf6c020e3 100644 --- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -1,25 +1,26 @@ title: DPAPI Domain Backup Key Extraction id: 4ac1f50b-3bd0-4968-902d-868b4647937e +status: test description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers -status: experimental -date: 2019/06/20 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.004 + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html +date: 2019/06/20 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4662 - ObjectType: 'SecretObject' - AccessMask: '0x2' - ObjectName: 'BCKUPKEY' - condition: selection + selection: + EventID: 4662 + ObjectType: 'SecretObject' + AccessMask: '0x2' + ObjectName: 'BCKUPKEY' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.004 diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index c65a24252..07159fd3f 100644 --- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml 
@@ -1,26 +1,27 @@ title: DPAPI Domain Master Key Backup Attempt id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014 +status: test description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. -status: experimental -date: 2019/08/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.004 + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html +date: 2019/08/10 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4692 - condition: selection + selection: + EventID: 4692 + condition: selection fields: - - ComputerName - - SubjectDomainName - - SubjectUserName + - ComputerName + - SubjectDomainName + - SubjectUserName falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.004 diff --git a/rules/windows/builtin/win_etw_modification.yml b/rules/windows/builtin/win_etw_modification.yml index 489bcd8d2..aaa84638e 100644 --- a/rules/windows/builtin/win_etw_modification.yml +++ b/rules/windows/builtin/win_etw_modification.yml @@ -1,7 +1,8 @@ title: COMPlus_ETWEnabled Registry Modification id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc -status: experimental +status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr 
@@ -12,21 +13,21 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -tags: - - attack.defense_evasion - - attack.t1112 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4657 - ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' - ObjectValueName: 'ETWEnabled' - NewValue: '0' - condition: selection + selection: + EventID: 4657 + ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' + ObjectValueName: 'ETWEnabled' + NewValue: '0' + condition: selection falsepositives: - - unknown -level: critical \ No newline at end of file + - unknown +level: critical +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml index 7bfc0539a..7c3b1dc8c 100644 --- a/rules/windows/builtin/win_gpo_scheduledtasks.yml +++ b/rules/windows/builtin/win_gpo_scheduledtasks.yml 
@@ -1,30 +1,31 @@ title: Persistence and Execution at Scale via GPO Scheduled Task id: a8f29a7b-b137-4446-80a0-b804272f3da2 +status: test description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale -status: experimental author: Samir Bousseaden -date: 2019/04/03 references: - - https://twitter.com/menasec1/status/1106899890377052160 - - https://www.secureworks.com/blog/ransomware-as-a-distraction -tags: - - attack.persistence - - attack.lateral_movement - - attack.t1053 # an old one - - attack.t1053.005 + - https://twitter.com/menasec1/status/1106899890377052160 + - https://www.secureworks.com/blog/ransomware-as-a-distraction +date: 2019/04/03 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection: - EventID: 5145 - ShareName: \\*\SYSVOL - RelativeTargetName|endswith: 'ScheduledTasks.xml' - Accesses|contains: - - 'WriteData' - - '%%4417' - condition: selection + selection: + EventID: 5145 + ShareName: \\*\SYSVOL + RelativeTargetName|endswith: 'ScheduledTasks.xml' + Accesses|contains: + - 'WriteData' + - '%%4417' + condition: selection falsepositives: - - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks + - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks level: high +tags: + - attack.persistence + - attack.lateral_movement + - attack.t1053 # an old one + - attack.t1053.005 diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml index 17666ce74..9d401a6de 100644 
--- a/rules/windows/builtin/win_hack_smbexec.yml +++ b/rules/windows/builtin/win_hack_smbexec.yml @@ -1,32 +1,32 @@ title: smbexec.py Service Installation id: 52a85084-6989-40c3-8f32-091e12e13f09 +status: test description: Detects the use of smbexec.py tool by detecting a specific service installation -status: experimental author: Omer Faruk Celik -date: 2018/03/20 -modified: 2020/08/23 references: - - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ -tags: - - attack.lateral_movement - - attack.execution - - attack.t1077 # an old one - - attack.t1021.002 - - attack.t1035 # an old one - - attack.t1569.002 + - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ +date: 2018/03/20 +modified: 2021/11/27 logsource: - product: windows - service: system + product: windows + service: system detection: - service_installation: - EventID: 7045 - ServiceName: 'BTOBTO' - ServiceFileName|endswith: '\execute.bat' - condition: service_installation + service_installation: + EventID: 7045 + ServiceName: 'BTOBTO' + ServiceFileName|endswith: '\execute.bat' + condition: service_installation fields: - - ServiceName - - ServiceFileName + - ServiceName + - ServiceFileName falsepositives: - - Penetration Test - - Unknown + - Penetration Test + - Unknown level: critical +tags: + - attack.lateral_movement + - attack.execution + - attack.t1077 # an old one + - attack.t1021.002 + - attack.t1035 # an old one + - attack.t1569.002 diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml index df3a87181..d18f16fb6 100644 --- a/rules/windows/builtin/win_lm_namedpipe.yml +++ b/rules/windows/builtin/win_lm_namedpipe.yml 
@@ -1,45 +1,46 @@ title: First Time Seen Remote Named Pipe id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad +status: test description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes -status: experimental author: Samir Bousseaden -date: 2019/04/03 references: - - https://twitter.com/menasec1/status/1104489274387451904 -tags: - - attack.lateral_movement - - attack.t1077 # an old one - - attack.t1021.002 + - https://twitter.com/menasec1/status/1104489274387451904 +date: 2019/04/03 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection1: - EventID: 5145 - ShareName: \\*\IPC$ - selection2: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' - condition: selection1 and not selection2 + selection1: + EventID: 5145 + ShareName: \\*\IPC$ + selection2: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName: + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' + condition: selection1 and not selection2 falsepositives: - - update the excluded named pipe to filter out any newly observed legit named pipe + - update the excluded named pipe to filter out any 
newly observed legit named pipe level: high +tags: + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml index e188aa447..d88704d0f 100644 --- a/rules/windows/builtin/win_mal_wceaux_dll.yml +++ b/rules/windows/builtin/win_mal_wceaux_dll.yml @@ -1,28 +1,29 @@ title: WCE wceaux.dll Access id: 1de68c67-af5c-4097-9c85-fe5578e09e67 -status: experimental +status: test description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host author: Thomas Patzke -date: 2017/06/14 references: - - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - - https://jpcertcc.github.io/ToolAnalysisResultSheet -tags: - - attack.credential_access - - attack.t1003 - - attack.s0005 + - https://www.jpcert.or.jp/english/pub/sr/ir_research.html + - https://jpcertcc.github.io/ToolAnalysisResultSheet +date: 2017/06/14 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 4656 - - 4658 - - 4660 - - 4663 - ObjectName|endswith: '\wceaux.dll' - condition: selection + selection: + EventID: + - 4656 + - 4658 + - 4660 + - 4663 + ObjectName|endswith: '\wceaux.dll' + condition: selection falsepositives: - - Penetration testing + - Penetration testing level: critical +tags: + - attack.credential_access + - attack.t1003 + - attack.s0005 diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index a25b0ce0c..4a2128d2f 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml 
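Review bot: `selection2` repeats `EventID: 5145` and `ShareName: \\*\IPC$`, which `selection1` already requires, so under `condition: selection1 and not selection2` those two keys are redundant and the exclusion list is easier to maintain if `selection2` holds only the `RelativeTargetName` list. The `falsepositives` text `update the excluded named pipe to filter out any newly observed legit named pipe` is an instruction rather than a false-positive description; a reader expects something like `- Legitimate named pipes not yet in the exclusion list (tune selection2 per environment)`. This hunk starts on the previous physical line.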
@@ -1,26 +1,26 @@ title: MMC20 Lateral Movement id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd +status: test description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe -status: experimental author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)' -date: 2020/03/04 -modified: 2020/08/23 references: - - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing -tags: - - attack.execution - - attack.t1175 # an old one - - attack.t1021.003 + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing +date: 2020/03/04 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\svchost.exe' - Image|endswith: '\mmc.exe' - CommandLine|contains: '-Embedding' - condition: selection + selection: + ParentImage|endswith: '\svchost.exe' + Image|endswith: '\mmc.exe' + CommandLine|contains: '-Embedding' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high +tags: + - attack.execution + - attack.t1175 # an old one + - attack.t1021.003 diff --git a/rules/windows/builtin/win_not_allowed_rdp_access.yml b/rules/windows/builtin/win_not_allowed_rdp_access.yml index 692576ec7..7b48f7705 100644 --- a/rules/windows/builtin/win_not_allowed_rdp_access.yml +++ b/rules/windows/builtin/win_not_allowed_rdp_access.yml 
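Review bot: The logsource here is `category: process_creation` while the file sits in `rules/windows/builtin/` next to rules that all use `service: security`/`service: system` event-log sources; if the repository keeps process-creation rules in a dedicated directory, as the category name suggests, this file should move there in a follow-up so that backend pipelines keyed on directory do not miss it. Nothing in the `ParentImage`/`Image`/`CommandLine` selection changed, so the move would be pure housekeeping.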
@@ -1,27 +1,27 @@ title: Denied Access To Remote Desktop id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9 -description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. - Often, this event can be generated by attackers when searching for available windows servers in the network. -status: experimental -tags: - - attack.lateral_movement - - attack.t1076 # an old one - - attack.t1021.001 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 +status: test +description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network. author: Pushkarev Dmitry +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 date: 2020/06/27 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4825 - condition: selection + selection: + EventID: 4825 + condition: selection fields: - - EventCode - - AccountName - - ClientAddress + - EventCode + - AccountName + - ClientAddress falsepositives: - - Valid user was not added to RDP group + - Valid user was not added to RDP group level: medium +tags: + - attack.lateral_movement + - attack.t1076 # an old one + - attack.t1021.001 diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/win_overpass_the_hash.yml index dbadc1f18..a123ed2be 100644 --- a/rules/windows/builtin/win_overpass_the_hash.yml +++ b/rules/windows/builtin/win_overpass_the_hash.yml 
@@ -1,26 +1,27 @@ title: Successful Overpass the Hash Attempt id: 192a0330-c20b-4356-90b6-7b7049ae0b87 -status: experimental +status: test description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. -references: - - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html author: Roberto Rodriguez (source), Dominik Schaudel (rule) +references: + - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html date: 2018/02/12 -tags: - - attack.lateral_movement - - attack.t1075 # an old one - - attack.s0002 - - attack.t1550.002 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4624 - LogonType: 9 - LogonProcessName: seclogo - AuthenticationPackageName: Negotiate - condition: selection + selection: + EventID: 4624 + LogonType: 9 + LogonProcessName: seclogo + AuthenticationPackageName: Negotiate + condition: selection falsepositives: - - Runas command-line tool using /netonly parameter + - Runas command-line tool using /netonly parameter level: high +tags: + - attack.lateral_movement + - attack.t1075 # an old one + - attack.s0002 + - attack.t1550.002 diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index 42af2c801..a4f230b0c 100644 --- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml 
@@ -1,33 +1,34 @@ title: Pass the Hash Activity id: f8d98d6c-7a07-4d74-b064-dd4a3c244528 -status: experimental +status: test description: Detects the attack technique pass the hash which is used to move laterally inside the network -references: - - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) +references: + - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events date: 2017/03/08 -tags: - - attack.lateral_movement - - attack.t1075 # an old one - - car.2016-04-004 - - attack.t1550.002 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 + product: windows + service: security + definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625 detection: - selection: - EventID: - - 4624 - - 4625 - LogonType: '3' - LogonProcessName: 'NtLmSsp' - WorkstationName: '%Workstations%' - ComputerName: '%Workstations%' - filter: - AccountName: 'ANONYMOUS LOGON' - condition: selection and not filter + selection: + EventID: + - 4624 + - 4625 + LogonType: '3' + LogonProcessName: 'NtLmSsp' + WorkstationName: '%Workstations%' + ComputerName: '%Workstations%' + filter: + AccountName: 'ANONYMOUS LOGON' + condition: selection and not filter falsepositives: - - Administrator activity - - Penetration tests + - Administrator activity + - Penetration tests level: medium +tags: + - attack.lateral_movement + - attack.t1075 # an old one + - car.2016-04-004 + - attack.t1550.002 diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml index cd0a8900a..0716acb0e 100644 
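Review bot: `WorkstationName: '%Workstations%'` and `ComputerName: '%Workstations%'` are environment placeholders that must be replaced by the site's workstation list before the rule can match anything, but neither the description nor the `definition` line says so; extend the definition, e.g. `definition: '... %Workstations% is a placeholder for the list of workstation hostnames in the environment and must be configured before use'`. The same undocumented placeholder pattern appears as `IpAddress: '%Admins_Workstations%'` in win_remote_registry_management_using_reg_utility.yml further down. As a style point, `LogonType: '3'` is quoted here while win_overpass_the_hash.yml writes `LogonType: 9` unquoted; both work, but the two rules should use one form.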
--- a/rules/windows/builtin/win_protected_storage_service_access.yml +++ b/rules/windows/builtin/win_protected_storage_service_access.yml @@ -1,25 +1,25 @@ title: Protected Storage Service Access id: 45545954-4016-43c6-855e-eae8f1c369dc +status: test description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers -status: experimental -date: 2019/08/10 -modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -tags: - - attack.lateral_movement - - attack.t1021 # an old one - - attack.t1021.002 + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html +date: 2019/08/10 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - ShareName|contains: 'IPC' - RelativeTargetName: "protected_storage" - condition: selection + selection: + EventID: 5145 + ShareName|contains: 'IPC' + RelativeTargetName: "protected_storage" + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.lateral_movement + - attack.t1021 # an old one + - attack.t1021.002 diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml index c36cccaf9..b4604cec8 100644 --- a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml 
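Review bot: `ShareName|contains: 'IPC'` is looser than the `ShareName: \\*\IPC$` used by the other 5145 rules in this commit (win_atsvc_task.yml, win_dce_rpc_smb_spoolss_named_pipe.yml, win_lm_namedpipe.yml); it matches any share whose name contains IPC and makes the set inconsistent, so align it to `ShareName: \\*\IPC$`. The description frames the rule as DPAPI domain backup key extraction, yet the tags carry only `attack.lateral_movement`/`attack.t1021.002` while the sibling DPAPI rules above tag `attack.credential_access` and `attack.t1003.004`; adding those here would keep the three rules queryable together. This hunk starts on the previous physical line.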
@@ -1,23 +1,23 @@ title: QuarksPwDump Clearing Access History id: 39f919f3-980b-4e6f-a975-8af7e507ef2b -status: experimental +status: test description: Detects QuarksPwDump clearing access history in hive author: Florian Roth date: 2017/05/15 -modified: 2019/11/13 -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 -level: critical +modified: 2021/11/27 logsource: - product: windows - service: system + product: windows + service: system detection: - selection: - EventID: 16 - HiveName|contains: '\AppData\Local\Temp\SAM' - HiveName|endswith: '.dmp' - condition: selection + selection: + EventID: 16 + HiveName|contains: '\AppData\Local\Temp\SAM' + HiveName|endswith: '.dmp' + condition: selection falsepositives: - - Unknown + - Unknown +level: critical +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml index 51b28a589..4e25bed94 100644 --- a/rules/windows/builtin/win_rare_schtasks_creations.yml +++ b/rules/windows/builtin/win_rare_schtasks_creations.yml 
@@ -1,26 +1,27 @@ title: Rare Schtasks Creations id: b0d77106-7bb0-41fe-bd94-d1752164d066 +status: test description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code -status: experimental author: Florian Roth date: 2017/03/23 -tags: - - attack.execution - - attack.privilege_escalation - - attack.persistence - - attack.t1053 # an old one - - car.2013-08-001 - - attack.t1053.005 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.' + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.' detection: - selection: - EventID: 4698 - timeframe: 7d - condition: selection | count() by TaskName < 5 + selection: + EventID: 4698 + timeframe: 7d + condition: selection | count() by TaskName < 5 falsepositives: - - Software installation - - Software updates + - Software installation + - Software updates level: low +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053 # an old one + - car.2013-08-001 + - attack.t1053.005 diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml index f42b28262..6684e2fda 100644 --- a/rules/windows/builtin/win_rare_service_installs.yml +++ b/rules/windows/builtin/win_rare_service_installs.yml 
@@ -1,24 +1,25 @@ title: Rare Service Installs id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae +status: test description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services -status: experimental author: Florian Roth date: 2017/03/08 -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1050 # an old one - - car.2013-09-005 - - attack.t1543.003 +modified: 2021/11/27 logsource: - product: windows - service: system + product: windows + service: system detection: - selection: - EventID: 7045 - timeframe: 7d - condition: selection | count() by ServiceFileName < 5 + selection: + EventID: 7045 + timeframe: 7d + condition: selection | count() by ServiceFileName < 5 falsepositives: - - Software installation - - Software updates + - Software installation + - Software updates level: low +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1050 # an old one + - car.2013-09-005 + - attack.t1543.003 diff --git a/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml index 7fe4d7985..63e4763fd 100644 --- a/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml +++ b/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml 
@@ -1,30 +1,30 @@ title: Remote Registry Management Using Reg Utility id: 68fcba0d-73a5-475e-a915-e8b4c576827e +status: test description: Remote registry management using REG utility from non-admin workstation author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -modified: 2020/08/23 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.defense_evasion - - attack.t1112 - - attack.discovery - - attack.t1012 - - attack.credential_access - - attack.t1552.002 - - attack.s0075 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/10/22 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection_1: - EventID: 5145 - RelativeTargetName|contains: '\winreg' - selection_2: - IpAddress: '%Admins_Workstations%' - condition: selection_1 and not selection_2 + selection_1: + EventID: 5145 + RelativeTargetName|contains: '\winreg' + selection_2: + IpAddress: '%Admins_Workstations%' + condition: selection_1 and not selection_2 falsepositives: - - Legitimate usage of remote registry management by administrator + - Legitimate usage of remote registry management by administrator level: medium -status: experimental +tags: + - attack.defense_evasion + - attack.t1112 + - attack.discovery + - attack.t1012 + - attack.credential_access + - attack.t1552.002 + - attack.s0075 diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml index da2eac46f..ed1ec811b 100644 --- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml +++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml 
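Review bot: The logsource has no `definition`, but Security EventID 5145 on `\winreg` is only generated when the advanced audit policy "Object Access > Audit Detailed File Share" is enabled — `win_susp_psexec.yml` in this same commit spells that out and this rule should too. Suggested line under `service: security`: `definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'`. Also, `IpAddress: '%Admins_Workstations%'` is a placeholder that must be resolved at conversion time; a one-line note in the description that the rule is inert without a mapping for it would save users a silent no-match.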
@@ -1,32 +1,32 @@ title: SAM Registry Hive Handle Request id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332 +status: test description: Detects handles requested to SAM registry hive -status: experimental -date: 2019/08/12 -modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html -tags: - - attack.discovery - - attack.t1012 - - attack.credential_access - - attack.t1552.002 + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html +date: 2019/08/12 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4656 - ObjectType: 'Key' - ObjectName|endswith: '\SAM' - condition: selection + selection: + EventID: 4656 + ObjectType: 'Key' + ObjectName|endswith: '\SAM' + condition: selection fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - ProcessName - - ObjectName + - ComputerName + - SubjectDomainName + - SubjectUserName + - ProcessName + - ObjectName falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.discovery + - attack.t1012 + - attack.credential_access + - attack.t1552.002 diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 5c59eb7e6..952176861 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml 
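Review bot: EventID 4656 for a registry key is only emitted when "Audit Registry" (Object Access) is enabled and a SACL exists on the key, so the rule will never fire on a default-configured host; the logsource needs a `definition` stating that, in the style of `win_susp_multiple_files_renamed_or_deleted.yml` in this commit, e.g. `definition: 'Requires Advanced Audit Policy: Object Access > Audit Registry, plus a SACL on HKLM\SAM'`. The referenced playbook presumably documents the SACL setup, but the rule itself should not depend on readers following the link. `ObjectName|endswith: '\SAM'` is fine for `\REGISTRY\MACHINE\SAM`, though note it also matches any other key whose last path component is `SAM`.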
@@ -1,26 +1,27 @@ title: SCM Database Privileged Operation id: dae8171c-5ec6-4396-b210-8466585b53e9 +status: test description: Detects non-system users performing privileged operation os the SCM database -status: experimental -date: 2019/08/15 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html +date: 2019/08/15 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4674 - ObjectType: 'SC_MANAGER OBJECT' - ObjectName: 'servicesactive' - PrivilegeList: 'SeTakeOwnershipPrivilege' - filter: - SubjectLogonId: "0x3e4" - condition: selection and not filter + selection: + EventID: 4674 + ObjectType: 'SC_MANAGER OBJECT' + ObjectName: 'servicesactive' + PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: + SubjectLogonId: "0x3e4" + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.privilege_escalation - - attack.t1548 \ No newline at end of file + - attack.privilege_escalation + - attack.t1548 diff --git a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml index ea32b4b6a..8c5ac0325 100644 --- a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml +++ b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml 
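Review bot: The description says the rule targets "non-system users", but the only exclusion is `SubjectLogonId: "0x3e4"`, which is conventionally the NETWORK SERVICE logon session; the SYSTEM session (conventionally `0x3e7`, the value the neighbouring `win_scrcons_remote_wmi_scripteventconsumer.yml` filters on) is not excluded, so SYSTEM activity still matches. If the intent is really to drop well-known service accounts, widen the filter to a list: `SubjectLogonId:` / `  - '0x3e4'` / `  - '0x3e7'` — please confirm against the playbook before changing the detection. The description also has a typo: `os the SCM database` should read `on the SCM database`.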
@@ -1,27 +1,28 @@ title: Remote WMI ActiveScriptEventConsumers id: 9599c180-e3a8-4743-8f92-7fb96d3be648 +status: test description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network -status: experimental -date: 2020/09/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.lateral_movement - - attack.privilege_escalation - - attack.persistence - - attack.t1546.003 references: - - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html +date: 2020/09/02 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4624 - LogonType: 3 - ProcessName|endswith: 'scrcons.exe' - filter: - TargetLogonId: '0x3e7' - condition: selection and not filter + selection: + EventID: 4624 + LogonType: 3 + ProcessName|endswith: 'scrcons.exe' + filter: + TargetLogonId: '0x3e7' + condition: selection and not filter falsepositives: - - SCCM -level: high \ No newline at end of file + - SCCM +level: high +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.persistence + - attack.t1546.003 diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml index 0569c9822..5f19a2da4 100644 --- a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml +++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml 
@@ -1,26 +1,27 @@ title: SMB Create Remote File Admin Share id: b210394c-ba12-4f89-9117-44a2464b9511 +status: test description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$). -status: experimental -date: 2020/08/06 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) -tags: - - attack.lateral_movement - - attack.t1021.002 references: - - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml - - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file + - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml + - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file +date: 2020/08/06 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - ShareName|endswith: 'C$' - AccessMask: '0x2' - filter: - SubjectUserName|endswith: '$' - condition: selection and not filter + selection: + EventID: 5145 + ShareName|endswith: 'C$' + AccessMask: '0x2' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.lateral_movement + - attack.t1021.002 diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml index 6173cbe74..6254caca7 100644 --- a/rules/windows/builtin/win_susp_dns_config.yml +++ b/rules/windows/builtin/win_susp_dns_config.yml 
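Review bot: The description promises detection on "administrative share (i.e C$)" but `ShareName|endswith: 'C$'` only covers the C$ share — writes via ADMIN$ or another drive share (D$) are not matched. Either widen to a list such as `ShareName|endswith:` / `  - 'C$'` / `  - 'ADMIN$'`, or reword the description to `e.g. C$` so the narrow scope is explicit. Note too that `AccessMask: '0x2'` is an exact match, so a request combining FILE_WRITE_DATA with other rights (a different mask value) is not caught; that looks deliberate but deserves a comment.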
@@ -1,28 +1,27 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL id: cbe51394-cd93-4473-b555-edf0144952d9 +status: test description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded -status: experimental -date: 2017/05/08 -references: - - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx - - https://twitter.com/gentilkiwi/status/861641945944391680 -tags: - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1574.002 author: Florian Roth +references: + - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 + - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx + - https://twitter.com/gentilkiwi/status/861641945944391680 +date: 2017/05/08 +modified: 2021/11/27 logsource: - product: windows - service: dns-server + product: windows + service: dns-server detection: - selection: - EventID: - - 150 - - 770 - condition: selection + selection: + EventID: + - 150 + - 770 + condition: selection falsepositives: - - Unknown + - Unknown level: critical - - +tags: + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1574.002 diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/win_susp_failed_logon_source.yml index 05d2a5b6d..a91d9a393 100644 --- a/rules/windows/builtin/win_susp_failed_logon_source.yml +++ b/rules/windows/builtin/win_susp_failed_logon_source.yml 
@@ -1,52 +1,53 @@ title: Failed Logon From Public IP id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 +status: test description: A login from a public IP can indicate a misconfigured firewall or network boundary. -status: experimental author: NVISO date: 2020/05/06 -tags: - - attack.initial_access - - attack.persistence - - attack.t1078 - - attack.t1190 - - attack.t1133 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4625 - unknown: - IpAddress|contains: '-' - privatev4: - IpAddress|startswith: - - '10.' #10.0.0.0/8 - - '192.168.' #192.168.0.0/16 - - '172.16.' #172.16.0.0/12 - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - '127.' #127.0.0.0/8 - - '169.254.' #169.254.0.0/16 - privatev6: - - IpAddress: '::1' #loopback - - IpAddress|startswith: - - 'fe80::' #link-local - - 'fc00::' #unique local - condition: selection and not (unknown or privatev4 or privatev6) + selection: + EventID: 4625 + unknown: + IpAddress|contains: '-' + privatev4: + IpAddress|startswith: + - '10.' #10.0.0.0/8 + - '192.168.' #192.168.0.0/16 + - '172.16.' #172.16.0.0/12 + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' #127.0.0.0/8 + - '169.254.' 
#169.254.0.0/16 + privatev6: + - IpAddress: '::1' #loopback + - IpAddress|startswith: + - 'fe80::' #link-local + - 'fc00::' #unique local + condition: selection and not (unknown or privatev4 or privatev6) falsepositives: - - Legitimate logon attempts over the internet - - IPv4-to-IPv6 mapped IPs + - Legitimate logon attempts over the internet + - IPv4-to-IPv6 mapped IPs level: medium +tags: + - attack.initial_access + - attack.persistence + - attack.t1078 + - attack.t1190 + - attack.t1133 diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml index b3238bfb3..21901949d 100644 --- a/rules/windows/builtin/win_susp_interactive_logons.yml +++ b/rules/windows/builtin/win_susp_interactive_logons.yml @@ -1,30 +1,31 @@ title: Interactive Logon to Server Systems id: 3ff152b2-1388-4984-9cd9-a323323fdadf +status: test description: Detects interactive console logons to Server Systems -status: experimental author: Florian Roth date: 2017/03/17 -tags: - - attack.lateral_movement - - attack.t1078 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 528 - - 529 - - 4624 - - 4625 - LogonType: 2 - ComputerName: - - '%ServerSystems%' - - '%DomainControllers%' - filter: - LogonProcessName: Advapi - ComputerName: '%Workstations%' - condition: selection and not filter + selection: + EventID: + - 528 + - 529 + - 4624 + - 4625 + LogonType: 2 + ComputerName: + - '%ServerSystems%' + - '%DomainControllers%' + filter: + LogonProcessName: Advapi + ComputerName: '%Workstations%' + condition: selection and not filter falsepositives: - - Administrative activity via KVM or ILO board + - Administrative activity via KVM or ILO board level: medium +tags: + - attack.lateral_movement + - attack.t1078 
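Review bot: The IPv6 exclusion `- 'fc00::'` under `privatev6` only matches addresses literally starting with `fc00:`, but unique-local addresses are the whole fc00::/7 block and in practice are allocated from fd00::/8, so typical ULA sources (fdxx:…) will still be reported as public. Replace the single prefix with two: `- 'fc' #fc00::/7 unique local` / `- 'fd'`; since no IPv4 literal starts with those characters the broader prefixes are safe here. The same list also lets IPv4-mapped forms such as `::ffff:10.0.0.1` through — which the `falsepositives` entry already acknowledges — and misses `0.0.0.0` and the CGNAT range `100.64.0.0/10`; worth adding `- '::ffff:10.'`, `- '::ffff:192.168.'` and `- '100.64.'` if those appear in your 4625 data.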
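Review bot: In `win_susp_interactive_logons.yml` the `filter` requires both `LogonProcessName: Advapi` and `ComputerName: '%Workstations%'`, while `selection` already restricts `ComputerName` to `%ServerSystems%` / `%DomainControllers%`; unless those placeholder groups overlap, the filter can never be true and is dead. If the intent is to suppress Advapi-driven logons (RunAs / service-style logons) on the servers themselves, drop the `ComputerName` line from the filter; if it really is about workstations, the filter belongs in a separate rule. A short why-comment on the filter would prevent the next reader from guessing. Independently, `528`/`529` are pre-Vista IDs kept alongside `4624`/`4625`; a comment noting that legacy coverage is intentional would help.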
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index dcca0e261..0ac976672 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml @@ -1,54 +1,55 @@ title: Kerberos Manipulation id: f7644214-0eb0-4ace-9455-331ec4c09253 +status: test description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages -status: experimental author: Florian Roth date: 2017/02/10 -tags: - - attack.credential_access - - attack.t1212 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 675 - - 4768 - - 4769 - - 4771 - FailureCode: - - '0x9' - - '0xA' - - '0xB' - - '0xF' - - '0x10' - - '0x11' - - '0x13' - - '0x14' - - '0x1A' - - '0x1F' - - '0x21' - - '0x22' - - '0x23' - - '0x24' - - '0x26' - - '0x27' - - '0x28' - - '0x29' - - '0x2C' - - '0x2D' - - '0x2E' - - '0x2F' - - '0x31' - - '0x32' - - '0x3E' - - '0x3F' - - '0x40' - - '0x41' - - '0x43' - - '0x44' - condition: selection + selection: + EventID: + - 675 + - 4768 + - 4769 + - 4771 + FailureCode: + - '0x9' + - '0xA' + - '0xB' + - '0xF' + - '0x10' + - '0x11' + - '0x13' + - '0x14' + - '0x1A' + - '0x1F' + - '0x21' + - '0x22' + - '0x23' + - '0x24' + - '0x26' + - '0x27' + - '0x28' + - '0x29' + - '0x2C' + - '0x2D' + - '0x2E' + - '0x2F' + - '0x31' + - '0x32' + - '0x3E' + - '0x3F' + - '0x40' + - '0x41' + - '0x43' + - '0x44' + condition: selection falsepositives: - - Faulty legacy applications + - Faulty legacy applications level: high +tags: + - attack.credential_access + - attack.t1212 diff --git a/rules/windows/builtin/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/win_susp_ldap_dataexchange.yml index f2fb0f325..3084f30bb 100644 --- a/rules/windows/builtin/win_susp_ldap_dataexchange.yml +++ b/rules/windows/builtin/win_susp_ldap_dataexchange.yml 
@@ -1,30 +1,30 @@ title: Suspicious LDAP-Attributes Used id: d00a9a72-2c09-4459-ad03-5e0a23351e36 +status: test description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. -status: experimental -date: 2019/03/24 -modified: 2020/08/23 author: xknow @xknow_infosec references: - - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - - https://github.com/fox-it/LDAPFragger -tags: - - attack.t1071 # an old one - - attack.t1001.003 - - attack.command_and_control + - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 + - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ + - https://github.com/fox-it/LDAPFragger +date: 2019/03/24 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5136 - AttributeValue: '*' - AttributeLDAPDisplayName: - - 'primaryInternationalISDNNumber' - - 'otherFacsimileTelephoneNumber' - - 'primaryTelexNumber' - condition: selection + selection: + EventID: 5136 + AttributeValue: '*' + AttributeLDAPDisplayName: + - 'primaryInternationalISDNNumber' + - 'otherFacsimileTelephoneNumber' + - 'primaryTelexNumber' + condition: selection falsepositives: - - Companies, who may use these default LDAP-Attributes for personal information + - Companies, who may use these default LDAP-Attributes for personal information level: high +tags: + - attack.t1071 # an old one + - attack.t1001.003 + - attack.command_and_control 
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml index cac81fb5b..72db499df 100644 --- a/rules/windows/builtin/win_susp_mshta_execution.yml +++ b/rules/windows/builtin/win_susp_mshta_execution.yml 
@@ -1,36 +1,35 @@ title: MSHTA Suspicious Execution 01 id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 -status: experimental +status: test description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism -date: 2019/02/22 -modified: 2020/08/23 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) references: - - http://blog.sevagas.com/?Hacking-around-HTA-files - - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 - - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script - - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997 -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1218.005 + - http://blog.sevagas.com/?Hacking-around-HTA-files + - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 + - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script + - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997 +date: 2019/02/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: high + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\mshta.exe' - CommandLine|contains: - - 'vbscript' - - '.jpg' - - '.png' - - '.lnk' + selection1: + Image|endswith: '\mshta.exe' + CommandLine|contains: + - 'vbscript' + - '.jpg' + - '.png' + - '.lnk' # - '.chm' # could be prone to false positives - - '.xls' - - '.doc' - - '.zip' - condition: - selection1 + - '.xls' + - '.doc' + - '.zip' + condition: selection1 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: high +tags: + - attack.defense_evasion 
+ - attack.t1140 + - attack.t1218.005 diff --git a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml index 0bc1a547a..0d429211d 100644 --- a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml 
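Review bot: This rule's logsource is `category: process_creation`, yet the file stays under `rules/windows/builtin/` alongside rules keyed on Windows event-log services; the other process-creation rules in the repository live under `rules/windows/process_creation/`, so this one will be missed by anyone filtering by directory. Since the commit is already touching metadata on every rule, moving the file (or noting why it stays here) would be cheap. Also, `# - '.chm' # could be prone to false positives` is useful reviewer context — consider promoting it into the `falsepositives` list so it survives tooling that strips YAML comments.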
@@ -1,27 +1,28 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 +status: test description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity). -status: experimental -tags: - - attack.impact - - attack.t1486 author: Vasiliy Burov, oscd.community -date: 2020/10/16 references: - - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html + - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html +date: 2020/10/16 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' + product: windows + service: security + definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access' detection: - selection: - EventID: 4663 - ObjectType: 'File' - AccessList: '%%1537' - Keywords: '0x8020000000000000' - timeframe: 30s - condition: selection | count() by SubjectLogonId > 10 + selection: + EventID: 4663 + ObjectType: 'File' + AccessList: '%%1537' + Keywords: '0x8020000000000000' + timeframe: 30s + condition: selection | count() by SubjectLogonId > 10 falsepositives: - - Software uninstallation - - Files restore activities + - Software uninstallation + - Files restore activities level: medium +tags: + - attack.impact + - attack.t1486 diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index 3fa612999..380774c5e 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml 
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml 
@@ -1,37 +1,37 @@ title: Reconnaissance Activity id: 968eef52-9cff-4454-8992-1e74b9cbad6c -status: experimental +status: test description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" -references: - - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community +references: + - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html date: 2017/03/07 -modified: 2020/08/23 -tags: - - attack.discovery - - attack.t1087 # an old one - - attack.t1087.002 - - attack.t1069 # an old one - - attack.t1069.002 - - attack.s0039 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems + product: windows + service: security + definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: - selection: - EventID: 4661 - ObjectType: - - 'SAM_USER' - - 'SAM_GROUP' - ObjectName|startswith: 'S-1-5-21-' - AccessMask: '0x2d' - selection2: - ObjectName|endswith: - - '-500' - - '-512' - condition: selection and selection2 + selection: + EventID: 4661 + ObjectType: + - 'SAM_USER' + - 'SAM_GROUP' + ObjectName|startswith: 'S-1-5-21-' + AccessMask: '0x2d' + selection2: + ObjectName|endswith: + - '-500' + - '-512' + condition: selection and selection2 falsepositives: - - Administrator activity - - Penetration tests + - Administrator activity + - Penetration tests level: high +tags: + - attack.discovery + - attack.t1087 # an old one + - attack.t1087.002 + - attack.t1069 # an old one + - attack.t1069.002 + - attack.s0039 
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml index 96e1d00a8..658223ac7 100644 --- a/rules/windows/builtin/win_susp_ntlm_rdp.yml +++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml @@ -1,30 +1,31 @@ title: Potential Remote Desktop Connection to Non-Domain Host id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad -status: experimental +status: test description: Detects logons using NTLM to hosts that are potentially not part of the domain. -references: - - n/a author: James Pemberton +references: + - n/a date: 2020/05/22 -tags: - - attack.command_and_control - - attack.t1219 +modified: 2021/11/27 logsource: - product: windows - service: ntlm - definition: Requires events from Microsoft-Windows-NTLM/Operational + product: windows + service: ntlm + definition: Requires events from Microsoft-Windows-NTLM/Operational detection: - selection: - EventID: 8001 - TargetName|startswith: TERMSRV - condition: selection + selection: + EventID: 8001 + TargetName|startswith: TERMSRV + condition: selection fields: - - Computer - - UserName - - DomainName - - TargetName + - Computer + - UserName + - DomainName + - TargetName falsepositives: - - Host connections to valid domains, exclude these. - - Host connections not using host FQDN. - - Host connections to external legitimate domains. + - Host connections to valid domains, exclude these. + - Host connections not using host FQDN. + - Host connections to external legitimate domains. level: medium +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml index f82a1ee68..b4f2d1421 100644 --- a/rules/windows/builtin/win_susp_psexec.yml +++ b/rules/windows/builtin/win_susp_psexec.yml 
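Review bot: `references:` / `  - n/a` in `win_susp_ntlm_rdp.yml` is not a reference; the Sigma convention is a list of URLs, and several consumers render this field as links. Either drop the `references` block entirely or replace it with the Microsoft documentation for the `Microsoft-Windows-NTLM/Operational` 8001 event that the `definition` already names. The `falsepositives` entries read as instructions ("exclude these") rather than descriptions; `Host connections to valid domains` alone states the condition.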
@@ -1,32 +1,33 @@ title: Suspicious PsExec Execution id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 +status: test description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one -status: experimental author: Samir Bousseaden -date: 2019/04/03 references: - - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html -tags: - - attack.lateral_movement - - attack.t1077 # an old one - - attack.t1021.002 + - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html +date: 2019/04/03 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection1: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName|endswith: - - '-stdin' - - '-stdout' - - '-stderr' - selection2: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName|startswith: 'PSEXESVC' - condition: selection1 and not selection2 + selection1: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName|endswith: + - '-stdin' + - '-stdout' + - '-stderr' + selection2: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName|startswith: 'PSEXESVC' + condition: selection1 and not selection2 falsepositives: - - nothing observed so far + - nothing observed so far level: high +tags: + - attack.lateral_movement + - attack.t1077 # an old one + - attack.t1021.002 diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml index 27304ec91..ad4617a57 100644 --- a/rules/windows/builtin/win_susp_sam_dump.yml +++ b/rules/windows/builtin/win_susp_sam_dump.yml 
@@ -1,24 +1,25 @@ title: SAM Dump to AppData id: 839dd1e8-eda8-4834-8145-01beeee33acd -status: experimental +status: test description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 author: Florian Roth date: 2018/01/27 +modified: 2021/11/27 logsource: - product: windows - service: system - definition: The source of this type of event is Kernel-General + product: windows + service: system + definition: The source of this type of event is Kernel-General detection: - selection: - EventID: 16 - keywords: - - '\AppData\Local\Temp\SAM-' - - '.dmp' - condition: selection and all of keywords + selection: + EventID: 16 + keywords: + - '\AppData\Local\Temp\SAM-' + - '.dmp' + condition: selection and all of keywords falsepositives: - - Penetration testing + - Penetration testing level: high +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml index 0eeed1c10..b1ca0b547 100644 --- a/rules/windows/builtin/win_susp_samr_pwset.yml +++ b/rules/windows/builtin/win_susp_samr_pwset.yml 
@@ -1,24 +1,24 @@ title: Possible Remote Password Change Through SAMR id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951 -description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced - Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. -status: experimental +status: test +description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. author: Dimitrios Slamaris date: 2017/06/09 -tags: - - attack.credential_access - - attack.t1212 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - samrpipe: - EventID: 5145 - RelativeTargetName: samr - passwordchanged: - EventID: 4738 - passwordchanged_filter: - PasswordLastSet: null - timeframe: 15s - condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe + samrpipe: + EventID: 5145 + RelativeTargetName: samr + passwordchanged: + EventID: 4738 + passwordchanged_filter: + PasswordLastSet: + timeframe: 15s + condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe level: medium +tags: + - attack.credential_access + - attack.t1212 diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 6dea56173..a01737771 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml 
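Review bot: Replacing `PasswordLastSet: null` with an empty `PasswordLastSet:` parses to the same null, but the explicit form documents that the filter is a "field is null/absent" test rather than an accidentally blank value — I would keep `PasswordLastSet: null` and add a comment, e.g. `PasswordLastSet: null # exclude 4738 events that do not report a password change`. The rule also has no `falsepositives` section, unlike every other rule in this commit; at least `falsepositives:` / `  - Legitimate password resets by administrators` belongs here. Finally, the `near` aggregation in the condition is, as far as I know, unsupported by most Sigma backends, so the description should warn that this rule only converts for targets implementing `near`; the description's "to see this events" should read "to see these events".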
@@ -1,37 +1,37 @@ title: Secure Deletion with SDelete id: 39a80702-d7ca-4a83-b776-525b1f86a36d -status: experimental +status: test description: Detects renaming of file while deletion with SDelete tool. author: Thomas Patzke -date: 2017/06/14 -modified: 2020/08/02 references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete -tags: - - attack.impact - - attack.defense_evasion - - attack.t1107 # an old one - - attack.t1070.004 - - attack.t1066 # an old one - - attack.t1027.005 - - attack.t1485 - - attack.t1553.002 - - attack.s0195 + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm + - https://www.jpcert.or.jp/english/pub/sr/ir_research.html + - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete +date: 2017/06/14 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 4656 - - 4663 - - 4658 - ObjectName|endswith: - - '.AAA' - - '.ZZZ' - condition: selection + selection: + EventID: + - 4656 + - 4663 + - 4658 + ObjectName|endswith: + - '.AAA' + - '.ZZZ' + condition: selection falsepositives: - - Legitimate usage of SDelete + - Legitimate usage of SDelete level: medium +tags: + - attack.impact + - attack.defense_evasion + - attack.t1107 # an old one + - attack.t1070.004 + - attack.t1066 # an old one + - attack.t1027.005 + - attack.t1485 + - attack.t1553.002 + - attack.s0195 diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index 360e1a872..9539d2366 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml 
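Review bot: The logsource lacks a `definition`, but Security 4656/4663/4658 for files require "Object Access > Audit File System" plus a SACL on the monitored directories, exactly the prerequisite `win_susp_multiple_files_renamed_or_deleted.yml` in this same commit documents; without it the rule silently never fires. Suggested line under `service: security`: `definition: 'Requirements: Audit Policy : Object Access > Audit File System, and a SACL on the directories to monitor'`. `ObjectName|endswith` on `.AAA` / `.ZZZ` is case-insensitive in Sigma, which is what you want for NTFS, but a brief comment that these are the rename patterns from the referenced JPCERT analysis would make the magic extensions self-explanatory.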
@@ -1,33 +1,33 @@ title: Unauthorized System Time Modification id: faa031b5-21ed-4e02-8881-2591f98d82ed -status: experimental +status: test description: Detect scenarios where a potentially unauthorized application or user is modifying the system time. author: '@neu5ron' references: - - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) - - Live environment caused by malware - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 + - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) + - Live environment caused by malware + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 date: 2019/02/05 -modified: 2020/01/27 -tags: - - attack.defense_evasion - - attack.t1099 # an old one - - attack.t1070.006 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change' + product: windows + service: security + definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change' detection: - selection: - EventID: 4616 - filter1: - ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe' - filter2: - ProcessName: 'C:\Windows\System32\VBoxService.exe' - filter3: - ProcessName: 'C:\Windows\System32\svchost.exe' - SubjectUserSid: 'S-1-5-19' - condition: selection and not ( filter1 or filter2 or filter3 ) + selection: + EventID: 4616 + filter1: + ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe' + filter2: + ProcessName: 'C:\Windows\System32\VBoxService.exe' + filter3: + ProcessName: 'C:\Windows\System32\svchost.exe' + 
SubjectUserSid: 'S-1-5-19' + condition: selection and not ( filter1 or filter2 or filter3 ) falsepositives: - - HyperV or other virtualization technologies with binary not listed in filter portion of detection + - HyperV or other virtualization technologies with binary not listed in filter portion of detection level: medium +tags: + - attack.defense_evasion + - attack.t1099 # an old one + - attack.t1070.006 diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 6b172fb38..a7df9e611 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -1,30 +1,30 @@ title: Suspicious Outbound Kerberos Connection id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 -status: experimental +status: test description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. -references: - - https://github.com/GhostPack/Rubeus author: Ilyas Ochkov, oscd.community +references: + - https://github.com/GhostPack/Rubeus date: 2019/10/24 -modified: 2019/11/13 -tags: - - attack.lateral_movement - - attack.t1208 # an old one - - attack.t1558.003 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5156 - DestinationPort: 88 - filter: - Image|endswith: - - '\lsass.exe' - - '\opera.exe' - - '\chrome.exe' - - '\firefox.exe' - condition: selection and not filter + selection: + EventID: 5156 + DestinationPort: 88 + filter: + Image|endswith: + - '\lsass.exe' + - '\opera.exe' + - '\chrome.exe' + - '\firefox.exe' + condition: selection and not filter falsepositives: - - Other browsers + - Other browsers level: high +tags: + - attack.lateral_movement + - attack.t1208 # an old one + - attack.t1558.003 
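Review bot: In win_suspicious_outbound_kerberos_connection.yml the selection uses `Image|endswith` and `DestinationPort`, but Windows event 5156 (Filtering Platform Connection) natively names these fields `Application` and `DestPort`; unless the field mapping for the `security` service translates them, the rule silently matches nothing. Confirming this against the deployed mapping, or switching to the native names, is worth doing before the status is promoted to test. The filter also trusts any process whose path merely ends in one of the listed browser names; constraining the directory as well (the `\Google\Chrome\Application\chrome.exe` style used in win_user_driver_loaded.yml in this same patch) tightens it.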
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml index 9ca27223a..02c5249e4 100644 --- a/rules/windows/builtin/win_svcctl_remote_service.yml +++ b/rules/windows/builtin/win_svcctl_remote_service.yml @@ -1,27 +1,28 @@ title: Remote Service Activity via SVCCTL Named Pipe id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 +status: test description: Detects remote service activity via remote access to the svcctl named pipe -status: experimental author: Samir Bousseaden -date: 2019/04/03 references: - - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -tags: - - attack.lateral_movement - - attack.persistence - - attack.t1077 # an old one - - attack.t1021.002 + - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +date: 2019/04/03 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection: - EventID: 5145 - ShareName: \\*\IPC$ - RelativeTargetName: svcctl - Accesses|contains: 'WriteData' - condition: selection + selection: + EventID: 5145 + ShareName: \\*\IPC$ + RelativeTargetName: svcctl + Accesses|contains: 'WriteData' + condition: selection falsepositives: - - pentesting + - pentesting level: medium +tags: + - attack.lateral_movement + - attack.persistence + - attack.t1077 # an old one + - attack.t1021.002 diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml index 0c36525b1..dd972ae9e 100644 --- a/rules/windows/builtin/win_syskey_registry_access.yml +++ b/rules/windows/builtin/win_syskey_registry_access.yml 
@@ -1,30 +1,30 @@ title: SysKey Registry Keys Access id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 +status: test description: Detects handle requests and access operations to specific registry keys to calculate the SysKey -status: experimental -date: 2019/08/12 -modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html -tags: - - attack.discovery - - attack.t1012 + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html +date: 2019/08/12 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: - - 4656 - - 4663 - ObjectType: 'key' - ObjectName|endswith: - - 'lsa\JD' - - 'lsa\GBG' - - 'lsa\Skew1' - - 'lsa\Data' - condition: selection + selection: + EventID: + - 4656 + - 4663 + ObjectType: 'key' + ObjectName|endswith: + - 'lsa\JD' + - 'lsa\GBG' + - 'lsa\Skew1' + - 'lsa\Data' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.discovery + - attack.t1012 diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml index 040fe5a60..fb811ece0 100644 --- a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml +++ b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml 
@@ -1,35 +1,36 @@ title: Sysmon Channel Reference Deletion id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc -status: experimental +status: test description: Potential threat actor tampering with Sysmon manifest and eventually disabling it +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://twitter.com/Flangvik/status/1283054508084473861 - https://twitter.com/SecurityJosh/status/1283027365770276866 - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8 -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/07/14 -tags: - - attack.defense_evasion - - attack.t1112 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection1: - EventID: 4657 - ObjectName|contains: - - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' - - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational' - ObjectValueName: 'Enabled' - NewValue: '0' - selection2: - EventID: 4663 - ObjectName|contains: - - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' - - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational' - AccessMask: 0x10000 - condition: selection1 or selection2 + selection1: + EventID: 4657 + ObjectName|contains: + - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' + - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational' + ObjectValueName: 'Enabled' + NewValue: '0' + selection2: + EventID: 4663 + ObjectName|contains: + - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' + - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational' + AccessMask: 0x10000 + condition: selection1 or selection2 falsepositives: - - unknown -level: critical \ No newline at end of file + - unknown +level: critical +tags: + - attack.defense_evasion + - attack.t1112 
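Review bot: `AccessMask: 0x10000` in selection2 is an unquoted scalar; a YAML 1.1 loader such as PyYAML resolves it to the integer 65536, whereas event 4663 carries AccessMask as the hex string `0x10000`, so whether the generated query matches depends on how the backend renders integers. Quoting it, `AccessMask: '0x10000'`, makes the value unambiguous and is consistent with the quoted `NewValue: '0'` and GUID values beside it. Hedged: if the target field mapping normalises AccessMask to an integer this is a no-op, but the quoted form is safe in both cases.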
diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index b611a04cd..2bed3b359 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml 
@@ -1,33 +1,34 @@ title: Transferring Files with Credential Data via Network Shares id: 910ab938-668b-401b-b08c-b596e80fdca5 +status: test description: Transferring files with well-known filenames (sensitive files with credential data) using network shares -status: experimental author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 - - attack.t1003.001 - - attack.t1003.003 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/10/22 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - RelativeTargetName|contains: - - '\mimidrv' - - '\lsass' - - '\windows\minidump\' - - '\hiberfil' - - '\sqldmpr' - - '\sam' - - '\ntds.dit' - - '\security' - condition: selection + selection: + EventID: 5145 + RelativeTargetName|contains: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection falsepositives: - - Transferring sensitive files for legitimate administration work by legitimate administrator + - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml index a61f460da..954cecd06 100644 --- a/rules/windows/builtin/win_usb_device_plugged.yml +++ b/rules/windows/builtin/win_usb_device_plugged.yml 
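Review bot: `RelativeTargetName|contains` with `'\sam'` and `'\security'` matches any share path containing those substrings (`\samples\…`, `\security-policy\…`), a far broader net than the "well-known filenames" the description promises, and it is likely to dominate the hits at level medium. Moving those two and `'\ntds.dit'` into a `RelativeTargetName|endswith` list, or spelling out the full file names, preserves the intent while shrinking false positives. `'\lsass'` on its own likewise matches any name beginning with lsass; a short inline comment stating which artefacts each entry targets would make the list reviewable.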
@@ -1,25 +1,26 @@ title: USB Device Plugged id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 +status: test description: Detects plugged USB devices -references: - - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ - - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ -status: experimental author: Florian Roth +references: + - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ + - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ date: 2017/11/09 -tags: - - attack.initial_access - - attack.t1200 +modified: 2021/11/27 logsource: - product: windows - service: driver-framework + product: windows + service: driver-framework detection: - selection: - EventID: - - 2003 # Loading drivers - - 2100 # Pnp or power management - - 2102 # Pnp or power management - condition: selection + selection: + EventID: + - 2003 # Loading drivers + - 2100 # Pnp or power management + - 2102 # Pnp or power management + condition: selection falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: low +tags: + - attack.initial_access + - attack.t1200 diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/win_user_creation.yml index d2fc67aa0..1750bbb7b 100644 --- a/rules/windows/builtin/win_user_creation.yml +++ b/rules/windows/builtin/win_user_creation.yml 
@@ -1,29 +1,28 @@ title: Local User Creation id: 66b6be3d-55d0-4f47-9855-d69df21740ea -description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows - server logs and not on your DC logs. -status: experimental -tags: - - attack.persistence - - attack.t1136 # an old one - - attack.t1136.001 -references: - - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ +status: test +description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs. author: Patrick Bareiss +references: + - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ date: 2019/04/18 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4720 - condition: selection + selection: + EventID: 4720 + condition: selection fields: - - EventCode - - AccountName - - AccountDomain + - EventCode + - AccountName + - AccountDomain falsepositives: - - Domain Controller Logs - - Local accounts managed by privileged account management tools + - Domain Controller Logs + - Local accounts managed by privileged account management tools level: low +tags: + - attack.persistence + - attack.t1136 # an old one + - attack.t1136.001 diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index 7d1630089..edcd4172c 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml 
@@ -1,39 +1,40 @@ title: Suspicious Driver Loaded By User id: f63508a0-c809-4435-b3be-ed819394d612 +status: test description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. -status: experimental -references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 -tags: - - attack.t1089 # an old one - - attack.defense_evasion - - attack.t1562.001 -date: 2019/04/08 author: xknow (@xknow_infosec), xorxes (@xor_xes) +references: + - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 +date: 2019/04/08 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection_1: - EventID: 4673 - PrivilegeList: 'SeLoadDriverPrivilege' - Service: '-' - selection_2: - ProcessName|endswith: - - '\Windows\System32\Dism.exe' - - '\Windows\System32\rundll32.exe' - - '\Windows\System32\fltMC.exe' - - '\Windows\HelpPane.exe' - - '\Windows\System32\mmc.exe' - - '\Windows\System32\svchost.exe' - - '\Windows\System32\wimserv.exe' - - '\procexp64.exe' - - '\procexp.exe' - - '\procmon64.exe' - - '\procmon.exe' - - '\Google\Chrome\Application\chrome.exe' - condition: selection_1 and not selection_2 + selection_1: + EventID: 4673 + 
PrivilegeList: 'SeLoadDriverPrivilege' + Service: '-' + selection_2: + ProcessName|endswith: + - '\Windows\System32\Dism.exe' + - '\Windows\System32\rundll32.exe' + - '\Windows\System32\fltMC.exe' + - '\Windows\HelpPane.exe' + - '\Windows\System32\mmc.exe' + - '\Windows\System32\svchost.exe' + - '\Windows\System32\wimserv.exe' + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' + - '\Google\Chrome\Application\chrome.exe' + condition: selection_1 and not selection_2 falsepositives: - - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.' + - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.' level: medium +tags: + - attack.t1089 # an old one + - attack.defense_evasion + - attack.t1562.001 diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml index 83bf381a1..083a98ded 100644 --- a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml 
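Review bot: The falsepositives entry still reads `legimate` on both sides of the hunk; it should be `Other legitimate tools loading drivers…`. The `selection_2` exclusions are by image path suffix alone and include general-purpose hosts such as `\Windows\System32\svchost.exe` and `\Windows\System32\rundll32.exe`, so the rule trusts whatever runs under those paths; since the description already asks operators to maintain a whitelist, a `definition` note that these exclusions must be reviewed per environment (for example combined with `SubjectUserName`) would make that expectation explicit.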
@@ -1,26 +1,27 @@ title: T1047 Wmiprvse Wbemcomn DLL Hijack id: f6c68d5f-e101-4b86-8c84-7d96851fd65c +status: test description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario. -status: experimental -date: 2020/10/12 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -tags: - - attack.execution - - attack.t1047 - - attack.lateral_movement - - attack.t1021.002 references: - - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html +date: 2020/10/12 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - RelativeTargetName|endswith: '\wbem\wbemcomn.dll' - filter: - SubjectUserName|endswith: '$' - condition: selection and not filter + selection: + EventID: 5145 + RelativeTargetName|endswith: '\wbem\wbemcomn.dll' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter falsepositives: - - Unknown -level: critical \ No newline at end of file + - Unknown +level: critical +tags: + - attack.execution + - attack.t1047 + - attack.lateral_movement + - attack.t1021.002 diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index 30b3da1b2..04829d335 100644 --- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml 
@@ -1,24 +1,24 @@ title: CreateRemoteThread API and LoadLibrary id: 052ec6f6-1adc-41e6-907a-f1c813478bee +status: test description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process -status: experimental -date: 2019/08/11 -modified: 2020/08/28 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html -tags: - - attack.defense_evasion - - attack.t1055 # an old one - - attack.t1055.001 + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html +date: 2019/08/11 +modified: 2021/11/27 logsource: - product: windows - category: create_remote_thread + product: windows + category: create_remote_thread detection: - selection: - StartModule|endswith: '\kernel32.dll' - StartFunction: 'LoadLibraryA' - condition: selection + selection: + StartModule|endswith: '\kernel32.dll' + StartFunction: 'LoadLibraryA' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1055 # an old one + - attack.t1055.001 diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml index 829a9dba8..3289b67ec 100644 --- a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml 
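Review bot: `StartFunction: 'LoadLibraryA'` pins the detection to the ANSI entry point only; the W and Ex variants exported by the same `\kernel32.dll` start module are not covered, although the title and description speak of LoadLibrary generally. `StartFunction|startswith: 'LoadLibrary'` covers the whole family in one line; if only the A variant is intended, the description should say so.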
@@ -1,22 +1,23 @@ title: Accessing WinAPI in PowerShell. Code Injection. id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 -status: experimental +status: test description: Detecting Code injection with PowerShell in another process author: Nikita Nazarov, oscd.community -date: 2020/10/06 references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -tags: - - attack.execution - - attack.t1059.001 + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +date: 2020/10/06 +modified: 2021/11/27 logsource: - product: windows - category: create_remote_thread - definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config' + product: windows + category: create_remote_thread + definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config' detection: - selection: - SourceImage|endswith: '\powershell.exe' - condition: selection + selection: + SourceImage|endswith: '\powershell.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml index 5a0995305..4a096cc38 100644 --- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml +++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml 
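Review bot: The `definition` string still says `Symson config`; it should read `definition: 'Note that you have to configure logging for CreateRemoteThread in Sysmon config'`. The selection also covers only `\powershell.exe`; PowerShell 7 runs as `pwsh.exe`, so either add it to `SourceImage|endswith` or state the limitation in the description — hedged, as the rule may intentionally target Windows PowerShell only.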
@@ -1,31 +1,30 @@ title: Executable in ADS id: b69888d4-380c-45ce-9cf9-d9ce46e67821 -status: experimental +status: test description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash) -references: - - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 -tags: - - attack.defense_evasion - - attack.t1027 # an old one - - attack.s0139 - - attack.t1564.004 author: Florian Roth, @0xrawsec +references: + - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 date: 2018/06/03 -modified: 2020/08/26 +modified: 2021/11/27 logsource: - product: windows - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' + product: windows + category: create_stream_hash + definition: 'Requirements: Sysmon config with Imphash logging activated' detection: - filter1: - Imphash: '00000000000000000000000000000000' - filter2: - Imphash: null - condition: not 1 of filter* + filter1: + Imphash: '00000000000000000000000000000000' + filter2: + Imphash: + condition: not 1 of filter* fields: - - TargetFilename - - Image + - TargetFilename + - Image falsepositives: - - unknown + - unknown level: critical - +tags: + - attack.defense_evasion + - attack.t1027 # an old one + - attack.s0139 + - attack.t1564.004 diff --git a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml index 34652dad4..39a38bcc1 100644 --- a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml 
@@ -1,24 +1,25 @@ title: Exports Registry Key To an Alternate Data Stream id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84 -status: experimental +status: test description: Exports the target Registry key and hides it in the specified alternate data stream. -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -tags: - - attack.defense_evasion - - attack.t1564.004 author: Oddvar Moe, Sander Wiebing, oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f date: 2020/10/07 +modified: 2021/11/27 logsource: - product: windows - category: create_stream_hash + product: windows + category: create_stream_hash detection: - selection: - Image|endswith: '\regedit.exe' - condition: selection + selection: + Image|endswith: '\regedit.exe' + condition: selection fields: - - TargetFilename + - TargetFilename falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/dns_query/dns_query_possible_dns_rebinding.yml b/rules/windows/dns_query/dns_query_possible_dns_rebinding.yml index bf301a32a..a6cfdc3b1 100644 --- a/rules/windows/dns_query/dns_query_possible_dns_rebinding.yml +++ b/rules/windows/dns_query/dns_query_possible_dns_rebinding.yml 
@@ -1,43 +1,43 @@ title: Possible DNS Rebinding id: eb07e747-2552-44cd-af36-b659ae0958e4 -status: experimental +status: test description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). -date: 2019/10/25 -modified: 2020/08/28 author: Ilyas Ochkov, oscd.community references: - - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 -tags: - - attack.initial_access - - attack.t1189 + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +date: 2019/10/25 +modified: 2021/11/27 logsource: - product: windows - category: dns_query + product: windows + category: dns_query detection: - dns_answer: - QueryName: '*' - QueryStatus: '0' - filter_int_ip: - QueryResults|startswith: - - '(::ffff:)?10.' - - '(::ffff:)?192.168.' - - '(::ffff:)?172.16.' - - '(::ffff:)?172.17.' - - '(::ffff:)?172.18.' - - '(::ffff:)?172.19.' - - '(::ffff:)?172.20.' - - '(::ffff:)?172.21.' - - '(::ffff:)?172.22.' - - '(::ffff:)?172.23.' - - '(::ffff:)?172.24.' - - '(::ffff:)?172.25.' - - '(::ffff:)?172.26.' - - '(::ffff:)?172.27.' - - '(::ffff:)?172.28.' - - '(::ffff:)?172.29.' - - '(::ffff:)?172.30.' - - '(::ffff:)?172.31.' - - '(::ffff:)?127.' - timeframe: 30s - condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 + dns_answer: + QueryName: '*' + QueryStatus: '0' + filter_int_ip: + QueryResults|startswith: + - '(::ffff:)?10.' + - '(::ffff:)?192.168.' + - '(::ffff:)?172.16.' + - '(::ffff:)?172.17.' + - '(::ffff:)?172.18.' + - '(::ffff:)?172.19.' + - '(::ffff:)?172.20.' + - '(::ffff:)?172.21.' + - '(::ffff:)?172.22.' + - '(::ffff:)?172.23.' + - '(::ffff:)?172.24.' + - '(::ffff:)?172.25.' + - '(::ffff:)?172.26.' + - '(::ffff:)?172.27.' + - '(::ffff:)?172.28.' 
+ - '(::ffff:)?172.29.' + - '(::ffff:)?172.30.' + - '(::ffff:)?172.31.' + - '(::ffff:)?127.' + timeframe: 30s + condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 level: medium +tags: + - attack.initial_access + - attack.t1189 diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml index e61045ae8..1db8cc4d0 100755 --- a/rules/windows/driver_load/driver_load_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml @@ -1,22 +1,22 @@ title: Suspicious Driver Load from Temp id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 +status: test description: Detects a driver load from a temporary directory -status: experimental author: Florian Roth date: 2017/02/12 -modified: 2020/08/23 -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1050 # an old one - - attack.t1543.003 +modified: 2021/11/27 logsource: - category: driver_load - product: windows + category: driver_load + product: windows detection: - selection: - ImageLoaded|contains: '\Temp\' - condition: selection + selection: + ImageLoaded|contains: '\Temp\' + condition: selection falsepositives: - - there is a relevant set of false positives depending on applications in the environment + - there is a relevant set of false positives depending on applications in the environment level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1050 # an old one + - attack.t1543.003 diff --git a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml index f376c51db..be3e39dc3 100644 --- a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml 
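Review bot: In dns_query_possible_dns_rebinding.yml the condition `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` cannot hold for any single event, since it requires filter_int_ip both to match and not to match, so the per-event query feeding the `count()` aggregation selects nothing; the intended "same name answered with internal and external addresses within 30s" is a cross-event correlation that Sigma's boolean condition does not express and that needs backend-specific logic. Separately, the `QueryResults|startswith` values contain regex syntax (`(::ffff:)?`) while `startswith` is a literal prefix match, so `'(::ffff:)?10.'` never matches a real answer. Where the backend supports it, `|re` with escaped dots fits the intent; Sysmon's QueryResults is a semicolon-separated list that may begin with a `type:` entry, so anchor on `(^|;)` rather than only `^`, and the 172.16–172.31 entries collapse into one pattern. The correlation defect itself remains to be addressed.
```yaml
    filter_int_ip:
        QueryResults|re:
            - '(^|;)(::ffff:)?10\.'
            - '(^|;)(::ffff:)?192\.168\.'
            - '(^|;)(::ffff:)?172\.(1[6-9]|2[0-9]|3[01])\.'
            - '(^|;)(::ffff:)?127\.'
    # … unchanged: dns_answer, timeframe, condition …
```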
@@ -1,24 +1,25 @@ title: Sysinternals SDelete File Deletion id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc +status: test description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.defense_evasion - - attack.t1070.004 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/9 + - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: - selection: - TargetFilename|endswith: - - '.AAA' - - '.ZZZ' - condition: selection + selection: + TargetFilename|endswith: + - '.AAA' + - '.ZZZ' + condition: selection falsepositives: - - Legitime usage of SDelete -level: medium \ No newline at end of file + - Legitime usage of SDelete +level: medium +tags: + - attack.defense_evasion + - attack.t1070.004 diff --git a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml index 434aeceaa..818a89cb8 100755 --- a/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml +++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml 
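Review bot: The falsepositives entry carried over unchanged still reads `Legitime usage of SDelete`; it should be `- Legitimate usage of SDelete`, matching the wording in win_susp_sdelete.yml earlier in this patch. Since both rules detect the same `.AAA`/`.ZZZ` rename pattern from different log sources, a mutual `references` or `related` entry would help operators avoid deploying one and believing the other is redundant.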
@@ -1,52 +1,52 @@ title: Cred Dump Tools Dropped Files id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 +status: test description: Files with well-known filenames (parts of credential dump software or files produced by them) creation author: Teymur Kheirkhabarov, oscd.community -date: 2019/11/01 -modified: 2020/08/23 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 - - attack.t1003.002 - - attack.t1003.003 - - attack.t1003.004 - - attack.t1003.005 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/11/01 +modified: 2021/11/27 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: - selection: - TargetFilename|contains: - - '\pwdump' - - '\kirbi' - - '\pwhashes' - - '\wce_ccache' - - '\wce_krbtkts' - - '\fgdump-log' - TargetFilename|endswith: - - '\test.pwd' - - '\lsremora64.dll' - - '\lsremora.dll' - - '\fgexec.exe' - - '\wceaux.dll' - - '\SAM.out' - - '\SECURITY.out' - - '\SYSTEM.out' - - '\NTDS.out' - - '\DumpExt.dll' - - '\DumpSvc.exe' - - '\cachedump64.exe' - - '\cachedump.exe' - - '\pstgdump.exe' - - '\servpw.exe' - - '\servpw64.exe' - - '\pwdump.exe' - - '\procdump64.exe' - condition: selection + selection: + TargetFilename|contains: + - '\pwdump' + - '\kirbi' + - '\pwhashes' + - '\wce_ccache' + - '\wce_krbtkts' + - '\fgdump-log' + TargetFilename|endswith: + - '\test.pwd' + - '\lsremora64.dll' + - '\lsremora.dll' + - '\fgexec.exe' + - '\wceaux.dll' + - '\SAM.out' + - '\SECURITY.out' + - '\SYSTEM.out' + - '\NTDS.out' + - '\DumpExt.dll' + - '\DumpSvc.exe' + - '\cachedump64.exe' + - '\cachedump.exe' + - '\pstgdump.exe' + - '\servpw.exe' + - '\servpw64.exe' + - '\pwdump.exe' + - '\procdump64.exe' + condition: selection falsepositives: - - Legitimate Administrator using tool for password recovery + - Legitimate 
Administrator using tool for password recovery level: high -status: experimental +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.003 + - attack.t1003.004 + - attack.t1003.005 diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml index 3019ca420..72e876b02 100755 --- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml +++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml @@ -1,23 +1,23 @@ title: Detection of SafetyKatz id: e074832a-eada-4fd7-94a1-10642b130e16 -status: experimental +status: test description: Detects possible SafetyKatz Behaviour -references: - - https://github.com/GhostPack/SafetyKatz -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 author: Markus Neis +references: + - https://github.com/GhostPack/SafetyKatz date: 2018/07/24 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: - selection: - TargetFilename|endswith: '\Temp\debug.bin' - condition: selection + selection: + TargetFilename|endswith: '\Temp\debug.bin' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml index a10039624..2f67a1a0c 100644 --- a/rules/windows/file_event/sysmon_office_persistence.yml +++ b/rules/windows/file_event/sysmon_office_persistence.yml 
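Review bot: The reindented `selection` map keeps `TargetFilename|contains` and `TargetFilename|endswith` under a single map, which Sigma evaluates as AND, so a file is only matched when its path contains one of the first list and also ends with one of the second; a bare `\lsremora64.dll` or `\wceaux.dll` creation never fires. If the two lists are meant as independent indicators, which the description suggests, make `selection` a list of maps so they are ORed: `selection:` / `  - TargetFilename|contains:` / `  - TargetFilename|endswith:` with the value lists unchanged. The commit only reindents this block, so the original semantics carried over; please confirm the intended logic with a test event for one of the `endswith` names alone.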
@@ -1,32 +1,32 @@ title: Microsoft Office Add-In Loading id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936 -status: experimental +status: test description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel). -references: - - Internal Research -tags: - - attack.persistence - - attack.t1137 # an old one - - attack.t1137.006 author: NVISO +references: + - Internal Research date: 2020/05/11 -modified: 2020/08/23 +modified: 2021/11/27 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: - wlldropped: - TargetFilename|contains: \Microsoft\Word\Startup\ - TargetFilename|endswith: .wll - xlldropped: - TargetFilename|contains: \Microsoft\Excel\Startup\ - TargetFilename|endswith: .xll - generic: - TargetFilename|contains: \Microsoft\Addins\ - TargetFilename|endswith: - - .xlam - - .xla - condition: (wlldropped or xlldropped or generic) + wlldropped: + TargetFilename|contains: \Microsoft\Word\Startup\ + TargetFilename|endswith: .wll + xlldropped: + TargetFilename|contains: \Microsoft\Excel\Startup\ + TargetFilename|endswith: .xll + generic: + TargetFilename|contains: \Microsoft\Addins\ + TargetFilename|endswith: + - .xlam + - .xla + condition: (wlldropped or xlldropped or generic) falsepositives: - - Legitimate add-ins + - Legitimate add-ins level: high +tags: + - attack.persistence + - attack.t1137 # an old one + - attack.t1137.006 diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml index e446c5307..ebda72aba 100755 --- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml +++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml 
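Review bot: `xlldropped` keys on `\Microsoft\Excel\Startup\`, but the per-user startup directory Excel actually loads add-ins from is, as far as I know, `\Microsoft\Excel\XLSTART\`, so `.xll` files dropped there would not match; please confirm against the folders Excel enumerates on a test host. A defensive fix is to make the path a list under `xlldropped`, `TargetFilename|contains:` with both `\Microsoft\Excel\Startup\` and `\Microsoft\Excel\XLSTART\`. The `generic` selection also lists only `.xlam` and `.xla`, so `.xll` written under `\Microsoft\Addins\` is not covered either, although the description names `.xll` as an in-scope extension.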
@@ -1,117 +1,118 @@ title: Malicious PowerShell Commandlet Names id: f331aa1f-8c53-4fc3-b083-cc159bc971cb -status: experimental +status: test description: Detects the creation of known powershell scripts for exploitation -references: - - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 author: Markus Neis +references: + - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml date: 2018/04/07 +modified: 2021/11/27 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: - selection: - TargetFilename|endswith: - - '\Invoke-DllInjection.ps1' - - '\Invoke-WmiCommand.ps1' - - '\Get-GPPPassword.ps1' - - '\Get-Keystrokes.ps1' - - '\Get-VaultCredential.ps1' - - '\Invoke-CredentialInjection.ps1' - - '\Invoke-Mimikatz.ps1' - - '\Invoke-NinjaCopy.ps1' - - '\Invoke-TokenManipulation.ps1' - - '\Out-Minidump.ps1' - - '\VolumeShadowCopyTools.ps1' - - '\Invoke-ReflectivePEInjection.ps1' - - '\Get-TimedScreenshot.ps1' - - '\Invoke-UserHunter.ps1' - - '\Find-GPOLocation.ps1' - - '\Invoke-ACLScanner.ps1' - - '\Invoke-DowngradeAccount.ps1' - - '\Get-ServiceUnquoted.ps1' - - '\Get-ServiceFilePermission.ps1' - - '\Get-ServicePermission.ps1' - - '\Invoke-ServiceAbuse.ps1' - - '\Install-ServiceBinary.ps1' - - '\Get-RegAutoLogon.ps1' - - '\Get-VulnAutoRun.ps1' - - '\Get-VulnSchTask.ps1' - - '\Get-UnattendedInstallFile.ps1' - - '\Get-WebConfig.ps1' - - '\Get-ApplicationHost.ps1' - - '\Get-RegAlwaysInstallElevated.ps1' - - '\Get-Unconstrained.ps1' - - '\Add-RegBackdoor.ps1' - - '\Add-ScrnSaveBackdoor.ps1' - - '\Gupt-Backdoor.ps1' - - '\Invoke-ADSBackdoor.ps1' - - '\Enabled-DuplicateToken.ps1' - - '\Invoke-PsUaCme.ps1' - - '\Remove-Update.ps1' - - '\Check-VM.ps1' - - 
'\Get-LSASecret.ps1' - - '\Get-PassHashes.ps1' - - '\Show-TargetScreen.ps1' - - '\Port-Scan.ps1' - - '\Invoke-PoshRatHttp.ps1' - - '\Invoke-PowerShellTCP.ps1' - - '\Invoke-PowerShellWMI.ps1' - - '\Add-Exfiltration.ps1' - - '\Add-Persistence.ps1' - - '\Do-Exfiltration.ps1' - - '\Start-CaptureServer.ps1' - - '\Invoke-ShellCode.ps1' - - '\Get-ChromeDump.ps1' - - '\Get-ClipboardContents.ps1' - - '\Get-FoxDump.ps1' - - '\Get-IndexedItem.ps1' - - '\Get-Screenshot.ps1' - - '\Invoke-Inveigh.ps1' - - '\Invoke-NetRipper.ps1' - - '\Invoke-EgressCheck.ps1' - - '\Invoke-PostExfil.ps1' - - '\Invoke-PSInject.ps1' - - '\Invoke-RunAs.ps1' - - '\MailRaider.ps1' - - '\New-HoneyHash.ps1' - - '\Set-MacAttribute.ps1' - - '\Invoke-DCSync.ps1' - - '\Invoke-PowerDump.ps1' - - '\Exploit-Jboss.ps1' - - '\Invoke-ThunderStruck.ps1' - - '\Invoke-VoiceTroll.ps1' - - '\Set-Wallpaper.ps1' - - '\Invoke-InveighRelay.ps1' - - '\Invoke-PsExec.ps1' - - '\Invoke-SSHCommand.ps1' - - '\Get-SecurityPackages.ps1' - - '\Install-SSP.ps1' - - '\Invoke-BackdoorLNK.ps1' - - '\PowerBreach.ps1' - - '\Get-SiteListPassword.ps1' - - '\Get-System.ps1' - - '\Invoke-BypassUAC.ps1' - - '\Invoke-Tater.ps1' - - '\Invoke-WScriptBypassUAC.ps1' - - '\PowerUp.ps1' - - '\PowerView.ps1' - - '\Get-RickAstley.ps1' - - '\Find-Fruit.ps1' - - '\HTTP-Login.ps1' - - '\Find-TrustedDocuments.ps1' - - '\Invoke-Paranoia.ps1' - - '\Invoke-WinEnum.ps1' - - '\Invoke-ARPScan.ps1' - - '\Invoke-PortScan.ps1' - - '\Invoke-ReverseDNSLookup.ps1' - - '\Invoke-SMBScanner.ps1' - - '\Invoke-Mimikittenz.ps1' - condition: selection + selection: + TargetFilename|endswith: + - '\Invoke-DllInjection.ps1' + - '\Invoke-WmiCommand.ps1' + - '\Get-GPPPassword.ps1' + - '\Get-Keystrokes.ps1' + - '\Get-VaultCredential.ps1' + - '\Invoke-CredentialInjection.ps1' + - '\Invoke-Mimikatz.ps1' + - '\Invoke-NinjaCopy.ps1' + - '\Invoke-TokenManipulation.ps1' + - '\Out-Minidump.ps1' + - '\VolumeShadowCopyTools.ps1' + - '\Invoke-ReflectivePEInjection.ps1' + - 
'\Get-TimedScreenshot.ps1' + - '\Invoke-UserHunter.ps1' + - '\Find-GPOLocation.ps1' + - '\Invoke-ACLScanner.ps1' + - '\Invoke-DowngradeAccount.ps1' + - '\Get-ServiceUnquoted.ps1' + - '\Get-ServiceFilePermission.ps1' + - '\Get-ServicePermission.ps1' + - '\Invoke-ServiceAbuse.ps1' + - '\Install-ServiceBinary.ps1' + - '\Get-RegAutoLogon.ps1' + - '\Get-VulnAutoRun.ps1' + - '\Get-VulnSchTask.ps1' + - '\Get-UnattendedInstallFile.ps1' + - '\Get-WebConfig.ps1' + - '\Get-ApplicationHost.ps1' + - '\Get-RegAlwaysInstallElevated.ps1' + - '\Get-Unconstrained.ps1' + - '\Add-RegBackdoor.ps1' + - '\Add-ScrnSaveBackdoor.ps1' + - '\Gupt-Backdoor.ps1' + - '\Invoke-ADSBackdoor.ps1' + - '\Enabled-DuplicateToken.ps1' + - '\Invoke-PsUaCme.ps1' + - '\Remove-Update.ps1' + - '\Check-VM.ps1' + - '\Get-LSASecret.ps1' + - '\Get-PassHashes.ps1' + - '\Show-TargetScreen.ps1' + - '\Port-Scan.ps1' + - '\Invoke-PoshRatHttp.ps1' + - '\Invoke-PowerShellTCP.ps1' + - '\Invoke-PowerShellWMI.ps1' + - '\Add-Exfiltration.ps1' + - '\Add-Persistence.ps1' + - '\Do-Exfiltration.ps1' + - '\Start-CaptureServer.ps1' + - '\Invoke-ShellCode.ps1' + - '\Get-ChromeDump.ps1' + - '\Get-ClipboardContents.ps1' + - '\Get-FoxDump.ps1' + - '\Get-IndexedItem.ps1' + - '\Get-Screenshot.ps1' + - '\Invoke-Inveigh.ps1' + - '\Invoke-NetRipper.ps1' + - '\Invoke-EgressCheck.ps1' + - '\Invoke-PostExfil.ps1' + - '\Invoke-PSInject.ps1' + - '\Invoke-RunAs.ps1' + - '\MailRaider.ps1' + - '\New-HoneyHash.ps1' + - '\Set-MacAttribute.ps1' + - '\Invoke-DCSync.ps1' + - '\Invoke-PowerDump.ps1' + - '\Exploit-Jboss.ps1' + - '\Invoke-ThunderStruck.ps1' + - '\Invoke-VoiceTroll.ps1' + - '\Set-Wallpaper.ps1' + - '\Invoke-InveighRelay.ps1' + - '\Invoke-PsExec.ps1' + - '\Invoke-SSHCommand.ps1' + - '\Get-SecurityPackages.ps1' + - '\Install-SSP.ps1' + - '\Invoke-BackdoorLNK.ps1' + - '\PowerBreach.ps1' + - '\Get-SiteListPassword.ps1' + - '\Get-System.ps1' + - '\Invoke-BypassUAC.ps1' + - '\Invoke-Tater.ps1' + - '\Invoke-WScriptBypassUAC.ps1' + - 
'\PowerUp.ps1' + - '\PowerView.ps1' + - '\Get-RickAstley.ps1' + - '\Find-Fruit.ps1' + - '\HTTP-Login.ps1' + - '\Find-TrustedDocuments.ps1' + - '\Invoke-Paranoia.ps1' + - '\Invoke-WinEnum.ps1' + - '\Invoke-ARPScan.ps1' + - '\Invoke-PortScan.ps1' + - '\Invoke-ReverseDNSLookup.ps1' + - '\Invoke-SMBScanner.ps1' + - '\Invoke-Mimikittenz.ps1' + condition: selection falsepositives: - - Penetration Tests + - Penetration Tests level: high +tags: + - attack.execution + - attack.t1086 # an old one + - attack.t1059.001 diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml index 66d153487..431d86d6a 100755 --- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml +++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml @@ -1,26 +1,26 @@ title: QuarksPwDump Dump File id: 847def9e-924d-4e90-b7c4-5f581395a2b4 -status: experimental +status: test description: Detects a dump file written by QuarksPwDump password dumper -references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm author: Florian Roth +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm date: 2018/02/10 -modified: 2020/08/23 +modified: 2021/11/27 +logsource: + category: file_event + product: windows +detection: + selection: + # Sysmon: File Creation (ID 11) + TargetFilename|contains|all: + - '\AppData\Local\Temp\SAM-' + - '.dmp' + condition: selection +falsepositives: + - Unknown +level: critical tags: - attack.credential_access - attack.t1003 # an old one - attack.t1003.002 -level: critical -logsource: - category: file_event - product: windows -detection: - selection: - # Sysmon: File Creation (ID 11) - TargetFilename|contains|all: - - '\AppData\Local\Temp\SAM-' - - '.dmp' - condition: selection -falsepositives: - - Unknown 
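Review bot: The title `Malicious PowerShell Commandlet Names` no longer describes the rule: the logsource is `file_event` and the description says it detects the creation of known exploitation scripts by file name, not commandlet names in script blocks. A title such as `Malicious PowerShell Script File Creation`, or one added sentence in the description saying the match is on `TargetFilename`, would keep the rule index honest. The reference still points at the commandlet-based rule this one was derived from, which is fine as provenance but is worth labelling as such in the description.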
diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml index bb2d14f70..6674129da 100644 --- a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml @@ -1,24 +1,25 @@ title: RedMimicry Winnti Playbook Dropped File id: 130c9e58-28ac-4f83-8574-0a4cc913b97e +status: test description: Detects actions caused by the RedMimicry Winnti playbook -status: experimental -references: - - https://redmimicry.com author: Alexander Rausch +references: + - https://redmimicry.com date: 2020/06/24 -tags: - - attack.defense_evasion - - attack.t1027 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|contains: - - gthread-3.6.dll - - sigcmm-2.4.dll - - \Windows\Temp\tmp.bat - condition: selection + selection: + TargetFilename|contains: + - gthread-3.6.dll + - sigcmm-2.4.dll + - \Windows\Temp\tmp.bat + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/rules/windows/file_event/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml index d20ad26ed..ebb332912 100644 --- a/rules/windows/file_event/sysmon_startup_folder_file_write.yml +++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml 
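Review bot: `gthread-3.6.dll` and `sigcmm-2.4.dll` in the new `selection` are, as far as I can tell, the file names of ordinary GLib and libsigc++ runtime libraries that GTK-based Windows applications ship, so a file-create match on the name alone is plausible in environments with such software, yet `falsepositives` says `Unknown` and the level is `high`. Consider documenting that, e.g. `- Installation of GTK/glibmm based applications that bundle these libraries`, or, if the playbook writes them to a specific directory, anchoring the match on that path as `\Windows\Temp\tmp.bat` already is.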
@@ -1,22 +1,23 @@ title: Startup Folder File Write id: 2aa0a6b4-a865-495b-ab51-c28249537b75 +status: test description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.persistence - - attack.t1547.001 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/12 - - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/12 + - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp' - condition: selection + selection: + TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp' + condition: selection falsepositives: - - unknown -level: low \ No newline at end of file + - unknown +level: low +tags: + - attack.persistence + - attack.t1547.001 diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml index 7ec9950cd..30ad13c1c 100755 --- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml 
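Review bot: The `selection` only matches the all-users path `ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`, so a write into a per-user startup folder under `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\` is not covered, although the description promises a general startup-directory detection. The tsclient rule later in this patch already uses the drive- and user-independent form `TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'`; the same pattern here would close the gap. If the scope is widened, `level: low` and the `unknown` false-positive entry deserve a second look, because the per-user path sees far more legitimate installer activity.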
@@ -1,33 +1,33 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb +status: test description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. -status: experimental -date: 2019/03/24 -modified: 2020/08/23 author: xknow @xknow_infosec references: - - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - - https://github.com/fox-it/LDAPFragger -tags: - - attack.t1071 # an old one - - attack.t1001.003 - - attack.command_and_control + - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 + - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ + - https://github.com/fox-it/LDAPFragger +date: 2019/03/24 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection_1: - TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\' - TargetFilename|endswith: '.sch' - selection_2: - Image: - - 'C:\windows\system32\svchost.exe' - - 'C:\windows\system32\dllhost.exe' - - 'C:\windows\system32\mmc.exe' - - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' - - 'C:\Windows\CCM\CcmExec.exe' - condition: selection_1 and not selection_2 + selection_1: + TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\' + TargetFilename|endswith: '.sch' + selection_2: + Image: + - 'C:\windows\system32\svchost.exe' + - 'C:\windows\system32\dllhost.exe' + - 'C:\windows\system32\mmc.exe' + - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' + - 'C:\Windows\CCM\CcmExec.exe' + condition: selection_1 and not selection_2 falsepositives: - - Other legimate tools, which do ADSI (LDAP) operations, e.g. 
any remoting activity by MMC, Powershell, Windows etc. + - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc. level: high +tags: + - attack.t1071 # an old one + - attack.t1001.003 + - attack.command_and_control diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml index 800fcfbd5..46d7ed89b 100755 --- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml +++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml 
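Review bot: `legimate` in the `falsepositives` entry is a typo for `legitimate`; the same misspelling appears in the PROCEXP152.sys rule later in this patch. Suggested line: `- Other legitimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.`.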
@@ -1,28 +1,28 @@ title: Suspicious desktop.ini Action id: 81315b50-6b60-4d8f-9928-3466e1022515 -status: experimental +status: test description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. -references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ author: Maxime Thiebaut (@0xThiebaut) +references: + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ date: 2020/03/19 -modified: 2020/08/23 -tags: - - attack.persistence - - attack.t1023 # an old one - - attack.t1547.009 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - filter: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\System32\msiexec.exe' - - 'C:\Windows\System32\mmc.exe' - selection: - TargetFilename|endswith: '\desktop.ini' - condition: selection and not filter + filter: + Image: + - 'C:\Windows\explorer.exe' + - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\System32\mmc.exe' + selection: + TargetFilename|endswith: '\desktop.ini' + condition: selection and not filter falsepositives: - - Operations performed through Windows SCCM or equivalent + - Operations performed through Windows SCCM or equivalent level: medium +tags: + - attack.persistence + - attack.t1023 # an old one + - attack.t1547.009 diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index 8c010b15d..b0d8886e6 100644 --- a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml 
@@ -1,22 +1,23 @@ title: Suspicious PFX File Creation id: dca1b3e8-e043-4ec8-85d7-867f334b5724 +status: test description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.credential_access - - attack.t1552.004 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/14 - - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/14 + - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '.pfx' - condition: selection + selection: + TargetFilename|endswith: '.pfx' + condition: selection falsepositives: - - System administrators managing certififcates. + - System administrators managing certififcates. level: medium +tags: + - attack.credential_access + - attack.t1552.004 diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index a929366d2..ba0a1127c 100755 --- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
@@ -1,29 +1,30 @@ title: Suspicious PROCEXP152.sys File Created In TMP id: 3da70954-0f2c-4103-adff-b7440368f50e +status: test description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. -status: experimental -date: 2019/04/08 author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -tags: - - attack.t1089 # an old one - - attack.t1562.001 - - attack.defense_evasion + - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +date: 2019/04/08 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection_1: - TargetFilename|contains: '\AppData\Local\Temp\' - TargetFilename|endswith: 'PROCEXP152.sys' - selection_2: - Image|contains: - - '\procexp64.exe' - - '\procexp.exe' - - '\procmon64.exe' - - '\procmon.exe' - condition: selection_1 and not selection_2 + selection_1: + TargetFilename|contains: '\AppData\Local\Temp\' + TargetFilename|endswith: 'PROCEXP152.sys' + selection_2: + Image|contains: + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' + condition: selection_1 and not selection_2 falsepositives: - - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it. + - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it. level: medium +tags: + - attack.t1089 # an old one + - attack.t1562.001 + - attack.defense_evasion 
diff --git a/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml index e07a660ad..ba07ecf39 100644 --- a/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml +++ b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml @@ -1,29 +1,29 @@ title: Powershell Profile.ps1 Modification id: b5b78988-486d-4a80-b991-930eff3ff8bf -status: experimental +status: test description: Detects a change in profile.ps1 of the Powershell profile -references: - - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ author: HieuTT35 +references: + - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ date: 2019/10/24 -modified: 2020/08/24 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - target1: - TargetFilename|contains|all: - - '\My Documents\PowerShell\' - - '\profile.ps1' - target2: - TargetFilename|contains|all: - - 'C:\Windows\System32\WindowsPowerShell\v1.0\' - - '\profile.ps1' - condition: target1 or target2 + target1: + TargetFilename|contains|all: + - '\My Documents\PowerShell\' + - '\profile.ps1' + target2: + TargetFilename|contains|all: + - 'C:\Windows\System32\WindowsPowerShell\v1.0\' + - '\profile.ps1' + condition: target1 or target2 falsepositives: - - System administrator create Powershell profile manually + - System administrator create Powershell profile manually level: high tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.013 + - attack.persistence + - attack.privilege_escalation + - attack.t1546.013 diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml index d11fd2b34..43e503fff 100755 --- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml 
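Review bot: `target1` keys on `\My Documents\PowerShell\`, but the user profile path that file events report on current Windows is `\Documents\WindowsPowerShell\` (and `\Documents\PowerShell\` for PowerShell 7), so user-level profile creation, the case the Turla reference describes, would most likely not match; please confirm with a test event. `TargetFilename|contains|all` with `'\profile.ps1'` also misses the host- and shell-specific profile names such as `Microsoft.PowerShell_profile.ps1`, which contain `_profile.ps1` rather than `\profile.ps1`; `TargetFilename|endswith: 'profile.ps1'` would cover both forms without loosening the directory part of the match.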
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml @@ -1,20 +1,21 @@ title: Hijack Legit RDP Session to Move Laterally id: 52753ea4-b3a0-4365-910d-36cff487b789 -status: experimental +status: test description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder -date: 2019/02/21 author: Samir Bousseaden +date: 2019/02/21 +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - Image|endswith: '\mstsc.exe' - TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\' - condition: selection + selection: + Image|endswith: '\mstsc.exe' + TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\' + condition: selection falsepositives: - - unknown + - unknown level: high tags: - - attack.command_and_control - - attack.t1219 \ No newline at end of file + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml index 49473f329..655ddfe50 100755 --- a/rules/windows/file_event/sysmon_webshell_creation_detect.yml +++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml 
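Review bot: The description says the rule detects usage of the tsclient share, but the `selection` contains no `tsclient` term: it fires when `mstsc.exe` creates a file under the Startup folder, and the description should state that observable directly, e.g. `Detects mstsc.exe writing into a Startup folder, which is what a copy from the \\tsclient share of an RDP session onto the RDP source machine looks like on disk`. The tags `attack.command_and_control` and `attack.t1219` also sit oddly with the title's lateral-movement framing; `attack.lateral_movement` with `attack.t1021.001` and `attack.persistence` with `attack.t1547.001` look closer to what the rule observes, but that is worth confirming with the original author.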
@@ -1,46 +1,46 @@ title: Windows Webshell Creation id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 -status: experimental +status: test description: Possible webshell file creation on a static web site -references: - - PT ESC rule and personal experience author: Beyu Denis, oscd.community +references: + - PT ESC rule and personal experience date: 2019/10/22 -modified: 2020/08/23 -tags: - - attack.persistence - - attack.t1100 # an old one - - attack.t1505.003 -level: critical +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection_2: - TargetFilename|contains: '\inetpub\wwwroot\' - selection_3: - TargetFilename|contains: - - '.asp' - - '.ashx' - - '.ph' - selection_4: - TargetFilename|contains: - - '\www\' - - '\htdocs\' - - '\html\' - selection_5: - TargetFilename|contains: '.ph' - selection_6: - - TargetFilename|endswith: '.jsp' - - TargetFilename|contains|all: - - '\cgi-bin\' - - '.pl' - false_positives: # false positives when unpacking some executables in $TEMP - TargetFilename|contains: - - '\AppData\Local\Temp\' - - '\Windows\Temp\' + selection_2: + TargetFilename|contains: '\inetpub\wwwroot\' + selection_3: + TargetFilename|contains: + - '.asp' + - '.ashx' + - '.ph' + selection_4: + TargetFilename|contains: + - '\www\' + - '\htdocs\' + - '\html\' + selection_5: + TargetFilename|contains: '.ph' + selection_6: + - TargetFilename|endswith: '.jsp' + - TargetFilename|contains|all: + - '\cgi-bin\' + - '.pl' + false_positives: # false positives when unpacking some executables in $TEMP + TargetFilename|contains: + - '\AppData\Local\Temp\' + - '\Windows\Temp\' # kind of ugly but sigmac seems not to handle double parenthesis "((" # we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6) - condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not 
false_positives) or (selection_6 and not false_positives) + condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives) falsepositives: - - Legitimate administrator or developer creating legitimate executable files in a web application folder + - Legitimate administrator or developer creating legitimate executable files in a web application folder +level: critical +tags: + - attack.persistence + - attack.t1100 # an old one + - attack.t1505.003 diff --git a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml index 4a976d684..5d736bc2e 100755 --- a/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml +++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml 
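Review bot: `selection_3` and `selection_5` match `TargetFilename|contains: '.ph'`, which also matches any file name whose stem merely contains `.ph` (a `report.phase1.docx` under `\www\` would fire), and `.asp` catches `.aspx` only as a substring side effect; at `level: critical` that broadness is costly. If `.ph` is meant to cover `.php`, `.phtml`, `.php5` and the like, an explicit `endswith` list of those extensions (plus `.asp`, `.aspx`, `.ashx`) is both tighter and self-documenting. The inner selection named `false_positives` is also easy to confuse with the top-level `falsepositives` key; a name such as `filter_temp` would read better, and the comment about `sigmac` and double parentheses should then be re-checked against the current converter.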
@@ -1,23 +1,23 @@ title: WMI Persistence - Script Event Consumer File Write id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 -status: experimental +status: test description: Detects file writes of WMI script event consumer -references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Thomas Patzke +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ date: 2018/03/07 -modified: 2020/08/23 -tags: - - attack.t1084 # an old one - - attack.t1546.003 - - attack.persistence +modified: 2021/11/27 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' - condition: selection -falsepositives: - - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) + selection: + Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' + condition: selection +falsepositives: + - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) level: high +tags: + - attack.t1084 # an old one + - attack.t1546.003 + - attack.persistence diff --git a/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml b/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml index 21d652147..425ba150b 100644 --- a/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml +++ b/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml 
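Review bot: `Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'` is an exact match on the full path, so hosts whose system drive is not `C:` fall outside the rule without any indication. `Image|endswith: '\wbem\scrcons.exe'` keeps the intent and is the form the other file_event rules in this patch use for process images. The `falsepositives` entry naming the Dell Power Manager binary is useful; consider also noting that any product registering a legitimate `ActiveScriptEventConsumer` will trigger this, so reviewers know the rule is meant as a hunting lead rather than a standalone alert.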
@@ -1,33 +1,34 @@ title: Suspicious Desktopimgdownldr Target File id: fc4f4817-0c53-4683-a4ee-b17a64bc1039 -status: experimental +status: test description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension author: Florian Roth -date: 2020/07/03 references: - - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - - https://twitter.com/SBousseaden/status/1278977301745741825 + - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + - https://twitter.com/SBousseaden/status/1278977301745741825 +date: 2020/07/03 +modified: 2021/11/27 logsource: - product: windows - category: file_event -tags: - - attack.defense_evasion - - attack.t1105 + product: windows + category: file_event detection: - selection: - Image|endswith: svchost.exe - TargetFilename|contains: '\Personalization\LockScreenImage\' - filter1: - TargetFilename|contains: 'C:\Windows\' - filter2: - TargetFilename|contains: - - '.jpg' - - '.jpeg' - - '.png' - condition: selection and not filter1 and not filter2 + selection: + Image|endswith: svchost.exe + TargetFilename|contains: '\Personalization\LockScreenImage\' + filter1: + TargetFilename|contains: 'C:\Windows\' + filter2: + TargetFilename|contains: + - '.jpg' + - '.jpeg' + - '.png' + condition: selection and not filter1 and not filter2 fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high +tags: + - attack.defense_evasion + - attack.t1105 diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml index db4a867fc..cdd19b2a0 100755 
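Review bot: `filter2` uses `TargetFilename|contains` for the image extensions, so any target whose path contains `.jpg`, `.jpeg` or `.png` anywhere — including a double-extension file name — is excluded, which defeats the "suspicious extension" half of the description; `TargetFilename|endswith` expresses the intent. In the selection, `Image|endswith: svchost.exe` lacks the leading backslash and quotes that the other rules in this commit use (`Image|endswith: '\svchost.exe'`), so an unrelated binary whose name merely ends in `svchost.exe` also matches. Both are pre-existing, but the status promotion is a good moment to tighten them.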
--- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml @@ -1,41 +1,42 @@ title: Mimikatz In-Memory id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e -status: experimental -author: sigma +status: test description: Detects certain DLL loads when Mimikatz gets executed +author: sigma references: - - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ -tags: - - attack.s0002 - - attack.t1003 - - attack.lateral_movement - - attack.credential_access - - car.2019-04-004 -logsource: - category: image_load - product: windows + - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ date: 2017/03/13 +modified: 2021/11/27 +logsource: + category: image_load + product: windows detection: - selector: - Image: 'C:\Windows\System32\rundll32.exe' - dllload1: - ImageLoaded|endswith: '\vaultcli.dll' - dllload2: - ImageLoaded|endswith: '\wlanapi.dll' - exclusion: - ImageLoaded: - - 'ntdsapi.dll' - - 'netapi32.dll' - - 'imm32.dll' - - 'samlib.dll' - - 'combase.dll' - - 'srvcli.dll' - - 'shcore.dll' - - 'ntasn1.dll' - - 'cryptdll.dll' - - 'logoncli.dll' - timeframe: 30s - condition: selector | near dllload1 and dllload2 and not exclusion + selector: + Image: 'C:\Windows\System32\rundll32.exe' + dllload1: + ImageLoaded|endswith: '\vaultcli.dll' + dllload2: + ImageLoaded|endswith: '\wlanapi.dll' + exclusion: + ImageLoaded: + - 'ntdsapi.dll' + - 'netapi32.dll' + - 'imm32.dll' + - 'samlib.dll' + - 'combase.dll' + - 'srvcli.dll' + - 'shcore.dll' + - 'ntasn1.dll' + - 'cryptdll.dll' + - 'logoncli.dll' + timeframe: 30s + condition: selector | near dllload1 and dllload2 and not exclusion falsepositives: - - unknown + - unknown level: medium +tags: + - attack.s0002 + - attack.t1003 + - attack.lateral_movement + - attack.credential_access + - car.2019-04-004 
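Review bot: The `exclusion` block compares `ImageLoaded` exactly against bare file names such as `'ntdsapi.dll'`, while the same field is treated as a full path in `dllload1`/`dllload2` (`ImageLoaded|endswith`), so the exclusion can never match and `not exclusion` is a no-op; `ImageLoaded|endswith:` with `'\ntdsapi.dll'`-style entries is presumably what was intended. The `selector | near dllload1 and dllload2` aggregation with `timeframe: 30s` is also not supported by many converters, so the rule may be silently dropped at conversion time; a sentence in the description saying the rule requires a backend with temporal correlation would warn users of that. `Image: 'C:\Windows\System32\rundll32.exe'` further hard-codes the system drive, which `Image|endswith: '\rundll32.exe'` would relax.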
diff --git a/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml index 59f8621ed..a4e498c9d 100644 --- a/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml +++ b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml 
@@ -1,30 +1,31 @@ title: WMI Script Host Process Image Loaded id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 +status: test description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process. -status: experimental -date: 2020/09/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.lateral_movement - - attack.privilege_escalation - - attack.persistence - - attack.t1546.003 references: - - https://twitter.com/HunterPlaybook/status/1301207718355759107 - - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ - - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html + - https://twitter.com/HunterPlaybook/status/1301207718355759107 + - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html +date: 2020/09/02 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: '\scrcons.exe' - ImageLoaded|endswith: - - '\vbscript.dll' - - '\wbemdisp.dll' - - '\wshom.ocx' - - '\scrrun.dll' - condition: selection + selection: + Image|endswith: '\scrcons.exe' + ImageLoaded|endswith: + - '\vbscript.dll' + - '\wbemdisp.dll' + - '\wshom.ocx' + - '\scrrun.dll' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.persistence + - attack.t1546.003 diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml index 2c0d4f6fc..39d0d7621 100644 --- a/rules/windows/image_load/sysmon_susp_fax_dll.yml +++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml 
@@ -1,32 +1,32 @@ title: Fax Service DLL Search Order Hijack id: 828af599-4c53-4ed2-ba4a-a9f835c434ea -status: experimental +status: test description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. -references: - - https://windows-internals.com/faxing-your-way-to-system/ author: NVISO +references: + - https://windows-internals.com/faxing-your-way-to-system/ date: 2020/05/04 -modified: 2020/08/23 -tags: - - attack.persistence - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1038 # an old one - - attack.t1574.001 - - attack.t1574.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - fxssvc.exe - ImageLoaded|endswith: - - ualapi.dll - filter: - ImageLoaded|startswith: - - C:\Windows\WinSxS\ - condition: selection and not filter + selection: + Image|endswith: + - fxssvc.exe + ImageLoaded|endswith: + - ualapi.dll + filter: + ImageLoaded|startswith: + - C:\Windows\WinSxS\ + condition: selection and not filter falsepositives: - - Unlikely + - Unlikely level: high +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1038 # an old one + - attack.t1574.001 + - attack.t1574.002 diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml index 5bf530559..726a87dd1 100755 --- a/rules/windows/image_load/sysmon_susp_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_image_load.yml 
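Review bot: The `Image|endswith: - fxssvc.exe` and `ImageLoaded|endswith: - ualapi.dll` entries lack the leading backslash, so any binary whose name merely ends in those strings also matches; `'\fxssvc.exe'` and `'\ualapi.dll'` bound the match to the file name, as the neighbouring image_load rules do. The values are also unquoted plain scalars containing backslashes (`C:\Windows\WinSxS\`), which YAML accepts but which every other rule in this commit quotes; single quotes would keep the style uniform and avoid surprises if an entry is ever moved into a double-quoted string.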
@@ -1,27 +1,27 @@ title: Possible Process Hollowing Image Loading id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 -status: experimental +status: test description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz -references: - - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html author: Markus Neis +references: + - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html date: 2018/01/07 -modified: 2020/08/23 -tags: - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1574.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\notepad.exe' - ImageLoaded|endswith: - - '\samlib.dll' - - '\WinSCard.dll' - condition: selection + selection: + Image|endswith: + - '\notepad.exe' + ImageLoaded|endswith: + - '\samlib.dll' + - '\WinSCard.dll' + condition: selection falsepositives: - - Very likely, needs more tuning + - Very likely, needs more tuning level: high +tags: + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1574.002 diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index c9d881196..f8d5be4aa 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml 
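Review bot: The status is raised to `test` while the rule's own falsepositives entry still reads `Very likely, needs more tuning` and the level stays `high`; a rule that documents itself as untuned is a poor fit for a promoted status and a high severity, so either a filter for the known-good loaders of samlib.dll/WinSCard.dll should land first or the note should say what was validated. The selection also lists only `'\notepad.exe'` whereas the title and description speak of untypical processes in general; a comment such as `# notepad.exe is the example target from the reference; extend deliberately` would explain the narrow scope to the next maintainer.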
@@ -1,29 +1,29 @@ title: dotNET DLL Loaded Via Office Applications id: ff0f2b05-09db-4095-b96d-1b75ca24894a -status: experimental +status: test description: Detects any assembly DLL being loaded by an Office Product -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\assembly\' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|startswith: + - 'C:\Windows\assembly\' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml index f75cce094..36b37ccb3 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml 
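Review bot: `ImageLoaded|startswith: 'C:\Windows\assembly\'` hard-codes the system drive and Windows directory, so an install with a different %SystemRoot% never matches; `ImageLoaded|contains: '\Windows\assembly\'` keeps the intent without the drive assumption. The GAC rule in the sysmon_susp_office_dotnet_gac_dll_load.yml hunk has the same `startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'` pattern. The five Antonlovesdnb Office rules in this commit also share an identical Image list and falsepositives note; a comment pointing at the sibling rules would help keep them in sync when one of them is tuned.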
@@ -1,29 +1,29 @@ title: CLR DLL Loaded Via Office Applications id: d13c43f0-f66b-4279-8b2c-5912077c1780 -status: experimental +status: test description: Detects CLR DLL being loaded by an Office Product -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|contains: - - '\clr.dll' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|contains: + - '\clr.dll' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml index fa0182796..c30288f94 100755 --- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml 
@@ -1,29 +1,29 @@ title: GAC DLL Loaded Via Office Applications id: 90217a70-13fc-48e4-b3db-0d836c5824ac -status: experimental +status: test description: Detects any GAC DLL being loaded by an Office Product -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|startswith: + - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml index f6297faef..47a3b0424 100755 --- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml 
@@ -1,29 +1,29 @@ title: Active Directory Parsing DLL Loaded Via Office Applications id: a2a3b925-7bb0-433b-b508-db9003263cc4 -status: experimental +status: test description: Detects DSParse DLL being loaded by an Office Product -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|contains: - - '\dsparse.dll' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|contains: + - '\dsparse.dll' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml index b42030734..54bf26095 100755 --- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml 
@@ -1,29 +1,29 @@ title: Active Directory Kerberos DLL Loaded Via Office Applications id: 7417e29e-c2e7-4cf6-a2e8-767228c64837 -status: experimental +status: test description: Detects Kerberos DLL being loaded by an Office Product -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|endswith: - - '\kerberos.dll' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|endswith: + - '\kerberos.dll' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index 701d372fa..7c636c840 100644 --- a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml 
@@ -1,31 +1,32 @@ title: CLR DLL Loaded Via Scripting Applications id: 4508a70e-97ef-4300-b62b-ff27992990ea -status: experimental +status: test description: Detects CLR DLL being loaded by an scripting applications -references: - - https://github.com/tyranid/DotNetToJScript - - https://thewover.github.io/Introducing-Donut/ - - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html author: omkar72, oscd.community +references: + - https://github.com/tyranid/DotNetToJScript + - https://thewover.github.io/Introducing-Donut/ + - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html date: 2020/10/14 -tags: - - attack.execution - - attack.privilege_escalation - - attack.t1055 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' - - '\mshta.exe' - ImageLoaded|endswith: - - '\clr.dll' - - '\mscoree.dll' - - '\mscorlib.dll' - condition: selection + selection: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + ImageLoaded|endswith: + - '\clr.dll' + - '\mscoree.dll' + - '\mscorlib.dll' + condition: selection falsepositives: - - unknown + - unknown level: high +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1055 diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml index 262d9c7dc..802b5df9d 100755 --- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml +++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml 
@@ -1,31 +1,31 @@ title: VBA DLL Loaded Via Microsoft Word id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 -status: experimental +status: test description: Detects DLL's Loaded Via Word Containing VBA Macros -references: - - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb +references: + - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 date: 2020/02/19 -modified: 2020/08/23 -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\winword.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' - ImageLoaded|endswith: - - '\VBE7.DLL' - - '\VBEUI.DLL' - - '\VBE7INTL.DLL' - condition: selection + selection: + Image|endswith: + - '\winword.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + ImageLoaded|endswith: + - '\VBE7.DLL' + - '\VBEUI.DLL' + - '\VBE7INTL.DLL' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index e5b5b443e..5533105fb 100755 --- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml 
@@ -1,64 +1,64 @@ title: Load of dbghelp/dbgcore DLL from Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 -status: experimental +status: test description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. -date: 2019/10/27 -modified: 2020/08/24 author: Perez Diego (@darkquassar), oscd.community, Ecco references: - - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 + - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump + - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html + - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 +date: 2019/10/27 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - signedprocess: - ImageLoaded|endswith: - - '\dbghelp.dll' - - '\dbgcore.dll' - Image|endswith: - - '\msbuild.exe' - - '\cmd.exe' + signedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Image|endswith: + - '\msbuild.exe' + - '\cmd.exe' # - '\svchost.exe' - - '\rundll32.exe' - - '\powershell.exe' - - '\word.exe' - - '\excel.exe' - - '\powerpnt.exe' - - '\outlook.exe' - - '\monitoringhost.exe' - - '\wmic.exe' + - '\rundll32.exe' + - '\powershell.exe' + - '\word.exe' + - '\excel.exe' + - '\powerpnt.exe' + - '\outlook.exe' + 
- '\monitoringhost.exe' + - '\wmic.exe' # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - - '\bash.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\regsvr32.exe' - - '\schtasks.exe' - - '\dnx.exe' - - '\regsvcs.exe' - - '\sc.exe' - - '\scriptrunner.exe' - unsignedprocess: - ImageLoaded|endswith: - - '\dbghelp.dll' - - '\dbgcore.dll' - Signed: 'FALSE' - filter1: - Image|contains: 'Visual Studio' - filter2: # Not available in Sysmon, but in Aurora - CommandLine: 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding' - condition: (signedprocess or unsignedprocess) and not filter1 and not filter2 + - '\bash.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\schtasks.exe' + - '\dnx.exe' + - '\regsvcs.exe' + - '\sc.exe' + - '\scriptrunner.exe' + unsignedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Signed: 'FALSE' + filter1: + Image|contains: 'Visual Studio' + filter2: # Not available in Sysmon, but in Aurora + CommandLine: 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding' + condition: (signedprocess or unsignedprocess) and not filter1 and not filter2 fields: - - ComputerName - - User - - Image - - ImageLoaded + - ComputerName + - User + - Image + - ImageLoaded falsepositives: - - Penetration tests + - Penetration tests level: high +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index 6247ee4f9..393876e94 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml 
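Review bot: The `signedprocess` Image list contains `'\word.exe'`, but Microsoft Word's executable is winword.exe, so that entry can never match and Word loading dbghelp/dbgcore is not covered; `'\winword.exe'` is the name the Office rules elsewhere in this commit use. `Signed: 'FALSE'` is upper-case here while the sysmon_unsigned_image_loaded_into_lsass.yml hunk uses `Signed: 'false'`; most backends compare case-insensitively, but a uniform spelling avoids a silent miss on one that does not. The `filter2` comment already notes that `CommandLine` is absent from Sysmon image_load events, which is useful and worth keeping.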
@@ -1,36 +1,34 @@ title: Svchost DLL Search Order Hijack id: 602a1f13-c640-4d73-b053-be9a2fa58b77 -status: experimental -description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their - malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a - remote machine. -references: - - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +status: test +description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. author: SBousseaden +references: + - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 date: 2019/10/28 -modified: 2020/08/23 -tags: - - attack.persistence - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1574.002 - - attack.t1038 # an old one - - attack.t1574.001 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: - - '\svchost.exe' - ImageLoaded|endswith: - - '\tsmsisrv.dll' - - '\tsvipsrv.dll' - - '\wlbsctrl.dll' - filter: - ImageLoaded|startswith: - - 'C:\Windows\WinSxS\' - condition: selection and not filter + selection: + Image|endswith: + - '\svchost.exe' + ImageLoaded|endswith: + - '\tsmsisrv.dll' + - '\tsvipsrv.dll' + - '\wlbsctrl.dll' + filter: + ImageLoaded|startswith: + - 'C:\Windows\WinSxS\' + condition: selection and not filter falsepositives: - - Pentest + - Pentest level: high +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1574.002 + - 
attack.t1038 # an old one + - attack.t1574.001 diff --git a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml index adde3fc3b..d167e1004 100755 --- a/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml +++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml @@ -1,24 +1,24 @@ title: Unsigned Image Loaded Into LSASS Process id: 857c8db3-c89b-42fb-882b-f681c7cf4da2 +status: test description: Loading unsigned image (DLL, EXE) into LSASS process author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -modified: 2020/08/23 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/10/22 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: '\lsass.exe' - Signed: 'false' - condition: selection + selection: + Image|endswith: '\lsass.exe' + Signed: 'false' + condition: selection falsepositives: - - Valid user connecting using RDP -status: experimental + - Valid user connecting using RDP level: medium +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 diff --git a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml index 50e992f0e..2b7a1420d 100755 --- a/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml 
@@ -1,24 +1,24 @@ title: WMI Persistence - Command Line Event Consumer id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 -status: experimental +status: test description: Detects WMI command line event consumers -references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Thomas Patzke +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ date: 2018/03/07 -modified: 2020/08/23 -tags: - - attack.t1084 # an old one - - attack.t1546.003 - - attack.persistence +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' - ImageLoaded|endswith: '\wbemcons.dll' - condition: selection -falsepositives: - - Unknown (data set is too small; further testing needed) + selection: + Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' + ImageLoaded|endswith: '\wbemcons.dll' + condition: selection +falsepositives: + - Unknown (data set is too small; further testing needed) level: high +tags: + - attack.t1084 # an old one + - attack.t1546.003 + - attack.persistence diff --git a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml index b3020349e..a78876f13 100644 --- a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml 
@@ -1,26 +1,27 @@ title: WMIC Loading Scripting Libraries id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32 +status: test description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). -status: experimental -date: 2020/10/17 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.defense_evasion - - attack.t1220 references: - - https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html - - https://twitter.com/dez_/status/986614411711442944 - - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ + - https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html + - https://twitter.com/dez_/status/986614411711442944 + - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ +date: 2020/10/17 +modified: 2021/11/27 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection: - Image|endswith: '\wmic.exe' - ImageLoaded|endswith: - - '\jscript.dll' - - '\vbscript.dll' - condition: selection + selection: + Image|endswith: '\wmic.exe' + ImageLoaded|endswith: + - '\jscript.dll' + - '\vbscript.dll' + condition: selection falsepositives: - - Apparently, wmic os get lastboottuptime loads vbscript.dll + - Apparently, wmic os get lastboottuptime loads vbscript.dll level: high +tags: + - attack.defense_evasion + - attack.t1220 diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index eed623163..26c5cf2f5 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml 
@@ -1,39 +1,39 @@
 title: Antivirus Exploitation Framework Detection
 id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
+status: test
 description: Detects a highly relevant Antivirus alert that reports an exploitation framework
-status: experimental
-date: 2018/09/09
-modified: 2019/01/16
 author: Florian Roth
 references:
- - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-tags:
- - attack.execution
- - attack.t1203
- - attack.command_and_control
- - attack.t1219
+ - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+date: 2018/09/09
+modified: 2021/11/27
 logsource:
- product: antivirus
+ product: antivirus
 detection:
- selection:
- Signature|contains:
- - "MeteTool"
- - "MPreter"
- - "Meterpreter"
- - "Metasploit"
- - "PowerSploit"
- - "CobaltSrike"
- - "Swrort"
- - "Rozena"
- - "Backdoor.Cobalt"
- - "CobaltStr"
- - "COBEACON"
- - "Cometer"
- - "Razy"
- condition: selection
+ selection:
+ Signature|contains:
+ - "MeteTool"
+ - "MPreter"
+ - "Meterpreter"
+ - "Metasploit"
+ - "PowerSploit"
+ - "CobaltSrike"
+ - "Swrort"
+ - "Rozena"
+ - "Backdoor.Cobalt"
+ - "CobaltStr"
+ - "COBEACON"
+ - "Cometer"
+ - "Razy"
+ condition: selection
 fields:
- - FileName
- - User
+ - FileName
+ - User
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 34a4314f7..5b6992800 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
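Review bot: `- "CobaltSrike"` in the Signature list reads as a misspelling of CobaltStrike; because `- "CobaltStr"` is also present and `contains` matching already covers the correctly spelled name, the entry is either redundant or deliberately mirrors a vendor's own misspelled signature family. A trailing comment, `- "CobaltSrike" # vendor spelling, keep`, would stop a later cleanup from removing or "correcting" it, and a similar note on `"Cometer"` and `"Swrort"` would help since those are also not self-explanatory. The `Unlikely` falsepositives entry together with `level: critical` is consistent for a vendor-confirmed alert.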
@@ -1,40 +1,40 @@
 title: Antivirus Password Dumper Detection
 id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
+status: test
 description: Detects a highly relevant Antivirus alert that reports a password dumper
-status: experimental
-date: 2018/09/09
-modified: 2019/10/04
 author: Florian Roth
 references:
- - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1558
- - attack.t1003.001
- - attack.t1003.002
+ - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+ - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+date: 2018/09/09
+modified: 2021/11/27
 logsource:
- product: antivirus
+ product: antivirus
 detection:
- selection:
- Signature|contains:
- - "DumpCreds"
- - "Mimikatz"
- - "PWCrack"
- - "HTool/WCE"
- - "PSWtool"
- - "PWDump"
- - "SecurityTool"
- - "PShlSpy"
- - "Rubeus"
- - "Kekeo"
- - "LsassDump"
- - "Outflank"
- condition: selection
+ selection:
+ Signature|contains:
+ - "DumpCreds"
+ - "Mimikatz"
+ - "PWCrack"
+ - "HTool/WCE"
+ - "PSWtool"
+ - "PWDump"
+ - "SecurityTool"
+ - "PShlSpy"
+ - "Rubeus"
+ - "Kekeo"
+ - "LsassDump"
+ - "Outflank"
+ condition: selection
 fields:
- - FileName
- - User
+ - FileName
+ - User
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1558
+ - attack.t1003.001
+ - attack.t1003.002
diff --git a/rules/windows/malware/file_event_mal_octopus_scanner.yml b/rules/windows/malware/file_event_mal_octopus_scanner.yml
index a76955bea..89ae6af09 100644
--- a/rules/windows/malware/file_event_mal_octopus_scanner.yml
+++ b/rules/windows/malware/file_event_mal_octopus_scanner.yml
@@ -1,14 +1,12 @@
 title: Octopus Scanner Malware
 id: 805c55d9-31e6-4846-9878-c34c75054fe9
-status: experimental
+status: test
 description: Detects Octopus Scanner Malware.
+author: NVISO
 references:
 - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
-tags:
- - attack.t1195
- - attack.t1195.001
-author: NVISO
 date: 2020/06/09
+modified: 2021/11/27
 logsource:
 product: windows
 category: file_event
@@ -21,3 +19,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.t1195
+ - attack.t1195.001
diff --git a/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
index c22d83ab7..5be624b8e 100644
--- a/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
+++ b/rules/windows/malware/process_creation_mal_lockergoga_ransomware.yml
@@ -1,23 +1,24 @@
 title: LockerGoga Ransomware
 id: 74db3488-fd28-480a-95aa-b7af626de068
-author: Vasiliy Burov, oscd.community
-date: 2020/10/18
+status: test
 description: Detects LockerGoga Ransomware command line.
-status: experimental
+author: Vasiliy Burov, oscd.community
 references:
- - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
- - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
-tags:
- - attack.impact
- - attack.t1486
+ - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+ - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+ - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+date: 2020/10/18
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains: '-i SM-tgytutrc -s'
- condition: selection
+ selection:
+ CommandLine|contains: '-i SM-tgytutrc -s'
+ condition: selection
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
+tags:
+ - attack.impact
+ - attack.t1486
diff --git a/rules/windows/malware/process_creation_mal_ryuk.yml b/rules/windows/malware/process_creation_mal_ryuk.yml
index 156ee19ab..979550345 100644
--- a/rules/windows/malware/process_creation_mal_ryuk.yml
+++ b/rules/windows/malware/process_creation_mal_ryuk.yml
@@ -1,29 +1,30 @@
 title: Ryuk Ransomware
 id: 0acaad27-9f02-4136-a243-c357202edd74
+status: test
 description: Detects Ryuk Ransomware command lines
-status: experimental
-references:
- - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
 author: Vasiliy Burov
+references:
+ - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
 date: 2019/08/06
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
- CommandLine|contains|all:
- - 'stop'
- CommandLine|contains:
- - 'samss'
- - 'audioendpointbuilder'
- - 'unistoresvc_?????'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'stop'
+ CommandLine|contains:
+ - 'samss'
+ - 'audioendpointbuilder'
+ - 'unistoresvc_?????'
+ condition: selection
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
 tags:
- - attack.execution
- - attack.t1204
+ - attack.execution
+ - attack.t1204
diff --git a/rules/windows/malware/registry_event_mal_azorult.yml b/rules/windows/malware/registry_event_mal_azorult.yml
index 987e7a7fe..8825a00e7 100644
--- a/rules/windows/malware/registry_event_mal_azorult.yml
+++ b/rules/windows/malware/registry_event_mal_azorult.yml
@@ -1,14 +1,12 @@
 title: Registry Entries For Azorult Malware
 id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+status: test
 description: Detects the presence of a registry key created during Azorult execution
-status: experimental
+author: Trent Liffick
 references:
 - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
-author: Trent Liffick
 date: 2020/05/08
-tags:
- - attack.execution
- - attack.t1112
+modified: 2021/11/27
 logsource:
 product: windows
 category: registry_event
@@ -27,3 +25,6 @@ fields:
 falsepositives:
 - unknown
 level: critical
+tags:
+ - attack.execution
+ - attack.t1112
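Review bot: `CommandLine|contains|all:` in the Ryuk selection is applied to a single-element list (`- 'stop'`), so the `|all` modifier has no effect and reads as if further fragments were intended; either simplify to `CommandLine|contains: 'stop'` or add the missing values if the original intent was to require several. The `'unistoresvc_?????'` entry is the only one relying on Sigma's `?` single-character wildcard, which deserves a trailing comment such as `# ? = one character of the random service suffix` so it is not mistaken for a literal. The two Azorult hunks on the same line only move metadata, and that rule's detection body lies outside this diff.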
diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
index 4dad7b038..e68489a5f 100644
--- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -1,26 +1,27 @@
 title: Silenttrinity Stager Msbuild Activity
 id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+status: test
 description: Detects a possible remote connections to Silenttrinity c2
-references:
- - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
-tags:
- - attack.execution
- - attack.t1127.001
-status: experimental
 author: Kiran kumar s, oscd.community
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 date: 2020/10/11
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Image|endswith: '\msbuild.exe'
- filter:
- DestinationPort:
- - '80'
- - '443'
- Initiated: 'true'
- condition: selection and filter
+ selection:
+ Image|endswith: '\msbuild.exe'
+ filter:
+ DestinationPort:
+ - '80'
+ - '443'
+ Initiated: 'true'
+ condition: selection and filter
 falsepositives:
- - unknown
+ - unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1127.001
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index e97176154..a1993a352 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
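Review bot: The map named `filter` is combined positively (`condition: selection and filter`), whereas every other rule in this commit uses `filter` for exclusions under `not filter`; renaming it `selection_ports`, or folding `DestinationPort` and `Initiated` into `selection`, spares a reader from assuming it is an exclusion. Port values are also typed inconsistently across the reformatted set: quoted strings here (`- '80'`, `- '443'`) and in the Notepad and back-connect rules, bare integers in the Remote PowerShell (5985/5986), RDP (3389) and Kerberos (88) rules; since backends may compare strings and integers differently, one convention for the whole set would be safer. The `attack.t1127.001` tag matches the `\msbuild.exe` selection.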
@@ -1,47 +1,47 @@
 title: Dllhost Internet Connection
 id: cfed2f44-16df-4bf3-833a-79405198b277
-status: experimental
+status: test
 description: Detects Dllhost that communicates with public IP addresses
-references:
- - https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
 author: bartblaze
+references:
+ - https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
 date: 2020/07/13
-modified: 2020/08/24
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
- - attack.t1559.001
- - attack.t1175 # an old one
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Image|endswith: '\dllhost.exe'
- Initiated: 'true'
- filter:
- DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\dllhost.exe'
+ Initiated: 'true'
+ filter:
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ condition: selection and not filter
 falsepositives:
- - Communication to other corporate systems that use IP addresses from public address spaces
+ - Communication to other corporate systems that use IP addresses from public address spaces
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+ - attack.t1559.001
+ - attack.t1175 # an old one
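Review bot: The `filter` map lists only IPv4 prefixes, so an IPv6 destination — link-local `fe80::`, unique-local `fc00::/7`, loopback `::1` — never matches it and is reported as "public"; the same gap exists in the rundll32 rule later in this diff and in `filter2` of the back-connect ports rule, where `DestinationIsIpv6: 'false'` is ANDed with the prefix list and therefore does not exclude IPv6 traffic either. If internal IPv6 is in use, adding the private IPv6 prefixes to the list (`- 'fe80:'`, `- 'fc'`, `- 'fd'`, `- '::1'`) keeps public IPv6 destinations alerting while dropping internal ones, after confirming how Sysmon renders IPv6 in `DestinationIp`. The IPv4 list also omits `169.254.` (link-local) and `100.64.0.0/10` (shared address space), which are not public either; whether to exclude them is a tuning choice, but a comment on the filter stating that choice would help the next maintainer.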
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index 6ab3c851a..804ddbebe 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -1,99 +1,99 @@
 title: Suspicious Typical Malware Back Connect Ports
 id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
-status: experimental
+status: test
 description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
+references:
+ - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 date: 2017/03/19
-modified: 2020/08/24
-tags:
- - attack.command_and_control
- - attack.t1571
- - attack.t1043 # an old one
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
- definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+ category: network_connection
+ product: windows
+ definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
 detection:
- selection:
- Initiated: 'true'
- DestinationPort:
- - '4443'
- - '2448'
- - '8143'
- - '1777'
- - '1443'
- - '243'
- - '65535'
- - '13506'
- - '3360'
- - '200'
- - '198'
- - '49180'
- - '13507'
- - '6625'
- - '4444'
- - '4438'
- - '1904'
- - '13505'
- - '13504'
- - '12102'
- - '9631'
- - '5445'
- - '2443'
- - '777'
- - '13394'
- - '13145'
- - '12103'
- - '5552'
- - '3939'
- - '3675'
- - '666'
- - '473'
- - '5649'
- - '4455'
- - '4433'
- - '1817'
- - '100'
- - '65520'
- - '1960'
- - '1515'
- - '743'
- - '700'
- - '14154'
- - '14103'
- - '14102'
- - '12322'
- - '10101'
- - '7210'
- - '4040'
- - '9943'
- filter1:
- Image|contains: '\Program Files'
- filter2:
- DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- DestinationIsIpv6: 'false'
- condition: selection and not ( filter1 or filter2 )
+ selection:
+ Initiated: 'true'
+ DestinationPort:
+ - '4443'
+ - '2448'
+ - '8143'
+ - '1777'
+ - '1443'
+ - '243'
+ - '65535'
+ - '13506'
+ - '3360'
+ - '200'
+ - '198'
+ - '49180'
+ - '13507'
+ - '6625'
+ - '4444'
+ - '4438'
+ - '1904'
+ - '13505'
+ - '13504'
+ - '12102'
+ - '9631'
+ - '5445'
+ - '2443'
+ - '777'
+ - '13394'
+ - '13145'
+ - '12103'
+ - '5552'
+ - '3939'
+ - '3675'
+ - '666'
+ - '473'
+ - '5649'
+ - '4455'
+ - '4433'
+ - '1817'
+ - '100'
+ - '65520'
+ - '1960'
+ - '1515'
+ - '743'
+ - '700'
+ - '14154'
+ - '14103'
+ - '14102'
+ - '12322'
+ - '10101'
+ - '7210'
+ - '4040'
+ - '9943'
+ filter1:
+ Image|contains: '\Program Files'
+ filter2:
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ DestinationIsIpv6: 'false'
+ condition: selection and not ( filter1 or filter2 )
 falsepositives:
- - unknown
+ - unknown
 level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1571
+ - attack.t1043 # an old one
diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
index 0ab14bd51..dceaca53d 100755
--- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
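Review bot: The re-indented `definition` line, `'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'`, does not describe this logsource: the rule is `category: network_connection` (Sysmon Event ID 3), and `VBE7.DLLUNKNOWN` looks like pasted residue; the program-location rule later in this diff carries the fitting wording, `'Use the following config to generate the necessary Event ID 3 Network Connection events'`. Since the commit already rewrites this line for indentation, correcting it is cheap. `filter1: Image|contains: '\Program Files'` also excludes any image whose path merely contains that string rather than only the two standard program directories; `Image|startswith` with `'C:\Program Files\'` and `'C:\Program Files (x86)\'` is the tighter form and matches how the sibling rules anchor paths. The hunk starts at the previous line.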
@@ -1,27 +1,27 @@
 title: Notepad Making Network Connection
 id: e81528db-fc02-45e8-8e98-4e84aba1f10b
-status: experimental
+status: test
 description: Detects suspicious network connection by Notepad
-references:
- - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
- - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
-tags:
- - attack.command_and_control
- - attack.execution
- - attack.defense_evasion
- - attack.t1055
 author: EagleEye Team
-logsource:
- category: network_connection
- product: windows
+references:
+ - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+ - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
 date: 2020/05/14
-modified: 2020/08/24
+modified: 2021/11/27
+logsource:
+ category: network_connection
+ product: windows
 detection:
- selection:
- Image|endswith: '\notepad.exe'
- filter:
- DestinationPort: '9100'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\notepad.exe'
+ filter:
+ DestinationPort: '9100'
+ condition: selection and not filter
 falsepositives:
- - None observed so far
+ - None observed so far
 level: high
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1055
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index ce01eeb58..a3a16207b 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -1,30 +1,30 @@
 title: Remote PowerShell Session
 id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+status: test
 description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
-status: experimental
-date: 2019/09/12
-modified: 2020/08/24
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.t1086 # an old one
- - attack.lateral_movement
- - attack.t1021.006
- - attack.t1028 # an old one
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+date: 2019/09/12
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- DestinationPort:
- - 5985
- - 5986
- filter:
- User: 'NT AUTHORITY\NETWORK SERVICE'
- condition: selection and not filter
+ selection:
+ DestinationPort:
+ - 5985
+ - 5986
+ filter:
+ User: 'NT AUTHORITY\NETWORK SERVICE'
+ condition: selection and not filter
 falsepositives:
- - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+ - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
 level: high
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.lateral_movement
+ - attack.t1021.006
+ - attack.t1028 # an old one
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 75920a653..bc9e26624 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
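Review bot: The description says the rule monitors outbound connections to 5985/5986, but `selection` has no `Initiated: 'true'` field, so on a host that itself runs a WinRM listener the accepted side of a session (which Sysmon presumably records with the local port as DestinationPort) is matched as well, leaving the `NT AUTHORITY\NETWORK SERVICE` filter as the only thing holding the noise down. Adding `Initiated: 'true'` to `selection`, as the dllhost, rundll32, RDP and Kerberos rules in this commit do, aligns the logic with the description. `DestinationPort` is given as bare integers here while most rules in the set quote port values; one convention across the set would be safer for backends that distinguish the types.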
@@ -1,46 +1,46 @@
 title: Rundll32 Internet Connection
 id: cdc8da7d-c303-42f8-b08c-b4ab47230263
-status: experimental
+status: test
 description: Detects a rundll32 that communicates with public IP addresses
-references:
- - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth
+references:
+ - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 date: 2017/11/04
-modified: 2020/08/24
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.t1085 # an old one
- - attack.execution
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Image|endswith: '\rundll32.exe'
- Initiated: 'true'
- filter:
- DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\rundll32.exe'
+ Initiated: 'true'
+ filter:
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ condition: selection and not filter
 falsepositives:
- - Communication to other corporate systems that use IP addresses from public address spaces
+ - Communication to other corporate systems that use IP addresses from public address spaces
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.t1085 # an old one
+ - attack.execution
diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
index f93c48f5a..0c06e08d6 100755
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -1,36 +1,37 @@
 title: Suspicious Program Location with Network Connections
 id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
-status: experimental
+status: test
 description: Detects programs with network connections running in suspicious files system locations
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
+references:
+ - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 date: 2017/03/19
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
- definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
+ category: network_connection
+ product: windows
+ definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
 detection:
- selection:
- - Image|contains:
+ selection:
+ - Image|contains:
 # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows
- - '\Users\All Users\'
- - '\Users\Default\'
- - '\Users\Public\'
- - '\Users\Contacts\'
- - '\Users\Searches\'
- - '\config\systemprofile\'
- - '\Windows\Fonts\'
- - '\Windows\IME\'
- - '\Windows\addins\'
- - Image|endswith:
- - '\$Recycle.bin'
- - Image|startswith:
- - 'C:\Perflogs\'
- condition: selection
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Public\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
+ - Image|endswith:
+ - '\$Recycle.bin'
+ - Image|startswith:
+ - 'C:\Perflogs\'
+ condition: selection
 falsepositives:
- - unknown
+ - unknown
 level: high
 tags:
- - attack.command_and_control
- - attack.t1105
\ No newline at end of file
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index 9867e2b1d..96444dfea 100755
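Review bot: `- Image|endswith:` with `- '\$Recycle.bin'` can only match a process whose image path ends in the directory name itself, which an executable path does not; the intended case is presumably a binary executed from inside the recycle bin, which needs `- '\$Recycle.bin\'` under the `Image|contains` list above it instead. The commented-out `# - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows` entry is the one place the list documents a tuning decision, and the same one-line rationale would help on the less obvious entries such as `'\Windows\IME\'` and `'\config\systemprofile\'`. The commit also repairs the missing trailing newline, which is fine.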
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -1,48 +1,48 @@
 title: Suspicious Outbound RDP Connections
 id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
-status: experimental
+status: test
 description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
-references:
- - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis - Swisscom
+references:
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 date: 2019/05/15
-modified: 2020/08/24
-tags:
- - attack.lateral_movement
- - attack.t1021.001
- - attack.t1076 # an old one
- - car.2013-07-002
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- DestinationPort: 3389
- Initiated: 'true'
- filter:
- Image|endswith:
- - '\mstsc.exe'
- - '\RTSApp.exe'
- - '\RTS2App.exe'
- - '\RDCMan.exe'
- - '\ws_TunnelService.exe'
- - '\RSSensor.exe'
- - '\RemoteDesktopManagerFree.exe'
- - '\RemoteDesktopManager.exe'
- - '\RemoteDesktopManager64.exe'
- - '\mRemoteNG.exe'
- - '\mRemote.exe'
- - '\Terminals.exe'
- - '\spiceworks-finder.exe'
- - '\FSDiscovery.exe'
- - '\FSAssessment.exe'
- - '\MobaRTE.exe'
- - '\chrome.exe'
- - '\System32\dns.exe'
- - '\thor.exe'
- - '\thor64.exe'
- condition: selection and not filter
+ selection:
+ DestinationPort: 3389
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '\mstsc.exe'
+ - '\RTSApp.exe'
+ - '\RTS2App.exe'
+ - '\RDCMan.exe'
+ - '\ws_TunnelService.exe'
+ - '\RSSensor.exe'
+ - '\RemoteDesktopManagerFree.exe'
+ - '\RemoteDesktopManager.exe'
+ - '\RemoteDesktopManager64.exe'
+ - '\mRemoteNG.exe'
+ - '\mRemote.exe'
+ - '\Terminals.exe'
+ - '\spiceworks-finder.exe'
+ - '\FSDiscovery.exe'
+ - '\FSAssessment.exe'
+ - '\MobaRTE.exe'
+ - '\chrome.exe'
+ - '\System32\dns.exe'
+ - '\thor.exe'
+ - '\thor64.exe'
+ condition: selection and not filter
 falsepositives:
- - Other Remote Desktop RDP tools
- - domain controller using dns.exe
+ - Other Remote Desktop RDP tools
+ - domain controller using dns.exe
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1021.001
+ - attack.t1076 # an old one
+ - car.2013-07-002
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 0dea6daaf..b98915d14 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -1,33 +1,33 @@
 title: Suspicious Outbound Kerberos Connection
 id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
-status: experimental
+status: test
 description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-references:
- - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
+references:
+ - https://github.com/GhostPack/Rubeus
 date: 2019/10/24
-modified: 2020/08/24
-tags:
- - attack.credential_access
- - attack.t1558
- - attack.t1208 # an old one
- - attack.lateral_movement
- - attack.t1550.003
- - attack.t1097 # an old one
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- DestinationPort: 88
- Initiated: 'true'
- filter:
- Image|endswith:
- - '\lsass.exe'
- - '\opera.exe'
- - '\chrome.exe'
- - '\firefox.exe'
- condition: selection and not filter
+ selection:
+ DestinationPort: 88
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ condition: selection and not filter
 falsepositives:
- - Other browsers
+ - Other browsers
 level: high
+tags:
+ - attack.credential_access
+ - attack.t1558
+ - attack.t1208 # an old one
+ - attack.lateral_movement
+ - attack.t1550.003
+ - attack.t1097 # an old one
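Review bot: The RDP exclusion list carries `- '\chrome.exe'` on the new side without any hint of why a browser is trusted to open TCP 3389, so a reader cannot tell whether it is a deliberate allowance for a browser-based RDP client or an accidental broad exclusion; a trailing comment such as `- '\chrome.exe' # web-based RDP client, see <ticket placeholder>` and the same for `'\System32\dns.exe'` (which the falsepositives entry at least mentions) would make the list auditable. The Kerberos rule on the same line has the same shape — `DestinationPort: 88` as a bare integer and a browser exclusion list explained only by `- Other browsers` — and would benefit from the same per-entry comments. Both rules use unquoted ports while other rules in this commit quote them; one convention for the set would be safer. The RDP hunk starts on the previous line.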
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index a63c8b1e0..915ef7f25 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -1,32 +1,32 @@
 title: Microsoft Binary Github Communication
 id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
-status: experimental
+status: test
 description: Detects an executable in the Windows folder accessing github.com
-references:
- - https://twitter.com/M_haggis/status/900741347035889665
- - https://twitter.com/M_haggis/status/1032799638213066752
- - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Michael Haag (idea), Florian Roth (rule)
+references:
+ - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 date: 2017/08/24
-modified: 2020/08/24
-tags:
- - attack.lateral_movement
- - attack.t1105
- - attack.exfiltration
- - attack.t1567.001
- - attack.t1048 # an old one
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - '.github.com'
- - '.githubusercontent.com'
- Image|startswith: 'C:\Windows\'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - '.github.com'
+ - '.githubusercontent.com'
+ Image|startswith: 'C:\Windows\'
+ condition: selection
 falsepositives:
- - 'Unknown'
- - '@subTee in your network'
+ - 'Unknown'
+ - '@subTee in your network'
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1105
+ - attack.exfiltration
+ - attack.t1567.001
+ - attack.t1048 # an old one
diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
index 4422fc1e5..25a11312a 100755
--- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
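Review bot: `DestinationHostname|endswith:` with `- '.github.com'` does not match the bare hostname `github.com` that the description says the rule is about, because the leading dot forces a subdomain; the same applies to `- '.pastebin.com'` in the next rule on this diff. Listing both forms (`- 'github.com'` alongside `- '.github.com'`) closes the gap without widening the match to unrelated domains that merely end in the same letters. `Image|startswith: 'C:\Windows\'` assumes the default system drive, which the sibling rules also do, so that at least is consistent across the set.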
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -1,27 +1,28 @@
 title: Microsoft Binary Suspicious Communication Endpoint
 id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
-status: experimental
+status: test
 description: Detects an executable in the Windows folder accessing suspicious domains
-references:
- - https://twitter.com/M_haggis/status/900741347035889665
- - https://twitter.com/M_haggis/status/1032799638213066752
 author: Florian Roth
+references:
+ - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
 date: 2018/08/30
-tags:
- - attack.lateral_movement
- - attack.t1105
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - 'dl.dropboxusercontent.com'
- - '.pastebin.com'
- - '.githubusercontent.com' # includes both gists and github repositories
- Image|startswith: 'C:\Windows\'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - 'dl.dropboxusercontent.com'
+ - '.pastebin.com'
+ - '.githubusercontent.com' # includes both gists and github repositories
+ Image|startswith: 'C:\Windows\'
+ condition: selection
 falsepositives:
- - 'Unknown'
+ - 'Unknown'
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1105
diff --git a/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
index 5407c0a6d..b52dceebf 100644
--- a/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
@@ -1,21 +1,22 @@
 title: Wuauclt Network Connection
 id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+status: test
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-status: experimental
-date: 2020/10/12
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1218
 references:
- - https://dtm.uk/wuauclt/
+ - https://dtm.uk/wuauclt/
+date: 2020/10/12
+modified: 2021/11/27
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Image|contains: wuauclt
- condition: selection
+ selection:
+ Image|contains: wuauclt
+ condition: selection
 falsepositives:
- - Legitimate use of wuauclt.exe over the network.
+ - Legitimate use of wuauclt.exe over the network.
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml
index d4fd592a3..7367db3ce 100644
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
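Review bot: `Image|contains: wuauclt` is the only selection in this set that matches the process name as an unquoted substring anywhere in the path, so any directory component containing that string also matches; `Image|endswith: '\wuauclt.exe'` follows the convention of the other network_connection rules here (`'\msbuild.exe'`, `'\notepad.exe'`, `'\rundll32.exe'`) and quotes the value like they do. The description's "making a network connections" should read "making network connections"; since the commit leaves that line as context it would need a separate touch.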
@@ -1,28 +1,29 @@ title: Windows Defender Exclusion Set id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +status: test description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender' -status: experimental -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -tags: - - attack.defense_evasion - - attack.t1089 # an old one - - attack.t1562.001 author: "@BarryShooshooga" +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ date: 2019/10/26 +modified: 2021/11/27 logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: - selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection + selection: + EventID: + - 4657 + - 4656 + - 4660 + - 4663 + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection falsepositives: - - Intended inclusions by administrator + - Intended inclusions by administrator level: high +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml index eac2c43d1..49d47422e 100644 --- a/rules/windows/other/win_pcap_drivers.yml +++ b/rules/windows/other/win_pcap_drivers.yml 
@@ -1,39 +1,40 @@ title: Windows Pcap Drivers id: 7b687634-ab20-11ea-bb37-0242ac130002 -status: experimental +status: test description: Detects Windows Pcap driver installation based on a list of associated .sys files. author: Cian Heasley -date: 2020/06/10 references: - - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more -tags: - - attack.discovery - - attack.credential_access - - attack.t1040 + - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more +date: 2020/06/10 +modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 4697 - ServiceFileName|contains: - - 'pcap' - - 'npcap' - - 'npf' - - 'nm3' - - 'ndiscap' - - 'nmnt' - - 'windivert' - - 'USBPcap' - - 'pktmon' - condition: selection + selection: + EventID: 4697 + ServiceFileName|contains: + - 'pcap' + - 'npcap' + - 'npf' + - 'nm3' + - 'ndiscap' + - 'nmnt' + - 'windivert' + - 'USBPcap' + - 'pktmon' + condition: selection fields: - - EventID - - ServiceFileName - - Account_Name - - Computer_Name - - Originating_Computer - - ServiceName + - EventID + - ServiceFileName + - Account_Name + - Computer_Name + - Originating_Computer + - ServiceName falsepositives: - - unknown + - unknown level: medium +tags: + - attack.discovery + - attack.credential_access + - attack.t1040 diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml index 2f021d214..1b33035d0 100644 --- a/rules/windows/other/win_rare_schtask_creation.yml +++ b/rules/windows/other/win_rare_schtask_creation.yml 
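Review bot: The re-indented `ServiceFileName|contains` list carries entries that are subsumed by others: Sigma string matching is case-insensitive by default, so `'pcap'` already matches every value that `'npcap'` or `'USBPcap'` would match. Dropping the two redundant entries, or adding a comment such as `# 'pcap' also covers npcap and USBPcap; listed for readability`, makes it clear what each entry contributes. The short substrings `'npf'` and `'nm3'` are the ones most likely to hit unrelated driver file names, and a comment naming the driver family each one is meant for would help whoever tunes the `unknown` false-positive entry later.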
@@ -1,22 +1,23 @@ title: Rare Scheduled Task Creations id: b20f6158-9438-41be-83da-a5a16ac90c2b -status: experimental +status: test description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. -tags: - - attack.persistence - - attack.t1053 # an old one - - attack.s0111 - - attack.t1053.005 author: Florian Roth date: 2017/03/17 +modified: 2021/11/27 logsource: - product: windows - service: taskscheduler + product: windows + service: taskscheduler detection: - selection: - EventID: 106 - timeframe: 7d - condition: selection | count() by TaskName < 5 + selection: + EventID: 106 + timeframe: 7d + condition: selection | count() by TaskName < 5 falsepositives: - - Software installation + - Software installation level: low +tags: + - attack.persistence + - attack.t1053 # an old one + - attack.s0111 + - attack.t1053.005 diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 22f601327..aff2804f7 100644 --- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml 
@@ -1,34 +1,34 @@ title: Alternate PowerShell Hosts Pipe id: 58cb02d5-78ce-4692-b3e1-dce850aae41a +status: test description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe -status: experimental -date: 2019/09/12 -modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html +date: 2019/09/12 +modified: 2021/11/27 logsource: - product: windows - category: pipe_created + product: windows + category: pipe_created detection: - selection: - PipeName|startswith: '\PSHost' - filter1: - Image|endswith: - - '\powershell.exe' - - '\powershell_ise.exe' - filter2: - Image: null - condition: selection and not filter1 and not filter2 + selection: + PipeName|startswith: '\PSHost' + filter1: + Image|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' + filter2: + Image: + condition: selection and not filter1 and not filter2 fields: - - ComputerName - - User - - Image - - PipeName + - ComputerName + - User + - Image + - PipeName falsepositives: - - Programs using PowerShell directly without invocation of a dedicated interpreter. + - Programs using PowerShell directly without invocation of a dedicated interpreter. level: medium +tags: + - attack.execution + - attack.t1086 # an old one + - attack.t1059.001 diff --git a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index a8dea10d8..3d86a34b3 100755 --- a/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml 
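Review bot: The `filter2` selection changed from `Image: null` to a bare `Image:` key with no value. YAML parses both as null, so the condition `selection and not filter1 and not filter2` behaves the same, but the explicit form tells a reader that the filter deliberately targets events with no Image field, whereas the bare key reads like an unfinished edit. I would restore `Image: null`, or keep the bare form and annotate it with `# excludes events that carry no Image field`.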
@@ -1,30 +1,31 @@ title: Turla Group Named Pipes id: 739915e4-1e70-4778-8b8a-17db02f66db1 -status: experimental +status: test description: Detects a named pipe used by Turla group samples -references: - - Internal Research - - https://attack.mitre.org/groups/G0010/ -date: 2017/11/06 -tags: - - attack.g0010 - - attack.execution - - attack.t1106 author: Markus Neis +references: + - Internal Research + - https://attack.mitre.org/groups/G0010/ +date: 2017/11/06 +modified: 2021/11/27 logsource: - product: windows - category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection: - PipeName: - - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection - - '\userpipe' # ruag apt case - - '\iehelper' # ruag apt case - - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra - - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra + selection: + PipeName: + - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection + - '\userpipe' # ruag apt case + - '\iehelper' # ruag apt case + - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra + - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483 - condition: selection + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.g0010 + - attack.execution + - attack.t1106 diff --git a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index e4c7897d9..5fa249bee 100644 --- a/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml 
@@ -1,30 +1,30 @@ title: Cred Dump-Tools Named Pipes id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e +status: test description: Detects well-known credential dumping tools execution via specific named pipes author: Teymur Kheirkhabarov, oscd.community -date: 2019/11/01 -modified: 2020/08/28 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.005 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/11/01 +modified: 2021/11/27 logsource: - product: windows - category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection: - PipeName|contains: - - '\lsadump' - - '\cachedump' - - '\wceservicepipe' - condition: selection + selection: + PipeName|contains: + - '\lsadump' + - '\cachedump' + - '\wceservicepipe' + condition: selection falsepositives: - - Legitimate Administrator using tool for password recovery + - Legitimate Administrator using tool for password recovery level: critical -status: experimental +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 diff --git a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml index 0546b2cdc..092581650 100644 --- a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml +++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml @@ -1,21 +1,22 @@ title: T1086 PowerShell Execution id: ac7102b4-9e1e-4802-9b4f-17c5524c015c +status: test description: Detects execution of PowerShell -status: experimental -date: 2019/09/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.execution - - attack.t1059.001 references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html +date: 2019/09/12 +modified: 2021/11/27 logsource: - product: windows - category: pipe_created + product: windows + category: pipe_created detection: - selection: - PipeName|startswith: '\PSHost' - condition: selection + selection: + PipeName|startswith: '\PSHost' + condition: selection falsepositives: - - Unknown + - Unknown level: informational +tags: + - attack.execution + - attack.t1059.001 
diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml index fa35acced..38ff48444 100644 --- a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml 
@@ -1,26 +1,27 @@ title: PsExec Pipes Artifacts id: 9e77ed63-2ecf-4c7b-b09d-640834882028 -status: experimental +status: test description: Detecting use PsExec via Pipe Creation/Access to pipes author: Nikita Nazarov, oscd.community -date: 2020/05/10 references: - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -tags: - - attack.lateral_movement - - attack.t1021.002 + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +date: 2020/05/10 +modified: 2021/11/27 logsource: - product: windows - category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection: - PipeName|startswith: - - 'psexec' - - 'paexec' - - 'remcom' - - 'csexec' - condition: selection + selection: + PipeName|startswith: + - 'psexec' + - 'paexec' + - 'remcom' + - 'csexec' + condition: selection falsepositives: - - Legitimate Administrator activity + - Legitimate Administrator activity level: medium +tags: + - attack.lateral_movement + - attack.t1021.002 diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 703f86b32..f3482258d 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml 
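Review bot: `PipeName|startswith` with `'psexec'`, `'paexec'`, `'remcom'` and `'csexec'` assumes pipe names without a leading backslash, while the sibling pipe rules in this commit (`'\PSHost'`, `'\atctl'`, `'\lsadump'`) match Sysmon Event 17/18 values that begin with `\`. If the logged `PipeName` has that form, none of these prefixes can match and the rule would not fire on Sysmon data. Either prefix each entry, e.g. `- '\psexec'`, or switch the modifier to `PipeName|contains:` as the credential-dump rule in this commit already does; the values themselves are pre-existing and only re-indented here.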
@@ -1,29 +1,30 @@ title: Load Undocumented Autoelevated COM Interface id: fb3722e4-1a06-46b6-b772-253e2e7db933 -status: experimental +status: test description: COM interface (EditionUpgradeManager) that is not used by standard executables. -references: - - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ - - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 author: oscd.community, Dmitry Uchakin +references: + - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ + - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 date: 2020/10/07 +modified: 2021/11/27 logsource: - category: process_access - product: windows + category: process_access + product: windows detection: - selection: - CallTrace|contains: 'editionupgrademanagerobj.dll' - condition: selection + selection: + CallTrace|contains: 'editionupgrademanagerobj.dll' + condition: selection fields: - - ComputerName - - User - - SourceImage - - TargetImage - - CallTrace + - ComputerName + - User + - SourceImage + - TargetImage + - CallTrace falsepositives: - - unknown -level: high \ No newline at end of file + - unknown +level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml index 55855b3bc..35abd86d3 100755 --- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml 
@@ -1,31 +1,32 @@ title: Malware Shellcode in Verclsid Target Process id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1 -status: experimental +status: test description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro -references: - - https://twitter.com/JohnLaTwC/status/837743453039534080 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 author: John Lambert (tech), Florian Roth (rule) +references: + - https://twitter.com/JohnLaTwC/status/837743453039534080 date: 2017/03/04 +modified: 2021/11/27 logsource: - category: process_access - product: windows - definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + category: process_access + product: windows + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: - selection: - TargetImage|endswith: '\verclsid.exe' - GrantedAccess: '0x1FFFFF' - combination1: - CallTrace|contains|all: - - '|UNKNOWN(' - - 'VBE7.DLL' - combination2: - SourceImage|contains: '\Microsoft Office\' - CallTrace|contains: '|UNKNOWN' - condition: selection and 1 of combination* + selection: + TargetImage|endswith: '\verclsid.exe' + GrantedAccess: '0x1FFFFF' + combination1: + CallTrace|contains|all: + - '|UNKNOWN(' + - 'VBE7.DLL' + combination2: + SourceImage|contains: '\Microsoft Office\' + CallTrace|contains: '|UNKNOWN' + condition: selection and 1 of combination* falsepositives: - - unknown + - unknown level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index 1c7b2054c..e6b12a975 100644 --- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml 
@@ -1,33 +1,34 @@ title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN -status: experimental id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3 -author: Beyu Denis, oscd.community -date: 2020/10/18 +status: test description: dotnet.exe will execute any DLL and execute unsigned code +author: Beyu Denis, oscd.community references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml - - https://twitter.com/_felamos/status/1204705548668555264 - - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ -tags: - - attack.execution - - attack.t1218 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml + - https://twitter.com/_felamos/status/1204705548668555264 + - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ +date: 2020/10/18 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|endswith: - - '.dll' - - '.csproj' - Image|endswith: - - '\dotnet.exe' - condition: selection + selection: + CommandLine|endswith: + - '.dll' + - '.csproj' + Image|endswith: + - '\dotnet.exe' + condition: selection fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + - ComputerName + - User + - CommandLine + - ParentCommandLine falsepositives: - - System administrator Usage - - Penetration test + - System administrator Usage + - Penetration test level: medium +tags: + - attack.execution + - attack.t1218 diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index 08b586762..7930ea39d 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml 
@@ -1,34 +1,35 @@ title: Execute Files with Msdeploy.exe -status: experimental id: 646bc99f-6682-4b47-a73a-17b1b64c9d34 -author: Beyu Denis, oscd.community -date: 2020/10/18 +status: test description: Detects file execution using the msdeploy.exe lolbin +author: Beyu Denis, oscd.community references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml - - https://twitter.com/pabraeken/status/995837734379032576 - - https://twitter.com/pabraeken/status/999090532839313408 -tags: - - attack.execution - - attack.t1218 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml + - https://twitter.com/pabraeken/status/995837734379032576 + - https://twitter.com/pabraeken/status/999090532839313408 +date: 2020/10/18 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'verb:sync' - - '-source:RunCommand' - - '-dest:runCommand' - Image|endswith: - - '\msdeploy.exe' - condition: selection + selection: + CommandLine|contains|all: + - 'verb:sync' + - '-source:RunCommand' + - '-dest:runCommand' + Image|endswith: + - '\msdeploy.exe' + condition: selection fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + - ComputerName + - User + - CommandLine + - ParentCommandLine falsepositives: - - System administrator Usage - - Penetration test + - System administrator Usage + - Penetration test level: medium +tags: + - attack.execution + - attack.t1218 diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 041bba07a..24e602704 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml 
@@ -1,46 +1,47 @@ title: Abused Debug Privilege by Arbitrary Parent Processes id: d522eca2-2973-4391-a3e0-ef0374321dae -status: experimental +status: test description: Detection of unusual child processes by different system processes -references: - - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg -date: 2020/10/28 -tags: - - attack.privilege_escalation - - attack.t1548 author: 'Semanur Guneysu @semanurtg, oscd.community' +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg +date: 2020/10/28 +modified: 2021/11/27 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - selection1: - ParentImage|endswith: - - '\winlogon.exe' - - '\services.exe' - - '\lsass.exe' - - '\csrss.exe' - - '\smss.exe' - - '\wininit.exe' - - '\spoolsv.exe' - - '\searchindexer.exe' - selection2: - Image|endswith: - - '\powershell.exe' - - '\cmd.exe' - selection3: - User|startswith: - - 'NT AUTHORITY\SYSTEM' - - 'AUTORITE NT\Sys' # French language settings - filter: - CommandLine|contains|all: - - ' route ' - - ' ADD ' - condition: selection1 and selection2 and selection3 and not filter + selection1: + ParentImage|endswith: + - '\winlogon.exe' + - '\services.exe' + - '\lsass.exe' + - '\csrss.exe' + - '\smss.exe' + - '\wininit.exe' + - '\spoolsv.exe' + - '\searchindexer.exe' + selection2: + Image|endswith: + - '\powershell.exe' + - '\cmd.exe' + selection3: + User|startswith: + - 'NT AUTHORITY\SYSTEM' + - 'AUTORITE NT\Sys' # French language settings + filter: + CommandLine|contains|all: + - ' route ' + - ' ADD ' + condition: selection1 and selection2 and selection3 and not filter fields: - - ParentImage - - Image - - User - - CommandLine + - ParentImage + - Image + - User + - CommandLine falsepositives: - - unknown + - unknown level: high 
+tags: + - attack.privilege_escalation + - attack.t1548 diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml index 75785c5ac..052a374e1 100644 --- a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml 
@@ -1,30 +1,31 @@ title: Accesschk Usage After Privilege Escalation id: c625d754-6a3d-4f65-9c9a-536aea960d37 -description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not -status: experimental +status: test +description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg date: 2020/10/13 -references: - - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg -tags: - - attack.discovery - - attack.t1069.001 +modified: 2021/11/27 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - integrity_level: - IntegrityLevel: 'Medium' - product: - Product|endswith: 'AccessChk' - description: - Description|contains: 'Reports effective permissions' - condition: integrity_level and (product or description) + integrity_level: + IntegrityLevel: 'Medium' + product: + Product|endswith: 'AccessChk' + description: + Description|contains: 'Reports effective permissions' + condition: integrity_level and (product or description) fields: - - IntegrityLevel - - Product - - Description + - IntegrityLevel + - Product + - Description falsepositives: - - System administrator Usage - - Penetration test + - System administrator Usage + - Penetration test level: high +tags: + - attack.discovery + - attack.t1069.001 
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index 73a21e295..082dc9ace 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 
@@ -1,32 +1,33 @@ title: Always Install Elevated MSI Spawned Cmd And Powershell id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa +status: test description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell -status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community -date: 2020/10/13 references: - - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg -tags: - - attack.privilege_escalation - - attack.t1548.002 + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +date: 2020/10/13 +modified: 2021/11/27 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - image: - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - parent_image: - ParentImage|contains|all: - - '\Windows\Installer\' - - 'msi' - ParentImage|endswith: - - 'tmp' - condition: image and parent_image + image: + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + parent_image: + ParentImage|contains|all: + - '\Windows\Installer\' + - 'msi' + ParentImage|endswith: + - 'tmp' + condition: image and parent_image fields: - - Image - - ParentImage + - Image + - ParentImage falsepositives: - - Penetration test -level: medium \ No newline at end of file + - Penetration test +level: medium +tags: + - attack.privilege_escalation + - attack.t1548.002 diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml index 8fa47e702..2a3b27316 100644 --- a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml +++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml 
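Review bot: The `description` line re-emitted in this hunk still reads `This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell`, which is ungrammatical and does not say what the `image` and `parent_image` selections actually match. Since the line is rewritten anyway, `description: Detects cmd.exe or powershell.exe spawned by an installer binary under \Windows\Installer\ whose name contains 'msi' and ends in 'tmp', a pattern associated with AlwaysInstallElevated abuse` would describe the selections accurately. Mentioning msiexec.exe in the description is misleading, because the rule matches the temporary installer image rather than msiexec itself.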
@@ -1,28 +1,29 @@ title: DNS Tunnel Technique from MuddyWater id: 36222790-0d43-4fe8-86e4-674b27809543 +status: test description: Detecting DNS tunnel activity for Muddywater actor author: '@caliskanfurkan_' -status: experimental -date: 2020/06/04 references: - - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/ - - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html -tags: - - attack.command_and_control - - attack.t1071 # an old one - - attack.t1071.004 + - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/ + - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html +date: 2020/06/04 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\powershell.exe' - ParentImage|endswith: - - '\excel.exe' - CommandLine|contains: - - 'DataExchange.dll' - condition: selection + selection: + Image|endswith: + - '\powershell.exe' + ParentImage|endswith: + - '\excel.exe' + CommandLine|contains: + - 'DataExchange.dll' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.command_and_control + - attack.t1071 # an old one + - attack.t1071.004 diff --git a/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml index 837cf20c1..c3cef36b1 100644 --- a/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml +++ b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml 
@@ -1,24 +1,25 @@ title: High Integrity Sdclt Process id: 40f9af16-589d-4984-b78d-8c2aec023197 +status: test description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.privilege_escalation - - attack.defense_evasion - - attack.t1548.002 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/6 + - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: 'sdclt.exe' - IntegrityLevel: 'High' - condition: selection + selection: + Image|endswith: 'sdclt.exe' + IntegrityLevel: 'High' + condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - unknown +level: medium +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1548.002 diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 365be7dcf..5b5e197b5 100644 --- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml 
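Review bot: `Image|endswith: 'sdclt.exe'` lacks the leading path separator, so it also matches any executable whose file name merely ends in `sdclt.exe`, while the companion rule in this commit (`sysmon_sdclt_child_process.yml`) uses `ParentImage|endswith: '\sdclt.exe'`. Changing the line to `Image|endswith: '\sdclt.exe'` aligns the two rules and avoids matches on differently named binaries. The value is pre-existing and only re-indented by this commit, so this is a follow-up rather than a regression.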
@@ -1,32 +1,32 @@ title: Logon Scripts (UserInitMprLogonScript) id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 -status: experimental +status: test description: Detects creation or execution of UserInitMprLogonScript persistence method -references: - - https://attack.mitre.org/techniques/T1037/ -tags: - - attack.t1037 # an old one - - attack.t1037.001 - - attack.persistence author: Tom Ueltschi (@c_APT_ure) +references: + - https://attack.mitre.org/techniques/T1037/ date: 2019/01/12 -modified: 2020/08/26 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - exec_selection: - ParentImage|endswith: '\userinit.exe' - exec_exclusion1: - Image|endswith: '\explorer.exe' - exec_exclusion2: - CommandLine|contains: - - 'netlogon.bat' - - 'UsrLogon.cmd' - create_keywords_cli: - CommandLine|contains: 'UserInitMprLogonScript' - condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli + exec_selection: + ParentImage|endswith: '\userinit.exe' + exec_exclusion1: + Image|endswith: '\explorer.exe' + exec_exclusion2: + CommandLine|contains: + - 'netlogon.bat' + - 'UsrLogon.cmd' + create_keywords_cli: + CommandLine|contains: 'UserInitMprLogonScript' + condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli falsepositives: - - exclude legitimate logon scripts - - penetration tests, red teaming + - exclude legitimate logon scripts + - penetration tests, red teaming level: high +tags: + - attack.t1037 # an old one + - attack.t1037.001 + - attack.persistence diff --git a/rules/windows/process_creation/sysmon_sdclt_child_process.yml b/rules/windows/process_creation/sysmon_sdclt_child_process.yml index 8e328a304..dcba32e7e 100644 --- a/rules/windows/process_creation/sysmon_sdclt_child_process.yml +++ b/rules/windows/process_creation/sysmon_sdclt_child_process.yml 
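Review bot: `exec_exclusion2` suppresses any `userinit.exe` child whose command line merely contains `netlogon.bat` or `UsrLogon.cmd`, so an attacker who names a malicious logon script `netlogon.bat` in a user-writable location is filtered out of the `exec_selection` path. Anchoring the exclusion on where legitimate scripts live rather than on the file name would be safer, e.g. `CommandLine|contains: '\netlogon\'` (the domain NETLOGON share path), and the limitation is worth a comment above `exec_exclusion2` such as `# filename-based exclusion; prefer matching on the NETLOGON share path`. The `create_keywords_cli` branch still catches the registry write itself, which limits the blind spot to execution.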
@@ -1,22 +1,23 @@ title: Sdclt Child Processes id: da2738f2-fadb-4394-afa7-0a0674885afa +status: test description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.privilege_escalation - - attack.t1548.002 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/6 + - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\sdclt.exe' - condition: selection + selection: + ParentImage|endswith: '\sdclt.exe' + condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - unknown +level: medium +tags: + - attack.privilege_escalation + - attack.t1548.002 diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml index 6e66c04a3..dad55bb72 100644 --- a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml +++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml 
@@ -1,23 +1,24 @@ title: Suspicious WebDav Client Execution id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 +status: test description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.exfiltration - - attack.t1048.003 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 + - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\rundll32.exe' - CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' - condition: selection + selection: + Image|endswith: '\rundll32.exe' + CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' + condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - unknown +level: medium +tags: + - attack.exfiltration + - attack.t1048.003 diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 20c216949..86145e21a 100644 --- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml 
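Review bot: The description says this detects "svchost.exe spawning rundll32.exe", but the selection checks only `Image` and `CommandLine` and never the parent; either add `ParentImage|endswith: '\svchost.exe'` to `selection` or reword the description to match what is evaluated. The `CommandLine|contains` value also hard-codes `C:\windows\system32\`, so hosts with a different system drive or a command line that uses a relative/short path are missed; `CommandLine|contains: 'davclnt.dll,DavSetCookie'` keeps the distinctive part without the path dependency.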
@@ -1,30 +1,30 @@ title: APT29 id: 033fe7d6-66d1-4240-ac6b-28908009c71f +status: test description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. -status: experimental -references: - - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html -tags: - - attack.execution - - attack.g0016 - - attack.t1086 # an old one - - attack.t1059 # an old one - - attack.t1059.001 author: Florian Roth +references: + - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ + - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html date: 2018/12/04 -modified: 2020/08/26 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - '-noni' - - '-ep' - - 'bypass' - - '$' - condition: selection + selection: + CommandLine|contains|all: + - '-noni' + - '-ep' + - 'bypass' + - '$' + condition: selection falsepositives: - - unknown + - unknown level: critical +tags: + - attack.execution + - attack.g0016 + - attack.t1086 # an old one + - attack.t1059 # an old one + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml index 97fd7e1cc..964fdd165 100644 --- a/rules/windows/process_creation/win_apt_babyshark.yml +++ b/rules/windows/process_creation/win_apt_babyshark.yml 
@@ -1,34 +1,34 @@ title: Baby Shark Activity id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35 -status: experimental +status: test description: Detects activity that could be related to Baby Shark malware -references: - - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ -tags: - - attack.execution - - attack.t1059 # an old one - - attack.t1086 # an old one - - attack.t1059.003 - - attack.t1059.001 - - attack.discovery - - attack.t1012 - - attack.defense_evasion - - attack.t1170 # an old one - - attack.t1218 # an old one - - attack.t1218.005 -logsource: - category: process_creation - product: windows author: Florian Roth +references: + - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ date: 2019/02/24 -modified: 2020/08/26 +modified: 2021/11/27 +logsource: + category: process_creation + product: windows detection: - selection: - CommandLine: - - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" - - powershell.exe mshta.exe http* - - cmd.exe /c taskkill /im cmd.exe - condition: selection + selection: + CommandLine: + - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" + - powershell.exe mshta.exe http* + - cmd.exe /c taskkill /im cmd.exe + condition: selection falsepositives: - - unknown + - unknown level: high +tags: + - attack.execution + - attack.t1059 # an old one + - attack.t1086 # an old one + - attack.t1059.003 + - attack.t1059.001 + - attack.discovery + - attack.t1012 + - attack.defense_evasion + - attack.t1170 # an old one + - attack.t1218 # an old one + - attack.t1218.005 diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index f13e874d2..c78bea144 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml 
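Review bot: The `CommandLine` values here are plain Sigma strings, which match the whole field exactly (only `*` is a wildcard), so the first and third entries fire only when the logged command line is literally `reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"` or `cmd.exe /c taskkill /im cmd.exe` with no leading image path or quoting (`"C:\Windows\system32\reg.exe" query ...` would not match), and the second needs a leading wildcard for the same reason. Changing the key to `CommandLine|contains:` with the same three values (dropping the trailing `*` from the mshta entry) would match the intended substrings regardless of how the process was invoked.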
@@ -1,38 +1,38 @@ title: Judgement Panda Credential Access Activity id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee +status: test description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike -status: experimental -references: - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth +references: + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ date: 2019/02/21 -modified: 2020/08/26 -tags: - - attack.credential_access - - attack.t1081 # an old one - - attack.t1003 # an old one - - attack.t1552.001 - - attack.t1003.003 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\xcopy.exe' - CommandLine|contains|all: - - '/S' - - '/E' - - '/C' - - '/Q' - - '/H' - - '\\' - selection2: - Image|endswith: '\adexplorer.exe' - CommandLine|contains|all: - - '-snapshot' - - '""' - - 'c:\users\' - condition: selection1 or selection2 + selection1: + Image|endswith: '\xcopy.exe' + CommandLine|contains|all: + - '/S' + - '/E' + - '/C' + - '/Q' + - '/H' + - '\\' + selection2: + Image|endswith: '\adexplorer.exe' + CommandLine|contains|all: + - '-snapshot' + - '""' + - 'c:\users\' + condition: selection1 or selection2 falsepositives: - - unknown + - unknown level: critical +tags: + - attack.credential_access + - attack.t1081 # an old one + - attack.t1003 # an old one + - attack.t1552.001 + - attack.t1003.003 diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index dedb3b2d5..79e714806 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml 
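Review bot: The last value in `selection1`, `'\\'`, is presumably meant to require a UNC target (`\\host\share`), but under the Sigma escaping rules a doubled backslash denotes a single literal backslash, so as written it matches any command line containing one backslash — i.e. effectively every `xcopy` invocation with the listed switches; confirm against the backend in use, and if a UNC prefix is intended the value needs to be `'\\\\'`. A short comment next to it (`# UNC prefix; Sigma requires \\\\ for two literal backslashes`) would keep the intent from being lost again.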
@@ -1,27 +1,28 @@ title: BlueMashroom DLL Load id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 -status: experimental +status: test description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report -references: - - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software -tags: - - attack.defense_evasion - - attack.t1117 # an old one - - attack.t1218.010 author: Florian Roth +references: + - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software date: 2019/10/02 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - CommandLine|contains|all: - - '\regsvr32' - - '\AppData\Local\' - - CommandLine|contains|all: - - '\AppData\Local\' - - ',DllEntry' - condition: selection + selection: + - CommandLine|contains|all: + - '\regsvr32' + - '\AppData\Local\' + - CommandLine|contains|all: + - '\AppData\Local\' + - ',DllEntry' + condition: selection falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.defense_evasion + - attack.t1117 # an old one + - attack.t1218.010 diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index b277ea9d7..417f1e5e9 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml 
@@ -1,29 +1,30 @@ title: WMIExec VBS Script id: 966e4016-627f-44f7-8341-f394905c361f +status: test description: Detects suspicious file execution by wscript and cscript -status: experimental author: Florian Roth -date: 2017/04/07 references: - - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf -tags: - - attack.execution - - attack.g0045 - - attack.t1064 # an old one - - attack.t1059.005 + - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf +date: 2017/04/07 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\cscript.exe' - CommandLine|contains|all: - - '.vbs' - - '/shell' - condition: selection + selection: + Image|endswith: '\cscript.exe' + CommandLine|contains|all: + - '.vbs' + - '/shell' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.execution + - attack.g0045 + - attack.t1064 # an old one + - attack.t1059.005 diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml index dc72a1aa7..4131df7e4 100755 --- a/rules/windows/process_creation/win_apt_dragonfly.yml +++ b/rules/windows/process_creation/win_apt_dragonfly.yml 
@@ -1,26 +1,27 @@ title: CrackMapExecWin id: 04d9079e-3905-4b70-ad37-6bdf11304965 +status: test description: Detects CrackMapExecWin Activity as Described by NCSC -status: experimental -references: - - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control - - https://attack.mitre.org/software/S0488/ -tags: - - attack.g0035 - - attack.credential_access - - attack.discovery - - attack.t1110 - - attack.t1087 author: Markus Neis +references: + - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control + - https://attack.mitre.org/software/S0488/ date: 2018/04/08 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\crackmapexec.exe' - condition: selection + selection: + Image|endswith: + - '\crackmapexec.exe' + condition: selection falsepositives: - - None + - None level: critical +tags: + - attack.g0035 + - attack.credential_access + - attack.discovery + - attack.t1110 + - attack.t1087 diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index 3758f698d..ad472d872 100755 --- a/rules/windows/process_creation/win_apt_elise.yml +++ b/rules/windows/process_creation/win_apt_elise.yml 
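Review bot: The rule keys solely on `Image|endswith: '\crackmapexec.exe'`, so a copy renamed before execution is invisible to it, and the `falsepositives: None` entry together with `level: critical` makes that blind spot worth stating. Where Sysmon is the source, adding a second selection on the PE metadata (e.g. `OriginalFileName: 'crackmapexec.exe'` with `condition: 1 of them`) survives a rename; at minimum the description could note `# image-name only; renamed binaries are not detected`.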
@@ -1,29 +1,29 @@ title: Elise Backdoor id: e507feb7-5f73-4ef6-a970-91bb6f6d744f -status: experimental +status: test description: Detects Elise backdoor acitivty as used by APT32 -references: - - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting -tags: - - attack.g0030 - - attack.g0050 - - attack.s0081 - - attack.execution - - attack.t1059 # an old one - - attack.t1059.003 author: Florian Roth +references: + - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting date: 2018/01/31 -modified: 2020/08/26 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image: 'C:\Windows\SysWOW64\cmd.exe' - CommandLine|contains: '\Windows\Caches\NavShExt.dll ' - selection2: - CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' - condition: 1 of them + selection1: + Image: 'C:\Windows\SysWOW64\cmd.exe' + CommandLine|contains: '\Windows\Caches\NavShExt.dll ' + selection2: + CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' + condition: 1 of them falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.g0030 + - attack.g0050 + - attack.s0081 + - attack.execution + - attack.t1059 # an old one + - attack.t1059.003 diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml index aae0f52a5..de8445e1d 100644 --- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml 
@@ -1,25 +1,25 @@ title: Emissary Panda Malware SLLauncher id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014 -status: experimental +status: test description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 -references: - - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 - - https://twitter.com/cyb3rops/status/1168863899531132929 -tags: - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1574.002 author: Florian Roth +references: + - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 + - https://twitter.com/cyb3rops/status/1168863899531132929 date: 2018/09/03 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\sllauncher.exe' - Image|endswith: '\svchost.exe' - condition: selection + selection: + ParentImage|endswith: '\sllauncher.exe' + Image|endswith: '\svchost.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1574.002 diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 5ced1c076..d2f5677ae 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml 
@@ -1,27 +1,27 @@ title: Empire Monkey id: 10152a7b-b566-438f-a33c-390b607d1c8d +status: test description: Detects EmpireMonkey APT reported Activity -status: experimental -references: - - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b -tags: - - attack.defense_evasion - - attack.t1218.010 - - attack.t1117 # an old one -date: 2019/04/02 -modified: 2020/08/27 author: Markus Neis +references: + - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b +date: 2019/04/02 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_cutil: - CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' - Image|endswith: '\cutil.exe' - selection_regsvr32: - CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' - Description: 'Microsoft(C) Registerserver' - condition: 1 of them + selection_cutil: + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Image|endswith: '\cutil.exe' + selection_regsvr32: + CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' + Description: 'Microsoft(C) Registerserver' + condition: 1 of them falsepositives: - - Very Unlikely -level: critical \ No newline at end of file + - Very Unlikely +level: critical +tags: + - attack.defense_evasion + - attack.t1218.010 + - attack.t1117 # an old one diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 92aa1e508..73646153f 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml 
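Review bot: `selection_regsvr32` relies on the `Description` field, which is populated by Sysmon's process-creation event but not by the Windows Security 4688 event, so on a 4688-only pipeline that half of the `1 of them` condition silently never matches while `logsource: category: process_creation` suggests both are supported. Either switch to `Image|endswith: '\regsvr32.exe'` (what the `Description` value `Microsoft(C) Registerserver` is standing in for) or add a comment on that line: `# requires Sysmon; Description is not present in 4688 events`.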
@@ -1,29 +1,29 @@ title: Equation Group DLL_U Load id: d465d1d8-27a2-4cca-9621-a800f37cf72e -author: Florian Roth -date: 2019/03/04 -modified: 2020/08/27 +status: test description: Detects a specific tool and export used by EquationGroup -status: experimental +author: Florian Roth references: - - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= - - https://securelist.com/apt-slingshot/84312/ - - https://twitter.com/cyb3rops/status/972186477512839170 -tags: - - attack.g0020 - - attack.defense_evasion - - attack.t1085 # an old one - - attack.t1218.011 + - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= + - https://securelist.com/apt-slingshot/84312/ + - https://twitter.com/cyb3rops/status/972186477512839170 +date: 2019/03/04 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\rundll32.exe' - CommandLine|endswith: ',dll_u' - selection2: - CommandLine|contains: ' -export dll_u ' - condition: 1 of them + selection1: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: ',dll_u' + selection2: + CommandLine|contains: ' -export dll_u ' + condition: 1 of them falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.g0020 + - attack.defense_evasion + - attack.t1085 # an old one + - attack.t1218.011 diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml index df63be5a5..2d859fc06 100644 --- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml 
@@ -1,29 +1,29 @@ title: EvilNum Golden Chickens Deployment via OCX Files id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0 -status: experimental +status: test description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020 -references: - - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ author: Florian Roth +references: + - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ + - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ date: 2020/07/10 -modified: 2020/08/27 -tags: - - attack.defense_evasion - - attack.t1085 # an old one - - attack.t1218.011 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'regsvr32' - - '/s' - - '/i' - - '\AppData\Roaming\' - - '.ocx' - condition: selection + selection: + CommandLine|contains|all: + - 'regsvr32' + - '/s' + - '/i' + - '\AppData\Roaming\' + - '.ocx' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1085 # an old one + - attack.t1218.011 diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml index 8f7f0eedd..e8169e203 100755 --- a/rules/windows/process_creation/win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml 
@@ -1,27 +1,28 @@ title: Hurricane Panda Activity id: 0eb2107b-a596-422e-b123-b389d5594ed7 -author: Florian Roth -date: 2019/03/04 -status: experimental +status: test description: Detects Hurricane Panda Activity +author: Florian Roth references: - - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ -tags: - - attack.privilege_escalation - - attack.g0009 - - attack.t1068 + - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ +date: 2019/03/04 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - CommandLine|contains|all: - - 'localgroup' - - 'admin' - - '/add' - - CommandLine|contains: - - '\Win64.exe' - condition: selection + selection: + - CommandLine|contains|all: + - 'localgroup' + - 'admin' + - '/add' + - CommandLine|contains: + - '\Win64.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.privilege_escalation + - attack.g0009 + - attack.t1068 diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index 0eb8742d9..4ac634838 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml 
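Review bot: The first alternative in `selection` — `'localgroup'`, `'admin'`, `'/add'` — matches every `net localgroup administrators <user> /add`, which is routine administrative onboarding on many estates, so the `falsepositives: Unknown` entry and `level: high` undersell how noisy this branch is; the `\Win64.exe` branch is the only part specific to the reported activity. Suggest `falsepositives: - Legitimate addition of accounts to the local Administrators group by IT staff` and, if the intent is to keep the rule group-specific, tightening the first branch with the additional context from the referenced CrowdStrike write-up rather than leaving the generic admin-add alone.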
@@ -1,38 +1,38 @@ title: Judgement Panda Exfil Activity id: 03e2746e-2b31-42f1-ab7a-eb39365b2422 +status: test description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike -status: experimental -references: - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth +references: + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ date: 2019/02/21 -modified: 2020/08/27 -tags: - - attack.lateral_movement - - attack.g0010 - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 - - attack.exfiltration - - attack.t1002 # an old one - - attack.t1560.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - - CommandLine|endswith: 'eprod.ldf' - - CommandLine|contains: - - '\ldifde.exe -f -n ' - - '\7za.exe a 1.7z ' - - '\aaaa\procdump64.exe' - - '\aaaa\netsess.exe' - - '\aaaa\7za.exe' - - 'copy .\1.7z \' - - 'copy \\client\c$\aaaa\' - selection2: - Image: C:\Users\Public\7za.exe - condition: selection1 or selection2 + selection1: + - CommandLine|endswith: 'eprod.ldf' + - CommandLine|contains: + - '\ldifde.exe -f -n ' + - '\7za.exe a 1.7z ' + - '\aaaa\procdump64.exe' + - '\aaaa\netsess.exe' + - '\aaaa\7za.exe' + - 'copy .\1.7z \' + - 'copy \\client\c$\aaaa\' + selection2: + Image: C:\Users\Public\7za.exe + condition: selection1 or selection2 falsepositives: - - unknown + - unknown level: critical +tags: + - attack.lateral_movement + - attack.g0010 + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 + - attack.exfiltration + - attack.t1002 # an old one + - attack.t1560.001 diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml index ce489eb89..ab2c43ff3 100644 
--- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml +++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml 
@@ -1,32 +1,33 @@ title: Ke3chang Registry Key Modifications id: 7b544661-69fc-419f-9a59-82ccc328f205 -status: experimental +status: test description: Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020 +author: Markus Neis, Swisscom references: - - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ -tags: - - attack.g0004 - - attack.defense_evasion - - attack.t1089 # an old one - - attack.t1562.001 -author: Markus Neis, Swisscom + - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf + - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ date: 2020/06/18 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: + selection1: # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. # Setting these registry keys is unique to the Ke3chang and TidePool malware families. 
# HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden - CommandLine|contains: - - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force' - - '-Property String -name Check_Associations -value' - - '-Property DWORD -name IEHarden -value 0 -Force' - condition: selection1 + CommandLine|contains: + - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force' + - '-Property String -name Check_Associations -value' + - '-Property DWORD -name IEHarden -value 0 -Force' + condition: selection1 falsepositives: - - Will need to be looked for combinations of those processes + - Will need to be looked for combinations of those processes level: critical +tags: + - attack.g0004 + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index 41edce51f..53f793c7f 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml 
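Review bot: The `CommandLine|contains` values only match the PowerShell cmdlet syntax (`-Property DWORD -name IEHarden -value 0 -Force`), so the same registry keys set through `reg.exe add ... /v IEHarden /t REG_DWORD /d 0` or a registry API call would not be seen, while the inline comment claims that setting these keys "is unique to the Ke3chang and TidePool malware families" without that qualification. A comment above the selection such as `# matches the PowerShell Set-/New-ItemProperty form used by the samples; reg.exe and API writes are not covered` would make the coverage explicit, and a registry_event rule would be the natural companion for the other paths. The `falsepositives` text ("Will need to be looked for combinations of those processes") is also hard to parse and could be replaced with `- Unlikely; these three keys are not normally set together by administrators`.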
@@ -1,28 +1,29 @@ title: Lazarus Session Highjacker id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b +status: test description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff) -status: experimental -references: - - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf -tags: - - attack.defense_evasion - - attack.t1036 # an old one - - attack.t1036.005 author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) +references: + - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf date: 2020/06/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\msdtc.exe' - - '\gpvc.exe' - filter: - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - condition: selection and not filter + selection: + Image|endswith: + - '\msdtc.exe' + - '\gpvc.exe' + filter: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: selection and not filter falsepositives: - - unknown + - unknown level: high +tags: + - attack.defense_evasion + - attack.t1036 # an old one + - attack.t1036.005 diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index 2ed3d867c..c1bac606d 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml 
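Review bot: The `filter` uses `Image|startswith` on `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, which suppresses any `msdtc.exe`/`gpvc.exe` placed in a subdirectory of those trees — several of which are writable by non-administrators (e.g. `C:\Windows\System32\Tasks\`, `C:\Windows\System32\spool\drivers\color\`) — so a copy at `C:\Windows\System32\Tasks\msdtc.exe` is filtered out. Matching the legitimate full paths exactly closes that gap: `Image: - 'C:\Windows\System32\msdtc.exe' - 'C:\Windows\SysWOW64\msdtc.exe'` (and the two `gpvc.exe` paths). The hard-coded `C:` also means hosts with another system drive would alert on every legitimate start; a `contains` on `':\Windows\System32\msdtc.exe'` would avoid that if full-path matching is kept.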
@@ -1,37 +1,38 @@ title: Mustang Panda Dropper id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00 -status: experimental +status: test description: Detects specific process parameters as used by Mustang Panda droppers author: Florian Roth, oscd.community -date: 2019/10/30 references: - - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ - - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/ - - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations + - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ + - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/ + - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations +date: 2019/10/30 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - - CommandLine|contains: - - 'Temp\wtask.exe /create' - - '%windir:~-3,1%%PUBLIC:~-9,1%' - - '/tn "Security Script ' - - '%windir:~-1,1%' - - CommandLine|contains|all: - - '/E:vbscript' - - 'C:\Users\' - - '.txt' - - '/F' - selection2: - Image|endswith: 'Temp\winwsh.exe' - condition: 1 of them + selection1: + - CommandLine|contains: + - 'Temp\wtask.exe /create' + - '%windir:~-3,1%%PUBLIC:~-9,1%' + - '/tn "Security Script ' + - '%windir:~-1,1%' + - CommandLine|contains|all: + - '/E:vbscript' + - 'C:\Users\' + - '.txt' + - '/F' + selection2: + Image|endswith: 'Temp\winwsh.exe' + condition: 1 of them fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.t1587.001 - - attack.resource_development \ No newline at end of file + - attack.t1587.001 + - attack.resource_development 
diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml index 56823a59e..f337f4580 100755 --- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml +++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml @@ -1,25 +1,25 @@ title: Ps.exe Renamed SysInternals Tool id: 18da1007-3f26-470f-875d-f77faf1cab31 +status: test description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report -status: experimental -references: - - https://www.us-cert.gov/ncas/alerts/TA17-293A -tags: - - attack.defense_evasion - - attack.g0035 - - attack.t1036 # an old one - - attack.t1036.003 - - car.2013-05-009 author: Florian Roth +references: + - https://www.us-cert.gov/ncas/alerts/TA17-293A date: 2017/10/22 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: 'ps.exe -accepteula' - condition: selection + selection: + CommandLine: 'ps.exe -accepteula' + condition: selection falsepositives: - - Renamed SysInternals tool -level: high \ No newline at end of file + - Renamed SysInternals tool +level: high +tags: + - attack.defense_evasion + - attack.g0035 + - attack.t1036 # an old one + - attack.t1036.003 + - car.2013-05-009 diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml index 45b38a584..3115b3104 100644 --- a/rules/windows/process_creation/win_apt_taidoor.yml +++ b/rules/windows/process_creation/win_apt_taidoor.yml 
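Review bot: `CommandLine: 'ps.exe -accepteula'` in the new `selection` is an exact-match condition (no modifier), so it only fires when the entire command line is literally that string; a real invocation normally carries the full image path and further arguments (target, credentials, the command to run) and would not match at all. The wording of the rule reads as a substring test, so `CommandLine|contains: 'ps.exe -accepteula'` — or an `Image|endswith: '\ps.exe'` paired with `CommandLine|contains: '-accepteula'` — is what the detection appears to intend. The commit only reorders the metadata here and leaves the condition untouched.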
@@ -1,30 +1,31 @@ title: TAIDOOR RAT DLL Load id: d1aa3382-abab-446f-96ea-4de52908210b -status: experimental +status: test description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load -references: - - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a author: Florian Roth +references: + - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a date: 2020/07/30 -tags: - - attack.execution - - attack.t1055 # an old one - - attack.t1055.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: - - 'dll,MyStart' - - 'dll MyStart' - selection2a: - CommandLine|endswith: - - ' MyStart' - selection2b: - CommandLine|contains: - - 'rundll32.exe' - condition: selection1 or ( selection2a and selection2b ) + selection1: + CommandLine|contains: + - 'dll,MyStart' + - 'dll MyStart' + selection2a: + CommandLine|endswith: + - ' MyStart' + selection2b: + CommandLine|contains: + - 'rundll32.exe' + condition: selection1 or ( selection2a and selection2b ) falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.execution + - attack.t1055 # an old one + - attack.t1055.001 diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml index f742d136c..c30876f52 100644 --- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml +++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml 
@@ -1,34 +1,34 @@ title: Turla Group Commands May 2020 id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c -status: experimental +status: test description: Detects commands used by Turla group as reported by ESET in May 2020 -references: - - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf -tags: - - attack.g0010 - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 - - attack.t1053 # an old one - - attack.t1053.005 - - attack.t1027 author: Florian Roth +references: + - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf date: 2020/05/26 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -falsepositives: - - Unknown + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: - - 'tracert -h 10 yahoo.com' - - '.WSqmCons))|iex;' - - 'Fr`omBa`se6`4Str`ing' - selection2: - CommandLine|contains|all: - - 'net use https://docs.live.net' - - '@aol.co.uk' - condition: 1 of them + selection1: + CommandLine|contains: + - 'tracert -h 10 yahoo.com' + - '.WSqmCons))|iex;' + - 'Fr`omBa`se6`4Str`ing' + selection2: + CommandLine|contains|all: + - 'net use https://docs.live.net' + - '@aol.co.uk' + condition: 1 of them +falsepositives: + - Unknown level: critical +tags: + - attack.g0010 + - attack.execution + - attack.t1086 # an old one + - attack.t1059.001 + - attack.t1053 # an old one + - attack.t1053.005 + - attack.t1027 diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml index bf55b402a..1994397ba 100644 --- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml 
@@ -1,37 +1,38 @@ title: Winnti Malware HK University Campaign id: 3121461b-5aa0-4a41-b910-66d25524edbb -status: experimental +status: test description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities -references: - - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ -tags: - - attack.defense_evasion - - attack.t1574.002 - - attack.t1073 # an old one - - attack.g0044 author: Florian Roth, Markus Neis +references: + - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ date: 2020/02/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - ParentImage|contains: - - 'C:\Windows\Temp' - - '\hpqhvind.exe' - Image|startswith: 'C:\ProgramData\DRM' - selection2: - ParentImage|startswith: 'C:\ProgramData\DRM' - Image|endswith: '\wmplayer.exe' - selection3: - ParentImage|endswith: '\Test.exe' - Image|endswith: '\wmplayer.exe' - selection4: - Image: 'C:\ProgramData\DRM\CLR\CLR.exe' - selection5: - ParentImage|startswith: 'C:\ProgramData\DRM\Windows' - Image|endswith: '\SearchFilterHost.exe' - condition: 1 of them + selection1: + ParentImage|contains: + - 'C:\Windows\Temp' + - '\hpqhvind.exe' + Image|startswith: 'C:\ProgramData\DRM' + selection2: + ParentImage|startswith: 'C:\ProgramData\DRM' + Image|endswith: '\wmplayer.exe' + selection3: + ParentImage|endswith: '\Test.exe' + Image|endswith: '\wmplayer.exe' + selection4: + Image: 'C:\ProgramData\DRM\CLR\CLR.exe' + selection5: + ParentImage|startswith: 'C:\ProgramData\DRM\Windows' + Image|endswith: '\SearchFilterHost.exe' + condition: 1 of them falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.defense_evasion + - attack.t1574.002 + - attack.t1073 # an old one + - attack.g0044 
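Review bot: The description kept on the new side still reads `Honk Kong universities`; since this file is rewritten anyway, the typo should go with it: `description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities`. Separately, `selection4` and the `Image|startswith`/`ParentImage|startswith: 'C:\ProgramData\DRM…'` clauses pin the system drive to `C:`, so a host whose ProgramData lives on another volume is presumably not covered — probably acceptable for a campaign-specific rule, but worth a `# assumes system drive C:` comment next to selection4.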
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index fb055f88e..3dba59566 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -1,31 +1,32 @@ title: Winnti Pipemon Characteristics id: 73d70463-75c9-4258-92c6-17500fe972f2 -status: experimental +status: test description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET -references: - - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ -tags: - - attack.defense_evasion - - attack.t1574.002 - - attack.t1073 # an old one - - attack.g0044 author: Florian Roth, oscd.community +references: + - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ date: 2020/07/30 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: - - 'setup0.exe -p' - selection2: - CommandLine|contains|all: - - 'setup.exe' - CommandLine|endswith: - - '-x:0' - - '-x:1' - - '-x:2' - condition: 1 of them + selection1: + CommandLine|contains: + - 'setup0.exe -p' + selection2: + CommandLine|contains|all: + - 'setup.exe' + CommandLine|endswith: + - '-x:0' + - '-x:1' + - '-x:2' + condition: 1 of them falsepositives: - - Legitimate setups that use similar flags + - Legitimate setups that use similar flags level: critical +tags: + - attack.defense_evasion + - attack.t1574.002 + - attack.t1073 # an old one + - attack.g0044 diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index 9aeb6d8c3..b28bdae32 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml 
@@ -1,35 +1,35 @@ title: ZxShell Malware id: f0b70adb-0075-43b0-9745-e82a1c608fcc +status: test description: Detects a ZxShell start by the called and well-known function name -status: experimental author: Florian Roth, oscd.community, Jonhnathan Ribeiro -date: 2017/07/20 -modified: 2020/08/26 references: - - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 -tags: - - attack.execution - - attack.t1059.003 - - attack.t1059 # an old one - - attack.defense_evasion - - attack.t1218.011 - - attack.t1085 # an old one - - attack.s0412 - - attack.g0001 + - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 +date: 2017/07/20 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\rundll32.exe' - CommandLine|contains: - - 'zxFunction' - - 'RemoteDiskXXXXX' - condition: selection + selection: + Image|endswith: + - '\rundll32.exe' + CommandLine|contains: + - 'zxFunction' + - 'RemoteDiskXXXXX' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.execution + - attack.t1059.003 + - attack.t1059 # an old one + - attack.defense_evasion + - attack.t1218.011 + - attack.t1085 # an old one + - attack.s0412 + - attack.g0001 diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml index ca50c3bc1..f25853f7e 100644 --- a/rules/windows/process_creation/win_attrib_hiding_files.yml +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml 
@@ -1,33 +1,33 @@ title: Hiding Files with Attrib.exe id: 4281cb20-2994-4580-aa63-c8b86d019934 -status: experimental +status: test description: Detects usage of attrib.exe to hide files from users. author: Sami Ruohonen date: 2019/01/16 -modified: 2020/08/27 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\attrib.exe' - CommandLine|contains: ' +h ' - ini: - CommandLine|contains: '\desktop.ini ' - intel: - ParentImage|endswith: '\cmd.exe' - CommandLine: +R +H +S +A \\*.cui - ParentCommandLine: C:\WINDOWS\system32\\*.bat - condition: selection and not (ini or intel) + selection: + Image|endswith: '\attrib.exe' + CommandLine|contains: ' +h ' + ini: + CommandLine|contains: '\desktop.ini ' + intel: + ParentImage|endswith: '\cmd.exe' + CommandLine: +R +H +S +A \\*.cui + ParentCommandLine: C:\WINDOWS\system32\\*.bat + condition: selection and not (ini or intel) fields: - - CommandLine - - ParentCommandLine - - User -tags: - - attack.defense_evasion - - attack.t1564.001 - - attack.t1158 # an old one + - CommandLine + - ParentCommandLine + - User falsepositives: - - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - - msiexec.exe hiding desktop.ini + - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - msiexec.exe hiding desktop.ini level: low +tags: + - attack.defense_evasion + - attack.t1564.001 + - attack.t1158 # an old one diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index 54238917e..92f3ef35d 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml 
@@ -1,36 +1,35 @@ title: Modification of Boot Configuration id: 1444443e-6757-43e4-9ea4-c8fc705f79a2 -description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive - technique. -status: experimental +status: test +description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -date: 2019/10/24 -modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md - - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html -tags: - - attack.impact - - attack.t1490 + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md + - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html +date: 2019/10/24 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: \bcdedit.exe - CommandLine|contains: set - selection2: - - CommandLine|contains|all: - - bootstatuspolicy - - ignoreallfailures - - CommandLine|contains|all: - - recoveryenabled - - 'no' - condition: selection1 and selection2 + selection1: + Image|endswith: \bcdedit.exe + CommandLine|contains: set + selection2: + - CommandLine|contains|all: + - bootstatuspolicy + - ignoreallfailures + - CommandLine|contains|all: + - recoveryenabled + - 'no' + condition: selection1 and selection2 fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unlikely + - Unlikely level: high +tags: + - attack.impact + - attack.t1490 
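Review bot: The re-flowed description on the new side still carries the garbled phrase `used as by malware or an attacker`; since the commit already joins the two description lines, it should read `description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.` The quoting of `- 'no'` in `selection2` must stay as is — unquoted `no` would be parsed by YAML as boolean false rather than the substring the rule needs — which deserves a short `# quoted: YAML would read a bare no as false` comment so a later tidy-up does not strip it.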
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index a5422e5f6..928f9aea7 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml 
@@ -1,41 +1,41 @@ title: SquiblyTwo id: 8d63dadf-b91b-4187-87b6-34a1114577ea -status: experimental +status: test description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash -references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 -tags: - - attack.defense_evasion - - attack.t1047 - - attack.t1220 - - attack.execution - - attack.t1059.005 - - attack.t1059.007 - - attack.t1059 # an old one author: Markus Neis / Florian Roth +references: + - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/mattifestation/status/986280382042595328 date: 2019/01/16 -modified: 2020/08/27 -falsepositives: - - Unknown -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: - - '\wmic.exe' - CommandLine|contains|all: - - wmic - - format - - http - selection2: - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - CommandLine|contains|all: - - 'format:' - - 'http' - condition: 1 of them + selection1: + Image|endswith: + - '\wmic.exe' + CommandLine|contains|all: + - wmic + - format + - http + selection2: + Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + CommandLine|contains|all: + - 'format:' + - 'http' + condition: 1 of them +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1047 + - attack.t1220 + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - attack.t1059 # an old one diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml index 06ca7b033..39ead0991 100644 
--- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/win_change_default_file_association.yml @@ -1,34 +1,34 @@ title: Change Default File Association id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 -status: experimental +status: test description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. author: Timur Zinniatullin, oscd.community -date: 2019/10/21 -modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md +date: 2019/10/21 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'cmd' - - '/c' - - 'assoc' - condition: selection -falsepositives: - - Admin activity + selection: + CommandLine|contains|all: + - 'cmd' + - '/c' + - 'assoc' + condition: selection fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine + - Image + - CommandLine + - User + - LogonGuid + - Hashes + - ParentProcessGuid + - ParentCommandLine +falsepositives: + - Admin activity level: low tags: - - attack.persistence - - attack.t1546.001 - - attack.t1042 # an old one + - attack.persistence + - attack.t1546.001 + - attack.t1042 # an old one 
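Review bot: The bare token `assoc` under `CommandLine|contains|all` on the new side also matches any `cmd /c` command line that merely contains the substring inside a path or word (for example a `...\Associations\...` path), which is likely a large part of the `Admin activity` noise this rule is rated `low` for. Bounding the token, e.g. `- ' assoc '`, keeps the intended `assoc .ext=handler` form while dropping the incidental hits; the commit only reorders fields here and leaves the selection as it was.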
diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml index bb53e9173..8269020da 100644 --- a/rules/windows/process_creation/win_class_exec_xwizard.yml +++ b/rules/windows/process_creation/win_class_exec_xwizard.yml @@ -1,22 +1,23 @@ title: Custom Class Execution via Xwizard id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff -status: experimental +status: test description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' references: - - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ -author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' + - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ date: 2020/10/07 -tags: - - attack.defense_evasion - - attack.t1218 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\xwizard.exe' - CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' - condition: selection + selection: + Image|endswith: '\xwizard.exe' + CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + condition: selection falsepositives: - - Unknown + - Unknown level: medium +tags: + - attack.defense_evasion + - attack.t1218 diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml index 589a2a18d..65790fd31 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal.yml +++ b/rules/windows/process_creation/win_commandline_path_traversal.yml 
@@ -1,26 +1,27 @@ title: Cmd.exe CommandLine Path Traversal id: 087790e3-3287-436c-bccf-cbd0184a7db1 +status: test description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking -status: experimental -date: 2020/06/11 author: xknow @xknow_infosec references: - - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ - - https://twitter.com/Oddvarmoe/status/1270633613449723905 -tags: - - attack.execution - - attack.t1059.003 - - attack.t1059 # an old one + - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ + - https://twitter.com/Oddvarmoe/status/1270633613449723905 +date: 2020/06/11 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentCommandLine|contains|all: - - 'cmd' - - '/c' - CommandLine|contains: '/../../' - condition: selection + selection: + ParentCommandLine|contains|all: + - 'cmd' + - '/c' + CommandLine|contains: '/../../' + condition: selection falsepositives: - - (not much) some benign Java tools may product false-positive commandlines for loading libraries + - (not much) some benign Java tools may product false-positive commandlines for loading libraries level: high +tags: + - attack.execution + - attack.t1059.003 + - attack.t1059 # an old one diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml index 998999319..4df407744 100644 --- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml +++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml 
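Review bot: The falsepositives entry on the new side keeps the typo `may product false-positive commandlines`; suggest `- (not much) some benign Java tools may produce false-positive command lines for loading libraries`. The description is also the only one in this commit that starts lowercase (`detects the usage…`); `description: Detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking` would match the convention used by every other rule touched here.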
@@ -1,43 +1,43 @@ title: Copying Sensitive Files with Credential Data id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f +status: test description: Files with well-known filenames (sensitive files with credential data) copying -status: experimental author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2019/10/22 -modified: 2019/11/13 references: - - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ -tags: - - attack.credential_access - - attack.t1003.002 - - attack.t1003.003 - - attack.t1003 # an old one - - car.2013-07-001 - - attack.s0404 + - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +date: 2019/10/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Image|endswith: '\esentutl.exe' - CommandLine|contains: - - 'vss' - - ' /m ' - - ' /y ' - - CommandLine|contains: - - '\windows\ntds\ntds.dit' - - '\config\sam' - - '\config\security' - - '\config\system ' # space needed to avoid false positives with \config\systemprofile\ - - '\repair\sam' - - '\repair\system' - - '\repair\security' - - '\config\RegBack\sam' - - '\config\RegBack\system' - - '\config\RegBack\security' - condition: selection + selection: + - Image|endswith: '\esentutl.exe' + CommandLine|contains: + - 'vss' + - ' /m ' + - ' /y ' + - CommandLine|contains: + - '\windows\ntds\ntds.dit' + - '\config\sam' + - '\config\security' + - '\config\system ' # space needed to avoid false positives with 
\config\systemprofile\ + - '\repair\sam' + - '\repair\system' + - '\repair\security' + - '\config\RegBack\sam' + - '\config\RegBack\system' + - '\config\RegBack\security' + condition: selection falsepositives: - - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator -level: high \ No newline at end of file + - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator +level: high +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.003 + - attack.t1003 # an old one + - car.2013-07-001 + - attack.s0404 diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml index 53977514b..1b4bfd5c4 100755 --- a/rules/windows/process_creation/win_crime_fireball.yml +++ b/rules/windows/process_creation/win_crime_fireball.yml 
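Review bot: `- '\config\system '` on the new side relies on a trailing space to avoid `\config\systemprofile\`, but that same space means the pattern never matches when the SYSTEM hive path is the last token of the command line (nothing follows it), e.g. a bare `copy … \config\system`; the `\config\sam` and `\config\security` entries have no such blind spot. Adding a second list entry `- CommandLine|endswith: '\config\system'` to the OR-list under `selection` closes the gap without re-admitting systemprofile. The falsepositives line on the new side also still misspells `invetigator` (`investigator`). This hunk spans two physical lines because the inline comment was split mid-sentence.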
@@ -1,30 +1,30 @@ title: Fireball Archer Install id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d -status: experimental +status: test description: Detects Archer malware invocation via rundll32 author: Florian Roth -date: 2017/06/03 -modified: 2020/08/29 references: - - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ - - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 -tags: - - attack.execution - - attack.defense_evasion - - attack.t1218.011 - - attack.t1085 # an old one + - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ + - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 +date: 2017/06/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'rundll32.exe' - - 'InstallArcherSvc' - condition: selection + selection: + CommandLine|contains|all: + - 'rundll32.exe' + - 'InstallArcherSvc' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218.011 + - attack.t1085 # an old one diff --git a/rules/windows/process_creation/win_crime_snatch_ransomware.yml b/rules/windows/process_creation/win_crime_snatch_ransomware.yml index 4831c8582..5c8925184 100644 --- a/rules/windows/process_creation/win_crime_snatch_ransomware.yml +++ b/rules/windows/process_creation/win_crime_snatch_ransomware.yml 
@@ -1,28 +1,29 @@ title: Snatch Ransomware id: 5325945e-f1f0-406e-97b8-65104d393fff -status: experimental +status: test description: Detects specific process characteristics of Snatch ransomware word document droppers -references: - - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ author: Florian Roth +references: + - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ date: 2020/08/26 -tags: - - attack.execution - - attack.t1204 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: # Shutdown in safe mode immediately - selection: - CommandLine|contains: - - 'shutdown /r /f /t 00' - - 'net stop SuperBackupMan' - condition: selection + selection: + CommandLine|contains: + - 'shutdown /r /f /t 00' + - 'net stop SuperBackupMan' + condition: selection fields: - - ComputerName - - User - - Image + - ComputerName + - User + - Image falsepositives: - - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely + - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely level: critical +tags: + - attack.execution + - attack.t1204 diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index 344b670c5..5f773d70e 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml 
@@ -1,34 +1,34 @@ title: Data Compressed - rar.exe id: 6f3e2987-db24-4c78-a860-b4f4095a7095 -status: experimental +status: test description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, E.M. Anhaus, oscd.community -date: 2019/10/21 -modified: 2020/08/29 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md - - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html +date: 2019/10/21 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\rar.exe' - CommandLine|contains: ' a ' - condition: selection + selection: + Image|endswith: '\rar.exe' + CommandLine|contains: ' a ' + condition: selection fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine + - Image + - CommandLine + - User + - LogonGuid + - Hashes + - ParentProcessGuid + - ParentCommandLine falsepositives: - - Highly likely if rar is a default archiver in the monitored environment. + - Highly likely if rar is a default archiver in the monitored environment. level: low tags: - - attack.exfiltration # an old one - - attack.t1002 # an old one - - attack.collection - - attack.t1560.001 + - attack.exfiltration # an old one + - attack.t1002 # an old one + - attack.collection + - attack.t1560.001 diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml index 478b80d63..6d32387c5 100644 
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -1,27 +1,27 @@ title: DNS Exfiltration and Tunneling Tools Execution id: 98a96a5a-64a0-4c42-92c5-489da3866cb0 +status: test description: Well-known DNS Exfiltration tools execution -status: experimental author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/29 -tags: - - attack.exfiltration - - attack.t1048.001 - - attack.t1048 # an old one - - attack.command_and_control - - attack.t1071.004 - - attack.t1071 # an old one - - attack.t1132.001 - - attack.t1132 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Image|endswith: '\iodine.exe' - - Image|contains: '\dnscat2' - condition: selection + selection: + - Image|endswith: '\iodine.exe' + - Image|contains: '\dnscat2' + condition: selection falsepositives: - - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely) + - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely) level: high +tags: + - attack.exfiltration + - attack.t1048.001 + - attack.t1048 # an old one + - attack.command_and_control + - attack.t1071.004 + - attack.t1071 # an old one + - attack.t1132.001 + - attack.t1132 # an old one diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml index b941e2f99..9c8bc98d7 100644 --- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml +++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml 
@@ -1,32 +1,33 @@ title: DNSCat2 Powershell Implementation Detection Via Process Creation id: b11d75d6-d7c1-11ea-87d0-0242ac130003 -status: experimental +status: test description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. author: Cian Heasley references: - - https://github.com/lukebaggett/dnscat2-powershell - - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html - - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html + - https://github.com/lukebaggett/dnscat2-powershell + - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html + - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html date: 2020/08/08 -tags: - - attack.command_and_control - - attack.t1071 - - attack.t1071.004 - - attack.t1001.003 - - attack.t1041 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\powershell.exe' - Image|endswith: '\nslookup.exe' - CommandLine|endswith: '\nslookup.exe' - condition: selection | count(Image) by ParentImage > 100 + selection: + ParentImage|endswith: '\powershell.exe' + Image|endswith: '\nslookup.exe' + CommandLine|endswith: '\nslookup.exe' + condition: selection | count(Image) by ParentImage > 100 fields: - - Image - - CommandLine - - ParentImage + - Image + - CommandLine + - ParentImage falsepositives: - - Other powershell scripts that call nslookup.exe + - Other powershell scripts that call nslookup.exe level: high +tags: + - attack.command_and_control + - attack.t1071 + - attack.t1071.004 + - attack.t1001.003 + - attack.t1041 diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml index d031d9b16..cf8eab19a 100644 
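Review bot: The aggregation `condition: selection | count(Image) by ParentImage > 100` carries no `timeframe` key, so the window over which nslookup children are counted is left to each backend's default and the threshold of 100 means something different on every SIEM. Adding `timeframe: 5m` (or whatever window the rule was tuned against) under `detection` pins the intent. The `CommandLine|endswith: '\nslookup.exe'` line only matches an invocation with no arguments at all; that reads as deliberate but is not explained, so a one-line comment such as `# argument-less nslookup is the signature; queries are fed another way` (confirm against the referenced implementation) would stop the next reader from "fixing" it.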
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml +++ b/rules/windows/process_creation/win_encoded_frombase64string.yml @@ -1,25 +1,26 @@ title: Encoded FromBase64String id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c -status: experimental +status: test description: Detects a base64 encoded FromBase64String keyword in a process command line author: Florian Roth date: 2019/08/24 -tags: - - attack.defense_evasion - - attack.t1140 - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|base64offset|contains: '::FromBase64String' - condition: selection + selection: + CommandLine|base64offset|contains: '::FromBase64String' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: critical +tags: + - attack.defense_evasion + - attack.t1140 + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml index 969bb661d..ce729589d 100644 --- a/rules/windows/process_creation/win_encoded_iex.yml +++ b/rules/windows/process_creation/win_encoded_iex.yml 
@@ -1,28 +1,28 @@ title: Encoded IEX id: 88f680b8-070e-402c-ae11-d2914f2257f1 -status: experimental +status: test description: Detects a base64 encoded IEX command string in a process command line author: Florian Roth date: 2019/08/23 -modified: 2020/08/29 -tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|base64offset|contains: - - 'IEX ([' - - 'iex ([' - - 'iex (New' - - 'IEX (New' - condition: selection + selection: + CommandLine|base64offset|contains: + - 'IEX ([' + - 'iex ([' + - 'iex (New' + - 'IEX (New' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: critical +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_etw_modification_cmdline.yml b/rules/windows/process_creation/win_etw_modification_cmdline.yml index 7a75421de..16252c8da 100644 --- a/rules/windows/process_creation/win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/win_etw_modification_cmdline.yml @@ -1,7 +1,8 @@ title: COMPlus_ETWEnabled Command Line Arguments id: 41421f44-58f9-455d-838a-c398859841d4 -status: experimental +status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr 
@@ -12,19 +13,18 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2020/08/29 -tags: - - attack.defense_evasion - - attack.t1562 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' - condition: selection + selection: + CommandLine|contains: 'COMPlus_ETWEnabled=0' + condition: selection falsepositives: - - unknown -level: critical \ No newline at end of file + - unknown +level: critical +tags: + - attack.defense_evasion + - attack.t1562 diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml index 6fef5224c..e33112a82 100644 --- a/rules/windows/process_creation/win_etw_trace_evasion.yml +++ b/rules/windows/process_creation/win_etw_trace_evasion.yml 
@@ -1,57 +1,58 @@ title: Disable of ETW Trace id: a238b5d0-ce2d-4414-a676-7a531b3d13d6 +status: test description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. -status: experimental -references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil - - https://abuse.io/lockergoga.txt - - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community' +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil + - https://abuse.io/lockergoga.txt + - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 date: 2019/03/22 -tags: - - attack.defense_evasion - - attack.t1070 - - attack.t1562.006 - - car.2016-04-002 -level: high +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_clear_1: - CommandLine|contains|all: - - 'cl' - - '/Trace' - selection_clear_2: - CommandLine|contains|all: - - 'clear-log' - - '/Trace' - selection_disable_1: - CommandLine|contains|all: - - 'sl' - - '/e:false' - selection_disable_2: - CommandLine|contains|all: - - 'set-log' - - '/e:false' - selection_disable_3: #Autologger provider removal - CommandLine|contains|all: - - 'Remove-EtwTraceProvider' - - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' - - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' - selection_disable_4: #Provider “Enable” property modification - CommandLine|contains|all: - - 'Set-EtwTraceProvider' - - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' - - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' - - '0x11' - selection_disable_5: #ETW provider removal from a trace session - CommandLine|contains|all: - - "logman" - - "update" - - "trace" - - "--p" - - "-ets" - condition: 1 of them + 
selection_clear_1: + CommandLine|contains|all: + - 'cl' + - '/Trace' + selection_clear_2: + CommandLine|contains|all: + - 'clear-log' + - '/Trace' + selection_disable_1: + CommandLine|contains|all: + - 'sl' + - '/e:false' + selection_disable_2: + CommandLine|contains|all: + - 'set-log' + - '/e:false' + selection_disable_3: #Autologger provider removal + CommandLine|contains|all: + - 'Remove-EtwTraceProvider' + - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' + - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' + selection_disable_4: #Provider “Enable” property modification + CommandLine|contains|all: + - 'Set-EtwTraceProvider' + - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' + - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' + - '0x11' + selection_disable_5: #ETW provider removal from a trace session + CommandLine|contains|all: + - "logman" + - "update" + - "trace" + - "--p" + - "-ets" + condition: 1 of them falsepositives: - - Unknown + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1070 + - attack.t1562.006 + - car.2016-04-002 diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml index f33ab3dec..e8bdeabe3 100644 --- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml 
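Review bot: `selection_clear_1` and `selection_disable_1` key on the two-letter substrings `'cl'` and `'sl'`, which occur inside countless ordinary words (`include`, `class`, `slmgr`), so in practice only the `/Trace` and `/e:false` tokens carry those selections and they are far looser than their names suggest. Since the behavior described is wevtutil usage (first reference), anchoring the four wevtutil selections with `Image|endswith: '\wevtutil.exe'`, or matching the verbs with their surrounding spaces (`' cl '`, `' sl '`), would make them as specific as the PowerShell and logman selections already are. The hunk begins on the previous line; the point applies to the whole `detection` block.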
@@ -1,28 +1,28 @@ title: Exfiltration and Tunneling Tools Execution id: c75309a3-59f8-4a8d-9c2c-4c927ad50555 +status: test description: Execution of well known tools for data exfiltration and tunneling -status: experimental author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2020/08/29 -tags: - - attack.exfiltration - - attack.command_and_control - - attack.t1043 # an old one - - attack.t1041 - - attack.t1572 - - attack.t1071.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\plink.exe' - - '\socat.exe' - - '\stunnel.exe' - - '\httptunnel.exe' - condition: selection + selection: + Image|endswith: + - '\plink.exe' + - '\socat.exe' + - '\stunnel.exe' + - '\httptunnel.exe' + condition: selection falsepositives: - - Legitimate Administrator using tools + - Legitimate Administrator using tools level: medium +tags: + - attack.exfiltration + - attack.command_and_control + - attack.t1043 # an old one + - attack.t1041 + - attack.t1572 + - attack.t1071.001 diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml index 0a4f43d3b..058135789 100644 --- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml 
@@ -1,24 +1,25 @@ title: Exploit for CVE-2015-1641 id: 7993792c-5ce2-4475-a3db-a3a5539827ef -status: experimental +status: test description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 -references: - - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ - - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 author: Florian Roth +references: + - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ + - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 date: 2018/02/22 -tags: - - attack.defense_evasion - - attack.t1036.005 - - attack.t1036 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\WINWORD.EXE' - Image|endswith: '\MicroScMgmt.exe' - condition: selection + selection: + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\MicroScMgmt.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1036.005 + - attack.t1036 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml index bdc45eabb..6f646ada8 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml 
@@ -1,12 +1,23 @@ title: Exploit for CVE-2017-0261 id: 864403a1-36c9-40a2-a982-4c9a45f7d833 -status: experimental +status: test description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 -references: - - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html author: Florian Roth +references: + - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html date: 2018/02/22 -modified: 2020/08/29 +modified: 2021/11/27 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\WINWORD.EXE' + Image|contains: '\FLTLDR.exe' + condition: selection +falsepositives: + - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) +level: medium tags: - attack.execution - attack.t1203 @@ -15,14 +26,3 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 # an old one -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage|endswith: '\WINWORD.EXE' - Image|contains: '\FLTLDR.exe' - condition: selection -falsepositives: - - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) -level: medium diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml index a21fcfead..97816d3eb 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml 
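Review bot: `Image|contains: '\FLTLDR.exe'` is the one child-image match in this family written with `contains`; the sibling rules touched by the same commit (`win_exploit_cve_2015_1641.yml`, `win_exploit_cve_2017_8759.yml`) use `Image|endswith`. Unless a path with something after `.exe` is actually expected, `Image|endswith: '\FLTLDR.exe'` keeps the three rules consistent and slightly tighter. The `tags` list of this file is split across the two hunks, so the section is only reordered, not changed.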
@@ -1,30 +1,30 @@ title: Droppers Exploiting CVE-2017-11882 id: 678eb5f4-8597-4be6-8be7-905e4234b53a -status: experimental +status: test description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe -references: - - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw author: Florian Roth +references: + - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 + - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw date: 2017/11/23 -modified: 2020/08/29 -tags: - - attack.execution - - attack.t1203 - - attack.t1204.002 - - attack.t1204 # an old one - - attack.initial_access - - attack.t1566.001 - - attack.t1193 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\EQNEDT32.EXE' - condition: selection + selection: + ParentImage|endswith: '\EQNEDT32.EXE' + condition: selection fields: - - CommandLine + - CommandLine falsepositives: - - unknown + - unknown level: critical +tags: + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.t1204 # an old one + - attack.initial_access + - attack.t1566.001 + - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 7d6cd971e..9462de4c8 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml 
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml @@ -1,29 +1,29 @@ title: Exploit for CVE-2017-8759 id: fdd84c68-a1f6-47c9-9477-920584f94905 +status: test description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 -status: experimental -references: - - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -tags: - - attack.execution - - attack.t1203 - - attack.t1204.002 - - attack.t1204 # an old one - - attack.initial_access - - attack.t1566.001 - - attack.t1193 # an old one author: Florian Roth +references: + - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 + - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 date: 2017/09/15 -modified: 2020/08/29 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\WINWORD.EXE' - Image|endswith: '\csc.exe' - condition: selection + selection: + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\csc.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.t1204 # an old one + - attack.initial_access + - attack.t1566.001 + - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index 43b249853..f3bf0b305 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml 
@@ -1,12 +1,34 @@ title: Exploiting SetupComplete.cmd CVE-2019-1378 id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5 -status: experimental -description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 -references: - - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua +status: test +description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 author: Florian Roth, oscd.community, Jonhnathan Ribeiro +references: + - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua date: 2019/11/15 -modified: 2020/08/29 +modified: 2021/11/27 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentCommandLine|contains|all: + - '\cmd.exe' + - '/c' + - 'C:\Windows\Setup\Scripts\' + ParentCommandLine|endswith: + - 'SetupComplete.cmd' + - 'PartnerSetupComplete.cmd' + filter: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + - 'C:\Windows\Setup\' + condition: selection and not filter +falsepositives: + - Unknown +level: high tags: - attack.privilege_escalation - attack.t1068 
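Review bot: The `filter` entry `'C:\Windows\Setup\'` also covers `C:\Windows\Setup\Scripts\` by prefix, which is the very directory the `selection` keys on through `ParentCommandLine`; if that folder is where the untrusted script content lives (which is how the description frames the vulnerability), any image launched from it is suppressed and the rule only sees payloads staged elsewhere, so either narrow that entry or add a comment explaining why children from `Setup\` are trusted. Every path is also hard-coded to `C:\`, so installations on another system drive miss both the selection and the filter; `'\Windows\Setup\Scripts\'` and `'\Windows\System32\'` without the drive letter would be more portable. The `tags` list continues in the next hunk.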
@@ -15,25 +37,3 @@ tags: - attack.t1059 # an old one - attack.t1574 - cve.2019.1378 -logsource: - category: process_creation - product: windows -detection: - selection: - ParentCommandLine|contains|all: - - '\cmd.exe' - - '/c' - - 'C:\Windows\Setup\Scripts\' - ParentCommandLine|endswith: - - 'SetupComplete.cmd' - - 'PartnerSetupComplete.cmd' - filter: - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\WinSxS\' - - 'C:\Windows\Setup\' - condition: selection and not filter -falsepositives: - - Unknown -level: high diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index 0b591d74a..db2fbb2fd 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml 
@@ -1,33 +1,34 @@ title: Exploited CVE-2020-10189 Zoho ManageEngine id: 846b866e-2a57-46ee-8e16-85fa92759be7 -status: experimental +status: test description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 -references: - - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 author: Florian Roth +references: + - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html + - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 date: 2020/03/25 -tags: - - attack.initial_access - - attack.t1190 - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one - - attack.t1059.003 - - attack.t1059 # an old one - - attack.s0190 - - cve.2020.10189 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe' - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\bitsadmin.exe' - condition: selection + selection: + ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\bitsadmin.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.initial_access + - attack.t1190 + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one + - attack.t1059.003 + - attack.t1059 # an old one + - attack.s0190 + - cve.2020.10189 diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml index f9669fcb6..1cf672143 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml 
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml @@ -1,33 +1,33 @@ title: Suspicious PrinterPorts Creation (CVE-2020-1048) id: cc08d590-8b90-413a-aff6-31d1a99678d7 -status: experimental +status: test description: Detects new commands that add new printer port which point to suspicious file author: EagleEye Team, Florian Roth -date: 2020/05/13 -modified: 2020/05/23 references: - - https://windows-internals.com/printdemon-cve-2020-1048/ -tags: - - attack.persistence - - attack.execution - - attack.t1059.001 - - attack.t1086 #an old one + - https://windows-internals.com/printdemon-cve-2020-1048/ +date: 2020/05/13 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: - - 'Add-PrinterPort -Name' - selection2: - CommandLine|contains: - - '.exe' - - '.dll' - - '.bat' - selection3: - CommandLine|contains: - - 'Generic / Text Only' - condition: ( selection1 and selection2 ) or selection3 + selection1: + CommandLine|contains: + - 'Add-PrinterPort -Name' + selection2: + CommandLine|contains: + - '.exe' + - '.dll' + - '.bat' + selection3: + CommandLine|contains: + - 'Generic / Text Only' + condition: ( selection1 and selection2 ) or selection3 falsepositives: - - New printer port install on host + - New printer port install on host level: high +tags: + - attack.persistence + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml index ec82fbc6b..7c10fa245 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml 
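Review bot: `selection3` stands alone in `condition: ( selection1 and selection2 ) or selection3`, so any command line containing `'Generic / Text Only'` — the stock driver name used in ordinary printer-installation commands — fires at level high without any port-creation context, which contradicts the title and is presumably the source of the false positive the `falsepositives` line describes. If `selection3` is meant to catch the printer-installation step of the chain rather than the driver name in isolation, tie it to the cmdlet, e.g. `selection3: CommandLine|contains|all: ['Add-Printer', 'Generic / Text Only']`, and say so in a comment; otherwise the `or` should be reconsidered.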
@@ -1,29 +1,30 @@ title: DNS RCE CVE-2020-1350 id: b5281f31-f9cc-4d0d-95d0-45b91c45b487 -status: experimental +status: test description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process -references: - - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html author: Florian Roth +references: + - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ + - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html date: 2020/07/15 +modified: 2021/11/27 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\System32\dns.exe' + filter: + Image|endswith: + - '\System32\werfault.exe' + - '\System32\conhost.exe' + - '\System32\dnscmd.exe' + condition: selection and not filter +falsepositives: + - Unknown but benign sub processes of the Windows DNS service dns.exe +level: critical tags: - attack.initial_access - attack.t1190 - attack.execution - attack.t1569.002 -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage|endswith: '\System32\dns.exe' - filter: - Image|endswith: - - '\System32\werfault.exe' - - '\System32\conhost.exe' - - '\System32\dnscmd.exe' - condition: selection and not filter -falsepositives: - - Unknown but benign sub processes of the Windows DNS service dns.exe -level: critical diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml index 345cb8d01..5b7841097 100644 --- a/rules/windows/process_creation/win_file_permission_modifications.yml +++ b/rules/windows/process_creation/win_file_permission_modifications.yml 
@@ -1,33 +1,33 @@ title: File or Folder Permissions Modifications id: 37ae075c-271b-459b-8d7b-55ad5f993dd8 -status: experimental +status: test description: Detects a file or folder's permissions being modified. -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md author: Jakob Weinzettl, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md date: 2019/10/23 -modified: 2019/11/08 -tags: - - attack.defense_evasion - - attack.t1222.001 - - attack.t1222 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Image|endswith: - - '\takeown.exe' - - '\cacls.exe' - - '\icacls.exe' - CommandLine|contains: '/grant' - - Image|endswith: '\attrib.exe' - CommandLine|contains: '-r' - condition: selection + selection: + - Image|endswith: + - '\takeown.exe' + - '\cacls.exe' + - '\icacls.exe' + CommandLine|contains: '/grant' + - Image|endswith: '\attrib.exe' + CommandLine|contains: '-r' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Users interacting with the files on their own (unlikely unless privileged users). + - Users interacting with the files on their own (unlikely unless privileged users). level: medium +tags: + - attack.defense_evasion + - attack.t1222.001 + - attack.t1222 # an old one diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml index 1a3788ee5..ea2d0dcd9 100644 --- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml 
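Review bot: In the first `selection` item, `'\takeown.exe'` is paired with `CommandLine|contains: '/grant'`, but takeown has no `/grant` switch (its switches are `/F`, `/A`, `/R`, `/D`), so that entry can only match a takeown command line that happens to contain the string for another reason; either drop it or give takeown its own list item keyed on the switch it actually uses. The `attrib.exe` item's `CommandLine|contains: '-r'` is likewise a bare two-character match; `' -r'` would avoid hitting longer arguments that merely contain those characters.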
@@ -1,51 +1,52 @@ title: Grabbing Sensitive Hives via Reg Utility id: fd877b94-9bb5-4191-bb25-d79cbd93c167 +status: test description: Dump sam, system or security hives using REG.exe utility author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community -date: 2019/10/22 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md - - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation -tags: - - attack.credential_access - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.005 - - attack.t1003 # an old one - - car.2013-07-001 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md + - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation +date: 2019/10/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_1: - Image|endswith: '\reg.exe' - CommandLine|contains: - - 'save' - - 'export' - - 'ˢave' - - 'eˣport' - selection_2: - CommandLine|contains: - - 'hklm' - - 'hk˪m' - - 'hkey_local_machine' - - 'hkey_˪ocal_machine' - - 'hkey_loca˪_machine' - - 'hkey_˪oca˪_machine' - selection_3: - CommandLine|endswith: - - '\system' - - '\sam' - - '\security' - - '\ˢystem' - - '\syˢtem' - - '\ˢyˢtem' - - '\ˢam' - - '\ˢecurity' - condition: selection_1 and selection_2 and selection_3 + selection_1: + Image|endswith: '\reg.exe' + CommandLine|contains: + - 'save' + - 'export' + - 'ˢave' + - 'eˣport' + selection_2: + CommandLine|contains: + - 'hklm' + - 'hk˪m' + - 
'hkey_local_machine' + - 'hkey_˪ocal_machine' + - 'hkey_loca˪_machine' + - 'hkey_˪oca˪_machine' + selection_3: + CommandLine|endswith: + - '\system' + - '\sam' + - '\security' + - '\ˢystem' + - '\syˢtem' + - '\ˢyˢtem' + - '\ˢam' + - '\ˢecurity' + condition: selection_1 and selection_2 and selection_3 falsepositives: - - Dumping hives for legitimate purpouse i.e. backup or forensic investigation + - Dumping hives for legitimate purpouse i.e. backup or forensic investigation level: medium -status: experimental +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 + - attack.t1003 # an old one + - car.2013-07-001 diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml index 800a2ae7a..4902f643d 100644 --- a/rules/windows/process_creation/win_hack_bloodhound.yml +++ b/rules/windows/process_creation/win_hack_bloodhound.yml 
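Review bot: `selection_3` uses `CommandLine|endswith`, but for `reg save <key> <file>` and `reg export <key> <file>` the last token on the command line is the destination path, not the hive, so `reg save hklm\sam C:\Temp\out.hiv` or any invocation with a trailing `/y` is not matched; the rule only fires when the output file name itself happens to end in `\sam`, `\system` or `\security`. Changing `selection_3` to `CommandLine|contains` with the same values (e.g. `- '\sam'`) closes that gap, and the medium level already anticipates the extra hits. Separately, "purpouse" in falsepositives should read "purpose".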
@@ -1,49 +1,48 @@ title: Bloodhound and Sharphound Hack Tool id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962 +status: test description: Detects command line parameters used by Bloodhound and Sharphound hack tools -status: experimental author: Florian Roth references: - - https://github.com/BloodHoundAD/BloodHound - - https://github.com/BloodHoundAD/SharpHound + - https://github.com/BloodHoundAD/BloodHound + - https://github.com/BloodHoundAD/SharpHound date: 2019/12/20 -modified: 2019/12/21 -tags: - - attack.discovery - - attack.t1087.001 - - attack.t1087.002 - - attack.t1087 # an old one - - attack.t1482 - - attack.t1069.001 - - attack.t1069.002 - - attack.t1069 # an old one - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|contains: - - '\Bloodhound.exe' - - '\SharpHound.exe' - selection2: - CommandLine|contains: - - ' -CollectionMethod All ' - - '.exe -c All -d ' - - 'Invoke-Bloodhound' - - 'Get-BloodHoundData' - selection3: - CommandLine|contains|all: - - ' -JsonFolder ' - - ' -ZipFileName ' - selection4: - CommandLine|contains|all: - - ' DCOnly ' - - ' --NoSaveCache ' - condition: 1 of them + selection1: + Image|contains: + - '\Bloodhound.exe' + - '\SharpHound.exe' + selection2: + CommandLine|contains: + - ' -CollectionMethod All ' + - '.exe -c All -d ' + - 'Invoke-Bloodhound' + - 'Get-BloodHoundData' + selection3: + CommandLine|contains|all: + - ' -JsonFolder ' + - ' -ZipFileName ' + selection4: + CommandLine|contains|all: + - ' DCOnly ' + - ' --NoSaveCache ' + condition: 1 of them falsepositives: - - Other programs that use these command line option and accepts an 'All' parameter + - Other programs that use these command line option and accepts an 'All' parameter level: high - +tags: + - attack.discovery + - attack.t1087.001 + - attack.t1087.002 + - attack.t1087 # an old one + - 
attack.t1482 + - attack.t1069.001 + - attack.t1069.002 + - attack.t1069 # an old one + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_hack_hydra.yml b/rules/windows/process_creation/win_hack_hydra.yml index 25cb0e2ad..02fcc28e0 100644 --- a/rules/windows/process_creation/win_hack_hydra.yml +++ b/rules/windows/process_creation/win_hack_hydra.yml @@ -1,28 +1,30 @@ title: Hydra Password Guessing Hack Tool id: aaafa146-074c-11eb-adc1-0242ac120002 +status: test description: Detects command line parameters used by Hydra password guessing hack tool author: Vasiliy Burov references: - - https://github.com/vanhauser-thc/thc-hydra - - https://attack.mitre.org/techniques/T1110/001/ + - https://github.com/vanhauser-thc/thc-hydra + - https://attack.mitre.org/techniques/T1110/001/ date: 2020/10/05 -tags: - - attack.credential_access - - attack.t1110 - - attack.t1110.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - '-u ' - - '-p ' - selection2: - CommandLine|contains: - - '^USER^' - - '^PASS^' - condition: selection1 and selection2 + selection1: + CommandLine|contains|all: + - '-u ' + - '-p ' + selection2: + CommandLine|contains: + - '^USER^' + - '^PASS^' + condition: selection1 and selection2 falsepositives: - - Software that uses the caret encased keywords PASS and USER in its command line + - Software that uses the caret encased keywords PASS and USER in its command line level: high +tags: + - attack.credential_access + - attack.t1110 + - attack.t1110.001 diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index b0f6bb699..0d2a8a8ea 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml 
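Review bot: In `selection2` and `selection4` the entries `' -CollectionMethod All '` and `' DCOnly '` carry a trailing space, so a command line that ends with the option (`SharpHound.exe -CollectionMethod All` with nothing after it, a common invocation) is not matched. Dropping the trailing space, `- ' -CollectionMethod All'`, keeps the leading-space boundary and catches the end-of-line case; the same applies to `' DCOnly'`. `selection1` uses `Image|contains` where every neighbouring rule uses `Image|endswith`; `endswith` is the intended semantics for a file name and avoids matching a directory component.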
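Review bot: `selection1` requires both `-u ` and `-p ` on the command line, but if I read the referenced thc-hydra usage correctly the login list is passed with -l/-L and -u is only the "loop around users" flag, so a standard run such as `hydra -L users.txt -P pass.txt ... "^USER^:^PASS^"` has no `-u ` and is missed by this rule. The `^USER^`/`^PASS^` placeholders in `selection2` are the distinctive part; consider making `selection1` `CommandLine|contains: ['-l ', '-p ']` (Sigma string matching is case-insensitive, so -L/-P are covered too) or dropping it and relying on `selection2` with a module keyword. Please verify against the hydra README before changing it.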
@@ -1,38 +1,39 @@ title: Rubeus Hack Tool id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 +status: test description: Detects command line parameters used by Rubeus hack tool -status: experimental author: Florian Roth references: - - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ + - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ date: 2018/12/19 -tags: - - attack.credential_access - - attack.t1003 - - attack.t1558.003 - - attack.t1558 # an old one - - attack.lateral_movement - - attack.t1550.003 - - attack.t1097 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - ' asreproast ' - - ' dump /service:krbtgt ' - - ' kerberoast ' - - ' createnetonly /program:' - - ' ptt /ticket:' - - ' /impersonateuser:' - - ' renew /ticket:' - - ' asktgt /user:' - - ' harvest /interval:' - - ' s4u /user:' - - ' s4u /ticket:' - - ' hash /password:' - condition: selection + selection: + CommandLine|contains: + - ' asreproast ' + - ' dump /service:krbtgt ' + - ' kerberoast ' + - ' createnetonly /program:' + - ' ptt /ticket:' + - ' /impersonateuser:' + - ' renew /ticket:' + - ' asktgt /user:' + - ' harvest /interval:' + - ' s4u /user:' + - ' s4u /ticket:' + - ' hash /password:' + condition: selection falsepositives: - - unlikely + - unlikely level: critical +tags: + - attack.credential_access + - attack.t1003 + - attack.t1558.003 + - attack.t1558 # an old one + - attack.lateral_movement + - attack.t1550.003 + - attack.t1097 # an old one diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 90bb35a1a..21ee36e10 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml 
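Review bot: The verbs `' asreproast '`, `' kerberoast '` and `' dump /service:krbtgt '` are padded with a trailing space, so a bare `Rubeus.exe kerberoast` or `Rubeus.exe asreproast` (no further arguments, which is the default way to run them) ends the command line without that space and is not matched. For verbs that take no mandatory argument keep only the leading space, e.g. `- ' kerberoast'` and `- ' asreproast'`; the entries that end in `/ticket:`, `/user:` or `/program:` are fine as they always have a value after the colon. Given the critical level, the falsepositives entry could note that the patterns are argument-based and therefore also match a renamed Rubeus binary, which is intended.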
@@ -1,30 +1,30 @@ title: HH.exe Execution id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 +status: test description: Identifies usage of hh.exe executing recently modified .chm files. -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md - - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 -modified: 2019/11/11 -tags: - - attack.defense_evasion - - attack.t1218.001 - - attack.execution # an old one - - attack.t1223 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\hh.exe' - CommandLine|contains: '.chm' - condition: selection + selection: + Image|endswith: '\hh.exe' + CommandLine|contains: '.chm' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - unlike + - unlike level: high +tags: + - attack.defense_evasion + - attack.t1218.001 + - attack.execution # an old one + - attack.t1223 # an old one diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml index 589b4d9f6..971bfb366 100644 --- a/rules/windows/process_creation/win_html_help_spawn.yml +++ b/rules/windows/process_creation/win_html_help_spawn.yml 
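Review bot: The description promises detection of hh.exe "executing recently modified .chm files", but `selection` only checks `Image|endswith: '\hh.exe'` and `CommandLine|contains: '.chm'`; there is no recency component in process_creation data, so the description over-claims and should be reduced to `Detects hh.exe being invoked with a .chm file on its command line`. Note that `'.chm'` is also matched when hh.exe is launched for a legitimate help file, which makes the high level and the falsepositives entry "unlike" (presumably "unlikely") hard to defend; opening vendor help files through hh.exe is not rare on workstations. The falsepositives text should at least be corrected to "Unlikely" or, better, list legitimate help-file usage.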
@@ -1,42 +1,42 @@ title: HTML Help Shell Spawn id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4 -status: experimental +status: test description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm) -references: - - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/ author: Maxim Pavlunin +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/ date: 2020/04/01 -modified: 2020/09/01 -tags: - - attack.defense_evasion - - attack.t1218.001 - - attack.t1218.010 - - attack.t1218.011 - - attack.execution - - attack.t1223 # an old one - - attack.t1059.001 - - attack.t1059.003 - - attack.t1059.005 - - attack.t1059.007 - - attack.t1047 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: 'C:\Windows\hh.exe' - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\regsvr32.exe' - - '\wmic.exe' - - '\rundll32.exe' - condition: selection + selection: + ParentImage: 'C:\Windows\hh.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\regsvr32.exe' + - '\wmic.exe' + - '\rundll32.exe' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: high +tags: + - attack.defense_evasion + - attack.t1218.001 + - attack.t1218.010 + - attack.t1218.011 + - attack.execution + - attack.t1223 # an old one + - attack.t1059.001 + - attack.t1059.003 + - attack.t1059.005 + - attack.t1059.007 + - attack.t1047 diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml index e21047809..9a7d4c55f 100644 --- a/rules/windows/process_creation/win_hwp_exploits.yml 
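Review bot: `ParentImage: 'C:\Windows\hh.exe'` is an exact match on a fixed drive and system root, so any host with Windows on another drive or a non-default %SystemRoot% never triggers this rule, while the sibling rule win_hh_chm.yml matches `Image|endswith: '\hh.exe'`. Use the same form here, `ParentImage|endswith: '\hh.exe'`, for consistency and portability; the child-process list already provides the specificity. If the intent was to exclude hh.exe copies outside the system directory, say so in a comment, since that copy would be the more suspicious one.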
+++ b/rules/windows/process_creation/win_hwp_exploits.yml 
@@ -1,33 +1,33 @@ title: Suspicious HWP Sub Processes id: 023394c4-29d5-46ab-92b8-6a534c6f447b +status: test description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation -status: experimental -references: - - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/ - - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 - - https://twitter.com/cyberwar_15/status/1187287262054076416 - - https://blog.alyac.co.kr/1901 - - https://en.wikipedia.org/wiki/Hangul_(word_processor) -tags: - - attack.initial_access - - attack.t1566.001 - - attack.t1193 # an old one - - attack.execution - - attack.t1203 - - attack.t1059.003 - - attack.t1059 # an old one - - attack.g0032 author: Florian Roth +references: + - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/ + - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 + - https://twitter.com/cyberwar_15/status/1187287262054076416 + - https://blog.alyac.co.kr/1901 + - https://en.wikipedia.org/wiki/Hangul_(word_processor) date: 2019/10/24 -modified: 2020/09/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\Hwp.exe' - Image|endswith: '\gbb.exe' - condition: selection + selection: + ParentImage|endswith: '\Hwp.exe' + Image|endswith: '\gbb.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.initial_access + - attack.t1566.001 + - attack.t1193 # an old one + - attack.execution + - attack.t1203 + - attack.t1059.003 + - attack.t1059 # an old one + - attack.g0032 
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index a97030d7d..0d9c18037 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -1,20 +1,20 @@ title: Impacket Lateralization Detection id: 10c14723-61c7-4c75-92ca-9af245723ad2 -status: experimental +status: test description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework -references: - - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py - - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py - - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py - - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py author: Ecco, oscd.community, Jonhnathan Ribeiro +references: + - https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py + - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py + - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py + - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py date: 2019/09/03 -modified: 2020/09/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_other: + selection_other: # *** wmiexec.py # parent is wmiprvse.exe # examples: 
@@ -32,38 +32,38 @@ detection: # parent is services.exe # example: # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat - ParentImage|endswith: - - '\wmiprvse.exe' # wmiexec - - '\mmc.exe' # dcomexec MMC - - '\explorer.exe' # dcomexec ShellBrowserWindow - - '\services.exe' # smbexec - CommandLine|contains|all: - - 'cmd.exe' - - '/Q' - - '/c' - - '\\\\127.0.0.1\' - - '&1' - selection_atexec: - ParentCommandLine|contains: - - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") + ParentImage|endswith: + - '\wmiprvse.exe' # wmiexec + - '\mmc.exe' # dcomexec MMC + - '\explorer.exe' # dcomexec ShellBrowserWindow + - '\services.exe' # smbexec + CommandLine|contains|all: + - 'cmd.exe' + - '/Q' + - '/c' + - '\\\\127.0.0.1\' + - '&1' + selection_atexec: + ParentCommandLine|contains: + - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") + - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 - CommandLine|contains|all: - - 'cmd.exe' - - '/C' - - 'Windows\Temp\' - - '&1' - condition: (1 of selection_*) + CommandLine|contains|all: + - 'cmd.exe' + - '/C' + - 'Windows\Temp\' + - '&1' + condition: (1 of selection_*) fields: - - CommandLine - - ParentCommandLine -tags: - - attack.execution - - attack.t1047 - - attack.lateral_movement - - attack.t1175 # an old one - - attack.t1021.003 - - attack.t1021 # an old one + - CommandLine + - ParentCommandLine falsepositives: - - pentesters + - pentesters level: critical +tags: + - attack.execution + - 
attack.t1047 + - attack.lateral_movement + - attack.t1175 # an old one + - attack.t1021.003 + - attack.t1021 # an old one diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 21fce0555..0bea3f3ed 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml 
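Review bot: `selection_other` hard-codes `'\\\\127.0.0.1\'` as the output share host, which matches the Impacket defaults quoted in the comments but is an operator-controlled string; as far as I can tell from the referenced scripts the share and, in newer releases, the target host used for output redirection can be changed, so a one-line edit of the tool evades the rule while the rest of the pattern (`cmd.exe /Q /c ... 2>&1`) still holds. Consider loosening that element to `'\\\\'` together with `'$\'` (an administrative share such as C$ or ADMIN$), which keeps the loopback case and also catches redirection to a remote share. The `selection_atexec` block is tied to `Windows\Temp\`, which is likewise the default temp path in atexec and worth the same caveat in a comment.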
@@ -1,31 +1,31 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 +status: test description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md - - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md + - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html date: 2019/10/24 -modified: 2019/11/11 -tags: - - attack.defense_evasion - - attack.t1202 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: - - '\pcalua.exe' - - '\forfiles.exe' - condition: selection + selection: + ParentImage|endswith: + - '\pcalua.exe' + - '\forfiles.exe' + condition: selection fields: - - ComputerName - - User - - ParentCommandLine - - CommandLine + - ComputerName + - User + - ParentCommandLine + - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. - - Legitimate usage of scripts. + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. + - Legitimate usage of scripts. level: low +tags: + - attack.defense_evasion + - attack.t1202 diff --git a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml index c560fbb4e..6229b8533 100644 --- a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml 
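Review bot: The description says "Program Compatibility Assistant (pcalua.exe or forfiles.exe)", but forfiles.exe is not part of the Program Compatibility Assistant; it is a separate command-line utility that runs a command per matched file, and only pcalua.exe is the PCA launcher. Reword to `Detects indirect command execution via pcalua.exe (Program Compatibility Assistant) or forfiles.exe.` so the analyst is not misled when triaging. Since `selection` matches every child of both parents, the low level and the falsepositives note about post-filtering are appropriate.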
+++ b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml @@ -1,29 +1,30 @@ title: Indirect Command Execution By Program Compatibility Wizard id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc +status: test description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe -status: experimental author: A. Sungurov , oscd.community references: - - https://twitter.com/pabraeken/status/991335019833708544 - - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ + - https://twitter.com/pabraeken/status/991335019833708544 + - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ date: 2020/10/12 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.execution +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\pcwrun.exe' - condition: selection + selection: + ParentImage|endswith: '\pcwrun.exe' + condition: selection fields: - - ComputerName - - User - - ParentCommandLine - - CommandLine + - ComputerName + - User + - ParentCommandLine + - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts - - Legit usage of scripts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts + - Legit usage of scripts level: low +tags: + - attack.defense_evasion + - attack.t1218 + - attack.execution diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml index 166a4561b..2e1c00d3b 100644 --- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml 
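Review bot: This rule tags `attack.t1218` while the sibling rule for pcalua.exe/forfiles.exe (win_indirect_cmd.yml) and the referenced LOLBAS entry describe the same behaviour, spawning a command through a trusted helper, under indirect command execution, `attack.t1202`. Aligning the tag (`- attack.t1202`) keeps the two "Indirect Command Execution" rules consistent when analysts pivot on technique. If T1218 was chosen deliberately, a short comment next to the tag saying why would help.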
@@ -1,33 +1,33 @@ title: Suspicious Debugger Registration Cmdline id: ae215552-081e-44c7-805f-be16f975c8a2 -status: experimental +status: test description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). -references: - - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.008 - - attack.t1015 # an old one author: Florian Roth, oscd.community, Jonhnathan Ribeiro +references: + - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ date: 2019/09/06 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - '\CurrentVersion\Image File Execution Options\' - CommandLine|contains: - - 'sethc.exe' - - 'utilman.exe' - - 'osk.exe' - - 'magnify.exe' - - 'narrator.exe' - - 'displayswitch.exe' - - 'atbroker.exe' - condition: selection + selection: + CommandLine|contains|all: + - '\CurrentVersion\Image File Execution Options\' + CommandLine|contains: + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'magnify.exe' + - 'narrator.exe' + - 'displayswitch.exe' + - 'atbroker.exe' + condition: selection falsepositives: - - Penetration Tests + - Penetration Tests level: high - +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.008 + - attack.t1015 # an old one diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 9dde4c688..b3f8beed9 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml 
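Review bot: `selection` requires only the IFEO key path and one accessibility binary name, not the `Debugger` value, so a read-only `reg query "...Image File Execution Options\sethc.exe"` fires this high-level rule just like the write that actually installs the backdoor. Adding a `Debugger` requirement, `CommandLine|contains|all: ['\CurrentVersion\Image File Execution Options\', 'Debugger']`, would separate the two; if enumeration is also wanted, split it into a lower-level rule. Being a command-line rule it also cannot see the same key set via a `.reg` import or a PowerShell call with the path in a variable, which is worth a line in falsepositives or description so nobody treats it as complete coverage of T1546.008.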
@@ -1,29 +1,29 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc +status: test description: Detect an interactive AT job, which may be used as a form of privilege escalation. -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md - - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md + - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html date: 2019/10/24 -modified: 2019/11/11 -tags: - - attack.privilege_escalation - - attack.t1053.002 - - attack.t1053 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\at.exe' - CommandLine|contains: 'interactive' - condition: selection + selection: + Image|endswith: '\at.exe' + CommandLine|contains: 'interactive' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unlikely (at.exe deprecated as of Windows 8) + - Unlikely (at.exe deprecated as of Windows 8) level: high +tags: + - attack.privilege_escalation + - attack.t1053.002 + - attack.t1053 # an old one diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip.yml index cc229f08e..423659d5d 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_clip.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation CLIP+ Launcher id: b222df08-0e07-11eb-adc1-0242ac120002 +status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell -status: experimental author: Jonathan Cheong, oscd.community -date: 2020/10/13 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +date: 2020/10/13 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index 67ef5719a..6d645f479 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml 
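Review bot: The `CommandLine|re` pattern has no `(?i)` flag, unlike the compress and rundll rules in the same batch that start with `(?i).*`, and Sigma regular expressions are case-sensitive on most backends, so a launcher written as `CMD /C ... CLIP ...` or with the `-F` format operator capitalised is not matched even though Invoke-Obfuscation randomises case. Prefix the expression with `(?i)` for consistency with the sibling rules. The leading `.*` is redundant for an unanchored regex and can be dropped.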
@@ -1,29 +1,29 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation id: 4bf943c6-5146-4273-98dd-e958fd1e3abf -description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" -status: experimental +status: test +description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2020/09/01 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 - - attack.t1086 #an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - CommandLine|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - - CommandLine|re: '\$VerbosePreference\.ToString\(' - - CommandLine|re: '\\\\String\]\s*\$VerbosePreference' - condition: selection + selection: + - CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' + - CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' + - CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' + - CommandLine|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' + - CommandLine|re: '\\\\*mdr\\\\*\W\s*\)\.Name' + - CommandLine|re: '\$VerbosePreference\.ToString\(' + - CommandLine|re: '\\\\String\]\s*\$VerbosePreference' + condition: selection falsepositives: - - Unknown + - 
Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 + - attack.t1086 #an old one diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml index dbdb4cbaa..4ee9b34fa 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin.yml @@ -1,23 +1,24 @@ title: Invoke-Obfuscation STDIN+ Launcher id: 6c96fc76-0eb1-11eb-adc1-0242ac120002 +status: test description: Detects Obfuscated use of stdin to execute PowerShell -status: experimental author: Jonathan Cheong, oscd.community -date: 2020/10/15 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +date: 2020/10/15 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var.yml b/rules/windows/process_creation/win_invoke_obfuscation_var.yml index 63ae15f8c..8627967d7 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_var.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_var.yml 
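Review bot: Every `CommandLine|re` entry in `selection` is case-sensitive (no `(?i)`), yet the referenced Out-ObfuscatedStringCommand.ps1 produces variants whose case is randomised, so `$pshome[`, `$SHELLID[` or `$ENV:PUBLIC[` slip past patterns written as `\$PSHome\[`, `\$ShellId\[` and `\$env:Public\[`. Prefix each regex with `(?i)` as the compress and rundll rules in this batch already do. The rest of the expressions look tight enough that the extra hits from case folding should not move the high level.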
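Review bot: The regex in `selection` is case-sensitive, so `-NoExit` (the usual spelling) does not match the `noexit` alternative and only the `$input` branch is effectively live; adding `(?i)` fixes that but then `cmd /c "powershell -NoExit ..."` from ordinary launcher scripts will also fire, so the `noexit` branch should be tightened, for example by requiring it together with `\$\{?input\}?` rather than as an alternative. As in the CLIP+ rule, the leading `.*` is unnecessary.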
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation VAR+ Launcher id: 27aec9c9-dbb0-4939-8422-1742242471d0 +status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell -status: experimental author: Jonathan Cheong, oscd.community -date: 2020/10/15 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) +date: 2020/10/15 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: selection + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml index 60a494a55..756bb5720 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml 
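Review bot: Same case-sensitivity gap as the other Invoke-Obfuscation launcher rules: the regex lacks `(?i)`, so `CMD /C "SET ...` or `-F` is not matched although the framework randomises case; prefix the pattern with `(?i)`. Two style nits in the expression: `(?:\s|)` is just `\s?`, and `(?:\{\d\}){1,}` is `(?:\{\d\})+`, which makes the intent easier to read when the rule is revisited.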
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 +status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -status: experimental author: Timur Zinniatullin, oscd.community -date: 2020/10/18 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) +date: 2020/10/18 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection + selection: + CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml index d8b91c93c..f59b098e3 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555 +status: test description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -status: experimental author: Timur Zinniatullin, oscd.community -date: 2020/10/18 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) +date: 2020/10/18 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection + selection: + CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + condition: selection falsepositives: - - Unknown + - Unknown level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml index 71f178496..c0c714dbb 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation Via Stdin id: 9c14c9fa-1a63-4a64-8e57-d19280559490 +status: test description: Detects Obfuscated Powershell via Stdin in Scripts -status: experimental author: Nikita Nazarov, oscd.community -date: 2020/10/12 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +date: 2020/10/12 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection + selection: + CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml index ce8d6bfc8..c1cbcc776 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation Via Use Clip id: e1561947-b4e3-4a74-9bdd-83baed21bdb5 +status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts -status: experimental author: Nikita Nazarov, oscd.community -date: 2020/10/09 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +date: 2020/10/09 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection + selection: + CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index 95f4633a1..2e8ff0f8d 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation Via Use MSHTA id: ac20ae82-8758-4f38-958e-b44a3140ca88 +status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts -status: experimental author: Nikita Nazarov, oscd.community -date: 2020/10/08 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) +date: 2020/10/08 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection + selection: + CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 169d86471..484a553d9 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml 
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation Via Use Rundll32 id: 36c5146c-d127-4f85-8e21-01bf62355d5a +status: test description: Detects Obfuscated Powershell via use Rundll32 in Scripts -status: experimental author: Nikita Nazarov, oscd.community -date: 2019/10/08 references: - - https://github.com/Neo23x0/sigma/issues/1009 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 +date: 2019/10/08 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection + selection: + CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var.yml index dd02c69ae..4b3b48828 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_var.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var.yml 
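Review bot: `date: 2019/10/08` is kept on the new side while every other rule from the same oscd.community issue #1009 in this change is dated October 2020, so the year looks like a typo; if this rule was written in the same 2020 sprint as its siblings, `date: 2020/10/08` is the fix. The reference line also lacks the `#(TaskNN)` marker the sibling rules carry, which is what lets a maintainer trace the regex back to its test cases in the issue; add it if the task number is known.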
@@ -1,23 +1,24 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION id: e9f55347-2928-4c06-88e5-1a7f8169942e +status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER -status: experimental author: Timur Zinniatullin, oscd.community -date: 2020/10/13 references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) +date: 2020/10/13 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection + selection: + CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml index f3b83068d..c342fe36a 100644 --- a/rules/windows/process_creation/win_lethalhta.yml +++ b/rules/windows/process_creation/win_lethalhta.yml 
@@ -1,24 +1,25 @@ title: MSHTA Spwaned by SVCHOST id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471 -status: experimental +status: test description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report -references: - - https://codewhitesec.blogspot.com/2018/07/lethalhta.html -tags: - - attack.defense_evasion - - attack.t1218.005 - - attack.execution # an old one - - attack.t1170 # an old one author: Markus Neis +references: + - https://codewhitesec.blogspot.com/2018/07/lethalhta.html date: 2018/06/07 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\svchost.exe' - Image|endswith: '\mshta.exe' - condition: selection + selection: + ParentImage|endswith: '\svchost.exe' + Image|endswith: '\mshta.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1218.005 + - attack.execution # an old one + - attack.t1170 # an old one diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index 8fc72c85f..661fc2faa 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
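Review bot: The title and description keep the typo `Spwaned` (`title: MSHTA Spwaned by SVCHOST`, `Detects MSHTA.EXE spwaned by SVCHOST`); titles are what analysts search and alert on, so change to `title: MSHTA Spawned by SVCHOST` and `description: Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report`. The retained `attack.t1170 # an old one` is the deprecated MSHTA technique superseded by `attack.t1218.005`, which is already present; if the repository convention is to drop superseded IDs once the current one is tagged, this status-change commit would be the natural place to do it.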
@@ -1,65 +1,65 @@ title: Local Accounts Discovery id: 502b42de-4306-40b4-9596-6f590c81f073 -status: experimental +status: test description: Local accounts, System Owner/User discovery using operating systems utilities author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -date: 2019/10/21 -modified: 2020/09/01 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md +date: 2019/10/21 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_1: - - Image|endswith: '\whoami.exe' - - Image|endswith: '\wmic.exe' - CommandLine|contains|all: - - 'useraccount' - - 'get' - - Image|endswith: - - '\quser.exe' - - '\qwinsta.exe' - - Image|endswith: '\cmdkey.exe' - CommandLine|contains: '/list' - - Image|endswith: '\cmd.exe' - CommandLine|contains|all: - - '/c' - - 'dir ' - - '\Users\' - filter_1: - CommandLine|contains: - - ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" - selection_2: - Image|endswith: - - '\net.exe' - - '\net1.exe' - CommandLine|contains: 'user' - filter_2: - CommandLine|contains: - - '/domain' # local account discovery only - - '/add' # discovery only - - '/delete' # discovery only - - '/active' # discovery only - - '/expires' # discovery only - - '/passwordreq' # discovery only - - '/scriptpath' # discovery only - - '/times' # discovery only - - '/workstations' # discovery only - condition: (selection_1 and not filter_1) or (selection_2 and not filter_2) + selection_1: + - Image|endswith: '\whoami.exe' + - Image|endswith: '\wmic.exe' + CommandLine|contains|all: + - 'useraccount' + - 'get' + - Image|endswith: + - '\quser.exe' + - '\qwinsta.exe' + - Image|endswith: '\cmdkey.exe' + CommandLine|contains: '/list' + - Image|endswith: 
'\cmd.exe' + CommandLine|contains|all: + - '/c' + - 'dir ' + - '\Users\' + filter_1: + CommandLine|contains: + - ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" + selection_2: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'user' + filter_2: + CommandLine|contains: + - '/domain' # local account discovery only + - '/add' # discovery only + - '/delete' # discovery only + - '/active' # discovery only + - '/expires' # discovery only + - '/passwordreq' # discovery only + - '/scriptpath' # discovery only + - '/times' # discovery only + - '/workstations' # discovery only + condition: (selection_1 and not filter_1) or (selection_2 and not filter_2) fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine + - Image + - CommandLine + - User + - LogonGuid + - Hashes + - ParentProcessGuid + - ParentCommandLine falsepositives: - - Legitimate administrator or user enumerates local users for legitimate reason + - Legitimate administrator or user enumerates local users for legitimate reason level: low tags: - - attack.discovery - - attack.t1033 - - attack.t1087.001 - - attack.t1087 # an old one + - attack.discovery + - attack.t1033 + - attack.t1087.001 + - attack.t1087 # an old one diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index a564d536d..9860bfa66 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml +++ b/rules/windows/process_creation/win_lsass_dump.yml 
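Review bot: In `selection_2`, `CommandLine|contains: 'user'` is a bare substring, so besides `net user` it also fires on any `net`/`net1` invocation whose arguments merely contain the string — `net use \\fileserver\Users` or `net localgroup Users` — and `filter_2` excludes none of those. Narrowing to `CommandLine|contains: ' user'` keeps `net user` / `net1 user` while dropping share paths such as `\\srv\Users`; `net localgroup Users` would still match and may deserve its own filter entry. This is a level-low rule, but the `/domain` exclusion comment says the intent is local-account discovery only, so the extra matches are noise rather than coverage. The hunk for this rule starts in the previous line of the page.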
@@ -1,37 +1,37 @@ title: LSASS Memory Dumping id: ffa6861c-4461-4f59-8a41-578c39f3f23e +status: test description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community -date: 2019/10/24 -modified: 2019/11/11 references: - - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html - - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md -tags: - - attack.credential_access - - attack.t1003.001 - - attack.t1003 # an old one + - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html + - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md +date: 2019/10/24 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - 'lsass' - - '.dmp' - selection2: - Image|endswith: '\werfault.exe' - selection3: - Image|contains: '\procdump' - Image|endswith: '.exe' - CommandLine|contains: 'lsass' - condition: selection1 and not selection2 or selection3 + selection1: + CommandLine|contains|all: + - 'lsass' + - '.dmp' + selection2: + Image|endswith: '\werfault.exe' + selection3: + Image|contains: '\procdump' + Image|endswith: '.exe' + CommandLine|contains: 'lsass' + condition: selection1 and not selection2 or selection3 fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unlikely + - Unlikely level: 
high +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 7d90d5575..cd4ab8d1c 100644 --- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml 
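Review bot: `condition: selection1 and not selection2 or selection3` relies on Sigma operator precedence (`not` over `and` over `or`) to mean `(selection1 and not selection2) or selection3`; write the parentheses explicitly, `condition: (selection1 and not selection2) or selection3`, so the werfault exclusion is visibly scoped to the `.dmp` command-line match and not misread as also filtering the procdump branch. Separately, `selection3` identifies procdump only by image path (`Image|contains: '\procdump'`), so a renamed copy of the tool dumping lsass is caught only if its command line also happens to contain `.dmp`; if the log source exposes `OriginalFileName`, matching `procdump` there would be more robust. The hunk for this rule starts in the previous line of the page.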
@@ -1,39 +1,39 @@ title: Dridex Process Pattern id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e -status: experimental +status: test description: Detects typical Dridex process patterns -references: - - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 author: Florian Roth, oscd.community +references: + - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 date: 2019/01/10 -modified: 2020/09/01 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 - - attack.discovery - - attack.t1135 - - attack.t1033 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\svchost.exe' - CommandLine|contains|all: - - 'C:\Users\' - - '\Desktop\' - selection2: - ParentImage|endswith: '\svchost.exe' - selection3: - Image|endswith: '\whoami.exe' - CommandLine|contains: 'all' - selection4: - Image|endswith: - - '\net.exe' - - '\net1.exe' - CommandLine|contains: 'view' - condition: selection1 or selection2 and (selection3 or selection4) + selection1: + Image|endswith: '\svchost.exe' + CommandLine|contains|all: + - 'C:\Users\' + - '\Desktop\' + selection2: + ParentImage|endswith: '\svchost.exe' + selection3: + Image|endswith: '\whoami.exe' + CommandLine|contains: 'all' + selection4: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'view' + condition: selection1 or selection2 and (selection3 or selection4) falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 + - attack.discovery + - attack.t1135 + - attack.t1033 diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml index 3d44a0162..89a390566 100644 --- a/rules/windows/process_creation/win_malware_dtrack.yml +++ b/rules/windows/process_creation/win_malware_dtrack.yml 
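Review bot: `condition: selection1 or selection2 and (selection3 or selection4)` is parsed as `selection1 or (selection2 and (selection3 or selection4))` because `and` binds tighter than `or`; make that explicit with `condition: selection1 or (selection2 and (selection3 or selection4))` so a reader does not take the bare svchost-parent match in `selection2` as a standalone trigger. Note also that `selection2` requires only `ParentImage|endswith: '\svchost.exe'`, so any `whoami /all` or `net view` launched from a service host — which some legitimate management agents may do — fires at level critical, and `falsepositives: Unlikely` may be optimistic for that branch.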
@@ -1,26 +1,27 @@ title: DTRACK Process Creation id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 -status: experimental +status: test description: Detects specific process parameters as seen in DTRACK infections author: Florian Roth -date: 2019/10/30 references: - - https://securelist.com/my-name-is-dtrack/93338/ - - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/ - - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/ + - https://securelist.com/my-name-is-dtrack/93338/ + - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/ + - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/ +date: 2019/10/30 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: ' echo EEEE > ' - condition: selection + selection: + CommandLine|contains: ' echo EEEE > ' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: critical tags: - - attack.impact - - attack.t1490 \ No newline at end of file + - attack.impact + - attack.t1490 diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml index aa1db398b..749186e08 100644 --- a/rules/windows/process_creation/win_malware_emotet.yml +++ b/rules/windows/process_creation/win_malware_emotet.yml 
@@ -1,39 +1,39 @@ title: Emotet Process Creation id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18 -status: experimental +status: test description: Detects all Emotet like process executions that are not covered by the more generic rules author: Florian Roth -date: 2019/09/30 -modified: 2020/09/01 -tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one - - attack.defense_evasion - - attack.t1027 references: - - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/ - - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/ - - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/ - - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/ + - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/ + - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/ + - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/ + - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/ +date: 2019/09/30 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - ' -e* PAA' - - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile - - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile - - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile - - 'IgAoACcAKgAnACkAOwAkA' # "('*');$ - - 'IAKAAnACoAJwApADsAJA' # "('*');$ - - 'iACgAJwAqACcAKQA7ACQA' # "('*');$ - - 'JABGAGwAeAByAGgAYwBmAGQ' - condition: selection + selection: + CommandLine|contains: + - ' -e* PAA' + - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile + - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile + - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile + - 'IgAoACcAKgAnACkAOwAkA' # "('*');$ + - 'IAKAAnACoAJwApADsAJA' # "('*');$ + - 'iACgAJwAqACcAKQA7ACQA' # "('*');$ + - 'JABGAGwAeAByAGgAYwBmAGQ' + condition: selection fields: - - 
CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one + - attack.defense_evasion + - attack.t1027 diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index fd1207cad..7984ee402 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml 
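Review bot: The first `CommandLine|contains` entry `' -e* PAA'` is the only pattern in `selection` without an explanatory comment, while every other base64 fragment carries its decoded value; add `# -e(nc/ncodedcommand) with a UTF-16LE base64 payload starting with '<'` — `PAA` is how UTF-16LE `<` followed by a low-ASCII byte encodes. It is also worth noting in that comment that `*` is a Sigma wildcard, so the entry deliberately covers abbreviated parameter spellings such as `-ec`, `-en` or `-enco`; without the note a maintainer may read the asterisk as a literal. The hunk for this rule starts in the previous line of the page.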
@@ -1,54 +1,53 @@ title: Formbook Process Creation id: 032f5fb3-d959-41a5-9263-4173c802dc2b -status: experimental -description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to - delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. +status: test +description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. author: Florian Roth, oscd.community, Jonhnathan Ribeiro -date: 2019/09/30 -modified: 2019/10/31 references: - - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer - - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/ - - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ - - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ + - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer + - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/ + - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ + - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ +date: 2019/09/30 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: + selection: # Parent command line should not contain a space value # This avoids false positives not caused by process injection # e.g. 
wscript.exe /B sysmon-install.vbs - ParentCommandLine|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - ParentCommandLine|endswith: - - '.exe' - selection2: - - CommandLine|contains|all: - - '/c' - - 'del' - - 'C:\Users\' - - '\AppData\Local\Temp\' - - CommandLine|contains|all: - - '/c' - - 'del' - - 'C:\Users\' - - '\Desktop\' - - CommandLine|contains|all: - - '/C' - - 'type nul >' - - 'C:\Users\' - - '\Desktop\' - selection3: - CommandLine|endswith: '.exe' - condition: selection and selection2 and selection3 + ParentCommandLine|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + ParentCommandLine|endswith: + - '.exe' + selection2: + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\AppData\Local\Temp\' + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\Desktop\' + - CommandLine|contains|all: + - '/C' + - 'type nul >' + - 'C:\Users\' + - '\Desktop\' + selection3: + CommandLine|endswith: '.exe' + condition: selection and selection2 and selection3 fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.develop_capabilities - - attack.t1587.001 \ No newline at end of file + - attack.develop_capabilities + - attack.t1587.001 diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 6ef6b4163..d6bc28cda 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml 
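Review bot: The re-flowed description on the new side still reads `a special command command line`; drop the duplicated word: `... which executes a special command line to delete the dropper from the AppData Temp folder`. The `'del'` and `'/c'` entries in `selection2` are bare substrings (`del` also matches `delete`, `/c` matches `/create`), so `' del '` would tighten the first two patterns where the parent-path constraint does not already exclude the noise — hedged, since the exact Formbook command lines in the cited any.run reports are not visible here. The hunk for this rule starts in the previous line of the page.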
@@ -1,42 +1,41 @@ title: NotPetya Ransomware Activity id: 79aeeb41-8156-4fac-a0cd-076495ab82a1 -status: experimental +status: test description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi -date: 2019/01/16 -modified: 2020/09/01 references: - - https://securelist.com/schroedingers-petya/78870/ - - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 -tags: - - attack.defense_evasion - - attack.t1218.011 - - attack.execution # an old one - - attack.t1085 # an old one - - attack.t1070.001 - - attack.t1070 # an old one - - attack.credential_access - - attack.t1003.001 - - attack.t1003 # an old one - - car.2016-04-002 + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 +date: 2019/01/16 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\.\pipe\\' - rundll32_dash1: - Image|endswith: '\rundll32.exe' - CommandLine|endswith: '.dat,#1' - perfc_keyword: - - '\perfc.dat' - condition: 1 of them + pipe_com: + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\.\pipe\\' + rundll32_dash1: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '.dat,#1' + perfc_keyword: + - '\perfc.dat' + condition: 1 of them fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Admin activity + - Admin activity level: critical - +tags: + - attack.defense_evasion + - attack.t1218.011 + - attack.execution # an old one + - attack.t1085 # an old one + - attack.t1070.001 + - 
attack.t1070 # an old one + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one + - car.2016-04-002 diff --git a/rules/windows/process_creation/win_malware_ryuk.yml b/rules/windows/process_creation/win_malware_ryuk.yml index 9e9093561..d5a013d24 100644 --- a/rules/windows/process_creation/win_malware_ryuk.yml +++ b/rules/windows/process_creation/win_malware_ryuk.yml @@ -1,28 +1,28 @@ title: Ryuk Ransomware id: c37510b8-2107-4b78-aa32-72f251e7a844 -status: experimental +status: test description: Detects Ryuk ransomware activity author: Florian Roth -date: 2019/12/16 -modified: 2020/09/01 -tags: - - attack.persistence - - attack.t1547.001 - - attack.t1060 # an old one references: - - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ + - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ +date: 2019/12/16 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'Microsoft\Windows\CurrentVersion\Run' - - 'C:\users\Public\' - condition: selection + selection: + CommandLine|contains|all: + - 'Microsoft\Windows\CurrentVersion\Run' + - 'C:\users\Public\' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.persistence + - attack.t1547.001 + - attack.t1060 # an old one diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index 45961cad4..991f5f3a1 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml 
@@ -1,41 +1,41 @@ title: WScript or CScript Dropper id: cea72823-df4d-4567-950c-0b579eaf0846 -status: experimental +status: test description: Detects wscript/cscript executions of scripts located in user directories author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community date: 2019/01/16 -modified: 2020/09/01 -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 - - attack.defense_evasion # an old one - - attack.t1064 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' - CommandLine|contains: - - 'C:\Users\' - - 'C:\ProgramData\' - selection2: - CommandLine|contains: - - '.jse' - - '.vbe' - - '.js' - - '.vba' - - '.vbs' - falsepositive: - ParentImage|contains: '\winzip' - condition: selection1 and selection2 and not falsepositive + selection1: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + CommandLine|contains: + - 'C:\Users\' + - 'C:\ProgramData\' + selection2: + CommandLine|contains: + - '.jse' + - '.vbe' + - '.js' + - '.vba' + - '.vbs' + falsepositive: + ParentImage|contains: '\winzip' + condition: selection1 and selection2 and not falsepositive fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Winzip - - Other self-extractors + - Winzip + - Other self-extractors level: high +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - attack.defense_evasion # an old one + - attack.t1064 # an old one diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml index fc271bf22..ebba96eab 100644 --- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml 
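Review bot: In `selection2`, `CommandLine|contains: '.js'` also matches `.json` (manifest and config paths under `C:\ProgramData\` are common), and it makes the separate `'.jse'` entry redundant, so the list both over- and under-specifies the script extensions. Anchoring the extension to what follows it, e.g. `CommandLine|re: '\.(js|jse|vbs|vbe|vba)(\"|\s|$)'`, would drop `.json` paths without losing quoted or bare script arguments. The selection named `falsepositive` is also easily confused with the `falsepositives` metadata field; a name such as `filter_winzip` says what it excludes.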
@@ -1,28 +1,28 @@
 title: Trickbot Malware Recon Activity
 id: 410ad193-a728-4107-bc79-4419789fcbf8
-status: experimental
+status: test
 description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
-references:
- - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
- - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 author: David Burkett, Florian Roth
+references:
+ - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
+ - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 date: 2019/12/28
-modified: 2020/11/26
-tags:
- - attack.discovery
- - attack.t1482
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith:
- - '\cmd.exe'
- Image|endswith:
- - '\nltest.exe'
- CommandLine|contains:
- - '/domain_trusts /all_trusts'
- condition: selection
+ selection:
+ ParentImage|endswith:
+ - '\cmd.exe'
+ Image|endswith:
+ - '\nltest.exe'
+ CommandLine|contains:
+ - '/domain_trusts /all_trusts'
+ condition: selection
 falsepositives:
- - Rare System Admin Activity
+ - Rare System Admin Activity
 level: critical
+tags:
+ - attack.discovery
+ - attack.t1482
diff --git a/rules/windows/process_creation/win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/win_malware_trickbot_wermgr.yml
index 6ee77a5ca..e2feabe5b 100644
--- a/rules/windows/process_creation/win_malware_trickbot_wermgr.yml
+++ b/rules/windows/process_creation/win_malware_trickbot_wermgr.yml
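Review bot: The description carried through this hunk still reads `This detectors attempts to identify that activity based off a command`; it should be `This detector attempts to identify that activity based on a command rarely observed in an enterprise network.` Only metadata order changes here, so the wording fix is a one-line follow-up.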
@@ -1,27 +1,28 @@
 title: Trickbot Malware Activity
 id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
-status: experimental
-description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
-references:
- - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
+status: test
+description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
 author: Florian Roth
+references:
+ - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
+ - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 date: 2020/11/26
-tags:
- - attack.execution
- - attack.t1559
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\wermgr.exe'
- ParentImage|endswith:
- - '\rundll32.exe'
- ParentCommandLine|contains:
- - 'DllRegisterServer'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\wermgr.exe'
+ ParentImage|endswith:
+ - '\rundll32.exe'
+ ParentCommandLine|contains:
+ - 'DllRegisterServer'
+ condition: selection
 falsepositives:
- - Unknown
-level: critical
\ No newline at end of file
+ - Unknown
+level: critical
+tags:
+ - attack.execution
+ - attack.t1559
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index 815de36f2..aac188521 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -1,64 +1,64 @@
 title: WannaCry Ransomware
 id: 41d40bff-377a-43e2-8e1b-2e543069e079
-status: experimental
+status: test
 description: Detects WannaCry ransomware activity
-references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
+references:
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 date: 2019/01/16
-modified: 2020/09/01
-tags:
- - attack.lateral_movement
- - attack.t1210
- - attack.discovery
- - attack.t1083
- - attack.defense_evasion
- - attack.t1222.001
- - attack.t1222 # an old one
- - attack.impact
- - attack.t1486
- - attack.t1490
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- - Image|endswith:
- - '\tasksche.exe'
- - '\mssecsvc.exe'
- - '\taskdl.exe'
- - '\taskhsvc.exe'
- - '\taskse.exe'
- - '\111.exe'
- - '\lhdfrgui.exe'
- - '\diskpart.exe'
- - '\linuxnew.exe'
- - '\wannacry.exe'
- - Image|contains: 'WanaDecryptor'
- selection2:
- - CommandLine|contains|all:
- - 'icacls'
- - '/grant'
- - 'Everyone:F'
- - '/T'
- - '/C'
- - '/Q'
- - CommandLine|contains|all:
- - 'bcdedit'
- - '/set'
- - '{default}'
- - 'recoveryenabled'
- - 'no'
- - CommandLine|contains|all:
- - 'wbadmin'
- - 'delete'
- - 'catalog'
- - '-quiet'
- - CommandLine|contains: '@Please_Read_Me@.txt'
- condition: 1 of them
+ selection1:
+ - Image|endswith:
+ - '\tasksche.exe'
+ - '\mssecsvc.exe'
+ - '\taskdl.exe'
+ - '\taskhsvc.exe'
+ - '\taskse.exe'
+ - '\111.exe'
+ - '\lhdfrgui.exe'
+ - '\diskpart.exe'
+ - '\linuxnew.exe'
+ - '\wannacry.exe'
+ - Image|contains: 'WanaDecryptor'
+ selection2:
+ - CommandLine|contains|all:
+ - 'icacls'
+ - '/grant'
+ - 'Everyone:F'
+ - '/T'
+ - '/C'
+ - '/Q'
+ - CommandLine|contains|all:
+ - 'bcdedit'
+ - '/set'
+ - '{default}'
+ - 'recoveryenabled'
+ - 'no'
+ - CommandLine|contains|all:
+ - 'wbadmin'
+ - 'delete'
+ - 'catalog'
+ - '-quiet'
+ - CommandLine|contains: '@Please_Read_Me@.txt'
+ condition: 1 of them
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Diskpart.exe usage to manage partitions on the local hard drive
+ - Diskpart.exe usage to manage partitions on the local hard drive
 level: critical
+tags:
+ - attack.lateral_movement
+ - attack.t1210
+ - attack.discovery
+ - attack.t1083
+ - attack.defense_evasion
+ - attack.t1222.001
+ - attack.t1222 # an old one
+ - attack.impact
+ - attack.t1486
+ - attack.t1490
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index f99d8cfb9..a1ceeef7a 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
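Review bot: `'\diskpart.exe'` sits in `selection1` next to the WannaCry-specific image names, and with `condition: 1 of them` every diskpart launch fires this `level: critical` rule; the `falsepositives` entry already concedes as much. Either drop the `- '\diskpart.exe'` line from `selection1` or pair it with a command-line term so a routine partition-management run does not rate critical. The hunk itself only re-indents and moves `tags`, so this is a pre-existing tuning issue rather than a regression.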
@@ -1,25 +1,25 @@
 title: MavInject Process Injection
 id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
-status: experimental
+status: test
 description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
 author: Florian Roth
+references:
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152
 date: 2018/12/12
-modified: 2020/09/01
-tags:
- - attack.t1055 # an old one
- - attack.t1055.001
- - attack.t1218
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains: ' /INJECTRUNNING '
- condition: selection
+ selection:
+ CommandLine|contains: ' /INJECTRUNNING '
+ condition: selection
 falsepositives:
- - unknown
+ - unknown
 level: critical
+tags:
+ - attack.t1055 # an old one
+ - attack.t1055.001
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 45babd71e..6a3664a42 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
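Review bot: The description names `Mavinject32.exe`, but the selection keys only on `CommandLine|contains: ' /INJECTRUNNING '` with no `Image` clause, so the rule fires on any process whose command line carries that switch, not just the named binary. Either say so in the description, e.g. `description: Detects process injection via the /INJECTRUNNING switch of the signed Windows tool Mavinject (matched on the command line, regardless of image)`, or add an `Image|endswith` clause if your telemetry shows the switch only ever appears on the Mavinject binaries.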
@@ -1,43 +1,43 @@
 title: Mimikatz Command Line
 id: a642964e-bead-4bed-8910-1bb4d63e3b4d
+status: test
 description: Detection well-known mimikatz command line arguments
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2020/09/01
 references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-tags:
- - attack.credential_access
- - attack.t1003 # an old one
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.004
- - attack.t1003.005
- - attack.t1003.006
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+date: 2019/10/22
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_1:
- CommandLine|contains:
- - DumpCreds
- - invoke-mimikatz
- selection_2:
- CommandLine|contains:
- - rpc
- - token
- - crypto
- - dpapi
- - sekurlsa
- - kerberos
- - lsadump
- - privilege
- - process
- selection_3:
- CommandLine|contains:
- - '::'
- condition: selection_1 or selection_2 and selection_3
+ selection_1:
+ CommandLine|contains:
+ - DumpCreds
+ - invoke-mimikatz
+ selection_2:
+ CommandLine|contains:
+ - rpc
+ - token
+ - crypto
+ - dpapi
+ - sekurlsa
+ - kerberos
+ - lsadump
+ - privilege
+ - process
+ selection_3:
+ CommandLine|contains:
+ - '::'
+ condition: selection_1 or selection_2 and selection_3
 falsepositives:
- - Legitimate Administrator using tool for password recovery
+ - Legitimate Administrator using tool for password recovery
 level: medium
-status: experimental
+tags:
+ - attack.credential_access
+ - attack.t1003 # an old one
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.005
+ - attack.t1003.006
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index 70641647f..a5718cb6b 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
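Review bot: `condition: selection_1 or selection_2 and selection_3` relies on `and` binding tighter than `or`; the intended grouping is presumably `selection_1 or (selection_2 and selection_3)`, and writing the parentheses removes the ambiguity for readers and for backends that may differ. The same applies to the inner `reg or powershell_1 and powershell_2` in win_non_priv_reg_or_ps.yml later in this patch. Separately, the description `Detection well-known mimikatz command line arguments` is missing a word and should read `description: Detects well-known mimikatz command line arguments`.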
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -1,37 +1,37 @@
 title: MMC Spawning Windows Shell
 id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
-status: experimental
+status: test
 description: Detects a Windows command line executable started from MMC
 author: Karneades, Swisscom CSIRT
-date: 2019/08/05
-modified: 2020/09/01
 references:
- - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
-tags:
- - attack.lateral_movement
- - attack.t1175 # an old one
- - attack.t1021.003
+ - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+date: 2019/08/05
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\mmc.exe'
- selection2:
- - Image|endswith:
- - '\cmd.exe'
- - '\powershell.exe'
- - '\wscript.exe'
- - '\cscript.exe'
- - '\sh.exe'
- - '\bash.exe'
- - '\reg.exe'
- - '\regsvr32.exe'
- - Image|contains:
- - '\BITSADMIN'
- condition: selection and selection2
+ selection:
+ ParentImage|endswith: '\mmc.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
 fields:
- - CommandLine
- - Image
- - ParentCommandLine
+ - CommandLine
+ - Image
+ - ParentCommandLine
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1175 # an old one
+ - attack.t1021.003
diff --git a/rules/windows/process_creation/win_mouse_lock.yml b/rules/windows/process_creation/win_mouse_lock.yml
index f2ab5ec2a..ffee2ba8c 100644
--- a/rules/windows/process_creation/win_mouse_lock.yml
+++ b/rules/windows/process_creation/win_mouse_lock.yml
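Review bot: This rule has no `falsepositives` section at all — `fields` runs straight into `level: high` — whereas the near-identical MSHTA shell rule in this patch lists printer and HP software. Add `falsepositives:` followed by `  - Unknown` (or the MMC-specific equivalents if any are known) so the field is present and a reader can tell that no tuning has been recorded rather than that none is needed.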
@@ -1,29 +1,30 @@
 title: Mouse Lock Credential Gathering
 id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
-status: experimental
+status: test
 description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
 author: Cian Heasley
 references:
- - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
- - https://sourceforge.net/projects/mouselock/
+ - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
+ - https://sourceforge.net/projects/mouselock/
 date: 2020/08/13
-tags:
- - attack.credential_access
- - attack.collection
- - attack.t1056.002
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection:
- - Product|contains: 'Mouse Lock'
- - Company|contains: 'Misc314'
- - CommandLine|contains: 'Mouse Lock_'
- condition: selection
+ selection:
+ - Product|contains: 'Mouse Lock'
+ - Company|contains: 'Misc314'
+ - CommandLine|contains: 'Mouse Lock_'
+ condition: selection
 fields:
- - Product
- - Company
- - CommandLine
+ - Product
+ - Company
+ - CommandLine
 falsepositives:
- - Legitimate uses of Mouse Lock software
+ - Legitimate uses of Mouse Lock software
 level: medium
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index 5f7818614..2c178ca7e 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
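Review bot: The `Product|contains` and `Company|contains` alternatives depend on PE version-info fields that a given process_creation source may not expose; where they are absent only the `CommandLine|contains: 'Mouse Lock_'` branch can match and the rule narrows silently. A short comment on the selection, e.g. `# Product/Company need PE metadata in the event; without it only the CommandLine term applies`, would tell deployers what coverage they actually get. The hunk only moves `tags` and adds `modified`, so this is documentation of existing behaviour.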
@@ -1,30 +1,29 @@
 title: Mshta JavaScript Execution
 id: 67f113fa-e23d-4271-befa-30113b3e08b1
+status: test
 description: Identifies suspicious mshta.exe commands.
-status: experimental
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2020/09/01
 references:
- - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
-tags:
- - attack.defense_evasion
- - attack.t1170 # an old one
- - attack.t1218.005
+ - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\mshta.exe'
- CommandLine|contains: 'javascript'
- condition: selection
+ selection:
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains: 'javascript'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
+ - ComputerName
+ - User
+ - CommandLine
 falsepositives:
- - unknown
+ - unknown
 level: high
-## todo — add sysmon eid 3 for this rule
+tags:
+ - attack.defense_evasion
+ - attack.t1170 # an old one
+ - attack.t1218.005
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index ad6835d1a..2bdbff9c6 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
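Review bot: The trailing `## todo — add sysmon eid 3 for this rule` comment is deleted without replacement, so the follow-up it tracked disappears from the file while the rule is promoted to `status: test`. If the network-connection correlation is still wanted, keep a note near the top of the rule (the new `tags` block now occupies the end), e.g. `# TODO: pair with a network_connection rule for mshta.exe`; if it has been abandoned, the commit message should say so.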
@@ -1,42 +1,42 @@
 title: MSHTA Spawning Windows Shell
 id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
-status: experimental
+status: test
 description: Detects a Windows command line executable started from MSHTA
-references:
- - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
+references:
+ - https://www.trustedsec.com/july-2015/malicious-htas/
 date: 2019/01/16
-modified: 2020/09/01
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\mshta.exe'
- selection2:
- - Image|endswith:
- - '\cmd.exe'
- - '\powershell.exe'
- - '\wscript.exe'
- - '\cscript.exe'
- - '\sh.exe'
- - '\bash.exe'
- - '\reg.exe'
- - '\regsvr32.exe'
- - Image|contains:
- - '\BITSADMIN'
- condition: selection and selection2
+ selection:
+ ParentImage|endswith: '\mshta.exe'
+ selection2:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - Image|contains:
+ - '\BITSADMIN'
+ condition: selection and selection2
 fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.defense_evasion
- - attack.t1170 # an old one
- - attack.t1218.005
- - car.2013-02-003
- - car.2013-03-001
- - car.2014-04-003
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Printer software / driver installations
- - HP software
+ - Printer software / driver installations
+ - HP software
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1170 # an old one
+ - attack.t1218.005
+ - car.2013-02-003
+ - car.2013-03-001
+ - car.2014-04-003
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 66e14aefd..fe8e125f4 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -1,34 +1,34 @@
 title: Net.exe User Account Creation
 id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
-status: experimental
+status: test
 description: Identifies creation of local users via the net.exe command.
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
 author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
 date: 2018/10/30
-modified: 2020/09/01
-tags:
- - attack.persistence
- - attack.t1136 # an old one
- - attack.t1136.001
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
- CommandLine|contains|all:
- - 'user'
- - 'add'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'user'
+ - 'add'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
+ - ComputerName
+ - User
+ - CommandLine
 falsepositives:
- - Legitimate user creation.
- - Better use event IDs for user creation rather than command line rules.
+ - Legitimate user creation.
+ - Better use event IDs for user creation rather than command line rules.
 level: medium
+tags:
+ - attack.persistence
+ - attack.t1136 # an old one
+ - attack.t1136.001
diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
index 669d07e3a..fc112e749 100644
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@@ -1,33 +1,33 @@
 title: Netsh RDP Port Opening
 id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
+status: test
 description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
-references:
- - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
-date: 2020/05/23
-modified: 2020/09/01
-tags:
- - attack.defense_evasion
- - attack.t1089 # an old one
- - attack.t1562.004
-status: experimental
 author: Sander Wiebing
+references:
+ - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
+date: 2020/05/23
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine|contains|all:
- - netsh
- - firewall add portopening
- - tcp 3389
- selection2:
- CommandLine|contains|all:
- - netsh
- - advfirewall firewall add rule
- - action=allow
- - protocol=TCP
- - localport=3389
- condition: 1 of them
+ selection1:
+ CommandLine|contains|all:
+ - netsh
+ - firewall add portopening
+ - tcp 3389
+ selection2:
+ CommandLine|contains|all:
+ - netsh
+ - advfirewall firewall add rule
+ - action=allow
+ - protocol=TCP
+ - localport=3389
+ condition: 1 of them
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.004
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 9fe41f4c9..82a419946 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
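Review bot: The description retained by this hunk, `Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware`, has a verb agreement slip and repeats "used"; `description: Detects netsh commands that open port 3389 (RDP), as seen in Sarwent malware` says the same thing cleanly. The hunk only reorders metadata, so this is a one-line follow-up.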
@@ -1,28 +1,28 @@
 title: Netsh Port or Application Allowed
 id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
+status: test
 description: Allow Incoming Connections by Port or Application on Windows Firewall
-references:
- - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
- - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
-date: 2019/01/29
-modified: 2020/09/01
-tags:
- - attack.defense_evasion
- - attack.t1089 # an old one
- - attack.t1562.004
-status: experimental
 author: Markus Neis, Sander Wiebing
+references:
+ - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
+ - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+date: 2019/01/29
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: '\netsh.exe'
- selection2:
- CommandLine|contains|all:
- - 'firewall'
- - 'add'
- condition: selection1 and selection2
+ selection1:
+ Image|endswith: '\netsh.exe'
+ selection2:
+ CommandLine|contains|all:
+ - 'firewall'
+ - 'add'
+ condition: selection1 and selection2
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # an old one
+ - attack.t1562.004
diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml
index a765c8aa4..9407b568d 100644
--- a/rules/windows/process_creation/win_netsh_packet_capture.yml
+++ b/rules/windows/process_creation/win_netsh_packet_capture.yml
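Review bot: The first `references` entry, `- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)`, carries free text after the URL, so it is not a clean link and any tooling that validates references as URLs will trip on it; this hunk re-adds it verbatim. Keep `- https://attack.mitre.org/software/S0246/` on its own and move the attribution into the description, e.g. `description: Allow Incoming Connections by Port or Application on Windows Firewall (observed with Lazarus HARDRAIN)`.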
@@ -1,26 +1,26 @@
 title: Capture a Network Trace with netsh.exe
 id: d3c3861d-c504-4c77-ba55-224ba82d0118
-status: experimental
+status: test
 description: Detects capture a network trace via netsh.exe trace functionality
-references:
- - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
 author: Kutepov Anton, oscd.community
+references:
+ - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
 date: 2019/10/24
-modified: 2020/09/01
-tags:
- - attack.discovery
- - attack.credential_access
- - attack.t1040
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains|all:
- - netsh
- - trace
- - start
- condition: selection
-falsepositives:
- - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
+ selection:
+ CommandLine|contains|all:
+ - netsh
+ - trace
+ - start
+ condition: selection
+falsepositives:
+ - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
 level: medium
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.t1040
diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml
index b4f7ebce4..2e7652bfa 100644
--- a/rules/windows/process_creation/win_network_sniffing.yml
+++ b/rules/windows/process_creation/win_network_sniffing.yml
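Review bot: The description `Detects capture a network trace via netsh.exe trace functionality` is ungrammatical; `description: Detects capturing a network trace via the netsh.exe trace functionality` reads correctly. Only metadata order and `modified` change in this hunk, so the wording is a trivial follow-up.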
@@ -1,34 +1,33 @@
 title: Network Sniffing
 id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
-status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
- may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+status: test
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - Image|endswith: '\tshark.exe'
- CommandLine|contains: '-i'
- - Image|endswith: '\windump.exe'
- condition: selection
-falsepositives:
- - Admin activity
+ selection:
+ - Image|endswith: '\tshark.exe'
+ CommandLine|contains: '-i'
+ - Image|endswith: '\windump.exe'
+ condition: selection
 fields:
- - Image
- - CommandLine
- - User
- - LogonGuid
- - Hashes
- - ParentProcessGuid
- - ParentCommandLine
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - Admin activity
 level: low
 tags:
- - attack.credential_access
- - attack.discovery
- - attack.t1040
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index aeb35f836..f9f519e60 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -1,29 +1,29 @@
 title: New Service Creation
 id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
-status: experimental
+status: test
 description: Detects creation of a new service.
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1050 # an old one
- - attack.t1543.003
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - Image|endswith: '\sc.exe'
- CommandLine|contains|all:
- - 'create'
- - 'binpath'
- - Image|endswith: '\powershell.exe'
- CommandLine|contains: 'new-service'
- condition: selection
+ selection:
+ - Image|endswith: '\sc.exe'
+ CommandLine|contains|all:
+ - 'create'
+ - 'binpath'
+ - Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'new-service'
+ condition: selection
 falsepositives:
- - Legitimate administrator or user creates a service for legitimate reasons.
+ - Legitimate administrator or user creates a service for legitimate reasons.
 level: low
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1050 # an old one
+ - attack.t1543.003
diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
index 8ff4bf024..05a1a7959 100644
--- a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml 
@@ -1,45 +1,46 @@
 title: Non-privileged Usage of Reg or Powershell
 id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
+status: test
 description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
-status: experimental
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 date: 2020/10/05
-references:
- - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
-tags:
- - attack.defense_evasion
- - attack.t1112
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- integrity_level:
- IntegrityLevel: 'Medium'
- reg:
- CommandLine|contains|all:
- - 'reg'
- - 'add'
- powershell_1:
- CommandLine|contains: 'powershell'
- powershell_2:
- CommandLine|contains:
- - 'set-itemproperty'
- - ' sp '
- - 'new-itemproperty'
- registry_folder:
- CommandLine|contains|all:
- - 'ControlSet'
- - 'Services'
- registry_key:
- CommandLine|contains:
- - 'ImagePath'
- - 'FailureCommand'
- - 'ServiceDLL'
- condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
+ CommandLine|contains:
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ registry_folder:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - 'Services'
+ registry_key:
+ CommandLine|contains:
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
 fields:
- - EventID
- - IntegrityLevel
- - CommandLine
+ - EventID
+ - IntegrityLevel
+ - CommandLine
 falsepositives:
- - Unknown
-level: high
\ No newline at end of file
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index e1f5ea7c3..e06da5ede 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
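Review bot: The description keeps the misspelling `non-priveleged`; it should read `description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry`. Since the rule is being promoted to `status: test` in this hunk, it is a good moment to fix the wording that a `title`/`description` search would otherwise miss.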
@@ -1,56 +1,56 @@ title: Microsoft Office Product Spawning Windows Shell id: 438025f9-5856-4663-83f7-52f878a70a50 -status: experimental +status: test description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html -tags: - - attack.execution - - attack.t1204 # an old one - - attack.t1204.002 author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html date: 2018/04/06 -modified: 2020/09/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: - - '\WINWORD.EXE' - - '\EXCEL.EXE' - - '\POWERPNT.exe' - - '\MSPUB.exe' - - '\VISIO.exe' - - '\OUTLOOK.EXE' - - '\MSACCESS.EXE' - - '\EQNEDT32.EXE' - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\sh.exe' - - '\bash.exe' - - '\scrcons.exe' - - '\schtasks.exe' - - '\regsvr32.exe' - - '\hh.exe' - - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '\mshta.exe' - - '\rundll32.exe' - - '\msiexec.exe' - - '\forfiles.exe' - - '\scriptrunner.exe' - - '\mftrace.exe' - - '\AppVLP.exe' - - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - condition: selection + selection: + ParentImage|endswith: + - '\WINWORD.EXE' + - '\EXCEL.EXE' + - '\POWERPNT.exe' + - 
'\MSPUB.exe' + - '\VISIO.exe' + - '\OUTLOOK.EXE' + - '\MSACCESS.EXE' + - '\EQNEDT32.EXE' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\scrcons.exe' + - '\schtasks.exe' + - '\regsvr32.exe' + - '\hh.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ + - '\mshta.exe' + - '\rundll32.exe' + - '\msiexec.exe' + - '\forfiles.exe' + - '\scriptrunner.exe' + - '\mftrace.exe' + - '\AppVLP.exe' + - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html + - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: high +tags: + - attack.execution + - attack.t1204 # an old one + - attack.t1204.002 diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 6ebbdd452..604cf1171 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml 
@@ -1,42 +1,42 @@ title: Possible Applocker Bypass id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 +status: test description: Detects execution of executables that can be used to bypass Applocker whitelisting -status: experimental -references: - - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md author: juju4 +references: + - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt + - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md date: 2019/01/16 -modified: 2020/09/01 -tags: - - attack.defense_evasion - - attack.t1118 # an old one - - attack.t1218.004 - - attack.t1121 # an old one - - attack.t1218.009 - - attack.t1127 # an old one - - attack.t1127.001 - - attack.t1170 # an old one - - attack.t1218.005 - - attack.t1218 # no way to map 1:1, so the technique level is required +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - '\msdt.exe' - - '\installutil.exe' - - '\regsvcs.exe' - - '\regasm.exe' + selection: + CommandLine|contains: + - '\msdt.exe' + - '\installutil.exe' + - '\regsvcs.exe' + - '\regasm.exe' # - '\regsvr32.exe' # too many FPs, very noisy - - '\msbuild.exe' - - '\ieexec.exe' + - '\msbuild.exe' + - '\ieexec.exe' #- '\mshta.exe' #- '\csc.exe' - condition: selection + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment - - Using installutil to add features for .NET applications (primarily would occur in developer environments) + - False positives depend on scripts 
and administrative tools used in the monitored environment + - Using installutil to add features for .NET applications (primarily would occur in developer environments) level: low +tags: + - attack.defense_evasion + - attack.t1118 # an old one + - attack.t1218.004 + - attack.t1121 # an old one + - attack.t1218.009 + - attack.t1127 # an old one + - attack.t1127.001 + - attack.t1170 # an old one + - attack.t1218.005 + - attack.t1218 # no way to map 1:1, so the technique level is required diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml index 23f128415..09998eae9 100644 --- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml 
@@ -1,28 +1,28 @@ title: Powershell AMSI Bypass via .NET Reflection id: 30edb182-aa75-42c0-b0a9-e998bb29067c -status: experimental +status: test description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning -references: - - https://twitter.com/mattifestation/status/735261176745988096 - - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 -tags: - - attack.defense_evasion - - attack.t1089 # an old one - - attack.t1562.001 author: Markus Neis +references: + - https://twitter.com/mattifestation/status/735261176745988096 + - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 date: 2018/08/17 -modified: 2020/09/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: - - 'System.Management.Automation.AmsiUtils' - selection2: - CommandLine|contains: - - 'amsiInitFailed' - condition: selection1 and selection2 + selection1: + CommandLine|contains: + - 'System.Management.Automation.AmsiUtils' + selection2: + CommandLine|contains: + - 'amsiInitFailed' + condition: selection1 and selection2 falsepositives: - - Potential Admin Activity + - Potential Admin Activity level: high +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml index 4d5a7beba..1704c176f 100644 --- a/rules/windows/process_creation/win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml 
@@ -1,23 +1,23 @@ title: Audio Capture via PowerShell id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 +status: test description: Detects audio capture via PowerShell Cmdlet. -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -date: 2019/10/24 -modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html -tags: - - attack.collection - - attack.t1123 -detection: - selection: - CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' - condition: selection -falsepositives: - - Legitimate audio capture by legitimate user. -level: medium + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md + - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html +date: 2019/10/24 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' + condition: selection +falsepositives: + - Legitimate audio capture by legitimate user. +level: medium +tags: + - attack.collection + - attack.t1123 diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml index 48b87eab2..501329f24 100644 --- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml 
@@ -1,26 +1,26 @@ title: PowerShell Base64 Encoded Shellcode id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8 +status: test description: Detects Base64 encoded Shellcode -status: experimental -references: - - https://twitter.com/cyb3rops/status/1063072865992523776 author: Florian Roth +references: + - https://twitter.com/cyb3rops/status/1063072865992523776 date: 2018/11/17 -modified: 2020/09/01 -tags: - - attack.defense_evasion - - attack.t1027 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: 'AAAAYInlM' - selection2: - CommandLine|contains: - - 'OiCAAAAYInlM' - - 'OiJAAAAYInlM' - condition: selection1 and selection2 + selection1: + CommandLine|contains: 'AAAAYInlM' + selection2: + CommandLine|contains: + - 'OiCAAAAYInlM' + - 'OiJAAAAYInlM' + condition: selection1 and selection2 falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yml b/rules/windows/process_creation/win_powershell_bitsjob.yml index 75b022b37..3e7d95137 100644 --- a/rules/windows/process_creation/win_powershell_bitsjob.yml +++ b/rules/windows/process_creation/win_powershell_bitsjob.yml 
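Review bot: `condition: selection1 and selection2` is equivalent to `selection2` alone, because both selection2 values ('OiCAAAAYInlM' and 'OiJAAAAYInlM') already contain the selection1 substring 'AAAAYInlM'. This is pre-existing and not touched by the reorder, but since the block is re-indented anyway, either drop selection1 or add a why-comment on it such as `# 'AAAAYInlM' is the shared fragment; selection2 narrows to the known prologue variants` so the next reader does not assume the conjunction tightens the match.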
@@ -1,29 +1,29 @@ title: Suspicious Bitsadmin Job via PowerShell id: f67dbfce-93bc-440d-86ad-a95ae8858c90 -status: experimental +status: test description: Detect download by BITS jobs via PowerShell -references: - - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md author: Endgame, JHasenbusch (ported to sigma for oscd.community) +references: + - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md date: 2018/10/30 -modified: 2019/11/11 -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1197 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\powershell.exe' - CommandLine|contains: 'Start-BitsTransfer' - condition: selection + selection: + Image|endswith: '\powershell.exe' + CommandLine|contains: 'Start-BitsTransfer' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unknown + - Unknown level: medium +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1197 diff --git a/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml index a652304e2..1a7f97594 100644 --- a/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml +++ b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml 
@@ -1,51 +1,52 @@ title: Suspicious PowerShell Cmdline id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 +status: test description: Detects the PowerShell command lines with reversed strings -status: experimental -references: - - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community +references: + - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 date: 2020/10/11 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'hctac' - - 'kearb' - - 'dnammoc' - - 'ekovn' - - 'eliFd' - - 'rahc' - - 'etirw' - - 'golon' - - 'tninon' - - 'eddih' - - 'tpircS' - - 'ssecorp' - - 'llehsrewop' - - 'esnopser' - - 'daolnwod' - - 'tneilCbeW' - - 'tneilc' - - 'ptth' - - 'elifotevas' - - '46esab' - - 'htaPpmeTteG' - - 'tcejbO' - - 'maerts' - - 'hcaerof' - - 'ekovni' - - 'retupmoc' - condition: selection + selection: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'hctac' + - 'kearb' + - 'dnammoc' + - 'ekovn' + - 'eliFd' + - 'rahc' + - 'etirw' + - 'golon' + - 'tninon' + - 'eddih' + - 'tpircS' + - 'ssecorp' + - 'llehsrewop' + - 'esnopser' + - 'daolnwod' + - 'tneilCbeW' + - 'tneilc' + - 'ptth' + - 'elifotevas' + - '46esab' + - 'htaPpmeTteG' + - 'tcejbO' + - 'maerts' + - 'hcaerof' + - 'ekovni' + - 'retupmoc' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 
diff --git a/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml index d4c131fb2..f739a789d 100644 --- a/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml 
@@ -1,36 +1,37 @@ title: Suspicious PowerShell Command Line id: d7bcd677-645d-4691-a8d4-7a5602b780d1 +status: test description: Detects the PowerShell command lines with special characters -status: experimental -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 date: 2020/10/15 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\powershell.exe' - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' - selection2: - Image|endswith: '\powershell.exe' - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' - selection3: - Image|endswith: '\powershell.exe' - CommandLine|re: '.*{.*{.*{.*{.*{.*' - selection4: - Image|endswith: '\powershell.exe' - CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' - selection5: - Image|endswith: '\powershell.exe' - CommandLine|re: '.*`.*`.*`.*`.*`.*' - condition: selection1 or selection2 or selection3 or selection4 or selection5 + selection1: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' + selection2: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' + selection3: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*{.*{.*{.*{.*{.*' + selection4: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' + selection5: + Image|endswith: '\powershell.exe' + CommandLine|re: '.*`.*`.*`.*`.*`.*' + condition: selection1 or selection2 or selection3 or selection4 or selection5 falsepositives: - - Unlikely + - Unlikely level: high +tags: + - attack.defense_evasion + - 
attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml index 6bfa956ee..9448e1ec9 100644 --- a/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml 
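Review bot: selection2 (ten `\{` occurrences) is strictly implied by selection3 (five `{` occurrences), so in `selection1 or selection2 or selection3 or selection4 or selection5` the selection2 branch never contributes a match on its own and can be removed or commented as intentional. The wrapping `.*` at both ends of every `CommandLine|re` value also adds nothing if the backend performs an unanchored regex search, which is the usual behaviour for the `re` modifier but worth confirming against the targets this repository compiles to. Neither point is introduced by this commit; the hunk only re-indents the detection block and moves `tags`.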
@@ -1,55 +1,56 @@ title: Encoded PowerShell Command Line id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f +status: test description: Detects specific combinations of encoding methods in the PowerShell command lines -status: experimental -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 date: 2020/10/11 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\powershell.exe' - CommandLine|contains|all: - - 'char' - - 'join' - selection2: - Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'ToInt' - - 'ToDecimal' - - 'ToByte' - - 'ToUint' - - 'ToSingle' - - 'ToSByte' - selection3: - Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'ToChar' - - 'ToString' - - 'String' - selection4: - Image|endswith: '\powershell.exe' - CommandLine|contains|all: - - 'split' - - 'join' - selection5: - Image|endswith: '\powershell.exe' - CommandLine|contains|all: - - 'ForEach' - - 'Xor' - selection6: - Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'cOnvErTTO-SECUreStRIng' - condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 + selection1: + Image|endswith: '\powershell.exe' + CommandLine|contains|all: + - 'char' + - 'join' + selection2: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'ToInt' + - 'ToDecimal' + - 'ToByte' + - 'ToUint' + - 'ToSingle' + - 'ToSByte' + selection3: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'ToChar' + - 'ToString' + - 'String' + selection4: + Image|endswith: '\powershell.exe' + CommandLine|contains|all: + - 'split' + - 'join' + selection5: + 
Image|endswith: '\powershell.exe' + CommandLine|contains|all: + - 'ForEach' + - 'Xor' + selection6: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'cOnvErTTO-SECUreStRIng' + condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - - Unlikely + - Unlikely level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml index 4478fccdf..4fc137225 100644 --- a/rules/windows/process_creation/win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml 
@@ -1,31 +1,31 @@ title: Detection of PowerShell Execution via DLL id: 6812a10b-60ea-420c-832f-dfcc33b646ba -status: experimental +status: test description: Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll -references: - - https://github.com/p3nt4/PowerShdll/blob/master/README.md -tags: - - attack.defense_evasion - - attack.t1085 # an old one - - attack.t1218.011 author: Markus Neis +references: + - https://github.com/p3nt4/PowerShdll/blob/master/README.md date: 2018/08/25 -modified: 2020/09/01 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: - - '\rundll32.exe' - selection2: - Description|contains: - - 'Windows-Hostprozess (Rundll32)' - selection3: - CommandLine|contains: - - 'Default.GetString' - - 'FromBase64String' - condition: (selection1 or selection2) and selection3 + selection1: + Image|endswith: + - '\rundll32.exe' + selection2: + Description|contains: + - 'Windows-Hostprozess (Rundll32)' + selection3: + CommandLine|contains: + - 'Default.GetString' + - 'FromBase64String' + condition: (selection1 or selection2) and selection3 falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1085 # an old one + - attack.t1218.011 diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml index ad2e78877..547b6d119 100644 --- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml +++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml 
@@ -1,34 +1,35 @@ title: PowerShell Downgrade Attack id: b3512211-c67e-4707-bedc-66efc7848863 related: - - id: 6331d09b-4785-4c13-980f-f96661356249 - type: derived -status: experimental + - id: 6331d09b-4785-4c13-980f-f96661356249 + type: derived +status: test description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 -references: - - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ -tags: - - attack.defense_evasion - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 author: Harish Segar (rule) +references: + - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ date: 2020/03/20 -falsepositives: - - Penetration Test - - Unknown -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - ' -version 2 ' - - ' -versio 2 ' - - ' -versi 2 ' - - ' -vers 2 ' - - ' -ver 2 ' - - ' -ve 2 ' - Image|endswith: '\powershell.exe' - condition: selection + selection: + CommandLine|contains: + - ' -version 2 ' + - ' -versio 2 ' + - ' -versi 2 ' + - ' -vers 2 ' + - ' -ver 2 ' + - ' -ve 2 ' + Image|endswith: '\powershell.exe' + condition: selection +falsepositives: + - Penetration Test + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.execution + - attack.t1086 # an old one + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index 3db56ae97..37b1e3235 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml 
@@ -1,30 +1,31 @@ title: PowerShell Download from URL id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 -status: experimental +status: test description: Detects a Powershell process that contains download commands in its command line string author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/01/16 -tags: - - attack.t1086 # an old one - - attack.execution - - attack.t1059.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\powershell.exe' - CommandLine|contains|all: - - 'new-object' - - 'net.webclient).' - - 'download' - CommandLine|contains: - - 'string(' - - 'file(' - condition: selection + selection: + Image|endswith: '\powershell.exe' + CommandLine|contains|all: + - 'new-object' + - 'net.webclient).' + - 'download' + CommandLine|contains: + - 'string(' + - 'file(' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: medium +tags: + - attack.t1086 # an old one + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_frombase64string.yml b/rules/windows/process_creation/win_powershell_frombase64string.yml index d0abc07e5..236403920 100644 --- a/rules/windows/process_creation/win_powershell_frombase64string.yml +++ b/rules/windows/process_creation/win_powershell_frombase64string.yml 
@@ -1,24 +1,24 @@ title: FromBase64String Command Line id: e32d4572-9826-4738-b651-95fa63747e8a -status: experimental +status: test description: Detects suspicious FromBase64String expressions in command line arguments -references: - - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 author: Florian Roth +references: + - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 date: 2020/01/29 -modified: 2020/09/06 -tags: - - attack.t1027 - - attack.defense_evasion - - attack.t1140 - - attack.t1059.001 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: '::FromBase64String(' - condition: selection + selection: + CommandLine|contains: '::FromBase64String(' + condition: selection falsepositives: - - Administrative script libraries + - Administrative script libraries level: high +tags: + - attack.t1027 + - attack.defense_evasion + - attack.t1140 + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index b422d6159..cdbf19a7c 100644 --- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml 
@@ -1,65 +1,65 @@ title: Suspicious PowerShell Parameter Substring id: 36210e0d-5b19-485d-a087-c096088885f0 -status: experimental +status: test description: Detects suspicious PowerShell invocation with a parameter substring -references: - - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier -tags: - - attack.execution - - attack.t1086 # an old one - - attack.t1059.001 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) +references: + - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier date: 2019/01/16 -modified: 2020/07/14 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\Powershell.exe' - CommandLine|contains: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: selection + selection: + Image|endswith: + - '\Powershell.exe' + CommandLine|contains: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' 
-NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' -noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection falsepositives: - - Penetration tests + - Penetration tests level: high +tags: + - attack.execution + - attack.t1086 # an old one + - attack.t1059.001 diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index 28bfaebbf..a218ecf5e 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml 
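Review bot: The entry `' -win h'` (no trailing space) is a substring of every later `' -win h '`, `' -win hi '`, `' -win hid '`, `' -win hidd '` and `' -win hidde '` entry, so those five lines are redundant under `contains` semantics; the same applies to `' -windowstyl h'` versus `' -windowstyle h '` where the trailing-space convention is inconsistent. If the missing trailing space is deliberate (to catch the parameter followed by anything), a short comment on that line would make it clear; otherwise normalise all entries to the `' -xxx h '` form. This is pre-existing content that the hunk only re-indents.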
@@ -1,29 +1,29 @@ title: Suspicious XOR Encoded PowerShell Command Line id: bb780e0c-16cf-4383-8383-1e5471db6cf9 +status: test description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. -status: experimental author: Sami Ruohonen, Harish Segar (improvement) date: 2018/09/05 -modified: 2020/09/06 -tags: - - attack.defense_evasion - - attack.t1086 # an old one - - attack.t1059.001 - - attack.t1140 - - attack.t1027 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Description: "Windows PowerShell" - - Product: "PowerShell Core 6" - filter: - CommandLine|contains: - - "bxor" - - "join" - - "char" - condition: selection and filter + selection: + - Description: "Windows PowerShell" + - Product: "PowerShell Core 6" + filter: + CommandLine|contains: + - "bxor" + - "join" + - "char" + condition: selection and filter falsepositives: - - unknown + - unknown level: medium +tags: + - attack.defense_evasion + - attack.t1086 # an old one + - attack.t1059.001 + - attack.t1140 + - attack.t1027 diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml index 4f722ef26..32304fcde 100644 --- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml 
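Review bot: The `filter` selection uses `CommandLine|contains:` with a list, which is OR semantics in Sigma, so any PowerShell command line containing just `char` or `join` satisfies `selection and filter` — that is much broader than the description "includes bxor command" suggests. If the intent is bxor plus a helper, `CommandLine|contains|all:` (or a separate `bxor` selection ANDed with the helper list) would match the description; if the broad match is intended, the description should say so. Naming the positive selection `filter` is also misleading, since `filter` is conventionally used for exclusions in this repository. The commit only re-indents these lines and moves `tags`, so the semantics are pre-existing.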
@@ -1,47 +1,48 @@
 title: Default PowerSploit and Empire Schtasks Persistence
 id: 56c217c3-2de2-479b-990f-5c109ba8458f
-status: experimental
+status: test
 description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-references:
- - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
- - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
- - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
 author: Markus Neis, @Karneades
+references:
+ - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
+ - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
+ - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
 date: 2018/03/06
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection1:
- ParentImage|endswith: '\powershell.exe'
- Image|endswith: '\schtasks.exe'
- CommandLine|contains|all:
- - '/Create'
- - '/SC'
- selection2:
- CommandLine|contains:
- - 'ONLOGON'
- - 'DAILY'
- - 'ONIDLE'
- - 'Updater'
- CommandLine|contains|all:
- - '/TN'
- - 'Updater'
- - '/TR'
- - 'powershell'
- condition: selection1 and selection2
-tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053 # an old one
- - attack.t1086 # an old one
- - attack.s0111
- - attack.g0022
- - attack.g0060
- - car.2013-08-001
- - attack.t1053.005
- - attack.t1059.001
+ selection1:
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ selection2:
+ CommandLine|contains:
+ - 'ONLOGON'
+ - 'DAILY'
+ - 'ONIDLE'
+ - 'Updater'
+ CommandLine|contains|all:
+ - '/TN'
+ - 'Updater'
+ - '/TR'
+ - 'powershell'
+ condition: selection1 and selection2
 falsepositives:
- - False positives are possible, depends on organisation and processes
+ - False positives are possible, depends on organisation and processes
 level: high
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053 # an old one
+ - attack.t1086 # an old one
+ - attack.s0111
+ - attack.g0022
+ - attack.g0060
+ - car.2013-08-001
+ - attack.t1053.005
+ - attack.t1059.001
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index 2594a7efc..c854fac36 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -1,22 +1,22 @@
 title: PsExec Service Start
 id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
+status: test
 description: Detects a PsExec service start
-status: experimental
 author: Florian Roth
 date: 2018/03/13
-modified: 2012/12/11
-tags:
- - attack.execution
- - attack.t1035 # an old one
- - attack.s0029
- - attack.t1569.002
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine: C:\Windows\PSEXESVC.exe
- condition: selection
+ selection:
+ CommandLine: C:\Windows\PSEXESVC.exe
+ condition: selection
 falsepositives:
- - Administrative activity
+ - Administrative activity
 level: low
+tags:
+ - attack.execution
+ - attack.t1035 # an old one
+ - attack.s0029
+ - attack.t1569.002
diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml
index 937c4dbc2..23ff4c3d5 100644
--- a/rules/windows/process_creation/win_query_registry.yml
+++ b/rules/windows/process_creation/win_query_registry.yml
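Review bot: In `selection2`, the `'Updater'` entry of the `CommandLine|contains` list makes the rest of that list ineffective: the sibling `CommandLine|contains|all` in the same map already requires `'Updater'`, so the OR list is satisfied whenever the ALL list is, and `ONLOGON`/`DAILY`/`ONIDLE` never constrain the match. If the schedule keywords are meant to be required, drop `- 'Updater'` from the first list; if they are not, the first list can be removed entirely so the rule reads as what it actually tests.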
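Review bot: `CommandLine: C:\Windows\PSEXESVC.exe` is an exact match on the whole command line, so it presumably misses a PsExec service started from a system root other than `C:\Windows` or with any additional characters on the command line. `CommandLine|endswith: '\PSEXESVC.exe'` keeps the intent while tolerating the path prefix, and an `Image|endswith` clause would be the more robust field where the log source supplies it.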
@@ -1,45 +1,45 @@
 title: Query Registry
 id: 970007b7-ce32-49d0-a4a4-fbef016950bd
-status: experimental
+status: test
 description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_1:
- Image|endswith: '\reg.exe'
- CommandLine|contains:
- - 'query'
- - 'save'
- - 'export'
- selection_2:
- CommandLine|contains:
- - 'currentVersion\windows'
- - 'currentVersion\runServicesOnce'
- - 'currentVersion\runServices'
- - 'winlogon\'
- - 'currentVersion\shellServiceObjectDelayLoad'
- - 'currentVersion\runOnce'
- - 'currentVersion\runOnceEx'
- - 'currentVersion\run'
- - 'currentVersion\policies\explorer\run'
- - 'currentcontrolset\services'
- condition: selection_1 and selection_2
+ selection_1:
+ Image|endswith: '\reg.exe'
+ CommandLine|contains:
+ - 'query'
+ - 'save'
+ - 'export'
+ selection_2:
+ CommandLine|contains:
+ - 'currentVersion\windows'
+ - 'currentVersion\runServicesOnce'
+ - 'currentVersion\runServices'
+ - 'winlogon\'
+ - 'currentVersion\shellServiceObjectDelayLoad'
+ - 'currentVersion\runOnce'
+ - 'currentVersion\runOnceEx'
+ - 'currentVersion\run'
+ - 'currentVersion\policies\explorer\run'
+ - 'currentcontrolset\services'
+ condition: selection_1 and selection_2
 fields:
- - Image
- - CommandLine
- - User
- - LogonGuid
- - Hashes
- - ParentProcessGuid
- - ParentCommandLine
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
 level: low
 tags:
- - attack.discovery
- - attack.t1012
- - attack.t1007
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml
index fef616b20..3dc9e1ad2 100644
--- a/rules/windows/process_creation/win_rasautou_dll_execution.yml
+++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml
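Review bot: Several entries of `selection_2` are redundant under `CommandLine|contains`: `'currentVersion\run'` is a substring of `'currentVersion\runOnce'`, `'currentVersion\runOnceEx'`, `'currentVersion\runServices'` and `'currentVersion\runServicesOnce'`, so those four lines never add a match. Either keep only `- 'currentVersion\run'` or mark the intent with a comment such as `- 'currentVersion\run' # also covers the runOnce/runServices variants` so the next maintainer does not assume the list is exhaustive.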
@@ -1,30 +1,31 @@
 title: DLL Execution via Rasautou.exe
 id: cd3d1298-eb3b-476c-ac67-12847de55813
-description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-status: experimental
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
- - https://github.com/fireeye/DueDLLigence
- - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+status: test
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
 author: Julia Fomina, oscd.community
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
 date: 2020/10/09
-tags:
- - attack.defense_evasion
- - attack.t1218
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
- definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
 detection:
- use_rasautou:
- Image|endswith: '\rasautou.exe'
- remaned_rasautou:
- OriginalFileName: 'rasdlui.exe'
- special_keys:
- CommandLine|contains|all:
- - '-d'
- - '-p'
- condition: (use_rasautou or remaned_rasautou) and special_keys
-level: medium
+ use_rasautou:
+ Image|endswith: '\rasautou.exe'
+ remaned_rasautou:
+ OriginalFileName: 'rasdlui.exe'
+ special_keys:
+ CommandLine|contains|all:
+ - '-d'
+ - '-p'
+ condition: (use_rasautou or remaned_rasautou) and special_keys
 falsepositives:
- - Unlikely
+ - Unlikely
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
index 9cf11c050..0eb38e8a5 100644
--- a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
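Review bot: The selection name `remaned_rasautou`, also referenced in `condition:`, is a typo of `renamed_rasautou`; it is carried over from the old side, and since this hunk re-indents both lines it is the natural moment to fix them: `renamed_rasautou:` and `condition: (use_rasautou or renamed_rasautou) and special_keys`. The `definition:` value is one very long line; a folded scalar (`definition: >`) with the same text on wrapped lines would keep it readable without changing its content.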
@@ -1,25 +1,25 @@
 title: MSTSC Shadowing
 id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
+status: test
 description: Detects RDP session hijacking by using MSTSC shadowing
-status: experimental
 author: Florian Roth
-date: 2020/01/24
-modified: 2020/09/06
 references:
- - https://twitter.com/kmkz_security/status/1220694202301976576
- - https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
-tags:
- - attack.lateral_movement
- - attack.t1563.002
+ - https://twitter.com/kmkz_security/status/1220694202301976576
+ - https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet
+date: 2020/01/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains|all:
- - 'noconsentprompt'
- - 'shadow:'
- condition: selection
+ selection:
+ CommandLine|contains|all:
+ - 'noconsentprompt'
+ - 'shadow:'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1563.002
diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
index a9ca7e3e8..27e8145f1 100644
--- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -1,32 +1,32 @@
 title: RedMimicry Winnti Playbook Execute
 id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
+status: test
 description: Detects actions caused by the RedMimicry Winnti playbook
-status: experimental
-references:
- - https://redmimicry.com
 author: Alexander Rausch
+references:
+ - https://redmimicry.com
 date: 2020/06/24
-modified: 2020/09/06
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1059 # an old one
- - attack.t1106
- - attack.t1059.003
- - attack.t1218.011
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection:
- Image|contains:
- - rundll32.exe
- - cmd.exe
- CommandLine|contains:
- - gthread-3.6.dll
- - \Windows\Temp\tmp.bat
- - sigcmm-2.4.dll
- condition: selection
+ selection:
+ Image|contains:
+ - rundll32.exe
+ - cmd.exe
+ CommandLine|contains:
+ - gthread-3.6.dll
+ - \Windows\Temp\tmp.bat
+ - sigcmm-2.4.dll
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059 # an old one
+ - attack.t1106
+ - attack.t1059.003
+ - attack.t1218.011
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
index 472265a7c..190c93309 100644
--- a/rules/windows/process_creation/win_regedit_export_critical_keys.yml
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
@@ -1,35 +1,36 @@
 title: Exports Critical Registry Keys To a File
 id: 82880171-b475-4201-b811-e9c826cd5eaa
-status: experimental
+status: test
 description: Detects the export of a crital Registry key to a file.
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-tags:
- - attack.exfiltration
- - attack.t1012
 author: Oddvar Moe, Sander Wiebing, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 date: 2020/10/12
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\regedit.exe'
- CommandLine|contains: ' /E '
- selection_2:
- CommandLine|contains:
- - 'hklm'
- - 'hkey_local_machine'
- selection_3:
- CommandLine|endswith:
- - '\system'
- - '\sam'
- - '\security'
- condition: selection and selection_2 and selection_3
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ selection_2:
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ selection_3:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and selection_2 and selection_3
 fields:
- - ParentImage
- - CommandLine
+ - ParentImage
+ - CommandLine
 falsepositives:
- - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+ - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
 level: high
+tags:
+ - attack.exfiltration
+ - attack.t1012
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
index e3454faf4..234a98384 100644
--- a/rules/windows/process_creation/win_regedit_export_keys.yml
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
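Review bot: The re-indented `description:` and `falsepositives:` lines carry two typos onto the new side: `crital` should be `critical` and `purpouse` should be `purpose`, i.e. `description: Detects the export of a critical Registry key to a file.` and `- Dumping hives for legitimate purpose i.e. backup or forensic investigation`. Since the hunk already rewrites both lines, fixing the spelling here costs nothing.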
@@ -1,35 +1,36 @@
 title: Exports Registry Key To a File
 id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
-status: experimental
+status: test
 description: Detects the export of the target Registry key to a file.
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-tags:
- - attack.exfiltration
- - attack.t1012
 author: Oddvar Moe, Sander Wiebing, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 date: 2020/10/07
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\regedit.exe'
- CommandLine|contains: ' /E '
- filter_1: # filters to avoid intersection with critical keys rule
- CommandLine|contains:
- - 'hklm'
- - 'hkey_local_machine'
- filter_2:
- CommandLine|endswith:
- - '\system'
- - '\sam'
- - '\security'
- condition: selection and not (filter_1 and filter_2)
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ filter_1: # filters to avoid intersection with critical keys rule
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ filter_2:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and not (filter_1 and filter_2)
 fields:
- - ParentImage
- - CommandLine
+ - ParentImage
+ - CommandLine
 falsepositives:
- - Legitimate export of keys
+ - Legitimate export of keys
 level: low
+tags:
+ - attack.exfiltration
+ - attack.t1012
diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
index ff27028ab..e2891d042 100644
--- a/rules/windows/process_creation/win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -1,35 +1,36 @@
 title: Imports Registry Key From a File
 id: 73bba97f-a82d-42ce-b315-9182e76c57b1
-status: experimental
+status: test
 description: Detects the import of the specified file to the registry with regedit.exe.
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-tags:
- - attack.t1112
- - attack.defense_evasion
 author: Oddvar Moe, Sander Wiebing, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 date: 2020/10/07
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\regedit.exe'
- CommandLine|contains:
- - ' /i '
- - '.reg'
- filter:
- CommandLine|contains:
- - ' /e '
- - ' /a '
- - ' /c '
- filter_2:
- CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule
- condition: selection and not filter and not filter_2
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
 fields:
- - ParentImage
- - CommandLine
+ - ParentImage
+ - CommandLine
 falsepositives:
- - Legitimate import of keys
+ - Legitimate import of keys
 level: medium
+tags:
+ - attack.t1112
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
index 30fac38cd..8a77ab4f9 100644
--- a/rules/windows/process_creation/win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
@@ -1,35 +1,36 @@
 title: Imports Registry Key From an ADS
 id: 0b80ade5-6997-4b1d-99a1-71701778ea61
-status: experimental
+status: test
 description: Detects the import of a alternate datastream to the registry with regedit.exe.
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-tags:
- - attack.t1112
- - attack.defense_evasion
 author: Oddvar Moe, Sander Wiebing, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 date: 2020/10/12
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\regedit.exe'
- CommandLine|contains:
- - ' /i '
- - '.reg'
- selection_2:
- CommandLine|re: ':[^ \\\\]'
- filter:
- CommandLine|contains:
- - ' /e '
- - ' /a '
- - ' /c '
- condition: selection and selection_2 and not filter
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\\\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
 fields:
- - ParentImage
- - CommandLine
+ - ParentImage
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.t1112
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml
index a679a6829..bfd45abd4 100644
--- a/rules/windows/process_creation/win_remote_time_discovery.yml
+++ b/rules/windows/process_creation/win_remote_time_discovery.yml
@@ -1,30 +1,30 @@
 title: Discovery of a System Time
 id: b243b280-65fe-48df-ba07-6ddea7646427
+status: test
 description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system."
-status: experimental
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
 references:
- - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
-tags:
- - attack.discovery
- - attack.t1124
+ - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - Image|endswith:
- - '\net.exe'
- - '\net1.exe'
- CommandLine|contains: 'time'
- - Image|endswith: '\w32tm.exe'
- CommandLine|contains: 'tz'
- - Image|endswith: '\powershell.exe'
- CommandLine|contains: 'Get-Date'
- condition: selection
+ selection:
+ - Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'time'
+ - Image|endswith: '\w32tm.exe'
+ CommandLine|contains: 'tz'
+ - Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Get-Date'
+ condition: selection
 falsepositives:
- - Legitimate use of the system utilities to discover system time for legitimate reason
+ - Legitimate use of the system utilities to discover system time for legitimate reason
 level: low
+tags:
+ - attack.discovery
+ - attack.t1124
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index 155b10d05..84dbbbf99 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml 
@@ -1,67 +1,67 @@
 title: Renamed Binary
 id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
-status: experimental
+status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
-date: 2019/06/15
-modified: 2020/09/06
 references:
- - https://attack.mitre.org/techniques/T1036/
- - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
-tags:
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+ - https://attack.mitre.org/techniques/T1036/
+ - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
+ - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
+date: 2019/06/15
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- OriginalFileName:
- - 'cmd.exe'
- - 'powershell.exe'
- - 'powershell_ise.exe'
- - 'psexec.exe'
- - 'psexec.c' # old versions of psexec (2016 seen)
- - 'cscript.exe'
- - 'wscript.exe'
- - 'mshta.exe'
- - 'regsvr32.exe'
- - 'wmic.exe'
- - 'certutil.exe'
- - 'rundll32.exe'
- - 'cmstp.exe'
- - 'msiexec.exe'
- - '7z.exe'
- - 'winrar.exe'
- - 'wevtutil.exe'
- - 'net.exe'
- - 'net1.exe'
- - 'netsh.exe'
- filter:
- Image|endswith:
- - '\cmd.exe'
- - '\powershell.exe'
- - '\powershell_ise.exe'
- - '\psexec.exe'
- - '\psexec64.exe'
- - '\cscript.exe'
- - '\wscript.exe'
- - '\mshta.exe'
- - '\regsvr32.exe'
- - '\wmic.exe'
- - '\certutil.exe'
- - '\rundll32.exe'
- - '\cmstp.exe'
- - '\msiexec.exe'
- - '\7z.exe'
- - '\winrar.exe'
- - '\wevtutil.exe'
- - '\net.exe'
- - '\net1.exe'
- - '\netsh.exe'
- condition: selection and not filter
+ selection:
+ OriginalFileName:
+ - 'cmd.exe'
+ - 'powershell.exe'
+ - 'powershell_ise.exe'
+ - 'psexec.exe'
+ - 'psexec.c' # old versions of psexec (2016 seen)
+ - 'cscript.exe'
+ - 'wscript.exe'
+ - 'mshta.exe'
+ - 'regsvr32.exe'
+ - 'wmic.exe'
+ - 'certutil.exe'
+ - 'rundll32.exe'
+ - 'cmstp.exe'
+ - 'msiexec.exe'
+ - '7z.exe'
+ - 'winrar.exe'
+ - 'wevtutil.exe'
+ - 'net.exe'
+ - 'net1.exe'
+ - 'netsh.exe'
+ filter:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\psexec.exe'
+ - '\psexec64.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\certutil.exe'
+ - '\rundll32.exe'
+ - '\cmstp.exe'
+ - '\msiexec.exe'
+ - '\7z.exe'
+ - '\winrar.exe'
+ - '\wevtutil.exe'
+ - '\net.exe'
+ - '\net1.exe'
+ - '\netsh.exe'
+ condition: selection and not filter
 falsepositives:
- - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+ - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
index ec8c67dc1..283ab860d 100644
--- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
@@ -1,53 +1,53 @@
 title: Highly Relevant Renamed Binary
 id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
-status: experimental
+status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 author: Matthew Green - @mgreen27, Florian Roth
-date: 2019/06/15
-modified: 2020/09/06
 references:
- - https://attack.mitre.org/techniques/T1036/
- - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
-tags:
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+ - https://attack.mitre.org/techniques/T1036/
+ - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
+ - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
+date: 2019/06/15
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- OriginalFileName:
- - "powershell.exe"
- - "powershell_ise.exe"
- - "psexec.exe"
- - "psexec.c" # old versions of psexec (2016 seen)
- - "cscript.exe"
- - "wscript.exe"
- - "mshta.exe"
- - "regsvr32.exe"
- - "wmic.exe"
- - "certutil.exe"
- - "rundll32.exe"
- - "cmstp.exe"
- - "msiexec.exe"
- filter:
- Image|endswith:
- - '\powershell.exe'
- - '\powershell_ise.exe'
- - '\psexec.exe'
- - '\psexec64.exe'
- - '\cscript.exe'
- - '\wscript.exe'
- - '\mshta.exe'
- - '\regsvr32.exe'
- - '\wmic.exe'
- - '\certutil.exe'
- - '\rundll32.exe'
- - '\cmstp.exe'
- - '\msiexec.exe'
- condition: selection and not filter
+ selection:
+ OriginalFileName:
+ - "powershell.exe"
+ - "powershell_ise.exe"
+ - "psexec.exe"
+ - "psexec.c" # old versions of psexec (2016 seen)
+ - "cscript.exe"
+ - "wscript.exe"
+ - "mshta.exe"
+ - "regsvr32.exe"
+ - "wmic.exe"
+ - "certutil.exe"
+ - "rundll32.exe"
+ - "cmstp.exe"
+ - "msiexec.exe"
+ filter:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\psexec.exe'
+ - '\psexec64.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ - '\mshta.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\certutil.exe'
+ - '\rundll32.exe'
+ - '\cmstp.exe'
+ - '\msiexec.exe'
+ condition: selection and not filter
 falsepositives:
- - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+ - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
index d176b8391..6c207f7ba 100644
--- a/rules/windows/process_creation/win_renamed_jusched.yml
+++ b/rules/windows/process_creation/win_renamed_jusched.yml
@@ -1,29 +1,29 @@
-title: Renamed jusched.exe
-status: experimental
+title: Renamed jusched.exe
 id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
-description: Detects renamed jusched.exe used by cobalt group
-references:
- - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+status: test
+description: Detects renamed jusched.exe used by cobalt group
 author: Markus Neis, Swisscom
+references:
+ - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 date: 2019/06/04
-modified: 2020/09/06
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Description: Java Update Scheduler
- selection2:
- Description: Java(TM) Update Scheduler
- filter:
- Image|endswith:
- - '\jusched.exe'
- condition: (selection1 or selection2) and not filter
+ selection1:
+ Description: Java Update Scheduler
+ selection2:
+ Description: Java(TM) Update Scheduler
+ filter:
+ Image|endswith:
+ - '\jusched.exe'
+ condition: (selection1 or selection2) and not filter
 falsepositives:
- - penetration tests, red teaming
+ - penetration tests, red teaming
 level: high
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml
index 50de18b03..8213ed3fe 100644
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@@ -1,35 +1,35 @@
 title: Execution of Renamed PaExec
 id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
-status: experimental
+status: test
 description: Detects execution of renamed paexec via imphash and executable product string
+author: Jason Lynch
 references:
- - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
- - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
-tags:
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
- - attack.g0046
- - car.2013-05-009
+ - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
+ - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 date: 2019/04/17
-modified: 2020/09/06
-author: Jason Lynch
-falsepositives:
- - Unknown imphashes
-level: medium
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Product|contains:
- - 'PAExec'
- selection2:
- Imphash:
- - 11D40A7B7876288F919AB819CC2D9802
- - 6444f8a34e99b8f7d9647de66aabe516
- - dfd6aa3f7b2b1035b76b718f1ddc689f
- - 1a6cca4d5460b1710a12dea39e4a592c
- filter1:
- Image|contains: 'paexec'
- condition: (selection1 and selection2) and not filter1
+ selection1:
+ Product|contains:
+ - 'PAExec'
+ selection2:
+ Imphash:
+ - 11D40A7B7876288F919AB819CC2D9802
+ - 6444f8a34e99b8f7d9647de66aabe516
+ - dfd6aa3f7b2b1035b76b718f1ddc689f
+ - 1a6cca4d5460b1710a12dea39e4a592c
+ filter1:
+ Image|contains: 'paexec'
+ condition: (selection1 and selection2) and not filter1
+falsepositives:
+ - Unknown imphashes
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.003
+ - attack.g0046
+ - car.2013-05-009
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index d599d6e0e..9301e549c 100644
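Review bot: The `Imphash` list in `selection2` mixes one upper-case value (`11D40A7B7876288F919AB819CC2D9802`) with three lower-case ones; Sigma matching is case-insensitive by specification, but whether every backend preserves that for hash fields is not something this rule can rely on, so normalising all four to lower case (`- 11d40a7b7876288f919ab819cc2d9802`) removes a backend dependency at no cost. A short comment on each hash naming the PaExec build or sample it was taken from would also help maintainers, since the `sha256=` reference accounts for only one of them.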
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -1,30 +1,30 @@
 title: Renamed PsExec
 id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
-status: experimental
+status: test
 description: Detects the execution of a renamed PsExec often used by attackers or malware
-references:
- - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
+references:
+ - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 date: 2019/05/21
-modified: 2020/09/06
-tags:
- - car.2013-05-009
- - attack.defense_evasion
- - attack.t1036 # an old one
- - attack.t1036.003
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection:
- Description: 'Execute processes remotely'
- Product: 'Sysinternals PsExec'
- filter:
- Image|endswith:
- - '\PsExec.exe'
- - '\PsExec64.exe'
- condition: selection and not filter
+ selection:
+ Description: 'Execute processes remotely'
+ Product: 'Sysinternals PsExec'
+ filter:
+ Image|endswith:
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
+ condition: selection and not filter
 falsepositives:
- - Software that illegaly integrates PsExec in a renamed form
- - Administrators that have renamed PsExec and no one knows why
+ - Software that illegaly integrates PsExec in a renamed form
+ - Administrators that have renamed PsExec and no one knows why
 level: high
+tags:
+ - car.2013-05-009
+ - attack.defense_evasion
+ - attack.t1036 # an old one
+ - attack.t1036.003
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index 03adb95e5..236e6441a 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
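Review bot: The first `falsepositives:` entry, re-indented on the new side of the `win_renamed_psexec.yml` hunk, keeps the typo `illegaly`; it should read `- Software that illegally integrates PsExec in a renamed form`.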
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -1,26 +1,27 @@
 title: Run PowerShell Script from ADS
 id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
-status: experimental
+status: test
 description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-references:
- - https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1
 author: Sergey Soldatov, Kaspersky Lab, oscd.community
+references:
+ - https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1
 date: 2019/10/30
-tags:
- - attack.defense_evasion
- - attack.t1096 # an old one
- - attack.t1564.004
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\powershell.exe'
- Image|endswith: '\powershell.exe'
- CommandLine|contains|all:
- - 'Get-Content'
- - '-Stream'
- condition: selection
+ selection:
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'Get-Content'
+ - '-Stream'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1096 # an old one
+ - attack.t1564.004
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
index e8bda9dfc..32db1a97e 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml
@@ -1,25 +1,26 @@ title: Run PowerShell Script from Redirected Input Stream id: c83bf4b5-cdf0-437c-90fa-43d734f7c476 -status: experimental +status: test description: Detects PowerShell script execution via input stream redirect -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml - - https://twitter.com/Moriarty_Meng/status/984380793383370752 author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml + - https://twitter.com/Moriarty_Meng/status/984380793383370752 date: 2020/10/17 -tags: - - attack.defense_evasion - - attack.execution - - attack.t1059 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - powershell_started: - Image|endswith: '\powershell.exe' - redirect_to_input_stream: - CommandLine|re: '\s-\s*<' - condition: powershell_started and redirect_to_input_stream + powershell_started: + Image|endswith: '\powershell.exe' + redirect_to_input_stream: + CommandLine|re: '\s-\s*<' + condition: powershell_started and redirect_to_input_stream falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.execution + - attack.t1059 diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index f83b64bdd..5fc3a2a35 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml 
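Review bot: `powershell_started` matches only `'\powershell.exe'`, so the same `- <` redirect into `pwsh.exe` is not caught; turn it into a list `Image|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'`. `redirect_to_input_stream` uses the `re` modifier, which some Sigma backends may not support, so a short `definition:` line under `logsource` (or a note in the description) would save users a failed conversion.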
@@ -1,26 +1,26 @@ title: Service Execution id: 2a072a96-a086-49fa-bcb5-15cc5a619093 -status: experimental +status: test description: Detects manual service execution (start) via system utilities. author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -date: 2019/10/21 -modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md +date: 2019/10/21 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\net.exe' - - '\net1.exe' - CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression - condition: selection + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression + condition: selection falsepositives: - - Legitimate administrator or user executes a service for legitimate reasons. + - Legitimate administrator or user executes a service for legitimate reasons. level: low tags: - - attack.execution - - attack.t1035 # an old one - - attack.t1569.002 + - attack.execution + - attack.t1035 # an old one + - attack.t1569.002 diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml index e627298ca..bfff03645 100644 --- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml +++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml 
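Review bot: `selection` covers only `net.exe`/`net1.exe`, while the referenced Atomic T1569.002 tests, as far as I recall, start services through `sc.exe` as well; an additional selection `Image|endswith: '\sc.exe'` with the same `CommandLine|contains: ' start '`, OR'ed in the condition, would close that gap at the same low level. The inline comment on `' start '` is useful and should stay; consider extending it to say that the match is case-insensitive and position-independent, which is why the level is low.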
@@ -1,25 +1,26 @@ title: Shadow Copies Access via Symlink id: 40b19fa6-d835-400c-b301-41f3a2baacaf +status: test description: Shadow Copies storage symbolic link creation using operating systems utilities author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.002 - - attack.t1003.003 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +date: 2019/10/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - mklink - - HarddiskVolumeShadowCopy - condition: selection + selection: + CommandLine|contains|all: + - mklink + - HarddiskVolumeShadowCopy + condition: selection falsepositives: - - Legitimate administrator working with shadow copies, access for backup purposes -status: experimental + - Legitimate administrator working with shadow copies, access for backup purposes level: medium +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.002 + - attack.t1003.003 diff --git a/rules/windows/process_creation/win_shadow_copies_creation.yml b/rules/windows/process_creation/win_shadow_copies_creation.yml index 578c1ba11..f658e0d0f 100644 --- a/rules/windows/process_creation/win_shadow_copies_creation.yml +++ b/rules/windows/process_creation/win_shadow_copies_creation.yml 
@@ -1,30 +1,31 @@ title: Shadow Copies Creation Using Operating Systems Utilities id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce +status: test description: Shadow Copies creation using operating systems utilities, possible credential access author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2019/10/22 references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ -tags: - - attack.credential_access - - attack.t1003 - - attack.t1003.002 - - attack.t1003.003 + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ +date: 2019/10/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\powershell.exe' - - '\wmic.exe' - - '\vssadmin.exe' - CommandLine|contains|all: - - shadow - - create - condition: selection + selection: + Image|endswith: + - '\powershell.exe' + - '\wmic.exe' + - '\vssadmin.exe' + CommandLine|contains|all: + - shadow + - create + condition: selection falsepositives: - - Legitimate administrator working with shadow copies, access for backup purposes -status: experimental + - Legitimate administrator working with shadow copies, access for backup purposes level: medium +tags: + - attack.credential_access + - attack.t1003 + - attack.t1003.002 + - attack.t1003.003 diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 0463c67c6..b215a6ab5 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml 
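Review bot: The `Image|endswith` list lacks `'\pwsh.exe'`, so the same `shadow`+`create` invocation under PowerShell Core is missed; add it to the list. The two substrings `'shadow'` and `'create'` are short enough that a comment naming the intended command lines (`vssadmin create shadow`, `wmic shadowcopy call create`, the PowerShell `Win32_ShadowCopy` `Create` method) would help an analyst judge hits; `diskshadow.exe`, which also creates shadow copies from a script, is another OS utility that could be considered for the image list.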
@@ -1,45 +1,45 @@ title: Windows Shell Spawning Suspicious Program id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde -status: experimental +status: test description: Detects a suspicious child process of a Windows shell -references: - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth +references: + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html date: 2018/04/06 -modified: 2020/09/06 -tags: - - attack.execution - - attack.defense_evasion - - attack.t1064 # an old one - - attack.t1059.005 - - attack.t1059.001 - - attack.t1218 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: - - '\mshta.exe' - - '\powershell.exe' + selection: + ParentImage|endswith: + - '\mshta.exe' + - '\powershell.exe' # - '*\cmd.exe' # too many false positives - - '\rundll32.exe' - - '\cscript.exe' - - '\wscript.exe' - - '\wmiprvse.exe' - Image|endswith: - - '\schtasks.exe' - - '\nslookup.exe' - - '\certutil.exe' - - '\bitsadmin.exe' - - '\mshta.exe' - falsepositives: - CurrentDirectory|contains: '\ccmcache\' - condition: selection and not falsepositives + - '\rundll32.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\wmiprvse.exe' + Image|endswith: + - '\schtasks.exe' + - '\nslookup.exe' + - '\certutil.exe' + - '\bitsadmin.exe' + - '\mshta.exe' + falsepositives: + CurrentDirectory|contains: '\ccmcache\' + condition: selection and not falsepositives fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Administrative scripts - - Microsoft SCCM + - Administrative scripts + - Microsoft SCCM level: high +tags: + - attack.execution + - attack.defense_evasion + - attack.t1064 # an old one + - attack.t1059.005 + - attack.t1059.001 + - attack.t1218 
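Review bot: The exclusion inside `detection` is named `falsepositives`, the same word as the top-level `falsepositives` list a few keys below, which reads as if the FP descriptions were part of the query; rename it to the convention used by the other rules in this commit, e.g. `filter_sccm:` with `condition: selection and not filter_sccm`. `CurrentDirectory` is a Sysmon-only field, so a `definition:` under `logsource` stating that would help. The commented `# - '*\cmd.exe'` context line inside the `ParentImage` sequence is harmless, but it still uses the pre-`endswith` `*` prefix and would need rewriting if it is ever re-enabled.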
diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index bf6f35df8..a946bfdb1 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml @@ -1,24 +1,24 @@ title: Audio Capture via SoundRecorder id: 83865853-59aa-449e-9600-74b9d89a6d6e +status: test description: Detect attacker collecting audio via SoundRecorder application. -status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -date: 2019/10/24 -modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html -tags: - - attack.collection - - attack.t1123 + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md + - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html +date: 2019/10/24 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\SoundRecorder.exe' - CommandLine|contains: '/FILE' - condition: selection + selection: + Image|endswith: '\SoundRecorder.exe' + CommandLine|contains: '/FILE' + condition: selection falsepositives: - - Legitimate audio capture by legitimate user. + - Legitimate audio capture by legitimate user. level: medium +tags: + - attack.collection + - attack.t1123 diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index c71eae33f..e88cda05d 100644 --- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml 
@@ -1,28 +1,29 @@ title: Possible SPN Enumeration id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599 +status: test description: Detects Service Principal Name Enumeration used for Kerberoasting -status: experimental -references: - - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation author: Markus Neis, keepwatch +references: + - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation date: 2018/11/14 -tags: - - attack.credential_access - - attack.t1558.003 - - attack.t1208 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_image: - Image|endswith: '\setspn.exe' - selection_desc: - Description|contains|all: - - 'Query or reset the computer' - - 'SPN attribute' - cmd: - CommandLine|contains: '-q' - condition: (selection_image or selection_desc) and cmd + selection_image: + Image|endswith: '\setspn.exe' + selection_desc: + Description|contains|all: + - 'Query or reset the computer' + - 'SPN attribute' + cmd: + CommandLine|contains: '-q' + condition: (selection_image or selection_desc) and cmd falsepositives: - - Administrator Activity + - Administrator Activity level: medium +tags: + - attack.credential_access + - attack.t1558.003 + - attack.t1208 # an old one diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml index 885676c0d..2a3d77f36 100644 --- a/rules/windows/process_creation/win_susp_bginfo.yml +++ b/rules/windows/process_creation/win_susp_bginfo.yml 
@@ -1,29 +1,29 @@ title: Application Whitelisting Bypass via Bginfo id: aaf46cdc-934e-4284-b329-34aa701e3771 -status: experimental +status: test description: Execute VBscript code that is referenced within the *.bgi file. -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml - - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ author: Beyu Denis, oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml + - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ date: 2019/10/26 -modified: 2020/09/05 -tags: - - attack.execution - - attack.t1059.005 - - attack.defense_evasion - - attack.t1218 - - attack.t1202 -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: selection: Image|endswith: '\bginfo.exe' CommandLine|contains|all: - - '/popup' - - '/nolicprompt' + - '/popup' + - '/nolicprompt' condition: selection falsepositives: - - Unknown + - Unknown +level: medium +tags: + - attack.execution + - attack.t1059.005 + - attack.defense_evasion + - attack.t1218 + - attack.t1202 diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml index b0e6ec94b..b4111fdbd 100644 --- a/rules/windows/process_creation/win_susp_calc.yml +++ b/rules/windows/process_creation/win_susp_calc.yml 
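Review bot: `Image|endswith: '\bginfo.exe'` does not match the 64-bit build, which the Sysinternals package ships as `Bginfo64.exe` (and, if I recall correctly, `Bginfo64a.exe` for ARM64); make the field a list: `- '\bginfo.exe'` / `- '\bginfo64.exe'`. Because the indicator is really the `/popup` + `/nolicprompt` switch pair, an `OriginalFileName`-based alternative selection (the `rundll_image or rundll_ofn` shape used by `win_susp_comsvcs_procdump.yml` in this commit) would also survive a renamed copy.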
@@ -1,25 +1,26 @@ title: Suspicious Calculator Usage id: 737e618a-a410-49b5-bec3-9e55ff7fbc15 +status: test description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion -status: experimental -references: - - https://twitter.com/ItsReallyNick/status/1094080242686312448 author: Florian Roth +references: + - https://twitter.com/ItsReallyNick/status/1094080242686312448 date: 2019/02/09 -tags: - - attack.defense_evasion - - attack.t1036 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: '\calc.exe ' - selection2: - Image|endswith: '\calc.exe' - filter2: - Image|contains: '\Windows\Sys' - condition: selection1 or ( selection2 and not filter2 ) + selection1: + CommandLine|contains: '\calc.exe ' + selection2: + Image|endswith: '\calc.exe' + filter2: + Image|contains: '\Windows\Sys' + condition: selection1 or ( selection2 and not filter2 ) falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1036 diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml index f04df3bc6..270070bc0 100644 --- a/rules/windows/process_creation/win_susp_cdb.yml +++ b/rules/windows/process_creation/win_susp_cdb.yml 
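Review bot: `filter2` excludes on `Image|contains: '\Windows\Sys'`, which is wider than the two legitimate locations and also suppresses any path under `\Windows\System\` or any other directory whose name starts with `Sys`; tighten it to a list `Image|contains:` / `- '\Windows\System32\'` / `- '\Windows\SysWOW64\'`. The trailing space in `selection1`'s `'\calc.exe '` is deliberate (it requires an argument to follow) and deserves a one-line comment so it is not "fixed" by a later whitespace cleanup.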
@@ -1,27 +1,27 @@ title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 -status: experimental +status: test description: Launch 64-bit shellcode from a debugger script file using cdb.exe. -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml - - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html author: Beyu Denis, oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml + - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html date: 2019/10/26 -modified: 2020/09/05 -tags: - - attack.execution - - attack.t1106 - - attack.defense_evasion - - attack.t1218 - - attack.t1127 -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\cdb.exe' - CommandLine|contains: '-cf' - condition: selection + selection: + Image|endswith: '\cdb.exe' + CommandLine|contains: '-cf' + condition: selection falsepositives: - - Legitimate use of debugging tools + - Legitimate use of debugging tools +level: medium +tags: + - attack.execution + - attack.t1106 + - attack.defense_evasion + - attack.t1218 + - attack.t1127 diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml index 0039d597d..79e852bb6 100644 --- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml 
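Review bot: `selection` keys on the image name alone, so a renamed copy of `cdb.exe` running the same `-cf` script is not seen even though the switch is the actual indicator; add an alternative selection on `OriginalFileName` (check the exact value in the binary's version info) and OR it with the image check, as `win_susp_comsvcs_procdump.yml` does in this commit. The description should also mention that `-cf` is matched as a substring, so the bare `-c "<command>"` form of cdb is not covered.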
@@ -1,37 +1,37 @@ title: Suspicious Child Process Created as System id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d +status: test description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts -references: - - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - - https://github.com/antonioCoco/RogueWinRM - - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 -tags: - - attack.privilege_escalation - - attack.t1134 # an old one - - attack.t1134.002 -status: experimental author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ + - https://github.com/antonioCoco/RogueWinRM + - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 date: 2019/10/26 -modified: 2020/10/26 +modified: 2021/11/27 logsource: - category: process_creation - product: windows - definition: ParentUser field needs sysmon >= 13.30 + category: process_creation + product: windows + definition: ParentUser field needs sysmon >= 13.30 detection: - selection: - ParentUser: - - 'NT AUTHORITY\NETWORK SERVICE' - - 'NT AUTHORITY\LOCAL SERVICE' - - 'AUTORITE NT\' # French language settings - User: - - 'NT AUTHORITY\SYSTEM' - - 'AUTORITE NT\Sys' # French language settings - IntegrityLevel: 'System' - rundllexception: - Image|endswith: '\rundll32.exe' - CommandLine|contains: 'DavSetCookie' - condition: selection and not rundllexception + selection: + ParentUser: + - 'NT AUTHORITY\NETWORK SERVICE' + - 'NT AUTHORITY\LOCAL SERVICE' + - 'AUTORITE NT\' # French language settings + User: + - 'NT AUTHORITY\SYSTEM' + - 'AUTORITE NT\Sys' # French 
language settings + IntegrityLevel: 'System' + rundllexception: + Image|endswith: '\rundll32.exe' + CommandLine|contains: 'DavSetCookie' + condition: selection and not rundllexception falsepositives: - - Unknown -level: high \ No newline at end of file + - Unknown +level: high +tags: + - attack.privilege_escalation + - attack.t1134 # an old one + - attack.t1134.002 diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml index d0efa1072..caf962000 100644 --- a/rules/windows/process_creation/win_susp_cli_escape.yml +++ b/rules/windows/process_creation/win_susp_cli_escape.yml 
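Review bot: The French entries in `selection` are written as exact-match values, not prefixes: a bare Sigma value is an exact (case-insensitive) comparison, so `ParentUser: 'AUTORITE NT\'` and `User: 'AUTORITE NT\Sys'` can only match a user string that is literally those characters, and on a French system the rule never fires. Use wildcards — `'AUTORITE NT\\*'` and `'AUTORITE NT\\Sys*'`, with the backslash doubled because `\*` alone denotes a literal asterisk in Sigma — or move them into a separate `|startswith` selection OR'ed with the English one. `definition:` already records the Sysmon ≥13.30 requirement for `ParentUser`; `IntegrityLevel` is also Sysmon-only and could be listed there. The `# French language settings` comment was split across two physical lines here but is a single diff line.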
@@ -1,29 +1,29 @@ title: Suspicious Commandline Escape id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd +status: test description: Detects suspicious process that use escape characters -status: experimental -references: - - https://twitter.com/vysecurity/status/885545634958385153 - - https://twitter.com/Hexacorn/status/885553465417756673 - - https://twitter.com/Hexacorn/status/885570278637678592 - - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 +references: + - https://twitter.com/vysecurity/status/885545634958385153 + - https://twitter.com/Hexacorn/status/885553465417756673 + - https://twitter.com/Hexacorn/status/885570278637678592 + - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html + - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ date: 2018/12/11 -modified: 2020/03/14 -tags: - - attack.defense_evasion - - attack.t1140 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: + selection: + CommandLine|contains: # - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries) - - 'h^t^t^p' - - 'h"t"t"p' - condition: selection + - 'h^t^t^p' + - 'h"t"t"p' + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: low +tags: + - attack.defense_evasion + - attack.t1140 diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml index 93c3f436f..5e705d09e 100644 
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml @@ -1,33 +1,33 @@ title: Command Line Execution with Suspicious URL and AppData Strings id: 1ac8666b-046f-4201-8aba-1951aaec03a3 -status: experimental +status: test description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) -references: - - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 author: Florian Roth, Jonhnathan Ribeiro, oscd.community +references: + - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 + - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 date: 2019/01/16 -modified: 2020/11/20 -tags: - - attack.execution - - attack.t1059.003 - - attack.t1059.001 - - attack.command_and_control - - attack.t1105 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\cmd.exe' - CommandLine|contains|all: - - 'http' # captures both http and https - - '://' - - '%AppData%' - condition: selection + selection: + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - 'http' # captures both http and https + - '://' + - '%AppData%' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - High + - High level: medium +tags: + - attack.execution + - attack.t1059.003 + - attack.t1059.001 + - attack.command_and_control + - attack.t1105 
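Review bot: `falsepositives: High` names a rate rather than a source and gives an analyst nothing to tune on; replace it with the causes implied by the rule itself, e.g. `- Installers or update scripts that fetch a URL into %AppData% via cmd.exe`. The `'%AppData%'` element also only matches the unexpanded variable — a dropper that already resolved the path to `\AppData\Roaming\` is missed — which is worth stating in the description.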
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index 32655a9b0..ceb84518a 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml @@ -1,37 +1,37 @@ title: Suspicious Compression Tool Parameters id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd -status: experimental +status: test description: Detects suspicious command line arguments of common data compression tools -references: - - https://twitter.com/SBousseaden/status/1184067445612535811 -tags: - - attack.collection - - attack.t1560.001 - - attack.exfiltration # an old one - - attack.t1020 # an old one - - attack.t1002 # an old one author: Florian Roth, Samir Bousseaden +references: + - https://twitter.com/SBousseaden/status/1184067445612535811 date: 2019/10/15 -modified: 2020/09/05 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - OriginalFileName: - - '7z*.exe' - - '*rar.exe' - - '*Command*Line*RAR*' - CommandLine|contains: - - ' -p' - - ' -ta' - - ' -tb' - - ' -sdel' - - ' -dw' - - ' -hp' - falsepositive: - ParentImage|startswith: 'C:\Program' - condition: selection and not falsepositive + selection: + OriginalFileName: + - '7z*.exe' + - '*rar.exe' + - '*Command*Line*RAR*' + CommandLine|contains: + - ' -p' + - ' -ta' + - ' -tb' + - ' -sdel' + - ' -dw' + - ' -hp' + falsepositive: + ParentImage|startswith: 'C:\Program' + condition: selection and not falsepositive falsepositives: - - unknown + - unknown level: high +tags: + - attack.collection + - attack.t1560.001 + - attack.exfiltration # an old one + - attack.t1020 # an old one + - attack.t1002 # an old one diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml index 2879adff8..c25161a86 100644 
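Review bot: The `falsepositive` exclusion `ParentImage|startswith: 'C:\Program'` also whitelists every parent under `C:\ProgramData\`, where standard users can create subdirectories by default, so a stager dropped there can run 7z/rar with `-p`/`-sdel` unseen; narrow it to a list `- 'C:\Program Files\'` / `- 'C:\Program Files (x86)\'`. `' -p'` is a prefix match that also hits other switches starting with p, so a comment naming the intended password switch (`-p<pwd>`/`-hp`) would make the intent explicit.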
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml @@ -1,36 +1,36 @@ title: Process Dump via Comsvcs DLL id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c -status: experimental +status: test description: Detects process memory dump via comsvcs.dll and rundll32 -references: - - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ - - https://twitter.com/SBousseaden/status/1167417096374050817 author: Modexp (idea) +references: + - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ + - https://twitter.com/SBousseaden/status/1167417096374050817 date: 2019/09/02 -modified: 2020/09/05 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - rundll_image: - Image|endswith: '\rundll32.exe' - rundll_ofn: - OriginalFileName: 'RUNDLL32.EXE' - selection: - CommandLine|contains|all: - - 'comsvcs' - - 'MiniDump' #Matches MiniDump and MinidumpW - - 'full' - condition: (rundll_image or rundll_ofn) and selection + rundll_image: + Image|endswith: '\rundll32.exe' + rundll_ofn: + OriginalFileName: 'RUNDLL32.EXE' + selection: + CommandLine|contains|all: + - 'comsvcs' + - 'MiniDump' #Matches MiniDump and MinidumpW + - 'full' + condition: (rundll_image or rundll_ofn) and selection fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.t1218.011 - - attack.credential_access - - attack.t1003.001 - - attack.t1003 # an old one + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: medium +tags: + - attack.defense_evasion + - attack.t1218.011 + - attack.credential_access + - attack.t1003.001 + - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index 726bb7ce1..a435db36c 100644 
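Review bot: `selection` requires the literal `MiniDump`, but the same export can be invoked by ordinal — `rundll32 comsvcs.dll, #24 <pid> <file> full` is a documented variant, MiniDump being ordinal 24 as far as I know — and nothing in the rule catches it. Split the `contains|all` so that `comsvcs` and `full` stay mandatory while the export name is an alternative between `MiniDump` and `#24`; the `condition` changes accordingly.
```yaml
detection:
    # … unchanged: rundll_image / rundll_ofn …
    selection_dll:
        CommandLine|contains|all:
            - 'comsvcs'
            - 'full'
    selection_export:
        CommandLine|contains:
            - 'MiniDump' # Matches MiniDump and MinidumpW
            - '#24'      # MiniDump called by ordinal
    condition: (rundll_image or rundll_ofn) and selection_dll and selection_export
```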
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -1,29 +1,29 @@ title: Suspicious Control Panel DLL Load id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 -status: experimental +status: test description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits author: Florian Roth -date: 2017/04/15 -modified: 2020/09/05 references: - - https://twitter.com/rikvduijn/status/853251879320662017 -tags: - - attack.defense_evasion - - attack.t1085 # an old one - - attack.t1218.011 + - https://twitter.com/rikvduijn/status/853251879320662017 +date: 2017/04/15 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\System32\control.exe' - Image|endswith: '\rundll32.exe ' - filter: - CommandLine|contains: 'Shell32.dll' - condition: selection and not filter + selection: + ParentImage|endswith: '\System32\control.exe' + Image|endswith: '\rundll32.exe ' + filter: + CommandLine|contains: 'Shell32.dll' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1085 # an old one + - attack.t1218.011 diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml index 5a3535453..2fe048583 100644 --- a/rules/windows/process_creation/win_susp_copy_system32.yml +++ b/rules/windows/process_creation/win_susp_copy_system32.yml 
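Review bot: `Image|endswith: '\rundll32.exe '` carries a trailing space inside the quotes, and an image path never ends in a space, so `selection` can never match and the rule is dead as committed; change it to `Image|endswith: '\rundll32.exe'`. Once it works, the `filter` on `Shell32.dll` deserves a one-line comment saying it excludes the ordinary Control Panel applet launch path, so the exclusion is not widened later.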
@@ -1,30 +1,30 @@ title: Suspicious Copy From or To System32 id: fff9d2b7-e11c-4a69-93d3-40ef66189767 -status: experimental +status: test description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name author: Florian Roth, Markus Neis -date: 2020/07/03 -modified: 2020/09/05 references: - - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 + - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 +date: 2020/07/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -tags: - - attack.defense_evasion - - attack.t1036.003 + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - ' /c copy' - - 'xcopy' - CommandLine|contains|all: - - '\System32\' - condition: selection + selection: + CommandLine|contains: + - ' /c copy' + - 'xcopy' + CommandLine|contains|all: + - '\System32\' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment - - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/ + - False positives depend on scripts and administrative tools used in the monitored environment + - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/ level: medium +tags: + - attack.defense_evasion + - attack.t1036.003 diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml index 0c323f1e7..a7900d6a3 100644 --- a/rules/windows/process_creation/win_susp_covenant.yml 
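Review bot: `CommandLine|contains|all` with the single element `'\System32\'` is just `contains`; the `|all` modifier on one value is a style oddity that invites someone to add elements expecting alternatives, so drop it or add a comment. `' /c copy'` also misses `cmd /k copy` and a `copy` reached through `&`/`&&` chaining, so `' /k copy'` should at least join the list, with the noise trade-off already acknowledged in `falsepositives`.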
+++ b/rules/windows/process_creation/win_susp_covenant.yml @@ -1,35 +1,36 @@ title: Covenant Launcher Indicators id: c260b6db-48ba-4b4a-a76f-2f67644e99d2 +status: test description: Detects suspicious command lines used in Covenant luanchers -status: experimental -references: - - https://posts.specterops.io/covenant-v0-5-eee0507b85ba author: Florian Roth, Jonhnathan Ribeiro, oscd.community +references: + - https://posts.specterops.io/covenant-v0-5-eee0507b85ba date: 2020/06/04 -tags: - - attack.execution - - attack.defense_evasion - - attack.t1059.001 - - attack.t1564.003 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - '-Sta' - - '-Nop' - - '-Window' - - 'Hidden' - CommandLine|contains: - - '-Command' - - '-EncodedCommand' - selection2: - CommandLine|contains: - - 'sv o (New-Object IO.MemorySteam);sv d ' - - 'mshta file.hta' - - 'GruntHTTP' - - '-EncodedCommand cwB2ACAAbwAgA' - condition: selection or selection2 + selection: + CommandLine|contains|all: + - '-Sta' + - '-Nop' + - '-Window' + - 'Hidden' + CommandLine|contains: + - '-Command' + - '-EncodedCommand' + selection2: + CommandLine|contains: + - 'sv o (New-Object IO.MemorySteam);sv d ' + - 'mshta file.hta' + - 'GruntHTTP' + - '-EncodedCommand cwB2ACAAbwAgA' + condition: selection or selection2 level: high +tags: + - attack.execution + - attack.defense_evasion + - attack.t1059.001 + - attack.t1564.003 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index 4620e0b8d..1a3cdca0b 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml 
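Review bot: The new side has no `falsepositives` key at all — the block goes straight from `condition` to `level: high` — while every other rule in this commit carries one; add `falsepositives:` / `- Unknown` before `level`. Separately, the `selection2` string `'sv o (New-Object IO.MemorySteam);sv d '` spells "MemorySteam", which should be checked against the referenced launcher source: if the real launcher emits `IO.MemoryStream`, that indicator never matches, and the base64 entry `cwB2ACAAbwAgA` only covers the `sv o ` prefix so it would not compensate.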
@@ -1,39 +1,40 @@ title: CrackMapExec PowerShell Obfuscation id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf -status: experimental +status: test description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. -references: - - https://github.com/byt3bl33d3r/CrackMapExec - - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 -tags: - - attack.execution - - attack.t1059.001 - - attack.defense_evasion - - attack.t1027.005 - - attack.t1027 # an old one - - attack.t1086 # an old one author: Thomas Patzke +references: + - https://github.com/byt3bl33d3r/CrackMapExec + - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 date: 2020/05/22 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - powershell_execution: - CommandLine|contains: 'powershell.exe' - snippets: - CommandLine|contains: - - 'join*split' + powershell_execution: + CommandLine|contains: 'powershell.exe' + snippets: + CommandLine|contains: + - 'join*split' # Line 343ff - - "( $ShellId[1]+$ShellId[13]+'x')" - - '( $PSHome[*]+$PSHOME[*]+' - - "( $env:Public[13]+$env:Public[5]+'x')" - - "( $env:ComSpec[4,*,25]-Join'')" - - "[1,3]+'x'-Join'')" - condition: powershell_execution and snippets + - "( $ShellId[1]+$ShellId[13]+'x')" + - '( $PSHome[*]+$PSHOME[*]+' + - "( $env:Public[13]+$env:Public[5]+'x')" + - "( $env:ComSpec[4,*,25]-Join'')" + - "[1,3]+'x'-Join'')" + condition: powershell_execution and snippets fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.execution + - attack.t1059.001 + - attack.defense_evasion + - attack.t1027.005 + - attack.t1027 # an old one + - attack.t1086 # an old one 
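Review bot: The description retained on the new side misspells the framework name ("CrachMapExec") while the title spells it correctly; suggest `description: The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.`. The `# Line 343ff` comment next to the `snippets` list refers to a line offset in the pinned upstream commit already named in `references`, so it is best left as is, but the in-place reindent is a good moment to also fix the spelling in the same hunk.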
diff --git a/rules/windows/process_creation/win_susp_curl_download.yml b/rules/windows/process_creation/win_susp_curl_download.yml index 197fc6aef..648b0b836 100644 --- a/rules/windows/process_creation/win_susp_curl_download.yml +++ b/rules/windows/process_creation/win_susp_curl_download.yml @@ -1,30 +1,30 @@ title: Suspicious Curl Usage on Windows id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 -status: experimental +status: test description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file author: Florian Roth -date: 2020/07/03 -modified: 2020/09/05 references: - - https://twitter.com/reegun21/status/1222093798009790464 + - https://twitter.com/reegun21/status/1222093798009790464 +date: 2020/07/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -tags: - - attack.command_and_control - - attack.t1105 + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\curl.exe' - selection2: - Product: 'The curl executable' - selection3: - CommandLine|contains: ' -O ' - condition: ( selection1 or selection2 ) and selection3 + selection1: + Image|endswith: '\curl.exe' + selection2: + Product: 'The curl executable' + selection3: + CommandLine|contains: ' -O ' + condition: ( selection1 or selection2 ) and selection3 fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Scripts created by developers and admins - - Administrative activity + - Scripts created by developers and admins + - Administrative activity level: medium +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_curl_fileupload.yml b/rules/windows/process_creation/win_susp_curl_fileupload.yml index 8284d9406..c76ac44c5 100644 --- a/rules/windows/process_creation/win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/win_susp_curl_fileupload.yml 
@@ -1,27 +1,27 @@ title: Suspicious Curl File Upload id: 00bca14a-df4e-4649-9054-3f2aa676bc04 -status: experimental +status: test description: Detects a suspicious curl process start the adds a file to a web request author: Florian Roth -date: 2020/07/03 -modified: 2020/09/05 references: - - https://twitter.com/d1r4c/status/1279042657508081664 - - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 + - https://twitter.com/d1r4c/status/1279042657508081664 + - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 +date: 2020/07/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -tags: - - attack.exfiltration - - attack.t1567 + category: process_creation + product: windows detection: - selection: - Image|endswith: '\curl.exe' - CommandLine|contains: ' -F ' - condition: selection + selection: + Image|endswith: '\curl.exe' + CommandLine|contains: ' -F ' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Scripts created by developers and admins + - Scripts created by developers and admins level: medium +tags: + - attack.exfiltration + - attack.t1567 diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml index 94584f795..e310e71ec 100644 --- a/rules/windows/process_creation/win_susp_curl_start_combo.yml +++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml 
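Review bot: The description on the new side of this hunk has a grammatical slip that the commit preserves: "a suspicious curl process start the adds a file to a web request". Since the surrounding metadata is being rewritten anyway, it should read `description: Detects a suspicious curl process start that adds a file to a web request`.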
@@ -1,29 +1,29 @@ title: Curl Start Combination id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 -status: experimental +status: test description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. -references: - - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 author: Sreeman +references: + - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 date: 2020/01/13 -modified: 2020/09/05 -tags: - - attack.execution - - attack.t1218 - - attack.command_and_control - - attack.t1105 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: condition: selection selection: - CommandLine|contains|all: - - 'curl' - - ' start ' -falsepositives: - - Administrative scripts (installers) + CommandLine|contains|all: + - 'curl' + - ' start ' fields: - - ParentImage - - CommandLine + - ParentImage + - CommandLine +falsepositives: + - Administrative scripts (installers) level: medium +tags: + - attack.execution + - attack.t1218 + - attack.command_and_control + - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml index e0b7941ea..e758f6315 100644 --- a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml +++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml 
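Review bot: In this hunk `condition: selection` sits above the `selection:` map it refers to, which is the only rule in this batch where the condition is not the last entry under `detection`; moving `condition: selection` below the `CommandLine|contains|all` block would match the layout the commit normalises everywhere else. Separately, the `'curl'` pattern is an unanchored substring and, with Sigma's default case-insensitive matching, will also hit command lines that merely contain the letters (paths, product names); if that is a known trade-off it would be worth noting under `falsepositives`, which currently lists only "Administrative scripts (installers)".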
@@ -1,33 +1,33 @@ title: ZOHO Dctask64 Process Injection id: 6345b048-8441-43a7-9bed-541133633d7a -status: experimental +status: test description: Detects suspicious process injection using ZOHO's dctask64.exe -references: - - https://twitter.com/gN3mes1s/status/1222088214581825540 - - https://twitter.com/gN3mes1s/status/1222095963789111296 - - https://twitter.com/gN3mes1s/status/1222095371175911424 author: Florian Roth +references: + - https://twitter.com/gN3mes1s/status/1222088214581825540 + - https://twitter.com/gN3mes1s/status/1222095963789111296 + - https://twitter.com/gN3mes1s/status/1222095371175911424 date: 2020/01/28 -modified: 2020/08/30 -tags: - - attack.defense_evasion - - attack.t1055.001 - - attack.t1055 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\dctask64.exe' - filter: - CommandLine|contains: - - 'DesktopCentral_Agent\agent' - condition: selection and not filter + selection: + Image|endswith: + - '\dctask64.exe' + filter: + CommandLine|contains: + - 'DesktopCentral_Agent\agent' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine - - ParentImage + - CommandLine + - ParentCommandLine + - ParentImage falsepositives: - - Unknown yet + - Unknown yet level: high +tags: + - attack.defense_evasion + - attack.t1055.001 + - attack.t1055 # an old one diff --git a/rules/windows/process_creation/win_susp_desktopimgdownldr.yml b/rules/windows/process_creation/win_susp_desktopimgdownldr.yml index de373c9fb..93b21422d 100644 --- a/rules/windows/process_creation/win_susp_desktopimgdownldr.yml +++ b/rules/windows/process_creation/win_susp_desktopimgdownldr.yml 
@@ -1,35 +1,35 @@ title: Suspicious Desktopimgdownldr Command id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009 -status: experimental +status: test description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet author: Florian Roth -date: 2020/07/03 -modified: 2020/08/30 references: - - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - - https://twitter.com/SBousseaden/status/1278977301745741825 + - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + - https://twitter.com/SBousseaden/status/1278977301745741825 +date: 2020/07/03 +modified: 2021/11/27 logsource: - category: process_creation - product: windows -tags: - - attack.command_and_control - - attack.t1105 + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: ' /lockscreenurl:' - selection1_filter: - CommandLine|contains: - - '.jpg' - - '.jpeg' - - '.png' - selection_reg: - CommandLine|contains|all: - - 'reg delete' - - '\PersonalizationCSP' - condition: ( selection1 and not selection1_filter ) or selection_reg + selection1: + CommandLine|contains: ' /lockscreenurl:' + selection1_filter: + CommandLine|contains: + - '.jpg' + - '.jpeg' + - '.png' + selection_reg: + CommandLine|contains|all: + - 'reg delete' + - '\PersonalizationCSP' + condition: ( selection1 and not selection1_filter ) or selection_reg fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml index 8d98f97b0..f8d0c8f9f 100644 
--- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml +++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml @@ -1,25 +1,25 @@ title: Devtoolslauncher.exe Executes Specified Binary id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 -status: experimental +status: test description: The Devtoolslauncher.exe executes other binary -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml - - https://twitter.com/_felamos/status/1179811992841797632 author: Beyu Denis, oscd.community (rule), @_felamos (idea) +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml + - https://twitter.com/_felamos/status/1179811992841797632 date: 2019/10/12 -modified: 2019/11/04 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.execution # an old one -level: critical +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\devtoolslauncher.exe' - CommandLine|contains: 'LaunchForDeploy' - condition: selection + selection: + Image|endswith: '\devtoolslauncher.exe' + CommandLine|contains: 'LaunchForDeploy' + condition: selection falsepositives: - - Legitimate use of devtoolslauncher.exe by legitimate user + - Legitimate use of devtoolslauncher.exe by legitimate user +level: critical +tags: + - attack.defense_evasion + - attack.t1218 + - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 16aa181f8..1333585a3 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml 
@@ -1,40 +1,40 @@ title: Direct Autorun Keys Modification id: 24357373-078f-44ed-9ac4-6d334a668a11 +status: test description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md -tags: - - attack.persistence - - attack.t1547.001 - - attack.t1060 # an old one -date: 2019/10/25 -modified: 2019/11/10 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md +date: 2019/10/25 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_1: - Image|endswith: '\reg.exe' - CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules - selection_2: - CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys - - '\software\Microsoft\Windows\CurrentVersion\Run' - - '\software\Microsoft\Windows\CurrentVersion\RunOnce' - - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - '\software\Microsoft\Windows\CurrentVersion\RunServices' - - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' - - '\software\Microsoft\Windows NT\CurrentVersion\Windows' - - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' - - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell' - condition: selection_1 and selection_2 + selection_1: + Image|endswith: '\reg.exe' + CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules + selection_2: + CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys + - '\software\Microsoft\Windows\CurrentVersion\Run' + - 
'\software\Microsoft\Windows\CurrentVersion\RunOnce' + - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\software\Microsoft\Windows\CurrentVersion\RunServices' + - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' + - '\software\Microsoft\Windows NT\CurrentVersion\Windows' + - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' + - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell' + condition: selection_1 and selection_2 fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - - Legitimate administrator sets up autorun keys for legitimate reasons. + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. + - Legitimate administrator sets up autorun keys for legitimate reasons. level: medium +tags: + - attack.persistence + - attack.t1547.001 + - attack.t1060 # an old one diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml index 5cfe75d8c..df82ef723 100644 --- a/rules/windows/process_creation/win_susp_disable_ie_features.yml +++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml 
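Review bot: Under `selection_2` the list uses `CommandLine|contains`, so the first entry `'\software\Microsoft\Windows\CurrentVersion\Run'` already matches `RunOnce`, `RunOnceEx`, `RunServices` and `RunServicesOnce` as substrings; those four entries are redundant and could be dropped, or the inline comment "need to improve this list" could say so explicitly so the next maintainer does not read them as distinct coverage. In `selection_1`, `CommandLine|contains: 'add'` is also an unanchored substring (it matches "address", "padding" and the like), which the existing comment about avoiding discovery-tactic overlap does not cover; `' add '` would be tighter if the command-line shape is known to always have surrounding spaces, but that needs checking against real telemetry before changing it.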
@@ -1,32 +1,33 @@ title: Disabled IE Security Features id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424 -status: experimental +status: test description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features +author: Florian Roth references: - - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ -tags: - - attack.defense_evasion - - attack.t1562.001 - - attack.t1089 # an old one -author: Florian Roth + - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ date: 2020/06/19 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - ' -name IEHarden ' - - ' -value 0 ' - selection2: - CommandLine|contains|all: - - ' -name DEPOff ' - - ' -value 1 ' - selection3: - CommandLine|contains|all: - - ' -name DisableFirstRunCustomize ' - - ' -value 2 ' - condition: 1 of them + selection1: + CommandLine|contains|all: + - ' -name IEHarden ' + - ' -value 0 ' + selection2: + CommandLine|contains|all: + - ' -name DEPOff ' + - ' -value 1 ' + selection3: + CommandLine|contains|all: + - ' -name DisableFirstRunCustomize ' + - ' -value 2 ' + condition: 1 of them falsepositives: - - Unknown, maybe some security software installer disables these features temporarily + - Unknown, maybe some security software installer disables these features temporarily level: high +tags: + - attack.defense_evasion + - attack.t1562.001 + - attack.t1089 # an old one diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml index e7f857ac0..20728b844 100644 --- a/rules/windows/process_creation/win_susp_diskshadow.yml +++ b/rules/windows/process_creation/win_susp_diskshadow.yml 
@@ -1,27 +1,28 @@ -title: Execution via Diskshadow.exe +title: Execution via Diskshadow.exe id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 -status: experimental +status: test description: Detects using Diskshadow.exe to execute arbitrary code in text file -references: - - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ -tags: - - attack.execution - - attack.t1218 author: Ivan Dyachkov, oscd.community -date: 2020/10/07 +references: + - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +date: 2020/10/07 +modified: 2021/11/27 logsource: - category: process_creation - product: windows - definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' detection: - selection: - Image|endswith: '\diskshadow.exe' - CommandLine|contains: - - '/s' - - '-s' - condition: selection + selection: + Image|endswith: '\diskshadow.exe' + CommandLine|contains: + - '/s' + - '-s' + condition: selection fields: - - CommandLine + - CommandLine falsepositives: - - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. + - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. level: high +tags: + - attack.execution + - attack.t1218 diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml index ac593c297..d5ed9858c 100644 --- a/rules/windows/process_creation/win_susp_ditsnap.yml +++ b/rules/windows/process_creation/win_susp_ditsnap.yml 
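Review bot: The `falsepositives` entry carried onto the new side still reads "False postitve can be if administrators use diskshadow tool"; suggest `- False positives can occur if administrators use the diskshadow tool in their infrastructure as a main backup tool with scripts.`. The `CommandLine|contains` values `'/s'` and `'-s'` are short unanchored substrings, so any diskshadow invocation whose arguments happen to contain `-s` (for example inside a path) will match; if the intent is the script switch specifically, patterns with surrounding whitespace such as `' /s '` and `' -s '`, as the curl rules in this same patch do, would be more precise — hedged, since exact spacing depends on how the logging product records the command line. The `title` change appears to be trailing-whitespace only.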
@@ -1,27 +1,28 @@ title: DIT Snapshot Viewer Use id: d3b70aad-097e-409c-9df2-450f80dc476b -status: experimental +status: test description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups. -references: - - https://thedfirreport.com/2020/06/21/snatch-ransomware/ - - https://github.com/yosqueoy/ditsnap author: 'Furkan Caliskan (@caliskanfurkan_)' +references: + - https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - https://github.com/yosqueoy/ditsnap date: 2020/07/04 -tags: - - attack.credential_access - - attack.t1003.003 - - attack.t1003 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '\ditsnap.exe' - selection2: - CommandLine|contains: - - 'ditsnap.exe' - condition: selection or selection2 + selection: + Image|endswith: + - '\ditsnap.exe' + selection2: + CommandLine|contains: + - 'ditsnap.exe' + condition: selection or selection2 falsepositives: - - Legitimate admin usage + - Legitimate admin usage level: high +tags: + - attack.credential_access + - attack.t1003.003 + - attack.t1003 # an old one diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml index 92ac6a662..24ae43496 100644 --- a/rules/windows/process_creation/win_susp_dnx.yml +++ b/rules/windows/process_creation/win_susp_dnx.yml 
@@ -1,25 +1,25 @@ title: Application Whitelisting Bypass via Dnx.exe id: 81ebd28b-9607-4478-bf06-974ed9d53ed7 -status: experimental +status: test description: Execute C# code located in the consoleapp folder -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml - - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ author: Beyu Denis, oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml + - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ date: 2019/10/26 -modified: 2020/08/30 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.t1027.004 - - attack.execution # an old one -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\dnx.exe' - condition: selection + selection: + Image|endswith: '\dnx.exe' + condition: selection falsepositives: - - Legitimate use of dnx.exe by legitimate user + - Legitimate use of dnx.exe by legitimate user +level: medium +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1027.004 + - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index cdc88f34e..d14cf33a6 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml 
@@ -1,34 +1,35 @@ title: Suspicious Double Extension id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 +status: test description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns -status: experimental -references: - - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - - https://twitter.com/blackorbird/status/1140519090961825792 author: Florian Roth (rule), @blu3_team (idea) +references: + - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html + - https://twitter.com/blackorbird/status/1140519090961825792 date: 2019/06/26 -tags: - - attack.initial_access - - attack.t1566.001 - - attack.t1193 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - '.doc.exe' - - '.docx.exe' - - '.xls.exe' - - '.xlsx.exe' - - '.ppt.exe' - - '.pptx.exe' - - '.rtf.exe' - - '.pdf.exe' - - '.txt.exe' - - ' .exe' - - '______.exe' - condition: selection + selection: + Image|endswith: + - '.doc.exe' + - '.docx.exe' + - '.xls.exe' + - '.xlsx.exe' + - '.ppt.exe' + - '.pptx.exe' + - '.rtf.exe' + - '.pdf.exe' + - '.txt.exe' + - ' .exe' + - '______.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.initial_access + - attack.t1566.001 + - attack.t1193 # an old one diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index 6634bc3c1..1fe56e4ed 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml 
@@ -1,27 +1,27 @@ title: Application Whitelisting Bypass via Dxcap.exe id: 60f16a96-db70-42eb-8f76-16763e333590 -status: experimental +status: test description: Detects execution of of Dxcap.exe -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml - - https://twitter.com/harr0ey/status/992008180904419328 author: Beyu Denis, oscd.community +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml + - https://twitter.com/harr0ey/status/992008180904419328 date: 2019/10/26 -modified: 2019/11/04 -tags: - - attack.defense_evasion - - attack.t1218 - - attack.execution # an old one -level: medium +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\dxcap.exe' - CommandLine|contains|all: - - '-c' - - '.exe' - condition: selection + selection: + Image|endswith: '\dxcap.exe' + CommandLine|contains|all: + - '-c' + - '.exe' + condition: selection falsepositives: - - Legitimate execution of dxcap.exe by legitimate user + - Legitimate execution of dxcap.exe by legitimate user +level: medium +tags: + - attack.defense_evasion + - attack.t1218 + - attack.execution # an old one diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 92f50bd32..b2d6bc67a 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml 
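Review bot: The description retained on the new side contains a doubled word, "Detects execution of of Dxcap.exe"; the commit rewrites the metadata around it and should fix it to `description: Detects execution of Dxcap.exe`. Nothing else in the hunk changes semantics.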
@@ -1,41 +1,41 @@ title: Suspicious Eventlog Clear or Configuration Using Wevtutil id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 +status: test description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). -status: experimental author: Ecco, Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md - - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 -modified: 2019/11/11 -tags: - - attack.defense_evasion - - attack.t1070.001 - - attack.t1070 # an old one - - car.2016-04-002 -level: high +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_wevtutil_binary: - Image|endswith: '\wevtutil.exe' - selection_wevtutil_command: - CommandLine|contains: - - 'clear-log' # clears specified log - - ' cl ' # short version of 'clear-log' - - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - - ' sl ' # short version of 'set-log' - selection_other_ps: - Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'Clear-EventLog' - - 'Remove-EventLog' - - 'Limit-EventLog' - selection_other_wmic: - Image|endswith: '\wmic.exe' - CommandLine|contains: ' ClearEventLog ' - condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command) + selection_wevtutil_binary: + Image|endswith: '\wevtutil.exe' + selection_wevtutil_command: + CommandLine|contains: + - 'clear-log' # clears specified log + - ' cl ' # short version of 'clear-log' + - 'set-log' # modifies config of specified log. 
could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' + selection_other_ps: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'Clear-EventLog' + - 'Remove-EventLog' + - 'Limit-EventLog' + selection_other_wmic: + Image|endswith: '\wmic.exe' + CommandLine|contains: ' ClearEventLog ' + condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command) falsepositives: - - Admin activity - - Scripts and administrative tools used in the monitored environment + - Admin activity + - Scripts and administrative tools used in the monitored environment +level: high +tags: + - attack.defense_evasion + - attack.t1070.001 + - attack.t1070 # an old one + - car.2016-04-002 diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index f1ab6a6e3..9e1ad907d 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml 
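Review bot: The inline comment on the `'set-log'` entry under `selection_wevtutil_command` is carried over with a typo, "could be uset to set it to a tiny size"; suggest `- 'set-log' # modifies config of specified log; could be used to set it to a tiny size`. The hunk begins on the previous physical line; the point applies only to this comment and the reindented detection block is otherwise unchanged.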
@@ -1,34 +1,35 @@ title: Execution in Webserver Root Folder id: 35efb964-e6a5-47ad-bbcd-19661854018d -status: experimental +status: test description: Detects a suspicious program execution in a web service root folder (filter out false positives) author: Florian Roth date: 2019/01/16 -tags: - - attack.persistence - - attack.t1505.003 - - attack.t1100 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|contains: - - '\wwwroot\' - - '\wmpub\' - - '\htdocs\' - filter: - Image|contains: - - 'bin\' - - '\Tools\' - - '\SMSComponent\' - ParentImage|endswith: - - '\services.exe' - condition: selection and not filter + selection: + Image|contains: + - '\wwwroot\' + - '\wmpub\' + - '\htdocs\' + filter: + Image|contains: + - 'bin\' + - '\Tools\' + - '\SMSComponent\' + ParentImage|endswith: + - '\services.exe' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Various applications - - Tools that include ping or nslookup command invocations + - Various applications + - Tools that include ping or nslookup command invocations level: medium +tags: + - attack.persistence + - attack.t1505.003 + - attack.t1100 # an old one diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml index 6d6d85388..8b8c71f02 100644 --- a/rules/windows/process_creation/win_susp_explorer.yml +++ b/rules/windows/process_creation/win_susp_explorer.yml 
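Review bot: In the reindented `filter` map, `Image|contains` and `ParentImage|endswith` are two keys of the same selection, which Sigma evaluates with AND — so the exclusion only applies when the image path contains one of the listed fragments *and* the parent is `\services.exe`. If the intent was to exclude either case independently, they need to be separate selections (for example `filter_path` and `filter_parent`) combined as `condition: selection and not 1 of filter_*`; if the AND is intended, a short comment on the `filter` key would prevent the next reader from "fixing" it. The `falsepositives` entry "Tools that include ping or nslookup command invocations" also looks unrelated to execution from a web root and may have been copied from another rule — worth confirming with the author.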
@@ -1,26 +1,27 @@ title: Proxy Execution Via Explorer.exe id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e +status: test description: Attackers can use explorer.exe for evading defense mechanisms author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' -status: experimental -date: 2020/10/05 references: - - https://twitter.com/CyberRaiju/status/1273597319322058752 -tags: - - attack.defense_evasion - - attack.t1218 + - https://twitter.com/CyberRaiju/status/1273597319322058752 +date: 2020/10/05 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: - - \explorer.exe - ParentImage|endswith: - - \cmd.exe - CommandLine|contains: - - explorer.exe - condition: selection + selection: + Image|endswith: + - \explorer.exe + ParentImage|endswith: + - \cmd.exe + CommandLine|contains: + - explorer.exe + condition: selection falsepositives: - - Legitimate explorer.exe run from cmd.exe + - Legitimate explorer.exe run from cmd.exe level: low +tags: + - attack.defense_evasion + - attack.t1218 diff --git a/rules/windows/process_creation/win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml index 00a4de8bc..895fcd7f7 100644 --- a/rules/windows/process_creation/win_susp_explorer_break_proctree.yml +++ b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml 
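Review bot: The pattern values in this hunk (`\explorer.exe`, `\cmd.exe`, `explorer.exe`) are the only ones in the batch written as unquoted plain scalars; YAML accepts them, but the rest of the patch single-quotes every backslash-containing string, so `- '\explorer.exe'`, `- '\cmd.exe'` and `- 'explorer.exe'` would keep the style uniform and avoid surprises if a value ever starts with a YAML indicator character. The `CommandLine|contains: explorer.exe` clause is also largely implied by `Image|endswith: \explorer.exe`, so it probably adds little selectivity — hedged, since the two fields can differ when the binary is invoked through an unusual command line.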
@@ -1,25 +1,25 @@
 title: Explorer Root Flag Process Tree Break
 id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
+status: test
 description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
-status: experimental
-references:
- - https://twitter.com/CyberRaiju/status/1273597319322058752
- - https://twitter.com/bohops/status/1276357235954909188?s=12
 author: Florian Roth
+references:
+ - https://twitter.com/CyberRaiju/status/1273597319322058752
+ - https://twitter.com/bohops/status/1276357235954909188?s=12
 date: 2019/06/29
-modified: 2020/08/30
-tags:
- - attack.defense_evasion
- - attack.t1036
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains|all:
- - 'explorer.exe'
- - ' /root,'
- condition: selection
+ selection:
+ CommandLine|contains|all:
+ - 'explorer.exe'
+ - ' /root,'
+ condition: selection
 falsepositives:
- - Unknown how many legitimate software products use that method
+ - Unknown how many legitimate software products use that method
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036
diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
index 63ffa1398..91e72963f 100644
--- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -1,27 +1,28 @@
 title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
 id: eee00933-a761-4cd0-be70-c42fe91731e7
-status: experimental
+status: test
 description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml
 date: 2020/10/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- image_path:
- Image|endswith: '\GfxDownloadWrapper.exe'
- cmd_known_url:
- CommandLine|contains: 'gameplayapi.intel.com'
- same_parent:
- ParentImage|endswith: '\GfxDownloadWrapper.exe'
- condition: image_path and not cmd_known_url and not same_parent
+ image_path:
+ Image|endswith: '\GfxDownloadWrapper.exe'
+ cmd_known_url:
+ CommandLine|contains: 'gameplayapi.intel.com'
+ same_parent:
+ ParentImage|endswith: '\GfxDownloadWrapper.exe'
+ condition: image_path and not cmd_known_url and not same_parent
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.command_and_control
- - attack.t1105
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml
index 1a5a58037..204e9b0e0 100644
--- a/rules/windows/process_creation/win_susp_findstr.yml
+++ b/rules/windows/process_creation/win_susp_findstr.yml
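Review bot: `cmd_known_url` excludes any command line that contains `gameplayapi.intel.com` anywhere, not a URL whose host is that domain, so the exclusion is looser than the "non standard URL" wording of `description` implies; anchoring the known-good value to the scheme and host position (for instance a fragment of the form `'://gameplayapi.intel.com/'`, a constructed example) or noting the approximation under `falsepositives` would make the rule's coverage honest. The `same_parent` exclusion silently drops every instance whose parent is the wrapper itself and nothing in the rule says why that case is benign; a one-line comment on that selection, e.g. `# self-spawned instances are the legitimate updater chain — confirm`, would help the next reader.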
@@ -1,32 +1,33 @@
-title: Abusing Findstr for Defense Evasion
+title: Abusing Findstr for Defense Evasion
 id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+status: test
 description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
-status: experimental
-date: 2020/10/05
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
- - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-tags:
- - attack.defense_evasion
- - attack.t1218
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+date: 2020/10/05
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selectionFindstr:
- CommandLine|contains:
- - findstr
- selection_V_L:
- CommandLine|contains|all:
- - /V
- - /L
- selection_S_I:
- CommandLine|contains|all:
- - /S
- - /I
- condition: selectionFindstr and (selection_V_L or selection_S_I)
+ selectionFindstr:
+ CommandLine|contains:
+ - findstr
+ selection_V_L:
+ CommandLine|contains|all:
+ - /V
+ - /L
+ selection_S_I:
+ CommandLine|contains|all:
+ - /S
+ - /I
+ condition: selectionFindstr and (selection_V_L or selection_S_I)
 falsepositives:
- - Administrative findstr usage
+ - Administrative findstr usage
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml
index 2c9f39874..27e7abff3 100644
--- a/rules/windows/process_creation/win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
@@ -1,29 +1,29 @@
 title: Findstr Launching .lnk File
 id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
+status: test
 description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-status: experimental
-references:
- - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.t1202
- - attack.t1027.003
 author: Trent Liffick
+references:
+ - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 date: 2020/05/01
-modified: 2020/08/30
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\findstr.exe'
- CommandLine|endswith: '.lnk'
- condition: selection
+ selection:
+ Image|endswith: '\findstr.exe'
+ CommandLine|endswith: '.lnk'
+ condition: selection
 fields:
- - Image
- - CommandLine
- - ParentCommandLine
+ - Image
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - unknown
+ - unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1202
+ - attack.t1027.003
diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml
index f1b91d50a..59eefccbb 100644
--- a/rules/windows/process_creation/win_susp_firewall_disable.yml
+++ b/rules/windows/process_creation/win_susp_firewall_disable.yml
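Review bot: `CommandLine|endswith: '.lnk'` does not match invocations whose last argument is quoted, because the logged command line then ends in `.lnk"` rather than `.lnk`; adding `- '.lnk"'` as a second value (list values are OR-ed) or switching to `CommandLine|contains: '.lnk'` under the same `Image` anchor closes that gap. `falsepositives: - unknown` is lower-case where the sibling rules in this commit write `Unknown`, a minor consistency point.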
@@ -1,26 +1,26 @@
 title: Firewall Disabled via Netsh
 id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
+status: test
 description: Detects netsh commands that turns off the Windows firewall
-references:
- - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
- - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
-date: 2019/11/01
-modified: 2020/08/30
-status: experimental
 author: Fatih Sirin
-tags:
- - attack.defense_evasion
- - attack.t1562.004
- - attack.s0108
+references:
+ - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
+ - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
+date: 2019/11/01
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - netsh firewall set opmode mode=disable
- - netsh advfirewall set * state off
- condition: selection
+ selection:
+ CommandLine:
+ - netsh firewall set opmode mode=disable
+ - netsh advfirewall set * state off
+ condition: selection
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.s0108
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index ba4774fa5..d24a1006e 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
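Review bot: Plain values under `CommandLine:` are whole-field matches in Sigma, so `netsh firewall set opmode mode=disable` only fires when the entire logged command line is exactly that text; an invocation with a full image path, an `.exe` suffix, different spacing or trailing arguments is not matched, and only the second value carries a wildcard. Wrapping both values in wildcards, `- '*netsh firewall set opmode mode=disable*'` and `- '*netsh advfirewall set * state off*'`, or moving to `CommandLine|contains|all` with the individual tokens, keeps the intent while matching the forms that actually get logged. `description: Detects netsh commands that turns off` should read `turn off`.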
@@ -1,31 +1,31 @@
 title: Fsutil Suspicious Invocation
 id: add64136-62e5-48ea-807e-88638d02df1e
+status: test
 description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
-status: experimental
 author: Ecco, E.M. Anhaus, oscd.community
-date: 2019/09/26
-modified: 2019/11/11
-level: high
 references:
- - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
-tags:
- - attack.defense_evasion
- - attack.t1070
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
+date: 2019/09/26
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- binary_1:
- Image|endswith: '\fsutil.exe'
- binary_2:
- OriginalFileName: 'fsutil.exe'
- selection:
- CommandLine|contains:
- - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
- condition: (1 of binary_*) and selection
+ binary_1:
+ Image|endswith: '\fsutil.exe'
+ binary_2:
+ OriginalFileName: 'fsutil.exe'
+ selection:
+ CommandLine|contains:
+ - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
+ - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
+ condition: (1 of binary_*) and selection
 falsepositives:
- - Admin activity
- - Scripts and administrative tools used in the monitored environment
+ - Admin activity
+ - Scripts and administrative tools used in the monitored environment
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1070
diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml
index 7572cf22b..4cdecc4be 100644
--- a/rules/windows/process_creation/win_susp_ftp.yml
+++ b/rules/windows/process_creation/win_susp_ftp.yml
@@ -1,32 +1,33 @@
-title: Suspicious ftp.exe
+title: Suspicious ftp.exe
 id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
-status: experimental
+status: test
 description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml
 date: 2020/10/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- ftp_path:
- Image|endswith: 'ftp.exe'
- ftp_metadata:
- OriginalFileName|contains: 'ftp.exe'
- cmd_with_script_modifier:
- CommandLine|contains: '-s:'
- parent_path:
- ParentImage|endswith: 'ftp.exe'
- condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path
+ ftp_path:
+ Image|endswith: 'ftp.exe'
+ ftp_metadata:
+ OriginalFileName|contains: 'ftp.exe'
+ cmd_with_script_modifier:
+ CommandLine|contains: '-s:'
+ parent_path:
+ ParentImage|endswith: 'ftp.exe'
+ condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path
 fields:
- - CommandLine
- - ParentImage
-tags:
- - attack.execution
- - attack.t1059
- - attack.defense_evasion
- - attack.t1202
+ - CommandLine
+ - ParentImage
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index a6d7d8e3f..5751fdad8 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
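Review bot: `Image|endswith: 'ftp.exe'` and `ParentImage|endswith: 'ftp.exe'` lack the leading backslash that every other image match in this commit uses, so any binary whose file name merely ends in those characters (tftp.exe, for instance) satisfies `ftp_path` and `parent_path` and `parent_path` alone is enough to alert; `'\ftp.exe'` in both places restricts the match to the intended binary. Tightening `ftp_path` also changes the `ftp_metadata and not ftp_path` branch, which presumably is the renamed-binary case, so that combination should be re-tested after the change. `OriginalFileName|contains: 'ftp.exe'` has the same looseness; an exact `OriginalFileName: 'ftp.exe'`, as `win_susp_fsutil_usage.yml` does for fsutil, would be the tighter form.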
@@ -1,29 +1,29 @@
 title: Suspicious GUP Usage
 id: 0a4f6091-223b-41f6-8743-f322ec84930b
+status: test
 description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-status: experimental
-references:
- - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
-tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.t1073 # an old one
 author: Florian Roth
+references:
+ - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
 date: 2019/02/06
-modified: 2020/11/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\GUP.exe'
- filter:
- Image|endswith:
- - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
- - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
- - '\Program Files\Notepad++\updater\GUP.exe'
- - '\Program Files (x86)\Notepad++\updater\GUP.exe'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\GUP.exe'
+ filter:
+ Image|endswith:
+ - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'
+ - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'
+ - '\Program Files\Notepad++\updater\GUP.exe'
+ - '\Program Files (x86)\Notepad++\updater\GUP.exe'
+ condition: selection and not filter
 falsepositives:
- - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
+ - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.t1073 # an old one
diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
index e609f086e..9e014371d 100644
--- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
+++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml
@@ -1,25 +1,26 @@
 title: Mounted Share Deleted
 id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
-status: experimental
+status: test
 description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
 date: 2020/10/08
-tags:
- - attack.defense_evasion
- - attack.t1070.005
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\net.exe'
- Image|endswith: '\net1.exe'
- CommandLine|contains|all:
- - 'share'
- - '/delete'
- condition: selection
+ selection:
+ ParentImage|endswith: '\net.exe'
+ Image|endswith: '\net1.exe'
+ CommandLine|contains|all:
+ - 'share'
+ - '/delete'
+ condition: selection
 falsepositives:
- - Administrators or Power users may remove their shares via cmd line
+ - Administrators or Power users may remove their shares via cmd line
 level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
index 5265dd136..f5a0eb93f 100644
--- a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
+++ b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
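Review bot: The selection requires both `ParentImage|endswith: '\net.exe'` and `Image|endswith: '\net1.exe'`, so the rule only sees the net.exe → net1.exe hand-off; a `share … /delete` recorded for net1.exe under a different parent, or for net.exe alone on a source that does not log the child, is not matched. If the parent constraint is deliberate (for example to avoid a duplicate alert per deletion), a comment on that line saying so would spare the next reviewer the question; otherwise dropping `ParentImage` and matching `Image|endswith` on both `'\net.exe'` and `'\net1.exe'` is the more robust shape. `description` also has a doubled word, `Detects when when`.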
@@ -1,31 +1,32 @@
 title: Windows Defender Download Activity
 id: 46123129-1024-423e-9fae-43af4a0fa9a5
-status: experimental
-description: Detect the use of Windows Defender to download payloads
+status: test
+description: Detect the use of Windows Defender to download payloads
 author: Matthew Matchen
-date: 2020/09/04
 references:
- - https://twitter.com/djmtshepana/status/1301608169496612866
- - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.command_and_control
- - attack.t1105
+ - https://twitter.com/djmtshepana/status/1301608169496612866
+ - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
+date: 2020/09/04
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- - CommandLine|contains: 'MpCmdRun.exe'
- - Description: 'Microsoft Malware Protection Command Line Utility'
- selection2:
- CommandLine|contains|all:
- - 'DownloadFile'
- - 'url'
- condition: selection1 and selection2
+ selection1:
+ - CommandLine|contains: 'MpCmdRun.exe'
+ - Description: 'Microsoft Malware Protection Command Line Utility'
+ selection2:
+ CommandLine|contains|all:
+ - 'DownloadFile'
+ - 'url'
+ condition: selection1 and selection2
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
index a22a717cd..9d22cc0af 100644
--- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
@@ -1,27 +1,28 @@
 title: Suspicious MsiExec Directory
 id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
-status: experimental
+status: test
 description: Detects suspicious msiexec process starts in an uncommon directory
-references:
- - https://twitter.com/200_okay_/status/1194765831911215104
-tags:
- - attack.defense_evasion
- - attack.t1036.005
- - attack.t1036 # an old one
 author: Florian Roth
+references:
+ - https://twitter.com/200_okay_/status/1194765831911215104
 date: 2019/11/14
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\msiexec.exe'
- filter:
- Image|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\WinSxS\'
- condition: selection and not filter
+ selection:
+ Image|endswith: '\msiexec.exe'
+ filter:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1036.005
+ - attack.t1036 # an old one
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index 857f51c59..1f13d8357 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
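Review bot: The `filter` values hard-code the `C:` drive, so on a host whose system volume has another letter every msiexec start lands outside the exclusion and the rule alerts at `level: high` on routine installs; a drive-independent form such as `Image|contains` with `'\Windows\System32\'`-style fragments (slightly looser, since it matches the fragment anywhere in the path) avoids that, and the trade-off is worth a one-line comment on the filter. `falsepositives: Unknown` next to `level: high` is also thin documentation for a rule whose exclusion list is this specific; at least naming the drive assumption there would help operators tune it.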
@@ -1,28 +1,28 @@
 title: Malicious Payload Download via Office Binaries
 id: 0c79148b-118e-472b-bdb7-9b57b444cc19
-status: experimental
+status: test
 description: Downloads payload from remote server
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
- - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
- - Reegun J (OCBC Bank)
 author: Beyu Denis, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
+ - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
+ - Reegun J (OCBC Bank)
 date: 2019/10/26
-modified: 2019/11/04
-tags:
- - attack.command_and_control
- - attack.t1105
-level: high
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\powerpnt.exe'
- - '\winword.exe'
- - '\excel.exe'
- CommandLine|contains: 'http'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\powerpnt.exe'
+ - '\winword.exe'
+ - '\excel.exe'
+ CommandLine|contains: 'http'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
index 3ee753935..c82d9c58b 100644
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
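Review bot: `CommandLine|contains: 'http'` on winword, excel and powerpnt matches any document opened from an http(s) location, which is routine wherever files live on SharePoint or a web share, yet the rule is kept at `level: high` with `falsepositives: Unknown`; either list that case under `falsepositives` or narrow the selection so the level is defensible. `description: Downloads payload from remote server` describes the adversary behaviour rather than what the rule matches; the convention in the neighbouring rules is the detection itself, e.g. `Detects Office binaries (powerpnt, winword, excel) started with an http(s) URL on the command line`.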
@@ -1,32 +1,32 @@
 title: Suspicious Netsh DLL Persistence
 id: 56321594-9087-49d9-bf10-524fe8479452
+status: stable
 description: Detects persitence via netsh helper
-status: test
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
- - https://attack.mitre.org/software/S0108/
-tags:
- - attack.privilege_escalation
- - attack.t1546.007
- - attack.s0108
-date: 2019/10/25
-modified: 2020/08/30
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
+ - https://attack.mitre.org/software/S0108/
+date: 2019/10/25
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\netsh.exe'
- CommandLine|contains|all:
- - 'add'
- - 'helper'
- condition: selection
+ selection:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'add'
+ - 'helper'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1546.007
+ - attack.s0108
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
index 51d64b32e..1bb004701 100644
--- a/rules/windows/process_creation/win_susp_odbcconf.yml
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
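Review bot: This hunk is the only one in the chunk that sets `status: stable` while every other rule goes to `status: test`; if the promotion is intended because the rule was already at `test` and has aged, a sentence in the commit message or a short comment next to the status would make that reviewable rather than looking like a slip. `description` has a typo, `persitence`, and `Detects persistence via netsh helper` is the intended text. `falsepositives: Unknown` on a `level: high` rule is thin; naming the legitimate case the `add`/`helper` pair would hit, if any is known, would help tuning.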
@@ -1,31 +1,31 @@
 title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
 id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
+status: test
 description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
- - https://twitter.com/Hexacorn/status/1187143326673330176
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
+ - https://twitter.com/Hexacorn/status/1187143326673330176
 date: 2019/10/25
-modified: 2019/11/07
-tags:
- - attack.defense_evasion
- - attack.t1218.008
- - attack.execution # an old one
- - attack.t1218 # an old one
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_1:
- Image|endswith: '\odbcconf.exe'
- CommandLine|contains:
- - '-f'
- - 'regsvr'
- selection_2:
- ParentImage|endswith: '\odbcconf.exe'
- Image|endswith: '\rundll32.exe'
- condition: selection_1 or selection_2
-level: medium
+ selection_1:
+ Image|endswith: '\odbcconf.exe'
+ CommandLine|contains:
+ - '-f'
+ - 'regsvr'
+ selection_2:
+ ParentImage|endswith: '\odbcconf.exe'
+ Image|endswith: '\rundll32.exe'
+ condition: selection_1 or selection_2
 falsepositives:
- - Legitimate use of odbcconf.exe by legitimate user
+ - Legitimate use of odbcconf.exe by legitimate user
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.008
+ - attack.execution # an old one
+ - attack.t1218 # an old one
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml
index 29bb61ec9..bff1cf575 100644
--- a/rules/windows/process_creation/win_susp_openwith.yml
+++ b/rules/windows/process_creation/win_susp_openwith.yml
@@ -1,25 +1,25 @@
 title: OpenWith.exe Executes Specified Binary
 id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
-status: experimental
+status: test
 description: The OpenWith.exe executes other binary
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
- - https://twitter.com/harr0ey/status/991670870384021504
 author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
+ - https://twitter.com/harr0ey/status/991670870384021504
 date: 2019/10/12
-modified: 2019/11/04
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution # an old one
-level: high
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\OpenWith.exe'
- CommandLine|contains: '/c'
- condition: selection
+ selection:
+ Image|endswith: '\OpenWith.exe'
+ CommandLine|contains: '/c'
+ condition: selection
 falsepositives:
- - Legitimate use of OpenWith.exe by legitimate user
+ - Legitimate use of OpenWith.exe by legitimate user
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution # an old one
diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml
index a3f3ddd23..38ebf22eb 100644
--- a/rules/windows/process_creation/win_susp_pcwutl.yml
+++ b/rules/windows/process_creation/win_susp_pcwutl.yml
@@ -1,27 +1,28 @@
 title: Code Execution via Pcwutl.dll
 id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
+status: test
 description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
-status: experimental
-references:
- - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md
- - https://twitter.com/harr0ey/status/989617817849876488
 author: Julia Fomina, oscd.community
+references:
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md
+ - https://twitter.com/harr0ey/status/989617817849876488
 date: 2020/10/05
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.execution # an old one
- - attack.t1218 # an old one
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\rundll32.exe'
- CommandLine|contains|all:
- - 'pcwutl'
- - 'LaunchApplication'
- condition: selection
-level: medium
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains|all:
+ - 'pcwutl'
+ - 'LaunchApplication'
+ condition: selection
 falsepositives:
- - Use of Program Compatibility Troubleshooter Helper
+ - Use of Program Compatibility Troubleshooter Helper
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.execution # an old one
+ - attack.t1218 # an old one
diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml
index a549111f6..542deb50f 100644
--- a/rules/windows/process_creation/win_susp_pester.yml
+++ b/rules/windows/process_creation/win_susp_pester.yml
@@ -1,35 +1,36 @@
 title: Execute Code with Pester.bat
 id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
-description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-status: experimental
-references:
- - https://twitter.com/Oddvarmoe/status/993383596244258816
+status: test
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
 author: Julia Fomina, oscd.community
+references:
+ - https://twitter.com/Oddvarmoe/status/993383596244258816
 date: 2020/10/08
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1216
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- powershell_module:
- Image|endswith: '\powershell.exe'
- CommandLine|contains|all:
- - 'Pester'
- - 'Get-Help'
- cmd_execution:
- Image|endswith: '\cmd.exe'
- CommandLine|contains|all:
- - 'pester'
- - ';'
- get_help:
- CommandLine|contains:
- - 'help'
- - '?'
- condition: powershell_module or (cmd_execution and get_help)
-level: medium
+ powershell_module:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'Pester'
+ - 'Get-Help'
+ cmd_execution:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'pester'
+ - ';'
+ get_help:
+ CommandLine|contains:
+ - 'help'
+ - '?'
+ condition: powershell_module or (cmd_execution and get_help)
 falsepositives:
- - Legitimate use of Pester for writing tests for Powershell scripts and modules
+ - Legitimate use of Pester for writing tests for Powershell scripts and modules
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1216
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index 7b63469b4..9d4a166a7 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
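Review bot: `description` carries a typo, `Modulte`; `Pester - PowerShell module for testing` reads cleanly and also fixes the product name's casing. In `get_help`, `'?'` under `contains` matches any command line holding a question mark (URLs with query strings, for instance); the AND with `cmd_execution` keeps that in check, but a comment on that value saying what it stands for — presumably the `-?` help switch, which should be confirmed — would make the intent clear to the next reader.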
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml 
@@ -1,32 +1,32 @@ title: Empire PowerShell Launch Parameters id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581 +status: test description: Detects suspicious powershell command line parameters used in Empire -status: experimental -references: - - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165 - - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191 - - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178 - - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 author: Florian Roth +references: + - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165 + - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191 + - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178 + - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 date: 2019/04/20 -modified: 2020/07/20 -tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains: - - ' -NoP -sta -NonI -W Hidden -Enc ' - - ' -noP -sta -w 1 -enc ' - - ' -NoP -NonI -W Hidden -enc ' - - ' -noP -sta -w 1 -enc' - - ' -enc SQB' - - ' -nop -exec bypass -EncodedCommand ' - condition: selection + selection: + CommandLine|contains: + - ' -NoP -sta -NonI -W Hidden -Enc ' + - ' 
-noP -sta -w 1 -enc ' + - ' -NoP -NonI -W Hidden -enc ' + - ' -noP -sta -w 1 -enc' + - ' -enc SQB' + - ' -nop -exec bypass -EncodedCommand ' + condition: selection falsepositives: - - Other tools that incidentally use the same command line parameters + - Other tools that incidentally use the same command line parameters level: critical +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml index f54f9fc6d..194fb3f6d 100644 --- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml 
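Review bot: The pattern list promoted to `test` status still carries `' -noP -sta -w 1 -enc '` directly above `' -noP -sta -w 1 -enc'`; Sigma `contains` is a substring match, so the second entry already covers the first and the line with the trailing space can be dropped. `' -enc SQB'` is a very short anchor: `SQB` is the base64 prefix of UTF-16LE text beginning with `I` followed by an ASCII letter, so any benign `-enc` payload starting `Import-Module`, `Invoke-…` or `If (` raises a `critical` alert — either document that in `falsepositives` or tighten the fragment. `attack.t1086 # an old one` is a retired technique id whose replacement `attack.t1059.001` is already listed, so it can go.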
@@ -1,30 +1,31 @@
 title: Empire PowerShell UAC Bypass
 id: 3268b746-88d8-4cd3-bffc-30077d02c787
-status: experimental
+status: test
 description: Detects some Empire PowerShell UAC bypass methods
-references:
- - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
- - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
 author: Ecco
+references:
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
 date: 2019/08/30
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains:
- - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'
- - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'
- condition: selection
+ selection:
+ CommandLine|contains:
+ - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'
+ - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
- - attack.t1088 # an old one
- - car.2019-04-001
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - unknown
+ - unknown
 level: critical
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1088 # an old one
+ - car.2019-04-001
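Review bot: Both `CommandLine|contains` entries on the new side are anchored on the exact Empire stager prefix `' -NoP -NonI …'`, so reordering or dropping a single switch sidesteps a `critical` rule; the only variation covered is the presence of `-w Hidden`. The substring the two share, `(gp HKCU:Software\\Microsoft\\Windows Update).Update`, is the registry read that characterises this bypass, and matching on that alone (`CommandLine|contains: 'HKCU:Software\\Microsoft\\Windows Update).Update'`) is a strict superset of today's matches and far less brittle — check it against your data for false positives before loosening. Separately, `attack.t1088 # an old one` is the retired id already replaced by `attack.t1548.002` on the line above it.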
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
index d6c51267f..8a47cb294 100644
--- a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -1,24 +1,25 @@
 title: PowerShell Encoded Character Syntax
 id: e312efd0-35a1-407f-8439-b8d434b438a6
-status: experimental
+status: test
 description: Detects suspicious encoded character syntax often used for defense evasion
-references:
- - https://twitter.com/0gtweet/status/1281103918693482496
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.t1086 # an old one
- - attack.defense_evasion
- - attack.t1027
 author: Florian Roth
+references:
+ - https://twitter.com/0gtweet/status/1281103918693482496
 date: 2020/07/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains: '(WCHAR)0x'
- condition: selection
+ selection:
+ CommandLine|contains: '(WCHAR)0x'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.defense_evasion
+ - attack.t1027
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 68771de9d..7d449f116 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
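Review bot: `- attack.t1086 # an old one` on the new side of the encoded_param hunk is the retired PowerShell technique id, and its replacement `attack.t1059.001` sits one line above it; moving the rule to `status: test` is the moment to drop the stale tag rather than carry it forward. The detection itself, `CommandLine|contains: '(WCHAR)0x'`, changes only in indentation and is reasonable as a single literal, but Sigma matching is case-insensitive yet not whitespace-tolerant, so a `(WCHAR) 0x` spelling would not match — if the referenced technique tolerates that spacing, a second list entry would close the gap.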
@@ -1,73 +1,74 @@ title: Malicious Base64 Encoded PowerShell Keywords in Command Lines id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0 -status: experimental +status: test description: Detects base64 encoded strings used in hidden malicious PowerShell command lines -references: - - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ -tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one author: John Lambert (rule) +references: + - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ date: 2019/01/16 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - encoded: - Image|endswith: '\powershell.exe' - CommandLine|contains: ' hidden ' - selection: - CommandLine|contains: - - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA' - - 'aXRzYWRtaW4gL3RyYW5zZmVy' - - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA' - - 'JpdHNhZG1pbiAvdHJhbnNmZX' - - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg' - - 'Yml0c2FkbWluIC90cmFuc2Zlc' - - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA' - - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA' - - 'JGNodW5rX3Npem' - - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ' - - 'RjaHVua19zaXpl' - - 'Y2h1bmtfc2l6Z' - - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A' - - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg' - - 'lPLkNvbXByZXNzaW9u' - - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA' - - 'SU8uQ29tcHJlc3Npb2' - - 'Ty5Db21wcmVzc2lvb' - - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ' - - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA' - - 'lPLk1lbW9yeVN0cmVhb' - - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A' - - 'SU8uTWVtb3J5U3RyZWFt' - - 'Ty5NZW1vcnlTdHJlYW' - - '4ARwBlAHQAQwBoAHUAbgBrA' - - '5HZXRDaHVua' - - 'AEcAZQB0AEMAaAB1AG4Aaw' - - 'LgBHAGUAdABDAGgAdQBuAGsA' - - 'LkdldENodW5r' - - 'R2V0Q2h1bm' - - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A' - - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA' - - 'RIUkVBRF9JTkZPNj' - - 'SFJFQURfSU5GTzY0' - - 
'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA' - - 'VEhSRUFEX0lORk82N' - - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA' - - 'cmVhdGVSZW1vdGVUaHJlYW' - - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA' - - 'NyZWF0ZVJlbW90ZVRocmVhZ' - - 'Q3JlYXRlUmVtb3RlVGhyZWFk' - - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA' - - '0AZQBtAG0AbwB2AGUA' - - '1lbW1vdm' - - 'AGUAbQBtAG8AdgBlA' - - 'bQBlAG0AbQBvAHYAZQ' - - 'bWVtbW92Z' - - 'ZW1tb3Zl' - condition: encoded and selection + encoded: + Image|endswith: '\powershell.exe' + CommandLine|contains: ' hidden ' + selection: + CommandLine|contains: + - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA' + - 'aXRzYWRtaW4gL3RyYW5zZmVy' + - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA' + - 'JpdHNhZG1pbiAvdHJhbnNmZX' + - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg' + - 'Yml0c2FkbWluIC90cmFuc2Zlc' + - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA' + - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA' + - 'JGNodW5rX3Npem' + - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ' + - 'RjaHVua19zaXpl' + - 'Y2h1bmtfc2l6Z' + - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A' + - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg' + - 'lPLkNvbXByZXNzaW9u' + - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA' + - 'SU8uQ29tcHJlc3Npb2' + - 'Ty5Db21wcmVzc2lvb' + - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ' + - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA' + - 'lPLk1lbW9yeVN0cmVhb' + - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A' + - 'SU8uTWVtb3J5U3RyZWFt' + - 'Ty5NZW1vcnlTdHJlYW' + - '4ARwBlAHQAQwBoAHUAbgBrA' + - '5HZXRDaHVua' + - 'AEcAZQB0AEMAaAB1AG4Aaw' + - 'LgBHAGUAdABDAGgAdQBuAGsA' + - 'LkdldENodW5r' + - 'R2V0Q2h1bm' + - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A' + - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA' + - 'RIUkVBRF9JTkZPNj' + - 'SFJFQURfSU5GTzY0' + - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA' + - 'VEhSRUFEX0lORk82N' + - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA' + - 'cmVhdGVSZW1vdGVUaHJlYW' + - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA' + - 'NyZWF0ZVJlbW90ZVRocmVhZ' + - 'Q3JlYXRlUmVtb3RlVGhyZWFk' + - 
'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA' + - '0AZQBtAG0AbwB2AGUA' + - '1lbW1vdm' + - 'AGUAbQBtAG8AdgBlA' + - 'bQBlAG0AbQBvAHYAZQ' + - 'bWVtbW92Z' + - 'ZW1tb3Zl' + condition: encoded and selection falsepositives: - - Penetration tests + - Penetration tests level: high +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 70b6b93f1..020307ac0 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml 
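Review bot: The `encoded` selection on the new side requires `CommandLine|contains: ' hidden '` with a space on both sides, so a command line that ends in `-w hidden`, or that uses the `-w 1` form seen in the Empire launcher rule, never reaches the keyword list even though the base64 fragments in `selection` are the real indicator; `Image|endswith: '\powershell.exe'` likewise excludes `pwsh.exe`. Relaxing to `CommandLine|contains: 'hidden'` and adding `'\pwsh.exe'` to the image list widens coverage without touching the strong signal, and whether `encoded` is needed at all given the keyword list is worth reconsidering. The commit only re-indents and reorders metadata here, so this behaviour is pre-existing.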
@@ -1,59 +1,60 @@ title: Suspicious PowerShell Parent Process id: 754ed792-634f-40ae-b3bc-e0448d33f695 +status: test description: Detects a suspicious parents of powershell.exe -status: experimental -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 author: Teymur Kheirkhabarov, Harish Segar (rule) +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 date: 2020/03/20 -tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_image1: - - ParentImage|endswith: - - '\mshta.exe' - - '\rundll32.exe' - - '\regsvr32.exe' - - '\services.exe' - - '\winword.exe' - - '\wmiprvse.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\msaccess.exe' - - '\mspub.exe' - - '\visio.exe' - - '\outlook.exe' - - '\amigo.exe' - - '\chrome.exe' - - '\firefox.exe' - - '\iexplore.exe' - - '\microsoftedgecp.exe' - - '\microsoftedge.exe' - - '\browser.exe' - - '\vivaldi.exe' - - '\safari.exe' - - '\sqlagent.exe' - - '\sqlserver.exe' - - '\sqlservr.exe' - - '\w3wp.exe' - - '\httpd.exe' - - '\nginx.exe' - - '\php-cgi.exe' - - '\jbosssvc.exe' - - "MicrosoftEdgeSH.exe" - - ParentImage|contains: "tomcat" - selection_powershell: - - CommandLine|contains: - - "powershell" - - "pwsh" - - Description: "Windows PowerShell" - - Product: "PowerShell Core 6" - condition: all of them + selection_image1: + - ParentImage|endswith: + - '\mshta.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\services.exe' + - '\winword.exe' + - '\wmiprvse.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\msaccess.exe' + - '\mspub.exe' + - '\visio.exe' + - '\outlook.exe' + - '\amigo.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\iexplore.exe' + - '\microsoftedgecp.exe' + - '\microsoftedge.exe' + - '\browser.exe' + - '\vivaldi.exe' + - '\safari.exe' + - '\sqlagent.exe' + - 
'\sqlserver.exe' + - '\sqlservr.exe' + - '\w3wp.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' + - '\jbosssvc.exe' + - "MicrosoftEdgeSH.exe" + - ParentImage|contains: "tomcat" + selection_powershell: + - CommandLine|contains: + - "powershell" + - "pwsh" + - Description: "Windows PowerShell" + - Product: "PowerShell Core 6" + condition: all of them falsepositives: - - Other scripts + - Other scripts level: high +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml index bc3ddc59e..85f863d3c 100644 --- a/rules/windows/process_creation/win_susp_print.yml +++ b/rules/windows/process_creation/win_susp_print.yml 
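Review bot: `"MicrosoftEdgeSH.exe"` in the rebuilt `ParentImage|endswith` list is the only entry without a leading `\`, so it also matches any image whose name merely ends in that string; for consistency with its neighbours it should be `'\MicrosoftEdgeSH.exe'`. In `selection_powershell`, `Product: "PowerShell Core 6"` names only the 6.x product string — I believe PowerShell 7 reports a different `Product` value, so verify and add it if so; otherwise 7.x is caught only by the `pwsh` command-line substring. The rule body is otherwise untouched by this commit.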
@@ -1,34 +1,35 @@
 title: Abusing Print Executable
 id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
-description: Attackers can use print.exe for remote file copy
+status: test
+description: Attackers can use print.exe for remote file copy
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
-status: experimental
-date: 2020/10/05
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
- - https://twitter.com/Oddvarmoe/status/985518877076541440
-tags:
- - attack.defense_evasion
- - attack.t1218
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+date: 2020/10/05
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith:
- - \print.exe
- CommandLine|startswith:
- - print
- selection2:
- CommandLine|contains:
- - /D
- exeCondition:
- CommandLine|contains:
- - .exe
- cmdExclude:
- CommandLine|contains:
- - print.exe
- condition: selection1 and selection2 and exeCondition and not cmdExclude
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|startswith:
+ - print
+ selection2:
+ CommandLine|contains:
+ - /D
+ exeCondition:
+ CommandLine|contains:
+ - .exe
+ cmdExclude:
+ CommandLine|contains:
+ - print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
index 088ae8e47..b6b71035f 100644
--- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
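Review bot: `cmdExclude` on the new side drops any command line containing `print.exe`, and because `selection1` only requires `CommandLine|startswith: print`, an invocation spelled `print.exe /D:C:\x.exe \\host\share\y.exe` is excluded while `print /D:…` is caught — the attacker picks the spelling, so this filter is an evasion path rather than a false-positive guard. If it was meant to exclude something specific, that should be stated in a comment next to it; otherwise remove `cmdExclude` and the trailing `and not cmdExclude` from the condition. The rest of the hunk is re-indentation and metadata reordering.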
@@ -1,28 +1,29 @@
 title: PowerShell DownloadFile
 id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
-status: experimental
+status: test
 description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
-references:
- - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 author: Florian Roth
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 date: 2020/08/28
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.t1086 # an old one
- - attack.command_and_control
- - attack.t1104
- - attack.t1105
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains|all:
- - 'powershell'
- - '.DownloadFile'
- - 'System.Net.WebClient'
- condition: selection
+ selection:
+ CommandLine|contains|all:
+ - 'powershell'
+ - '.DownloadFile'
+ - 'System.Net.WebClient'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 # an old one
+ - attack.command_and_control
+ - attack.t1104
+ - attack.t1105
diff --git a/rules/windows/process_creation/win_susp_psexec_eula.yml b/rules/windows/process_creation/win_susp_psexec_eula.yml
index 40688d99f..e38dc3c4e 100644
--- a/rules/windows/process_creation/win_susp_psexec_eula.yml
+++ b/rules/windows/process_creation/win_susp_psexec_eula.yml
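Review bot: The `contains|all` list on the new side requires the literal `'System.Net.WebClient'`, but PowerShell resolves `New-Object Net.WebClient` without the `System.` prefix, and the `'powershell'` entry excludes `pwsh.exe` invocations. Because `Net.WebClient` is a substring of the current value, replacing that entry with `- 'Net.WebClient'` is a strict superset of today's matches; covering `pwsh` needs an `Image|endswith` list (`'\powershell.exe'`, `'\pwsh.exe'`) in place of the command-line substring. Unrelated to the detection, `attack.t1086 # an old one` is the retired id for the `attack.t1059.001` listed above it and can be dropped.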
@@ -1,26 +1,26 @@ title: Psexec Accepteula Condition id: 730fc21b-eaff-474b-ad23-90fd265d4988 +status: test description: Detect ed user accept agreement execution in psexec commandline -status: experimental -author: omkar72 - - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html +author: omkar72 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html date: 2020/10/30 -tags: - - attack.execution - - attack.t1569 - - attack.t1021 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\psexec.exe' - CommandLine|contains: 'accepteula' - condition: selection + selection: + Image|endswith: '\psexec.exe' + CommandLine|contains: 'accepteula' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Administrative scripts. + - Administrative scripts. level: medium +tags: + - attack.execution + - attack.t1569 + - attack.t1021 diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml index aa550b3e2..27aac94f1 100644 --- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml +++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml 
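Review bot: `Image|endswith: '\psexec.exe'` on the new side does not match the 64-bit build shipped in the same Sysinternals package, `PsExec64.exe`, so an operator using that binary with `-accepteula` is missed; add `- '\psexec64.exe'` as a second list entry. As displayed here the FireEye URL on the new side sits directly under `author:` with no `references:` key, which would be a YAML/Sigma schema error — that may be an artefact of how this page was rendered, but the committed file is worth confirming. `contains: 'accepteula'` covers both `-accepteula` and `/accepteula`, but a renamed PsExec evades the `Image` check entirely; if the telemetry carries `OriginalFileName`, that field survives renaming and would make a sturdier selector.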
@@ -1,25 +1,25 @@
 title: Psr.exe Capture Screenshots
 id: 2158f96f-43c2-43cb-952a-ab4580f32382
-status: experimental
+status: test
 description: The psr.exe captures desktop screenshots and saves them on the local machine
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
- - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
 author: Beyu Denis, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
+ - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
 date: 2019/10/12
-modified: 2020/08/28
-tags:
- - attack.collection
- - attack.t1113
-level: medium
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\Psr.exe'
- CommandLine|contains: '/start'
- condition: selection
+ selection:
+ Image|endswith: '\Psr.exe'
+ CommandLine|contains: '/start'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
+level: medium
+tags:
+ - attack.collection
+ - attack.t1113
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index f3aadc493..86a20dd25 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
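Review bot: `falsepositives: - Unknown` on the new side understates the obvious benign case: `psr.exe /start` is the Windows Steps Recorder that help-desk staff and end users launch to capture a reproduction, and the detection fires on every `/start` invocation, so that note is the only baseline an analyst gets. Replace it with something like `- Legitimate use of Steps Recorder by helpdesk staff or users documenting an issue`. The detection logic is unchanged by this commit apart from indentation.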
@@ -1,24 +1,25 @@
 title: Suspicious RASdial Activity
 id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
+status: test
 description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
- - https://twitter.com/subTee/status/891298217907830785
 author: juju4
+references:
+ - https://twitter.com/subTee/status/891298217907830785
 date: 2019/01/16
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1059
- - attack.t1064 # an old one
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - rasdial.exe
- condition: selection
+ selection:
+ Image|endswith:
+ - rasdial.exe
+ condition: selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+ - attack.t1064 # an old one
diff --git a/rules/windows/process_creation/win_susp_register_cimprovider.yml b/rules/windows/process_creation/win_susp_register_cimprovider.yml
index 5244e22ff..d28366647 100644
--- a/rules/windows/process_creation/win_susp_register_cimprovider.yml
+++ b/rules/windows/process_creation/win_susp_register_cimprovider.yml
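Review bot: `Image|endswith: - rasdial.exe` on the new side lacks the leading path separator used in every other rule in this commit, so an image such as `foorasdial.exe` also matches; make it `- '\rasdial.exe'`. There is no argument constraint at all, so despite the title the rule fires on every rasdial.exe start — if that is intended, the description should say "any execution of rasdial.exe" so the `medium` level and the falsepositives note are read correctly. `attack.t1064 # an old one` is a retired technique id and can be removed now that the rule moves to `test`.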
@@ -1,28 +1,29 @@
 title: DLL Execution Via Register-cimprovider.exe
 id: a2910908-e86f-4687-aeba-76a5f996e652
-status: experimental
+status: test
 description: Detects using register-cimprovider.exe to execute arbitrary dll file.
-references:
- - https://twitter.com/PhilipTsukerman/status/992021361106268161
- - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
-tags:
- - attack.defense_evasion
- - attack.t1574
 author: Ivan Dyachkov, Yulia Fomina, oscd.community
+references:
+ - https://twitter.com/PhilipTsukerman/status/992021361106268161
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
 date: 2020/10/07
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
- definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
 detection:
- selection:
- Image|endswith: '\register-cimprovider.exe'
- CommandLine|contains|all:
- - '-path'
- - 'dll'
- condition: selection
+ selection:
+ Image|endswith: '\register-cimprovider.exe'
+ CommandLine|contains|all:
+ - '-path'
+ - 'dll'
+ condition: selection
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1574
diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
index 4af3cb4d3..fea242d3d 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
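Review bot: The `definition` string carried onto the new side still reads `Windows audit msut Include command line`; since the line is being rewritten anyway, fix it to `Windows audit must include command line in process creation events`. The `'dll'` entry in `contains|all` is a bare substring that also appears in directory names and in any `-path` argument containing the word, so the real discriminators are the `register-cimprovider.exe` image and the `-path` switch; `'.dll'` would be marginally tighter, assuming the provider path always carries the extension.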
@@ -1,28 +1,29 @@
 title: Regsvr32 Flags Anomaly
 id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
-status: experimental
+status: test
 description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
 author: Florian Roth
-date: 2019/07/13
 references:
- - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
-tags:
- - attack.defense_evasion
- - attack.t1218.010
- - attack.t1117 # an old one
+ - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
+date: 2019/07/13
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\regsvr32.exe'
- CommandLine|contains: ' /i:'
- filter:
- CommandLine|contains: ' /n '
- condition: selection and not filter
+ selection:
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: ' /i:'
+ filter:
+ CommandLine|contains: ' /n '
+ condition: selection and not filter
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+ - attack.t1117 # an old one
diff --git a/rules/windows/process_creation/win_susp_renamed_dctask64.yml b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
index b1c1adffc..7472aa553 100644
--- a/rules/windows/process_creation/win_susp_renamed_dctask64.yml
+++ b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
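Review bot: Both substrings in the rebuilt detection are slash-form only (`' /i:'` in `selection`, `' /n '` in `filter`), but regsvr32 accepts the same switches with a dash as far as I know, so `regsvr32 -i:http://… scrobj.dll` would neither hit `selection` nor be evaluated by the anomaly logic at all. Adding `' -i:'` to `selection` and `' -n '` to `filter` keeps the "/i without /n" semantics across both spellings; please confirm the dash form against a live regsvr32 before relying on it. `attack.t1117 # an old one` is the retired id for `attack.t1218.010` listed above it.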
@@ -1,33 +1,33 @@
 title: Renamed ZOHO Dctask64
 id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
-status: experimental
+status: test
 description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
-references:
- - https://twitter.com/gN3mes1s/status/1222088214581825540
- - https://twitter.com/gN3mes1s/status/1222095963789111296
- - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth
+references:
+ - https://twitter.com/gN3mes1s/status/1222088214581825540
+ - https://twitter.com/gN3mes1s/status/1222095963789111296
+ - https://twitter.com/gN3mes1s/status/1222095371175911424
 date: 2020/01/28
-modified: 2020/08/28
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.t1055.001
- - attack.t1202
- - attack.t1218
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
- filter:
- Image|endswith: '\dctask64.exe'
- condition: selection and not filter
+ selection:
+ Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
+ filter:
+ Image|endswith: '\dctask64.exe'
+ condition: selection and not filter
 fields:
- - CommandLine
- - ParentCommandLine
- - ParentImage
+ - CommandLine
+ - ParentCommandLine
+ - ParentImage
 falsepositives:
- - Unknown yet
+ - Unknown yet
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1055.001
+ - attack.t1202
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
index b4d3ceb3b..bb2b80e7b 100644
--- a/rules/windows/process_creation/win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
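Review bot: `Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'` is the only positive selector, and the `Imphash` field is only populated when the Sysmon configuration's `HashAlgorithms` includes `IMPHASH`; the rebuilt `logsource` block carries no `definition` stating that, so a deployment without it silently gets a rule that can never fire. Add `definition: 'Requires Sysmon with IMPHASH enabled in HashAlgorithms'` under `logsource`. A single import hash plus a `\dctask64.exe` filter is also brittle against a recompiled build; if `OriginalFileName` is populated for this binary it would make a useful second selector, but that needs confirming against a sample.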
@@ -1,26 +1,27 @@
 title: Renamed SysInternals Debug View
 id: cd764533-2e07-40d6-a718-cfeec7f2da7f
-status: experimental
+status: test
 description: Detects suspicious renamed SysInternals DebugView execution
-references:
- - https://www.epicturla.com/blog/sysinturla
 author: Florian Roth
+references:
+ - https://www.epicturla.com/blog/sysinturla
 date: 2020/05/28
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Product:
- - 'Sysinternals DebugView'
- - 'Sysinternals Debugview'
- filter:
- OriginalFileName: 'Dbgview.exe'
- Image|endswith: '\Dbgview.exe'
- condition: selection and not filter
+ selection:
+ Product:
+ - 'Sysinternals DebugView'
+ - 'Sysinternals Debugview'
+ filter:
+ OriginalFileName: 'Dbgview.exe'
+ Image|endswith: '\Dbgview.exe'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.resource_development
- - attack.t1588.002
\ No newline at end of file
+ - attack.resource_development
+ - attack.t1588.002
diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml
index f8656ab4e..56d44255c 100644
--- a/rules/windows/process_creation/win_susp_rpcping.yml
+++ b/rules/windows/process_creation/win_susp_rpcping.yml
@@ -1,41 +1,42 @@
 title: Capture Credentials with Rpcping.exe
 id: 93671f99-04eb-4ab4-a161-70d446a84003
+status: test
 description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
-status: experimental
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
- - https://twitter.com/vysecurity/status/974806438316072960
- - https://twitter.com/vysecurity/status/873181705024266241
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
 author: Julia Fomina, oscd.community
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
+ - https://twitter.com/vysecurity/status/974806438316072960
+ - https://twitter.com/vysecurity/status/873181705024266241
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
 date: 2020/10/09
-tags:
- - attack.credential_access
- - attack.t1003
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- use_rpcping:
- Image|endswith: '\rpcping.exe'
- remote_server:
- CommandLine|contains:
- - '-s'
- - '/s'
- ntlm_auth:
- - CommandLine|contains|all:
- - '-u'
- - 'NTLM'
- - CommandLine|contains|all:
- - '/u'
- - 'NTLM'
- - CommandLine|contains|all:
- - '-t'
- - 'ncacn_np'
- - CommandLine|contains|all:
- - '/t'
- - 'ncacn_np'
- condition: use_rpcping and remote_server and ntlm_auth
-level: medium
+ use_rpcping:
+ Image|endswith: '\rpcping.exe'
+ remote_server:
+ CommandLine|contains:
+ - '-s'
+ - '/s'
+ ntlm_auth:
+ - CommandLine|contains|all:
+ - '-u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '/u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '-t'
+ - 'ncacn_np'
+ - CommandLine|contains|all:
+ - '/t'
+ - 'ncacn_np'
+ condition: use_rpcping and remote_server and ntlm_auth
 falsepositives:
- - Unlikely
+ - Unlikely
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1003
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index f04faf4d7..f7237274e 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -1,78 +1,79 @@
 title: Suspicious Rundll32 Activity
 id: e593cf51-88db-4ee1-b920-37e89012a3c9
+status: test
 description: Detects suspicious process related to rundll32 based on arguments
-status: experimental
-references:
- - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- - https://twitter.com/Hexacorn/status/885258886428725250
- - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
-tags:
- - attack.defense_evasion
- - attack.execution # an old one
- - attack.t1218.011
- - attack.t1085 # an old one
 author: juju4, Jonhnathan Ribeiro, oscd.community
+references:
+ - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
+ - https://twitter.com/Hexacorn/status/885258886428725250
+ - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
 date: 2019/01/16
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - CommandLine|contains:
- - 'javascript:'
- - '.RegisterXLL'
- - CommandLine|contains|all:
- - 'url.dll'
- - 'OpenURL'
- - CommandLine|contains|all:
- - 'url.dll'
- - 'OpenURLA'
- - CommandLine|contains|all:
- - 'url.dll'
- - 'FileProtocolHandler'
- - CommandLine|contains|all:
- - 'zipfldr.dll'
- - 'RouteTheCall'
- - CommandLine|contains|all:
- - 'shell32.dll'
- - 'Control_RunDLL'
- - CommandLine|contains|all:
- - 'shell32.dll'
- - 'ShellExec_RunDLL'
- - CommandLine|contains|all:
- - 'mshtml.dll'
- - 'PrintHTML'
- - CommandLine|contains|all:
- - 'advpack.dll'
- - 'LaunchINFSection'
- - CommandLine|contains|all:
- - 'advpack.dll'
- - 'RegisterOCX'
- - CommandLine|contains|all:
- - 'ieadvpack.dll'
- - 'LaunchINFSection'
- - CommandLine|contains|all:
- - 'ieadvpack.dll'
- - 'RegisterOCX'
- - CommandLine|contains|all:
- - 'ieframe.dll'
- - 'OpenURL'
- - CommandLine|contains|all:
- - 'shdocvw.dll'
- - 'OpenURL'
- - CommandLine|contains|all:
- - 'syssetup.dll'
- - SetupInfObjectInstallAction'
- - CommandLine|contains|all:
- - 'setupapi.dll'
- - 'InstallHinfSection'
- - CommandLine|contains|all:
- - 'pcwutl.dll'
- - 'LaunchApplication'
- - CommandLine|contains|all:
- - 'dfshim.dll'
- - 'ShOpenVerbApplication'
- condition: selection
+ selection:
+ - CommandLine|contains:
+ - 'javascript:'
+ - '.RegisterXLL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURLA'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'FileProtocolHandler'
+ - CommandLine|contains|all:
+ - 'zipfldr.dll'
+ - 'RouteTheCall'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'Control_RunDLL'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'ShellExec_RunDLL'
+ - CommandLine|contains|all:
+ - 'mshtml.dll'
+ - 'PrintHTML'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieframe.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'shdocvw.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'syssetup.dll'
+ - SetupInfObjectInstallAction'
+ - CommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ - CommandLine|contains|all:
+ - 'pcwutl.dll'
+ - 'LaunchApplication'
+ - CommandLine|contains|all:
+ - 'dfshim.dll'
+ - 'ShOpenVerbApplication'
+ condition: selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.execution # an old one
+ - attack.t1218.011
+ - attack.t1085 # an old one
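Review bot: The syssetup.dll pair still carries the unbalanced quote `- SetupInfObjectInstallAction'`, which YAML reads as the plain scalar `SetupInfObjectInstallAction'` with a literal trailing apostrophe, so that `contains|all` entry can never match a real rundll32 command line. The line should be `- 'SetupInfObjectInstallAction'`. The commit re-indents this block without touching the value, so a YAML syntax check alone will not surface it; a quick grep for list items with an odd number of quotes across the rule set would.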
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
index f1f6dafe9..b48967405 100644
--- a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -1,35 +1,34 @@
 title: Suspicious Rundll32 Setupapi.dll Activity
 id: 285b85b1-a555-4095-8652-a8a4106af63f
-description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
- This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
- InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
-status: experimental
+status: test
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/07
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
- - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
- - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
-tags:
- - attack.defense_evasion
- - attack.t1218.011
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+ - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
+date: 2020/10/07
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\runonce.exe'
- ParentImage|endswith: '\rundll32.exe'
- ParentCommandLine|contains|all:
- - 'setupapi.dll'
- - 'InstallHinfSection'
- condition: selection
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml
index f36b66f6f..119acb1a7 100644
--- a/rules/windows/process_creation/win_susp_runonce_execution.yml
+++ b/rules/windows/process_creation/win_susp_runonce_execution.yml
@@ -1,29 +1,30 @@
 title: Run Once Task Execution as Configured in Registry
 id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
+status: test
 description: This rule detects the execution of Run Once task as configured in the registry
 author: 'Avneet Singh @v3t0_, oscd.community'
-status: experimental
-date: 2020/10/18
 references:
- - https://twitter.com/pabraeken/status/990717080805789697
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
-tags:
- - attack.defense_evasion
- - attack.t1112
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+date: 2020/10/18
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- process_name:
- Image|endswith:
- - '\runonce.exe'
- process_description:
- Description:
- - 'Run Once Wrapper'
- command_line:
- CommandLine|contains:
- - ' /AlternateShellStartup'
- condition: (process_name or process_description) and command_line
+ process_name:
+ Image|endswith:
+ - '\runonce.exe'
+ process_description:
+ Description:
+ - 'Run Once Wrapper'
+ command_line:
+ CommandLine|contains:
+ - ' /AlternateShellStartup'
+ condition: (process_name or process_description) and command_line
 falsepositives:
- - Unknown
+ - Unknown
 level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml
index 3bea7fb7e..7e576c645 100644
--- a/rules/windows/process_creation/win_susp_runscripthelper.yml
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
@@ -1,27 +1,28 @@
 title: Suspicious Runscripthelper.exe
 id: eca49c87-8a75-4f13-9c73-a5a29e845f03
-status: experimental
+status: test
 description: Detects execution of powershell scripts via Runscripthelper.exe
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
 date: 2020/10/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- image_path:
- Image|endswith: '\Runscripthelper.exe'
- cmd:
- CommandLine|contains: 'surfacecheck'
- condition: image_path and cmd
+ image_path:
+ Image|endswith: '\Runscripthelper.exe'
+ cmd:
+ CommandLine|contains: 'surfacecheck'
+ condition: image_path and cmd
 fields:
- - CommandLine
-tags:
- - attack.execution
- - attack.t1059
- - attack.defense_evasion
- - attack.t1202
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index d16346b10..4b52d2493 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -1,32 +1,32 @@
 title: WSF/JSE/JS/VBA/VBE File Execution
 id: 1e33157c-53b1-41ad-bbcc-780b80b58288
-status: experimental
+status: test
 description: Detects suspicious file execution by wscript and cscript
 author: Michael Haag
 date: 2019/01/16
-modified: 2020/08/28
-tags:
- - attack.execution
- - attack.t1059.005
- - attack.t1059.007
- - attack.t1064 # an old one
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\wscript.exe'
- - '\cscript.exe'
- CommandLine|contains:
- - '.jse'
- - '.vbe'
- - '.js'
- - '.vba'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ CommandLine|contains:
+ - '.jse'
+ - '.vbe'
+ - '.js'
+ - '.vba'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
+ - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
 level: medium
+tags:
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
+ - attack.t1064 # an old one
diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
index 82f5e0f35..0943f410e 100644
--- a/rules/windows/process_creation/win_susp_service_dacl_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
@@ -1,33 +1,34 @@
 title: Suspicious Service DACL Modification
 id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+status: test
 description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable
 author: Jonhnathan Ribeiro, oscd.community
-status: experimental
-date: 2020/10/16
 references:
- - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-tags:
- - attack.persistence
- - attack.t1543.003
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+ - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+date: 2020/10/16
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\sc.exe'
- CommandLine|contains|all:
- - 'sdset'
- - 'D;;'
- sids:
- CommandLine|contains:
- - ';;;IU'
- - ';;;SU'
- - ';;;BA'
- - ';;;SY'
- - ';;;WD'
- condition: selection and sids
+ selection:
+ Image|endswith:
+ - '\sc.exe'
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'D;;'
+ sids:
+ CommandLine|contains:
+ - ';;;IU'
+ - ';;;SU'
+ - ';;;BA'
+ - ';;;SY'
+ - ';;;WD'
+ condition: selection and sids
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.t1543.003
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index c2a766bc1..116b6c54a 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -1,34 +1,34 @@
 title: Suspicious Service Path Modification
 id: 138d3531-8793-4f50-a2cd-f291b2863d78
+status: test
 description: Detects service path modification to PowerShell or cmd.
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1543.003
- - attack.t1031 # an old one
-date: 2019/10/21
-modified: 2020/08/28
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_1:
- Image|endswith: '\sc.exe'
- CommandLine|contains|all:
- - 'config'
- - 'binpath'
- selection_2:
- CommandLine|contains:
- - 'powershell'
- - 'cmd'
- condition: selection_1 and selection_2
+ selection_1:
+ Image|endswith: '\sc.exe'
+ CommandLine|contains|all:
+ - 'config'
+ - 'binpath'
+ selection_2:
+ CommandLine|contains:
+ - 'powershell'
+ - 'cmd'
+ condition: selection_1 and selection_2
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
+ - attack.t1031 # an old one
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
index 41b2a3c2e..f092c8280 100644
--- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -1,28 +1,28 @@
 title: Dumping Process via Sqldumper.exe
 id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+status: test
 description: Detects process dump via legitimate sqldumper.exe binary
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- - https://twitter.com/countuponsec/status/910977826853068800
- - https://twitter.com/countuponsec/status/910969424215232518
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
 author: Kirill Kiryanov, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
 date: 2020/10/08
-tags:
- - attack.credential_access
- - attack.t1003.001
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\sqldumper.exe'
- CommandLine|contains:
- - '0x0110'
- - '0x01100:40'
- condition: selection
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
 falsepositives:
- - Legitimate MSSQL Server actions
+ - Legitimate MSSQL Server actions
 level: medium
-
+tags:
+ - attack.credential_access
+ - attack.t1003.001
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index de2b10c09..7ae1b13a7 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -1,26 +1,26 @@
 title: Sysprep on AppData Folder
 id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
-status: experimental
+status: test
 description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-references:
- - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
-tags:
- - attack.execution
- - attack.t1059
 author: Florian Roth
+references:
+ - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
+ - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
 date: 2018/06/22
-modified: 2018/12/11
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\sysprep.exe'
- CommandLine|contains:
- - '\AppData\'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\sysprep.exe'
+ CommandLine|contains:
+ - '\AppData\'
+ condition: selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
+tags:
+ - attack.execution
+ - attack.t1059
diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
index f58197239..a265b2858 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@@ -1,28 +1,29 @@
 title: Taskmgr as Parent
 id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
-status: experimental
+status: test
 description: Detects the creation of a process from Windows task manager
-tags:
- - attack.defense_evasion
- - attack.t1036
 author: Florian Roth
 date: 2018/03/13
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\taskmgr.exe'
- filter:
- Image|endswith:
- - '\resmon.exe'
- - '\mmc.exe'
- - '\taskmgr.exe'
- condition: selection and not filter
+ selection:
+ ParentImage|endswith: '\taskmgr.exe'
+ filter:
+ Image|endswith:
+ - '\resmon.exe'
+ - '\mmc.exe'
+ - '\taskmgr.exe'
+ condition: selection and not filter
 fields:
- - Image
- - CommandLine
- - ParentCommandLine
+ - Image
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Administrative activity
+ - Administrative activity
 level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1036
diff --git a/rules/windows/process_creation/win_susp_tracker_execution.yml b/rules/windows/process_creation/win_susp_tracker_execution.yml
index 08ef303cc..4f44f47df 100644
--- a/rules/windows/process_creation/win_susp_tracker_execution.yml
+++ b/rules/windows/process_creation/win_susp_tracker_execution.yml
@@ -1,31 +1,32 @@
 title: DLL Injection with Tracker.exe
 id: 148431ce-4b70-403d-8525-fcc2993f29ea
+status: test
 description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
 author: 'Avneet Singh @v3t0_, oscd.community'
-status: experimental
-date: 2020/10/18
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
-tags:
- - attack.defense_evasion
- - attack.t1055.001
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
+date: 2020/10/18
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- process_name:
- Image|endswith:
- - '\tracker.exe'
- process_description:
- Description:
- - 'Tracker'
- commandline_param1:
- CommandLine|contains:
- - ' /d '
- commandline_param2:
- CommandLine|contains:
- - ' /c '
- condition: (process_name or process_description) and commandline_param1 and commandline_param2
+ process_name:
+ Image|endswith:
+ - '\tracker.exe'
+ process_description:
+ Description:
+ - 'Tracker'
+ commandline_param1:
+ CommandLine|contains:
+ - ' /d '
+ commandline_param2:
+ CommandLine|contains:
+ - ' /c '
+ condition: (process_name or process_description) and commandline_param1 and commandline_param2
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1055.001
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index 15b5dfc31..c7e82c10a 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -1,26 +1,26 @@
 title: Suspicious RDP Redirect Using TSCON
 id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
-status: experimental
+status: test
 description: Detects a suspicious RDP session redirect using tscon.exe
-references:
- - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-tags:
- - attack.lateral_movement
- - attack.t1563.002
- - attack.t1076 # an old one
- - attack.t1021.001
- - car.2013-07-002
 author: Florian Roth
+references:
+ - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+ - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 date: 2018/03/17
-modified: 2020/08/29
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains: ' /dest:rdp-tcp:'
- condition: selection
+ selection:
+ CommandLine|contains: ' /dest:rdp-tcp:'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.lateral_movement
+ - attack.t1563.002
+ - attack.t1076 # an old one
+ - attack.t1021.001
+ - car.2013-07-002
diff --git a/rules/windows/process_creation/win_susp_use_of_csharp_console.yml b/rules/windows/process_creation/win_susp_use_of_csharp_console.yml
index 906cec3e8..e475c05cc 100644
--- a/rules/windows/process_creation/win_susp_use_of_csharp_console.yml
+++ b/rules/windows/process_creation/win_susp_use_of_csharp_console.yml
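Review bot: The tscon rule's selection keys on `CommandLine|contains: ' /dest:rdp-tcp:'` alone, with no Image or OriginalFileName constraint, so at level high any process carrying that argument fires. If matching renamed copies of tscon.exe is the intent, a short comment on the selection saying so would keep the next maintainer from narrowing it; otherwise `Image|endswith: '\tscon.exe'` alongside the CommandLine test would pin it to the binary the title and description name. Either way the falsepositives entry could move from `Unknown` to naming the session-reconnect tooling that legitimately passes this argument, since that is what an analyst triaging a high-severity hit will want.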
@@ -1,23 +1,24 @@
 title: Suspicious Use of CSharp Interactive Console
 id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
-status: experimental
+status: test
 description: Detects the execution of CSharp interactive console by PowerShell
-references:
- - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
 author: Michael R. (@nahamike01)
+references:
+ - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
 date: 2020/03/08
-tags:
- - attack.execution
- - attack.t1127
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\csi.exe'
- ParentImage|endswith: '\powershell.exe'
- OriginalFileName: 'csi.exe'
- condition: selection
+ selection:
+ Image|endswith: '\csi.exe'
+ ParentImage|endswith: '\powershell.exe'
+ OriginalFileName: 'csi.exe'
+ condition: selection
 falsepositives:
- - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
+ - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
 level: high
+tags:
+ - attack.execution
+ - attack.t1127
diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
index 28b3928a0..f1ac530cb 100644
--- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
@@ -1,31 +1,32 @@
 title: Detection of PowerShell Execution via Sqlps.exe
 id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
-status: experimental
+status: test
 description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+author: 'Agro (@agro_sev) oscd.community'
 references:
 - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
 - https://twitter.com/bryon_/status/975835709587075072
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1127
-author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/10
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: '\sqlps.exe'
- selection2:
- ParentImage|endswith: '\sqlps.exe'
- selection3:
- OriginalFileName: '\sqlps.exe'
- reduction:
- ParentImage|endswith: '\sqlagent.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ selection1:
+ Image|endswith: '\sqlps.exe'
+ selection2:
+ ParentImage|endswith: '\sqlps.exe'
+ selection3:
+ OriginalFileName: '\sqlps.exe'
+ reduction:
+ ParentImage|endswith: '\sqlagent.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
 falsepositives:
- - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
+ - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
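Review bot: `OriginalFileName: '\sqlps.exe'` in selection3 cannot match: OriginalFileName carries the PE version-info file name with no path component, so the value should be `'sqlps.exe'` (the csi.exe rule earlier in this same commit uses the unprefixed form). The condition `selection1 or selection2 or selection3 and not reduction` compounds this, because Sigma binds `and` tighter than `or`, so the sqlagent.exe exclusion that the falsepositives entry relies on is applied only to the dead selection3 and every sqlagent-spawned sqlps.exe still alerts through selection1; it should read `condition: (selection1 or selection2 or selection3) and not reduction`. The same backslash-prefixed OriginalFileName value appears in the sqltoolsps and te hunks that follow, and the sqltoolsps hunk has the same precedence problem with its smss.exe reduction.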
diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
index 0e74bea2b..ef0cb72bd 100644
--- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
+++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
@@ -1,31 +1,31 @@
 title: SQL Client Tools PowerShell Session Detection
 id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
-status: experimental
+status: test
 description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+author: 'Agro (@agro_sev) oscd.communitly'
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
 - https://twitter.com/pabraeken/status/993298228840992768
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1127
-author: 'Agro (@agro_sev) oscd.communitly'
 date: 2020/10/13
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: '\sqltoolsps.exe'
- selection2:
- ParentImage|endswith: '\sqltoolsps.exe'
- selection3:
- OriginalFileName: '\sqltoolsps.exe'
- reduction:
- ParentImage|endswith: '\smss.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ selection1:
+ Image|endswith: '\sqltoolsps.exe'
+ selection2:
+ ParentImage|endswith: '\sqltoolsps.exe'
+ selection3:
+ OriginalFileName: '\sqltoolsps.exe'
+ reduction:
+ ParentImage|endswith: '\smss.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
 falsepositives:
- - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+ - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
 level: medium
-
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
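Review bot: The author line rewritten in this hunk keeps the typo `oscd.communitly`; since the commit already re-emits that line, it could read `author: 'Agro (@agro_sev) oscd.community'` to match the spelling used by the same author in the sqlps and te rules. Consistent author strings matter here because several downstream tools group and attribute rules by this field.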
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
index d74b74b0b..bf38e104e 100644
--- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
@@ -1,27 +1,27 @@
 title: Malicious Windows Script Components File Execution by TAEF Detection
 id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
-status: experimental
+status: test
 description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+author: 'Agro (@agro_sev) oscd.community'
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml
 - https://twitter.com/pabraeken/status/993298228840992768
 - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
-tags:
- - attack.t1218
-author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/13
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: '\te.exe'
- selection2:
- ParentImage|endswith: '\te.exe'
- selection3:
- OriginalFileName: '\te.exe'
- condition: selection1 or selection2 or selection3
+ selection1:
+ Image|endswith: '\te.exe'
+ selection2:
+ ParentImage|endswith: '\te.exe'
+ selection3:
+ OriginalFileName: '\te.exe'
+ condition: selection1 or selection2 or selection3
 falsepositives:
- - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+ - It's not an uncommon to use te.exe directly to execute legal TAEF tests
 level: low
-
+tags:
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_susp_vboxdrvinst.yml b/rules/windows/process_creation/win_susp_vboxdrvinst.yml
index 9b1eacabf..39243114c 100644
--- a/rules/windows/process_creation/win_susp_vboxdrvinst.yml
+++ b/rules/windows/process_creation/win_susp_vboxdrvinst.yml
@@ -1,31 +1,31 @@
 title: Suspicious VBoxDrvInst.exe Parameters
 id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
-description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers.
- For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
-status: experimental
+status: test
+description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/06
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
- - https://twitter.com/pabraeken/status/993497996179492864
-tags:
- - attack.defense_evasion
- - attack.t1112
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+ - https://twitter.com/pabraeken/status/993497996179492864
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\VBoxDrvInst.exe'
- CommandLine|contains|all:
- - 'driver'
- - 'executeinf'
- condition: selection
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine|contains|all:
+ - 'driver'
+ - 'executeinf'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index ffc7efcaf..59cb8ece0 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -1,25 +1,26 @@
 title: Whoami Execution
 id: e28a5a99-da44-436d-b7a0-2afc20a5f413
-status: experimental
+status: test
 description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators
-references:
- - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth
+references:
+ - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
+ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 date: 2018/08/13
-tags:
- - attack.discovery
- - attack.t1033
- - car.2016-03-001
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\whoami.exe'
- condition: selection
+ selection:
+ Image|endswith: '\whoami.exe'
+ condition: selection
 falsepositives:
- - Admin activity
- - Scripts and administrative tools used in the monitored environment
- - Monitoring activity
+ - Admin activity
+ - Scripts and administrative tools used in the monitored environment
+ - Monitoring activity
 level: medium
+tags:
+ - attack.discovery
+ - attack.t1033
+ - car.2016-03-001
diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml
index 108b1c27f..3fc44a897 100644
--- a/rules/windows/process_creation/win_susp_winrm_execution.yml
+++ b/rules/windows/process_creation/win_susp_winrm_execution.yml
@@ -1,27 +1,28 @@
 title: Remote Code Execute via Winrm.vbs
 id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
+status: test
 description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
-status: experimental
-references:
- - https://twitter.com/bohops/status/994405551751815170
- - https://redcanary.com/blog/lateral-movement-winrm-wmi/
 author: Julia Fomina, oscd.community
+references:
+ - https://twitter.com/bohops/status/994405551751815170
+ - https://redcanary.com/blog/lateral-movement-winrm-wmi/
 date: 2020/10/07
-tags:
- - attack.defense_evasion
- - attack.t1216
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\cscript.exe'
- CommandLine|contains|all:
- - 'winrm'
- - 'invoke Create wmicimv2/Win32_'
- - '-r:http'
- condition: selection
-level: medium
+ selection:
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - 'winrm'
+ - 'invoke Create wmicimv2/Win32_'
+ - '-r:http'
+ condition: selection
 falsepositives:
- - Legitimate use for administartive purposes. Unlikely
-
+ - Legitimate use for administartive purposes. Unlikely
+
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1216
diff --git a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
index 9ed00e6b9..19e8d3d73 100644
--- a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
+++ b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
@@ -1,26 +1,27 @@
 title: Suspicious WMI Execution Using Rundll32
 id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
-status: experimental
+status: test
 description: Detects WMI executing rundll32
-references:
- - https://thedfirreport.com/2020/10/08/ryuks-return/
 author: Florian Roth
+references:
+ - https://thedfirreport.com/2020/10/08/ryuks-return/
 date: 2020/10/12
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains|all:
- - 'process call create'
- - 'rundll32'
- condition: selection
+ selection:
+ CommandLine|contains|all:
+ - 'process call create'
+ - 'rundll32'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.t1047
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.execution
+ - attack.t1047
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
index 71c561a9b..f69ca2899 100644
--- a/rules/windows/process_creation/win_susp_wsl_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -1,27 +1,28 @@
 title: WSL Execution
 id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
-status: experimental
+status: test
 description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
-references:
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1218
- - attack.t1202
 author: 'oscd.community, Zach Stanford @svch0st'
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 date: 2020/10/05
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\wsl.exe'
- CommandLine|contains:
- - ' -e '
- - ' --exec '
- condition: selection
+ selection:
+ Image|endswith:
+ - '\wsl.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --exec '
+ condition: selection
 falsepositives:
- - Automation and orchestration scripts may use this method execute scripts etc
+ - Automation and orchestration scripts may use this method execute scripts etc
 level: medium
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
diff --git a/rules/windows/process_creation/win_tap_installer_execution.yml b/rules/windows/process_creation/win_tap_installer_execution.yml
index 3c7c71969..25bfe1c0d 100644
--- a/rules/windows/process_creation/win_tap_installer_execution.yml
+++ b/rules/windows/process_creation/win_tap_installer_execution.yml
@@ -1,19 +1,20 @@
 title: Tap Installer Execution
 id: 99793437-3e16-439b-be0f-078782cf953d
+status: test
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
-status: experimental
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
-tags:
- - attack.exfiltration
- - attack.t1048
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\tapinstall.exe'
- condition: selection
+ selection:
+ Image|endswith: '\tapinstall.exe'
+ condition: selection
 falsepositives:
- - Legitimate OpenVPN TAP insntallation
+ - Legitimate OpenVPN TAP insntallation
 level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1048
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index f49573a1d..2cae512fb 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -1,29 +1,29 @@
 title: Terminal Service Process Spawn
 id: 1012f107-b8f1-4271-af30-5aed2de89b39
-status: experimental
+status: test
 description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-references:
- - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth
+references:
+ - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 date: 2019/05/22
-modified: 2020/08/29
-tags:
- - attack.initial_access
- - attack.t1190
- - attack.lateral_movement
- - attack.t1210
- - car.2013-07-002
+modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection:
- ParentCommandLine|contains|all:
- - '\svchost.exe'
- - 'termsvcs'
- filter:
- Image|endswith: '\rdpclip.exe'
- condition: selection and not filter
+ selection:
+ ParentCommandLine|contains|all:
+ - '\svchost.exe'
+ - 'termsvcs'
+ filter:
+ Image|endswith: '\rdpclip.exe'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.lateral_movement
+ - attack.t1210
+ - car.2013-07-002
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 76922a0a1..8e731a03d 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -1,34 +1,34 @@
 title: Bypass UAC via CMSTP
 id: e66779cc-383e-4224-a3a4-267eeb585c40
+status: test
 description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
-status: experimental
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2020/08/29
 references:
- - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
- - attack.t1218.003
- - attack.t1191 # an old one
- - attack.t1088 # an old one
+ - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\cmstp.exe'
- CommandLine|contains:
- - '/s'
- - '/au'
- condition: selection
+ selection:
+ Image|endswith: '\cmstp.exe'
+ CommandLine|contains:
+ - '/s'
+ - '/au'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
+ - ComputerName
+ - User
+ - CommandLine
 falsepositives:
- - Legitimate use of cmstp.exe utility by legitimate user
+ - Legitimate use of cmstp.exe utility by legitimate user
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+ - attack.t1218.003
+ - attack.t1191 # an old one
+ - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index 303625acc..2e11331ae 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -1,28 +1,28 @@
 title: Bypass UAC via Fodhelper.exe
 id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
+status: test
 description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-status: experimental
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
 references:
- - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
-tags:
- - attack.privilege_escalation
- - attack.t1548.002
- - attack.t1088 # an old one
+ - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\fodhelper.exe'
- condition: selection
+ selection:
+ ParentImage|endswith: '\fodhelper.exe'
+ condition: selection
 fields:
- - ComputerName
- - User
- - CommandLine
+ - ComputerName
+ - User
+ - CommandLine
 falsepositives:
- - Legitimate use of fodhelper.exe utility by legitimate user
+ - Legitimate use of fodhelper.exe utility by legitimate user
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 62bb664af..948c66174 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -1,25 +1,25 @@
 title: Bypass UAC via WSReset.exe
 id: d797268e-28a9-49a7-b9a8-2f5039011c5c
+status: test
 description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-status: experimental
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
 references:
- - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
-tags:
- - attack.privilege_escalation
- - attack.t1548.002
- - attack.t1088 # an old one
+ - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\wsreset.exe'
- filter:
- Image|endswith: '\conhost.exe'
- condition: selection and not filter
+ selection:
+ ParentImage|endswith: '\wsreset.exe'
+ filter:
+ Image|endswith: '\conhost.exe'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1088 # an old one
diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
index 8f456adc6..c813f1ce7 100644
--- a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
@@ -1,34 +1,34 @@
 title: Possible Privilege Escalation via Weak Service Permissions
 id: d937b75f-a665-4480-88a5-2f20e9f9b22a
+status: test
 description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- - https://pentestlab.blog/2017/03/30/weak-service-permissions/
-tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1574.011
-status: experimental
 author: Teymur Kheirkhabarov
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 date: 2019/10/26
-modified: 2020/08/29
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- scbynonadmin:
- Image|endswith: '\sc.exe'
- IntegrityLevel: 'Medium'
- binpath:
- CommandLine|contains|all:
- - 'config'
- - 'binPath'
- failurecommand:
- CommandLine|contains|all:
- - 'failure'
- - 'command'
- condition: scbynonadmin and (binpath or failurecommand)
+ scbynonadmin:
+ Image|endswith: '\sc.exe'
+ IntegrityLevel: 'Medium'
+ binpath:
+ CommandLine|contains|all:
+ - 'config'
+ - 'binPath'
+ failurecommand:
+ CommandLine|contains|all:
+ - 'failure'
+ - 'command'
+ condition: scbynonadmin and (binpath or failurecommand)
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.011
diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
index aa3b63073..883c3fc7f 100644
--- a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
+++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
@@ -1,33 +1,33 @@
 title: Using SettingSyncHost.exe as LOLBin
-description: Detects using SettingSyncHost.exe to run hijacked binary
 id: b2ddd389-f676-4ac4-845a-e00781a48e5f
-status: experimental
-references:
- - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1574.008
+status: test
+description: Detects using SettingSyncHost.exe to run hijacked binary
 author: Anton Kutepov, oscd.community
+references:
+ - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
 date: 2020/02/05
-modified: 2020/10/10
-level: high
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- system_utility:
- Image|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- parent_is_settingsynchost:
- ParentCommandLine|contains|all:
- - 'cmd.exe /c'
- - 'RoamDiag.cmd'
- - '-outputpath'
- condition: not system_utility and parent_is_settingsynchost
+ system_utility:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ parent_is_settingsynchost:
+ ParentCommandLine|contains|all:
+ - 'cmd.exe /c'
+ - 'RoamDiag.cmd'
+ - '-outputpath'
+ condition: not system_utility and parent_is_settingsynchost
 fields:
- - TargetFilename
- - Image
+ - TargetFilename
+ - Image
 falsepositives:
- - unknown
+ - unknown
+level: high
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1574.008
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
index 99c649aec..9d8bb5841 100644
--- a/rules/windows/process_creation/win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
@@ -1,29 +1,30 @@
 title: Verclsid.exe Runs COM Object
 id: d06be4b9-8045-428b-a567-740a26d9db25
-status: experimental
+status: test
 description: Detects when verclsid.exe is used to run COM object via GUID
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
- - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
- - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 date: 2020/10/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- image_path:
- Image|endswith: '\verclsid.exe'
- cmd_s:
- CommandLine|contains: '/S'
- cmd_c:
- CommandLine|contains: '/C'
- condition: image_path and cmd_c and cmd_s
+ image_path:
+ Image|endswith: '\verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.defense_evasion
- - attack.t1218
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml
index 3682987bf..872456611 100644
--- a/rules/windows/process_creation/win_visual_basic_compiler.yml
+++ b/rules/windows/process_creation/win_visual_basic_compiler.yml
@@ -1,22 +1,23 @@
 title: Visual Basic Command Line Compiler Usage
 id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
-status: experimental
+status: test
 description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 references:
- - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
-author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+ - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
 date: 2020/10/07
-tags:
- - attack.defense_evasion
- - attack.t1027.004
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\vbc.exe'
- Image|endswith: '\cvtres.exe'
- condition: selection
+ selection:
+ ParentImage|endswith: '\vbc.exe'
+ Image|endswith: '\cvtres.exe'
+ condition: selection
 falsepositives:
- - Utilization of this tool should not be seen in enterprise environment
+ - Utilization of this tool should not be seen in enterprise environment
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 57908d8fb..ea60a52bd 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -1,26 +1,26 @@
 title: Java Running with Remote Debugging
 id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
+status: test
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-status: experimental
 author: Florian Roth
 date: 2019/01/16
-modified: 2020/08/29
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains: 'transport=dt_socket,address='
- exclusion:
- - CommandLine|contains: 'address=127.0.0.1'
- - CommandLine|contains: 'address=localhost'
- condition: selection and not exclusion
+ selection:
+ CommandLine|contains: 'transport=dt_socket,address='
+ exclusion:
+ - CommandLine|contains: 'address=127.0.0.1'
+ - CommandLine|contains: 'address=localhost'
+ condition: selection and not exclusion
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - unknown
+ - unknown
 level: medium
 tags:
- - attack.t1203
- - attack.execution
\ No newline at end of file
+ - attack.t1203
+ - attack.execution
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index 5c9663ce7..1686926ee 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -1,42 +1,43 @@
 title: Webshell Recon Detection Via CommandLine & Processes
 id: f64e5c19-879c-4bae-b471-6d84c8339677
-status: experimental
+status: test
 description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
 author: Cian Heasley
 references:
- - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
+ - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
 date: 2020/07/22
-tags:
- - attack.persistence
- - attack.t1505.003
- - attack.privilege_escalation # an old one
- - attack.t1100 # an old one
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- - ParentImage|contains:
- - '\apache'
- - '\tomcat'
- - ParentImage|endswith:
- - '\w3wp.exe'
- - '\php-cgi.exe'
- - '\nginx.exe'
- - '\httpd.exe'
- selection2:
- Image|endswith:
- - '\cmd.exe'
- CommandLine|contains:
- - 'perl --help'
- - 'python --help'
- - 'wget --help'
- - 'perl -h'
- condition: selection and selection2
+ selection:
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ selection2:
+ Image|endswith:
+ - '\cmd.exe'
+ CommandLine|contains:
+ - 'perl --help'
+ - 'python --help'
+ - 'wget --help'
+ - 'perl -h'
+ condition: selection and selection2
 fields:
- - Image
- - CommandLine
- - ParentCommandLine
+ - Image
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - unknown
+ - unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - attack.privilege_escalation # an old one
+ - attack.t1100 # an old one
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 197567f6a..0a10f4993 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -1,37 +1,37 @@
 title: Shells Spawned by Web Servers
 id: 8202070f-edeb-4d31-a010-a26c72ac5600
-status: experimental
+status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
 date: 2019/01/16
-modified: 2020/03/25
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith:
- - '\w3wp.exe'
- - '\httpd.exe'
- - '\nginx.exe'
- - '\php-cgi.exe'
- - '\tomcat.exe'
- - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- Image|endswith:
- - '\cmd.exe'
- - '\sh.exe'
- - '\bash.exe'
- - '\powershell.exe'
- - '\bitsadmin.exe'
- condition: selection
+ selection:
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\tomcat.exe'
+ - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.persistence
- - attack.t1505.003
- - attack.privilege_escalation # an old one
- - attack.t1190
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Particular web applications may spawn a shell process legitimately
+ - Particular web applications may spawn a shell process legitimately
 level: high
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - attack.privilege_escalation # an old one
+ - attack.t1190
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 282891345..8bdca5328 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -1,29 +1,29 @@
 title: Windows 10 Scheduled Task SandboxEscaper 0-day
 id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
-status: experimental
+status: test
 description: Detects Task Scheduler .job import arbitrary DACL write\par
-references:
- - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 author: Olaf Hartong
+references:
+ - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 date: 2019/05/22
-modified: 2020/08/29
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\schtasks.exe'
- CommandLine|contains|all:
- - '/change'
- - '/TN'
- - '/RU'
- - '/RP'
- condition: selection
+ selection:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/change'
+ - '/TN'
+ - '/RU'
+ - '/RP'
+ condition: selection
 falsepositives:
- - Unknown
-tags:
- - attack.privilege_escalation
- - attack.t1053.005
- - attack.t1053 # an old one
- - car.2013-08-001
+ - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1053.005
+ - attack.t1053 # an old one
+ - car.2013-08-001
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
index cae14f604..bb7d2b8be 100644
--- a/rules/windows/process_creation/win_winword_dll_load.yml
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -1,25 +1,26 @@
 title: Winword.exe Loads Suspicious DLL
 id: 2621b3a6-3840-4810-ac14-a02426086171
-status: experimental
+status: test
 description: Detects Winword.exe loading of custmom dll via /l cmd switch
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
 author: Victor Sergeev, oscd.community
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
 date: 2020/10/09
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- image_path:
- Image|endswith: '\winword.exe'
- cmd:
- CommandLine|contains: '/l'
- condition: image_path and cmd
+ image_path:
+ Image|endswith: '\winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
 fields:
- - CommandLine
-tags:
- - attack.defense_evasion
- - attack.t1202
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 4e8ce30d6..d7a084782 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -1,24 +1,24 @@
 title: WMI Backdoor Exchange Transport Agent
 id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
-status: experimental
+status: test
 description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
 author: Florian Roth
-date: 2019/10/11
 references:
- - https://twitter.com/cglyer/status/1182389676876980224
- - https://twitter.com/cglyer/status/1182391019633029120
+ - https://twitter.com/cglyer/status/1182389676876980224
+ - https://twitter.com/cglyer/status/1182391019633029120
+date: 2019/10/11
+modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
-tags:
- - attack.persistence
- - attack.t1546.003
- - attack.t1084 # an old one
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage|endswith: '\EdgeTransport.exe'
- condition: selection
+ selection:
+ ParentImage|endswith: '\EdgeTransport.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
-
+tags:
+ - attack.persistence
+ - attack.t1546.003
+ - attack.t1084 # an old one
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
index bfa4c899c..2f6e315fe 100644
--- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
@@ -1,25 +1,25 @@ title: WMI Persistence - Script Event Consumer id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e -status: experimental +status: test description: Detects WMI script event consumers -references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Thomas Patzke +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ date: 2018/03/07 -modified: 2020/08/29 -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.003 - - attack.t1047 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: C:\WINDOWS\system32\wbem\scrcons.exe - ParentImage: C:\Windows\System32\svchost.exe - condition: selection + selection: + Image: C:\WINDOWS\system32\wbem\scrcons.exe + ParentImage: C:\Windows\System32\svchost.exe + condition: selection falsepositives: - - Legitimate event consumers + - Legitimate event consumers level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.003 + - attack.t1047 # an old one diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml index 6b7116aec..52d386477 100644 --- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml +++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml 
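Review bot: `Image: C:\WINDOWS\system32\wbem\scrcons.exe` and `ParentImage: C:\Windows\System32\svchost.exe` are exact full-path matches that silently assume the system drive is C:, so hosts installed on another drive never fire. `Image|endswith: '\wbem\scrcons.exe'` and `ParentImage|endswith: '\System32\svchost.exe'` preserve the detection and follow the `endswith` style the other rules in this commit use. This is pre-existing logic the commit only re-indents, but it is worth fixing while the file is touched.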
@@ -1,29 +1,29 @@ title: Wsreset UAC Bypass id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae -status: experimental +status: test description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC -references: - - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ - - https://www.activecyber.us/activelabs/windows-uac-bypass - - https://twitter.com/ReaQta/status/1222548288731217921 author: Florian Roth +references: + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ + - https://www.activecyber.us/activelabs/windows-uac-bypass + - https://twitter.com/ReaQta/status/1222548288731217921 date: 2020/01/30 -modified: 2020/08/29 -tags: - - attack.privilege_escalation - - attack.defense_evasion - - attack.t1548.002 - - attack.t1088 # an old one +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: - - '\WSreset.exe' - condition: selection + selection: + ParentImage|endswith: + - '\WSreset.exe' + condition: selection fields: - - CommandLine + - CommandLine falsepositives: - - Unknown sub processes of Wsreset.exe + - Unknown sub processes of Wsreset.exe level: high +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1548.002 + - attack.t1088 # an old one diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index 5b709c938..a33f05c87 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml 
@@ -1,27 +1,26 @@ title: XSL Script Processing id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d -status: experimental -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries - abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. +status: test +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. author: Timur Zinniatullin, oscd.community -date: 2019/10/21 -modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md +date: 2019/10/21 +modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - Image|endswith: '\wmic.exe' - CommandLine|contains: '/format' # wmic process list /FORMAT /? - - Image|endswith: '\msxsl.exe' - condition: selection + selection: + - Image|endswith: '\wmic.exe' + CommandLine|contains: '/format' # wmic process list /FORMAT /? + - Image|endswith: '\msxsl.exe' + condition: selection falsepositives: - - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - - msxsl.exe is not installed by default, so unlikely. + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. + - msxsl.exe is not installed by default, so unlikely. level: medium tags: - - attack.defense_evasion - - attack.t1220 - - attack.execution # an old one + - attack.defense_evasion + - attack.t1220 + - attack.execution # an old one 
diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml index d20032bda..f4037542f 100644 --- a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml +++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml @@ -1,29 +1,30 @@ title: UAC Bypass Via Wsreset id: 6ea3bf32-9680-422d-9f50-e90716b12a66 -status: experimental +status: test description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. -references: - - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - - https://lolbas-project.github.io/lolbas/Binaries/Wsreset -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 author: oscd.community, Dmitry Uchakin +references: + - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset date: 2020/10/07 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: - - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' - condition: selection + selection: + TargetObject|endswith: + - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + condition: selection fields: - - ComputerName - - Image - - EventType - - TargetObject + - ComputerName + - Image + - EventType + - TargetObject falsepositives: - - unknown -level: high \ No newline at end of file + - unknown +level: high +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml index dedf925a5..4f4bcdb13 100644 
--- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml @@ -1,24 +1,25 @@ title: COM Hijack via Sdclt id: 07743f65-7ec9-404a-a519-913db7118a8d -status: experimental +status: test description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' author: Omkar Gudhate -date: 2020/09/27 references: - - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass - - https://www.exploit-db.com/exploits/47696 -tags: - - attack.privilege_escalation - - attack.t1546 - - attack.t1548 + - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass + - https://www.exploit-db.com/exploits/47696 +date: 2020/09/27 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject: - - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' - condition: selection + selection: + TargetObject: + - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' + condition: selection falsepositives: - - unknown + - unknown level: high +tags: + - attack.privilege_escalation + - attack.t1546 + - attack.t1548 diff --git a/rules/windows/registry_event/sysmon_cve_2020_1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml index 8a02f889e..f87f36d85 100644 --- a/rules/windows/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/windows/registry_event/sysmon_cve_2020_1048.yml 
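Review bot: The exact match `TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'` is, as far as I know, unlikely to ever fire on Sysmon registry events, because Sysmon reports per-user hives as `HKU\<SID>\...` rather than `HKCU\...`; the commit carries the value over unchanged. `TargetObject|endswith: '\Software\Classes\Folder\shell\open\command\DelegateExecute'` matches regardless of hive prefix, the same way the narrator and wsreset rules in this commit anchor on the key tail. Please confirm against a real event before relying on the current form.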
@@ -1,30 +1,30 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048) id: 7ec912f2-5175-4868-b811-ec13ad0f8567 -status: experimental +status: test description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048 author: EagleEye Team, Florian Roth, NVISO -date: 2020/05/13 -modified: 2020/09/06 references: - - https://windows-internals.com/printdemon-cve-2020-1048/ -tags: - - attack.persistence - - attack.execution - - attack.defense_evasion - - attack.t1112 + - https://windows-internals.com/printdemon-cve-2020-1048/ +date: 2020/05/13 +modified: 2021/11/27 logsource: - product: windows - category: registry_event -detection: - selection: - TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' - Details|contains: - - '.dll' - - '.exe' - - '.bat' - - '.com' - - 'C:' - condition: selection + product: windows + category: registry_event +detection: + selection: + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' + Details|contains: + - '.dll' + - '.exe' + - '.bat' + - '.com' + - 'C:' + condition: selection falsepositives: - - New printer port install on host -level: high \ No newline at end of file + - New printer port install on host +level: high +tags: + - attack.persistence + - attack.execution + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml index d8b7daf7c..da3724582 100755 --- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml 
@@ -1,28 +1,28 @@ title: DHCP Callout DLL Installation id: 9d3436ef-9476-4c43-acca-90ce06bdf33a -status: experimental -description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the - DHCP server (restart required) -references: - - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx -date: 2017/05/15 +status: test +description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) author: Dimitrios Slamaris -tags: - - attack.defense_evasion - - attack.t1073 # an old one - - attack.t1574.002 - - attack.t1112 +references: + - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html + - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx + - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx +date: 2017/05/15 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: - - '\Services\DHCPServer\Parameters\CalloutDlls' - - '\Services\DHCPServer\Parameters\CalloutEnabled' - condition: selection + selection: + TargetObject|endswith: + - '\Services\DHCPServer\Parameters\CalloutDlls' + - '\Services\DHCPServer\Parameters\CalloutEnabled' + condition: selection falsepositives: - - unknown + - unknown level: high +tags: + - attack.defense_evasion + - attack.t1073 # an old one + - attack.t1574.002 + - attack.t1112 
diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index d43eca7b5..8196fc086 100755 --- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml 
@@ -1,33 +1,33 @@ title: Disable Security Events Logging Adding Reg Key MiniNt id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 -status: experimental +status: test description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. -references: - - https://twitter.com/0gtweet/status/1182516740955226112 -tags: - - attack.defense_evasion - - attack.t1089 # an old one - - attack.t1562.001 - - attack.t1112 author: Ilyas Ochkov, oscd.community +references: + - https://twitter.com/0gtweet/status/1182516740955226112 date: 2019/10/25 -modified: 2019/11/13 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - EventType: 'CreateKey' # we don't want deletekey - - # key rename - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - condition: selection + selection: + # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one + - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' + EventType: 'CreateKey' # we don't want deletekey + # key rename + - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' + condition: selection fields: - - EventID - - Image - - TargetObject - - NewName + - EventID + - Image + - TargetObject + - NewName falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml index 07ffdf7ce..4e9dc3168 100644 --- a/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml +++ b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml 
@@ -1,21 +1,22 @@ title: Wdigest CredGuard Registry Modification id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd +status: test description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. -status: experimental -date: 2019/08/25 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.defense_evasion - - attack.t1112 references: - - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ + - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ +date: 2019/08/25 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: '\IsCredGuardEnabled' - condition: selection + selection: + TargetObject|endswith: '\IsCredGuardEnabled' + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml index 384ed94f0..555dcc6da 100644 --- a/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml +++ b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml 
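Review bot: The selection fires on any write to a value ending in `\IsCredGuardEnabled`, whatever data is written, while the description and the critical level target disabling Credential Guard. If the source carries the Sysmon Details field, adding `Details: 'DWORD (0x00000000)'` as the ETW rule in this commit does would exclude writes that enable it; otherwise the falsepositives entry should say that enabling or re-applying the setting also alerts. Either way the chosen behaviour deserves a line in the description.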
@@ -1,25 +1,26 @@ title: Enabling COR Profiler Environment Variables id: ad89044a-8f49-4673-9a55-cbd88a1b374f +status: test description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured. -status: experimental -date: 2020/09/10 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) -tags: - - attack.persistence - - attack.privilege_escalation - - attack.defense_evasion - - attack.t1574.012 references: - - https://twitter.com/jamieantisocial/status/1304520651248668673 - - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors - - https://www.sans.org/cyber-security-summit/archives + - https://twitter.com/jamieantisocial/status/1304520651248668673 + - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors + - https://www.sans.org/cyber-security-summit/archives +date: 2020/09/10 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: - - '\COR_ENABLE_PROFILING' - - '\COR_PROFILER' - condition: selection -level: high \ No newline at end of file + selection: + TargetObject|endswith: + - '\COR_ENABLE_PROFILING' + - '\COR_PROFILER' + condition: selection +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1574.012 diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml index 03e3bbd40..0694d6440 100644 --- a/rules/windows/registry_event/sysmon_etw_disabled.yml +++ b/rules/windows/registry_event/sysmon_etw_disabled.yml 
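Review bot: The new side of this rule has no `falsepositives` key, unlike every other rule in this commit, and for a high-level rule that fires on any write to `\COR_ENABLE_PROFILING` or `\COR_PROFILER` that entry is what an analyst needs for tuning. Add the author's knowledge if any, or at minimum `falsepositives:` followed by `    - Unknown`, so the file matches the schema the rest of the repository follows.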
@@ -1,7 +1,8 @@ title: COMPlus_ETWEnabled Registry Modification id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 -status: experimental +status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,19 +13,19 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -tags: - - attack.defense_evasion - - attack.t1112 +modified: 2021/11/27 logsource: - product: windows - category: registry_event + product: windows + category: registry_event detection: - selection: - TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' - Details: 'DWORD (0x00000000)' - condition: selection + selection: + TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' + Details: 'DWORD (0x00000000)' + condition: selection falsepositives: - - unknown -level: critical \ No newline at end of file + - unknown +level: critical +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml index 474dbecb6..8d127a5ee 100755 --- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml 
@@ -1,24 +1,24 @@ title: Windows Credential Editor Registry id: a6b33c02-8305-488f-8585-03cb2a7763f2 +status: test description: Detects the use of Windows Credential Editor (WCE) -status: experimental author: Florian Roth references: - - https://www.ampliasecurity.com/research/windows-credentials-editor/ + - https://www.ampliasecurity.com/research/windows-credentials-editor/ date: 2019/12/31 -modified: 2020/09/06 -tags: - - attack.credential_access - - attack.t1003 # an old one - - attack.t1003.001 - - attack.s0005 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|contains: Services\WCESERVICE\Start - condition: selection + selection: + TargetObject|contains: Services\WCESERVICE\Start + condition: selection falsepositives: - - Unknown + - Unknown level: critical +tags: + - attack.credential_access + - attack.t1003 # an old one + - attack.t1003.001 + - attack.s0005 diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index e9ee2839a..e8302dd00 100644 --- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml 
@@ -1,25 +1,25 @@ title: Logon Scripts (UserInitMprLogonScript) Registry id: 9ace0707-b560-49b8-b6ca-5148b42f39fb -status: experimental +status: test description: Detects creation or execution of UserInitMprLogonScript persistence method -references: - - https://attack.mitre.org/techniques/T1037/ -tags: - - attack.t1037 # an old one - - attack.t1037.001 - - attack.persistence - - attack.lateral_movement author: Tom Ueltschi (@c_APT_ure) +references: + - https://attack.mitre.org/techniques/T1037/ date: 2019/01/12 -modified: 2020/07/01 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - create_keywords_reg: - TargetObject|contains: 'UserInitMprLogonScript' - condition: create_keywords_reg + create_keywords_reg: + TargetObject|contains: 'UserInitMprLogonScript' + condition: create_keywords_reg falsepositives: - - exclude legitimate logon scripts - - penetration tests, red teaming + - exclude legitimate logon scripts + - penetration tests, red teaming level: high +tags: + - attack.t1037 # an old one + - attack.t1037.001 + - attack.persistence + - attack.lateral_movement diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml index 8dd2cc28f..8d3d3b261 100644 --- a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml +++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml 
@@ -1,16 +1,13 @@ title: Path To Screensaver Binary Modified id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 -status: experimental +status: test description: Detects value modification of registry key containing path to binary used as screensaver. +author: Bartlomiej Czyz @bczyz1, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.002 -author: Bartlomiej Czyz @bczyz1, oscd.community date: 2020/10/11 +modified: 2021/11/27 logsource: category: registry_event product: windows @@ -22,6 +19,10 @@ detection: - '\rundll32.exe' - '\explorer.exe' condition: selection and not filter -level: medium falsepositives: - 'Legitimate modification of screensaver.' +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.002 diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml index 0aa4f9b1d..82b14f362 100755 --- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml 
@@ -1,26 +1,26 @@ title: Narrator's Feedback-Hub Persistence id: f663a6d9-9d1b-49b8-b2b1-0637914d199a +status: test description: Detects abusing Windows 10 Narrator's Feedback-Hub -references: - - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 author: Dmitriy Lifanov, oscd.community -status: experimental +references: + - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html date: 2019/10/25 -modified: 2020/09/06 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection1: - EventType: DeleteValue - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' - selection2: - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - condition: 1 of them + selection1: + EventType: DeleteValue + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' + selection2: + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' + condition: 1 of them falsepositives: - - unknown + - unknown level: high +tags: + - attack.persistence + - attack.t1060 # an old one + - attack.t1547.001 diff --git a/rules/windows/registry_event/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml index 298f2660f..0f58ac137 100644 --- a/rules/windows/registry_event/sysmon_new_application_appcompat.yml +++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml 
@@ -1,24 +1,25 @@ title: New Application in AppCompat id: 60936b49-fca0-4f32-993d-7415edcf9a5d +status: test description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.execution - - attack.t1204.002 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/1 - - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/1 + - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: windows - category: registry_event + product: windows + category: registry_event detection: - selection: - TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' - condition: selection + selection: + TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' + condition: selection falsepositives: - - This rule is to explore new applications on an endpoint. False positives depends on the organization. - - Newly setup system. - - Legitimate installation of new application. -level: informational \ No newline at end of file + - This rule is to explore new applications on an endpoint. False positives depends on the organization. + - Newly setup system. + - Legitimate installation of new application. +level: informational +tags: + - attack.execution + - attack.t1204.002 diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 7a2f3e618..1c4d405b0 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -1,33 +1,32 @@ title: New DLL Added to AppCertDlls Registry Key id: 6aa1d992-5925-4e9f-a49b-845e51d1de01 -status: experimental -description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation - by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. -references: - - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html -tags: - - attack.persistence - - attack.t1182 # an old one - - attack.t1546.009 +status: test +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. author: Ilyas Ochkov, oscd.community +references: + - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html date: 2019/10/25 -modified: 2020/09/06 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' - - # key rename - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls' - condition: selection + selection: + # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. 
if ControlSetXX is the selected one + - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' + # key rename + - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls' + condition: selection fields: - - EventID - - Image - - TargetObject - - NewName + - EventID + - Image + - TargetObject + - NewName falsepositives: - - Unknown + - Unknown level: medium +tags: + - attack.persistence + - attack.t1182 # an old one + - attack.t1546.009 diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml index 3df09fb62..65ffce511 100755 --- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml 
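Review bot: The rename branch on the new side keeps the misspelling `NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'` (missing "r" in CurrentControlSet), so a key rename to AppCertDlls never matches and only the `TargetObject` branch is effective; the commit re-indents the line without fixing it. It should read `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`, consistent with the TargetObject value two lines above and with the MiniNt rule earlier in this commit. Note that this hunk's leading comment is split across two page lines here; that is a rendering artefact, not a change in the diff.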
@@ -1,30 +1,30 @@ title: RDP Registry Modification id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 +status: test description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. -status: experimental -date: 2019/09/12 -modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html -tags: - - attack.defense_evasion - - attack.t1112 + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html +date: 2019/09/12 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: - - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' - Details: 'DWORD (0x00000000)' - condition: selection + selection: + TargetObject|endswith: + - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' + - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' + Details: 'DWORD (0x00000000)' + condition: selection fields: - - ComputerName - - Image - - EventType - - TargetObject + - ComputerName + - Image + - EventType + - TargetObject falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml index f14fcbfe0..7687ee2c5 100755 --- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml +++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml 
@@ -1,25 +1,25 @@ title: RDP Sensitive Settings Changed id: 171b67e1-74b4-460e-8d55-b331f3e32d67 +status: test description: Detects changes to RDP terminal service sensitive settings -status: experimental -references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html -date: 2019/04/03 -modified: 2020/09/06 author: Samir Bousseaden +references: + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html +date: 2019/04/03 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection_reg: - TargetObject|contains: - - '\services\TermService\Parameters\ServiceDll' - - '\Control\Terminal Server\fSingleSessionPerUser' - - '\Control\Terminal Server\fDenyTSConnections' - condition: selection_reg -tags: - - attack.defense_evasion - - attack.t1112 + selection_reg: + TargetObject|contains: + - '\services\TermService\Parameters\ServiceDll' + - '\Control\Terminal Server\fSingleSessionPerUser' + - '\Control\Terminal Server\fDenyTSConnections' + condition: selection_reg falsepositives: - - unknown + - unknown level: high +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml index 13b192848..7e00f57ee 100644 --- a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml +++ b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml 
@@ -1,21 +1,22 @@ title: RedMimicry Winnti Playbook Registry Manipulation id: 5b175490-b652-4b02-b1de-5b5b4083c5f8 +status: test description: Detects actions caused by the RedMimicry Winnti playbook -status: experimental -references: - - https://redmimicry.com author: Alexander Rausch +references: + - https://redmimicry.com date: 2020/06/24 -tags: - - attack.defense_evasion - - attack.t1112 +modified: 2021/11/27 logsource: - product: windows - category: registry_event + product: windows + category: registry_event detection: - selection: - TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data - condition: selection + selection: + TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 3cc60515e..42cbead5a 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml 
@@ -1,25 +1,26 @@ title: Suspicious Printer Driver Empty Manufacturer id: e0813366-0407-449a-9869-a2db1119dc41 -status: experimental +status: test description: Detects a suspicious printer driver installation with an empty Manufacturer value -references: - - https://twitter.com/SBousseaden/status/1410545674773467140 author: Florian Roth +references: + - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -tags: - - attack.privilege_escalation - - attack.t1574 - - cve.2021.1675 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|contains|all: - - '\Control\Print\Environments\Windows x64\Drivers' - - '\Manufacturer' - Details: '(Empty)' - condition: selection + selection: + TargetObject|contains|all: + - '\Control\Print\Environments\Windows x64\Drivers' + - '\Manufacturer' + Details: '(Empty)' + condition: selection falsepositives: - - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value + - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value level: high +tags: + - attack.privilege_escalation + - attack.t1574 + - cve.2021.1675 diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml index 19d68a223..15b607a3e 100755 --- a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml +++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml 
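Review bot: The `TargetObject|contains|all` selection pins the match to the `\Control\Print\Environments\Windows x64\Drivers` environment, so an empty `Manufacturer` value written under the 32-bit print environment (`Windows NT x86`) never fires. If 32-bit driver installs are in scope, the environment segment can be loosened to `- '\Control\Print\Environments\'`, `- '\Drivers\'`, `- '\Manufacturer'` inside the same `contains|all` list; if the x64-only scope is deliberate, a short comment on that line would save the next reader the question. The `cve.2021.1675` tag suggests the rule was written around one campaign, so this may be intentional — I am inferring that from the tag alone.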
@@ -1,24 +1,24 @@ title: Windows Registry Trust Record Modification id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 -status: experimental +status: test description: Alerts on trust record modification within the registry, indicating usage of macros -references: - - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html author: Antonlovesdnb +references: + - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ + - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html date: 2020/02/19 -modified: 2020/09/06 -tags: - - attack.initial_access - - attack.t1193 # an old one - - attack.t1566.001 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|contains: 'TrustRecords' - condition: selection + selection: + TargetObject|contains: 'TrustRecords' + condition: selection falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate + - Alerts on legitimate macro usage as well, will need to filter as appropriate level: medium +tags: + - attack.initial_access + - attack.t1193 # an old one + - attack.t1566.001 diff --git a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml index d834dcb1b..a7d1a3602 100644 --- a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml 
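Review bot: The `tags` list on the new side still carries `attack.t1193` next to its sub-technique successor `attack.t1566.001`, marked only by the comment `# an old one`; consumers that map tags to ATT&CK will try to resolve a superseded ID. The same pattern is kept in this commit's hunks for sysmon_ssp_added_lsa_config.yml (`attack.t1101`), sysmon_susp_download_run_key.yml and sysmon_susp_reg_persist_explorer_run.yml (`attack.t1060`), sysmon_susp_lsass_dll_load.yml (`attack.t1177`), sysmon_susp_service_installed.yml (`attack.t1089`), sysmon_win_reg_persistence.yml (`attack.t1183`) and sysmon_wmi_event_subscription.yml (`attack.t1084`). Since every `tags` block is already being rewritten here, either drop the superseded IDs or replace the bare comment with one that states the reason they stay, e.g. `# superseded in ATT&CK, kept for backward-compatible mapping`.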
@@ -1,26 +1,27 @@ title: Removal of Potential COM Hijacking Registry Keys id: 96f697b0-b499-4e5d-9908-a67bec11cdb6 +status: test description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities. -status: experimental -date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -tags: - - attack.defense_evasion - - attack.t1112 references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html - - https://docs.microsoft.com/en-us/windows/win32/shell/launch - - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code + - https://github.com/OTRF/detection-hackathon-apt29/issues/7 + - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html + - https://docs.microsoft.com/en-us/windows/win32/shell/launch + - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand + - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +date: 2020/05/02 +modified: 2021/11/27 logsource: - product: windows - category: registry_event + product: windows + category: registry_event detection: - selection: - EventType: 'DeleteKey' - TargetObject|endswith: '\shell\open\command' - condition: selection + selection: + EventType: 'DeleteKey' + TargetObject|endswith: '\shell\open\command' + condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_runkey_winekey.yml b/rules/windows/registry_event/sysmon_runkey_winekey.yml index f6367545d..38219ed86 100644 
--- a/rules/windows/registry_event/sysmon_runkey_winekey.yml +++ b/rules/windows/registry_event/sysmon_runkey_winekey.yml @@ -1,27 +1,28 @@ -title: WINEKEY Registry Modification +title: WINEKEY Registry Modification id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5 +status: test description: Detects potential malicious modification of run keys by winekey or team9 backdoor -status: experimental -date: 2020/10/30 author: omkar72 references: - - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html -tags: - - attack.persistence - - attack.t1547 + - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html +date: 2020/10/30 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: - - 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' - condition: selection + selection: + TargetObject|endswith: + - 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' + condition: selection fields: - - ComputerName - - Image - - EventType - - TargetObject + - ComputerName + - Image + - EventType + - TargetObject falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.persistence + - attack.t1547 diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml index 6e74aedb5..1ef98ded7 100644 --- a/rules/windows/registry_event/sysmon_runonce_persistence.yml +++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml 
@@ -1,23 +1,24 @@ title: Run Once Task Configuration in Registry id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff +status: test description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup author: 'Avneet Singh @v3t0_, oscd.community' -status: experimental -date: 2020/11/15 references: - - https://twitter.com/pabraeken/status/990717080805789697 - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml -tags: - - attack.defense_evasion - - attack.t1112 + - https://twitter.com/pabraeken/status/990717080805789697 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml +date: 2020/11/15 +modified: 2021/11/27 logsource: - product: windows - category: registry_event + product: windows + category: registry_event detection: - selection: - TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' - TargetObject|endswith: '\StubPath' - condition: selection + selection: + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' + TargetObject|endswith: '\StubPath' + condition: selection falsepositives: - - Legitimate modification of the registry key by legitimate program + - Legitimate modification of the registry key by legitimate program level: medium +tags: + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml index 12db337d3..4a2d3bb86 100755 --- a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml +++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml 
@@ -1,29 +1,29 @@ title: Security Support Provider (SSP) Added to LSA Configuration id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc -status: experimental +status: test description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. -references: - - https://attack.mitre.org/techniques/T1101/ - - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ -tags: - - attack.persistence - - attack.t1101 # an old one - - attack.t1547.005 author: iwillkeepwatch +references: + - https://attack.mitre.org/techniques/T1101/ + - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ date: 2019/01/18 -modified: 2020/09/06 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection_registry: - TargetObject: - - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages' - - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' - exclusion_images: - - Image: C:\Windows\system32\msiexec.exe - - Image: C:\Windows\syswow64\MsiExec.exe - condition: selection_registry and not exclusion_images + selection_registry: + TargetObject: + - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages' + - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' + exclusion_images: + - Image: C:\Windows\system32\msiexec.exe + - Image: C:\Windows\syswow64\MsiExec.exe + condition: selection_registry and not exclusion_images falsepositives: - - Unlikely + - Unlikely level: critical +tags: + - attack.persistence + - attack.t1101 # an old one + - attack.t1547.005 diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml index fcc8c3b45..b790158bc 100755 --- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml 
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml @@ -1,27 +1,27 @@ title: Suspicious Run Key from Download id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be -status: experimental +status: test description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories -references: - - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ author: Florian Roth +references: + - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ date: 2019/10/01 -modified: 2020/09/06 -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - Image|contains: - - '\Downloads\' - - '\Temporary Internet Files\Content.Outlook\' - - '\Local Settings\Temporary Internet Files\' - TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - condition: selection + selection: + Image|contains: + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' + condition: selection falsepositives: - - Software installers downloaded and used by users + - Software installers downloaded and used by users level: high +tags: + - attack.persistence + - attack.t1060 # an old one + - attack.t1547.001 diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml index d17f68a15..0ba4aebe0 100644 --- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml +++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml 
@@ -1,27 +1,27 @@ title: DLL Load via LSASS id: b3503044-60ce-4bf4-bbcb-e3db98788823 -status: experimental +status: test description: Detects a method to load DLL via LSASS process using an undocumented Registry key author: Florian Roth -date: 2019/10/16 -modified: 2020/07/01 references: - - https://blog.xpnsec.com/exploring-mimikatz-part-1/ - - https://twitter.com/SBousseaden/status/1183745981189427200 + - https://blog.xpnsec.com/exploring-mimikatz-part-1/ + - https://twitter.com/SBousseaden/status/1183745981189427200 +date: 2019/10/16 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|contains: - - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt' - - '\CurrentControlSet\Services\NTDS\LsaDbExtPt' - condition: selection -tags: - - attack.execution - - attack.persistence - - attack.t1177 # an old one - - attack.t1547.008 + selection: + TargetObject|contains: + - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt' + - '\CurrentControlSet\Services\NTDS\LsaDbExtPt' + condition: selection falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.execution + - attack.persistence + - attack.t1177 # an old one + - attack.t1547.008 diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index b1ce684ac..598a7756b 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml 
@@ -1,37 +1,37 @@ title: Registry Persistence via Explorer Run Key id: b7916c2a-fa2f-4795-9477-32b731f70f11 -status: experimental +status: test description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder author: Florian Roth, oscd.community -date: 2018/07/18 -modified: 2020/09/06 references: - - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ + - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ +date: 2018/07/18 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection: - TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - selection2: - - Details|startswith: - - 'C:\Windows\Temp\' - - 'C:\ProgramData\' - - 'C:\$Recycle.bin\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' - condition: selection and selection2 -tags: - - attack.persistence - - attack.t1060 # an old one - - attack.t1547.001 - # - capec.270 + selection: + TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + selection2: + - Details|startswith: + - 'C:\Windows\Temp\' + - 'C:\ProgramData\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - Details|contains: + - '\AppData\' + condition: selection and selection2 fields: - - Image - - ParentImage + - Image + - ParentImage falsepositives: - - Unknown + - Unknown level: high +tags: + - attack.persistence + - attack.t1060 # an old one + - attack.t1547.001 + # - capec.270 diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 00e4022e6..4fa03b7ea 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml 
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml 
@@ -1,33 +1,34 @@ title: Suspicious Service Installed id: f2485272-a156-4773-82d7-1d178bc4905b +status: test description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) -status: experimental -date: 2019/04/08 author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -tags: - - attack.t1089 # an old one - - attack.t1562.001 - - attack.defense_evasion + - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +date: 2019/04/08 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection_1: - TargetObject: - - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' - selection_2: - Image|endswith: - - '\procexp64.exe' - - '\procexp.exe' - - '\procmon64.exe' - - '\procmon.exe' - selection_3: - Details|contains: - - '\WINDOWS\system32\Drivers\PROCEXP152.SYS' - condition: selection_1 and not selection_2 and not selection_3 + selection_1: + TargetObject: + - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' + - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' + selection_2: + Image|endswith: + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' + selection_3: + Details|contains: + - '\WINDOWS\system32\Drivers\PROCEXP152.SYS' + condition: selection_1 and not selection_2 and not selection_3 falsepositives: - - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. + - Other legimate tools using this service names and drivers. 
Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. level: medium +tags: + - attack.t1089 # an old one + - attack.t1562.001 + - attack.defense_evasion diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 6c26c7786..c6a0fd1fb 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml 
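Review bot: The description on the new side says the rule detects the NalDrv or PROCEXP152 services being installed "to non-system32 folders", but `condition: selection_1 and not selection_2 and not selection_3` only excludes the single path `\WINDOWS\system32\Drivers\PROCEXP152.SYS`; a NalDrv `ImagePath` inside system32 still matches, so the description and the logic disagree. Either add the corresponding NalDrv path to `selection_3` or reword the description to say the rule fires on any installation of those two services except the known Process Explorer driver path. The `falsepositives` entry also keeps two wording errors while the line is being rewritten anyway: `legimate` for `legitimate` and `this service names` for `these service names`. The hunk covers the whole file.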
@@ -1,31 +1,30 @@ title: Suspicious Keyboard Layout Load id: 34aa0252-6039-40ff-951f-939fd6ce47d8 -status: experimental -description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems - maintained by US staff only -references: - - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files +status: test +description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only author: Florian Roth +references: + - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index + - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files date: 2019/10/12 -modified: 2019/10/15 +modified: 2021/11/27 logsource: - category: registry_event - product: windows - definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' + category: registry_event + product: windows + definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: - selection_registry: - TargetObject|contains: - - '\Keyboard Layout\Preload\' - - '\Keyboard Layout\Substitutes\' - Details|contains: - - 00000429 # Persian (Iran) - - 00050429 # Persian (Iran) - - 0000042a # Vietnamese - condition: selection_registry + selection_registry: + TargetObject|contains: + - '\Keyboard Layout\Preload\' + - '\Keyboard Layout\Substitutes\' + Details|contains: + - 00000429 # Persian (Iran) + - 00050429 # Persian (Iran) + - 0000042a # Vietnamese + condition: selection_registry falsepositives: - - "Administrators or users 
that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" + - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" level: medium tags: - - attack.resource_development - - attack.t1588.002 + - attack.resource_development + - attack.t1588.002 diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index cd7301c71..2d7601fa0 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml 
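Review bot: The description on the new side still lists `Chinese` among the suspicious layouts, but `Details|contains` carries only Persian (`00000429`, `00050429`) and Vietnamese (`0000042a`) identifiers, so either the description overstates coverage or entries are missing; adjust the wording (e.g. `Iranian or Vietnamese layout`) or add the intended identifiers with a per-entry comment like the existing ones. The `definition` string refers to the `HKLU hives`, which is not a Windows hive abbreviation — `\Keyboard Layout\Preload` lives under HKEY_USERS/HKCU, so `HKU` (or `HKCU`) is presumably meant; the same `HKLU` wording appears in the `definition` of sysmon_win_reg_telemetry_persistence.yml later in this commit, where the `AppCompatFlags\TelemetryController` key is under HKLM. The unquoted layout ids also rely on the YAML parser keeping `00000429` a string; quoting them (`- '00000429'`) removes that dependence.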
@@ -1,37 +1,37 @@ title: Registry Persistence Mechanisms id: 36803969-5421-41ec-b92f-8500f79c23b0 +status: test description: Detects persistence registry keys -status: experimental -references: - - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ -date: 2018/04/11 -modified: 2020/09/06 author: Karneades, Jonhnathan Ribeiro +references: + - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +date: 2018/04/11 +modified: 2021/11/27 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection_reg1: - TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - selection_reg2: - - TargetObject|contains|all: - - '\Image File Execution Options\' - - '\GlobalFlag' - - TargetObject|contains|all: - - 'SilentProcessExit\' - - '\ReportingMode' - - TargetObject|contains|all: - - 'SilentProcessExit\' - - '\MonitorProcess' - condition: selection_reg1 and selection_reg2 -tags: - - attack.privilege_escalation - - attack.persistence - - attack.defense_evasion - - attack.t1183 # an old one - - attack.t1546.012 - - car.2013-01-002 + selection_reg1: + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + selection_reg2: + - TargetObject|contains|all: + - '\Image File Execution Options\' + - '\GlobalFlag' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\ReportingMode' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\MonitorProcess' + condition: selection_reg1 and selection_reg2 falsepositives: - - unknown + - unknown level: critical +tags: + - attack.privilege_escalation + - attack.persistence + - attack.defense_evasion + - attack.t1183 # an old one + - attack.t1546.012 + - car.2013-01-002 
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 6cdb6cb24..62dbf900b 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml 
@@ -1,29 +1,30 @@ -title: Registry Persistence Mechanism via Windows Telemetry +title: Registry Persistence Mechanism via Windows Telemetry id: 73a883d0-0348-4be4-a8d8-51031c2564f8 -description: Detects persistence method using windows telemetry -status: experimental -date: 2020/10/16 -references: - - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +status: test +description: Detects persistence method using windows telemetry author: Lednyov Alexey, oscd.community -tags: - - attack.persistence - - attack.t1053.005 +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +date: 2020/10/16 +modified: 2021/11/27 logsource: - category: registry_event - product: windows - definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' + category: registry_event + product: windows + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: - selection: - TargetObject|contains|all: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - - '\Command' - Details|contains: '.exe' - filter: - Details|contains: - - '\system32\CompatTelRunner.exe' - - '\system32\DeviceCensus.exe' - condition: selection and not filter + selection: + TargetObject|contains|all: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + - '\Command' + Details|contains: '.exe' + filter: + Details|contains: + - '\system32\CompatTelRunner.exe' + - '\system32\DeviceCensus.exe' + condition: selection and not filter falsepositives: - - unknown + - unknown level: critical +tags: + - attack.persistence + - attack.t1053.005 
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index fc1bb7513..d6d596476 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -1,23 +1,24 @@ title: WMI Event Subscription id: 0f06a3a5-6a09-413f-8743-e6cf35561297 -status: experimental +status: test description: Detects creation of WMI event subscription persistence method -tags: - - attack.t1084 # an old one - - attack.persistence - - attack.t1546.003 author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 +modified: 2021/11/27 logsource: - product: windows - category: wmi_event + product: windows + category: wmi_event detection: - selector: - EventID: - - 19 - - 20 - - 21 - condition: selector + selector: + EventID: + - 19 + - 20 + - 21 + condition: selector falsepositives: - - exclude legitimate (vetted) use of WMI event subscription in your network + - exclude legitimate (vetted) use of WMI event subscription in your network level: high +tags: + - attack.t1084 # an old one + - attack.persistence + - attack.t1546.003