feat: various new hktl rules

Paul Hager
2023-04-17 12:08:30 +02:00
parent 06352916f8
commit 0420e9c3bb
8 changed files with 239 additions and 4 deletions
@@ -23,9 +23,12 @@ references:
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2023/01/23
modified: 2023/04/17
tags:
- attack.execution
- attack.t1059.001
@@ -257,6 +260,10 @@ detection:
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
- '\Powermad.ps1'
- '\Invoke-DNSUpdate.ps1'
- '\ADRecon.ps1'
- '\AzureADRecon.ps1'
selection_invoke_sharp:
TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
TargetFilename|endswith: '.ps1'
@@ -23,9 +23,12 @@ references:
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/20
modified: 2023/03/06
modified: 2023/04/17
tags:
- attack.execution
- attack.discovery
@@ -206,6 +209,36 @@ detection:
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# powermad
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
- 'Get-KerberosAESKey'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Grant-ADIDNSPermission'
- 'Invoke-AgentSmith'
- 'Invoke-DNSUpdate'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner
- 'Set-MachineAccountAttribute'
# ADRecon
- 'Invoke-ADRecon'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
condition: selection
falsepositives:
- Unknown
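Review bot: The five entries `'Export-ADRCSV'` through `'Export-ADRXML'` added under `# ADRecon` are dead if this list is evaluated with a `contains` modifier, because `'Export-ADR'` two lines above already matches each of them as a substring; the modifier key is outside the hunk, but the sibling rule's `filter_1` at L134 uses `ScriptBlockText|contains`, so this looks likely. Keep either `'Export-ADR'` alone or the five specific names, not both; the same duplication is repeated in the hunks ending at L135 and L319. Separately, the `AzureADRecon` reference added in the hunk above has no AzureADRecon-specific cmdlet in this list, and if that tool's entry point is named `Invoke-AzureADRecon` then `'Invoke-ADRecon'` does not match it, so the reference currently documents coverage the rule may not have. The enclosing selection starts outside the hunk.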
@@ -27,9 +27,12 @@ references:
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/03/06
modified: 2023/04/17
tags:
- attack.execution
- attack.discovery
@@ -210,6 +213,36 @@ detection:
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# powermad
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
- 'Get-KerberosAESKey'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Grant-ADIDNSPermission'
- 'Invoke-AgentSmith'
- 'Invoke-DNSUpdate'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner
- 'Set-MachineAccountAttribute'
# ADRecon
- 'Invoke-ADRecon'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
filter_1:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
@@ -0,0 +1,39 @@
title: HackTool - Certify
id: 762f2482-ff21-4970-8939-0aa317a886bb
status: experimental
description: Detects hacktool 'Certify' - Tool for Active Directory certificate abuse
references:
- https://github.com/GhostPack/Certify
author: pH-T (Nextron Systems)
date: 2023/04/17
modified: 2023/04/17
tags:
- attack.discovery
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection_base:
- Image|endswith: '\Certify.exe'
- OriginalFileName: '\Certify.exe'
- Description: 'Certify'
selection_base_cli:
CommandLine|contains:
- '.exe cas '
- '.exe find '
- '.exe pkiobjects '
- '.exe request '
- '.exe download '
selection_cli:
CommandLine|contains:
- 'vulnerable '
- 'template'
- 'altname'
- 'domain'
- 'path'
- ' /ca:'
condition: selection_base or (selection_base_cli and selection_cli)
falsepositives:
- Very unlikely
level: high
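Review bot: `OriginalFileName: '\Certify.exe'` on L155 will never match, because OriginalFileName is taken from the PE version resource and carries no path component; the leading backslash belongs only to the `Image|endswith` entry above it. Change it to `- OriginalFileName: 'Certify.exe'`. The same slip appears in the Certipy (L195), Crassus (L234) and Stracciatella (L261) rules added in this commit.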
@@ -0,0 +1,38 @@
title: HackTool - Certipy
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: experimental
description: Detects hacktool 'Certipy' - Tool for Active Directory Certificate Services enumeration and abuse
references:
- https://github.com/ly4k/Certipy
author: pH-T (Nextron Systems)
date: 2023/04/17
modified: 2023/04/17
tags:
- attack.discovery
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection_base:
- Image|endswith: '\Certipy.exe'
- OriginalFileName: '\Certipy.exe'
- Description: 'Certipy'
selection_base_cli:
CommandLine|contains:
- ' find '
- ' req '
- ' auth '
- ' shadow '
- ' forge '
selection_cli:
CommandLine|contains:
- ' -dc-ip '
- ' -target'
- ' -pfx '
- ' -username '
- ' -ca-pfx '
condition: selection_base or (selection_base_cli and selection_cli)
falsepositives:
- Very unlikely
level: high
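Review bot: `attack.t1590.001` on L188 maps this rule to Gather Victim Network Information: Domain Properties, a Reconnaissance-tactic technique for pre-compromise collection, whereas the tool described on L180 enumerates and abuses AD CS from inside an already-compromised domain, and the `attack.discovery` tactic tag on L187 does not correspond to T1590 either. If the ATT&CK version the project targets includes it, `attack.t1649` (Steal or Forge Authentication Certificates) is the closer fit for the `req`/`auth`/`forge`/`shadow` verbs in selection_base_cli; otherwise choose a Discovery technique that agrees with the tactic tag. Certify (L147-148) and Crassus (L226-227) carry the same tag pair and should be revisited together.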
@@ -0,0 +1,24 @@
title: HackTool - Crassus
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: experimental
description: Detects hacktool 'Crassus' - Windows privilege escalation discovery tool
references:
- https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
date: 2023/04/17
modified: 2023/04/17
tags:
- attack.discovery
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Crassus.exe'
- OriginalFileName: '\Crassus.exe'
- Description: 'Crassus'
condition: selection
falsepositives:
- Very unlikely
level: high
@@ -0,0 +1,28 @@
title: HackTool - Stracciatella
id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
status: experimental
description: Detects hacktool 'Stracciatella' - OpSec-safe Powershell runspace from within C#
references:
- https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023/04/17
modified: 2023/04/17
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection_base:
- Image|endswith: '\Stracciatella.exe'
- OriginalFileName: '\Stracciatella.exe'
- Description: 'Stracciatella'
- Hashes|contains: 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- sha256: '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
condition: selection_base
falsepositives:
- Very unlikely
level: high
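Review bot: `selection_base` on L259 is the only selection and the condition on L265 is just that name, so the `_base` suffix implies a `_cli` counterpart that does not exist; the Crassus rule in this same commit (L232-236) uses plain `selection` for the identical shape, and this rule should match it: `selection:` and `condition: selection`. Also, `modified: 2023/04/17` on L249 duplicates `date` on a rule created by this commit; if the repository convention is to add `modified` only on a later edit, drop it here and in the other three new rules (L145, L185, L224).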
@@ -23,9 +23,12 @@ references:
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/02
modified: 2023/03/06
modified: 2023/04/17
tags:
- attack.execution
- attack.discovery
@@ -205,6 +208,36 @@ detection:
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# powermad
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
- 'Get-KerberosAESKey'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Grant-ADIDNSPermission'
- 'Invoke-AgentSmith'
- 'Invoke-DNSUpdate'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MachineAccountAttribute'
# ADRecon
- 'Invoke-ADRecon'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
condition: selection
falsepositives:
- Unknown
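Review bot: The inline comment on L307, `# Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner`, differs from the same line in the other two copies of this list (L72 and L123: `# *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner`), and in those copies the `*` shorthand is used two ways: on L292 `*NodeAttribute` stands for `Get-ADIDNS` plus a suffix, but `*Set-ADIDNSNodeAttribute` already spells out the full cmdlet, so the star adds nothing. Since the three lists are maintained by copy, settle on one form in all of them, e.g. `# also matches Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner`. The enclosing selection starts outside the hunk.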