diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 94593ccba..ad300afd4 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -23,9 +23,12 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
+ - https://github.com/Kevin-Robertson/Powermad
+ - https://github.com/adrecon/ADRecon
+ - https://github.com/adrecon/AzureADRecon
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2023/01/23
+modified: 2023/04/17
 tags:
 - attack.execution
 - attack.t1059.001
@@ -257,6 +260,10 @@ detection:
 - '\VolumeShadowCopyTools.ps1'
 - '\WinPwn.ps1'
 - '\WSUSpendu.ps1'
+ - '\Powermad.ps1'
+ - '\Invoke-DNSUpdate.ps1'
+ - '\ADRecon.ps1'
+ - '\AzureADRecon.ps1'
 selection_invoke_sharp:
 TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
 TargetFilename|endswith: '.ps1'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
index 65ed9ac27..72247d142 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
@@ -23,9 +23,12 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
+ - https://github.com/Kevin-Robertson/Powermad
+ - https://github.com/adrecon/ADRecon
+ - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/20
-modified: 2023/03/06
+modified: 2023/04/17
 tags:
 - attack.execution
 - attack.discovery
@@ -206,6 +209,36 @@ detection:
 - 'Start-CaptureServer'
 - 'Start-WebcamRecorder'
 - 'VolumeShadowCopyTools'
+ # powermad
+ - 'Disable-ADIDNSNode'
+ - 'Disable-MachineAccount'
+ - 'Enable-ADIDNSNode'
+ - 'Enable-MachineAccount'
+ - 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
+ - 'Get-KerberosAESKey'
+ - 'Get-MachineAccountAttribute'
+ - 'Get-MachineAccountCreator'
+ - 'Grant-ADIDNSPermission'
+ - 'Invoke-AgentSmith'
+ - 'Invoke-DNSUpdate'
+ - 'New-ADIDNSNode'
+ - 'New-DNSRecordArray'
+ - 'New-MachineAccount'
+ - 'New-SOASerialNumberArray'
+ - 'Remove-ADIDNSNode'
+ - 'Remove-MachineAccount'
+ - 'Rename-ADIDNSNode'
+ - 'Revoke-ADIDNSPermission'
+ - 'Set-ADIDNSNode' # *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner
+ - 'Set-MachineAccountAttribute'
+ # ADRecon
+ - 'Invoke-ADRecon'
+ - 'Export-ADR'
+ - 'Export-ADRCSV'
+ - 'Export-ADRExcel'
+ - 'Export-ADRHTML'
+ - 'Export-ADRJSON'
+ - 'Export-ADRXML'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 138186c68..d4fbb0aa5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
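Review bot: `'Export-ADR'` in the new `# ADRecon` group makes the five entries that follow it (`'Export-ADRCSV'` through `'Export-ADRXML'`) redundant, since a `contains` match on the shorter string already covers every longer one; the selection's key sits above the hunk, so this assumes the list is under a `contains` modifier, as the neighbouring `'Get-ADIDNS'` prefix entry and its comment imply. The same block is added unchanged in the posh_ps_malicious_commandlets.yml and proc_creation_win_powershell_malicious_cmdlets.yml hunks. Following the convention already used for `'Get-ADIDNS'` and `'Set-ADIDNSNode'`, the six lines could collapse into `- 'Export-ADR' # Export-ADRCSV, Export-ADRExcel, Export-ADRHTML, Export-ADRJSON, Export-ADRXML`. The enclosing `detection` block and the list's key start outside the hunk.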
@@ -27,9 +27,12 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
+ - https://github.com/Kevin-Robertson/Powermad
+ - https://github.com/adrecon/ADRecon
+ - https://github.com/adrecon/AzureADRecon
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
-modified: 2023/03/06
+modified: 2023/04/17
 tags:
 - attack.execution
 - attack.discovery
@@ -210,6 +213,36 @@ detection:
 - 'Start-CaptureServer'
 - 'Start-WebcamRecorder'
 - 'VolumeShadowCopyTools'
+ # powermad
+ - 'Disable-ADIDNSNode'
+ - 'Disable-MachineAccount'
+ - 'Enable-ADIDNSNode'
+ - 'Enable-MachineAccount'
+ - 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
+ - 'Get-KerberosAESKey'
+ - 'Get-MachineAccountAttribute'
+ - 'Get-MachineAccountCreator'
+ - 'Grant-ADIDNSPermission'
+ - 'Invoke-AgentSmith'
+ - 'Invoke-DNSUpdate'
+ - 'New-ADIDNSNode'
+ - 'New-DNSRecordArray'
+ - 'New-MachineAccount'
+ - 'New-SOASerialNumberArray'
+ - 'Remove-ADIDNSNode'
+ - 'Remove-MachineAccount'
+ - 'Rename-ADIDNSNode'
+ - 'Revoke-ADIDNSPermission'
+ - 'Set-ADIDNSNode' # *Set-ADIDNSNodeAttribute, *Set-ADIDNSNodeOwner
+ - 'Set-MachineAccountAttribute'
+ # ADRecon
+ - 'Invoke-ADRecon'
+ - 'Export-ADR'
+ - 'Export-ADRCSV'
+ - 'Export-ADRExcel'
+ - 'Export-ADRHTML'
+ - 'Export-ADRJSON'
+ - 'Export-ADRXML'
 filter_1:
 ScriptBlockText|contains:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
new file mode 100644
index 000000000..b4f467709
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
@@ -0,0 +1,39 @@
+title: HackTool - Certify
+id: 762f2482-ff21-4970-8939-0aa317a886bb
+status: experimental
+description: Detects hacktool 'Certify' - Tool for Active Directory certificate abuse
+references:
+ - https://github.com/GhostPack/Certify
+author: pH-T (Nextron Systems)
+date: 2023/04/17
+modified: 2023/04/17
+tags:
+ - attack.discovery
+ - attack.t1590.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_base:
+ - Image|endswith: '\Certify.exe'
+ - OriginalFileName: '\Certify.exe'
+ - Description: 'Certify'
+ selection_base_cli:
+ CommandLine|contains:
+ - '.exe cas '
+ - '.exe find '
+ - '.exe pkiobjects '
+ - '.exe request '
+ - '.exe download '
+ selection_cli:
+ CommandLine|contains:
+ - 'vulnerable '
+ - 'template'
+ - 'altname'
+ - 'domain'
+ - 'path'
+ - ' /ca:'
+ condition: selection_base or (selection_base_cli and selection_cli)
+falsepositives:
+ - Very unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
new file mode 100644
index 000000000..d360b1965
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
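Review bot: `OriginalFileName: '\Certify.exe'` in `selection_base` cannot match, because the PE version-resource OriginalFileName field holds a bare file name with no path separator; the entry should read `- OriginalFileName: 'Certify.exe'`. The same leading backslash is copied into the new Certipy, Crassus and Stracciatella rules (`'\Certipy.exe'`, `'\Crassus.exe'`, `'\Stracciatella.exe'`), so in all four rules that alternative is dead and coverage rests on `Image|endswith` and `Description`. The tag pair `attack.discovery` / `attack.t1590.001` is inconsistent here and in the Certipy and Crassus rules, since T1590.001 (Gather Victim Network Information: Domain Properties) is a Reconnaissance-tactic technique; for the two AD CS tools T1649 (Steal or Forge Authentication Certificates) is a closer fit, and Crassus, described as a local privilege-escalation discovery tool, needs a technique from the tactic its tag names. In `selection_cli`, `'template'`, `'domain'` and `'path'` are bare words while `' /ca:'` carries the switch syntax; if Certify's other switches use the same `/name:` form, writing them as `' /template:'`, `' /domain:'` and `' /path:'` would tighten the `selection_base_cli and selection_cli` branch against unrelated `.exe find ` command lines.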
@@ -0,0 +1,38 @@
+title: HackTool - Certipy
+id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
+status: experimental
+description: Detects hacktool 'Certipy' - Tool for Active Directory Certificate Services enumeration and abuse
+references:
+ - https://github.com/ly4k/Certipy
+author: pH-T (Nextron Systems)
+date: 2023/04/17
+modified: 2023/04/17
+tags:
+ - attack.discovery
+ - attack.t1590.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_base:
+ - Image|endswith: '\Certipy.exe'
+ - OriginalFileName: '\Certipy.exe'
+ - Description: 'Certipy'
+ selection_base_cli:
+ CommandLine|contains:
+ - ' find '
+ - ' req '
+ - ' auth '
+ - ' shadow '
+ - ' forge '
+ selection_cli:
+ CommandLine|contains:
+ - ' -dc-ip '
+ - ' -target'
+ - ' -pfx '
+ - ' -username '
+ - ' -ca-pfx '
+ condition: selection_base or (selection_base_cli and selection_cli)
+falsepositives:
+ - Very unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crassus.yml b/rules/windows/process_creation/proc_creation_win_hktl_crassus.yml
new file mode 100644
index 000000000..05a77aae1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crassus.yml
@@ -0,0 +1,24 @@
+title: HackTool - Crassus
+id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
+status: experimental
+description: Detects hacktool 'Crassus' - Windows privilege escalation discovery tool
+references:
+ - https://github.com/vu-ls/Crassus
+author: pH-T (Nextron Systems)
+date: 2023/04/17
+modified: 2023/04/17
+tags:
+ - attack.discovery
+ - attack.t1590.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\Crassus.exe'
+ - OriginalFileName: '\Crassus.exe'
+ - Description: 'Crassus'
+ condition: selection
+falsepositives:
+ - Very unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella.yml
new file mode 100644
index 000000000..43631ffb8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella.yml
@@ -0,0 +1,28 @@
+title: HackTool - Stracciatella
+id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
+status: experimental
+description: Detects hacktool 'Stracciatella' - OpSec-safe Powershell runspace from within C#
+references:
+ - https://github.com/mgeeky/Stracciatella
+author: pH-T (Nextron Systems)
+date: 2023/04/17
+modified: 2023/04/17
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_base:
+ - Image|endswith: '\Stracciatella.exe'
+ - OriginalFileName: '\Stracciatella.exe'
+ - Description: 'Stracciatella'
+ - Hashes|contains: 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
+ - sha256: '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
+ condition: selection_base
+falsepositives:
+ - Very unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
index 19f3eadfb..59dc0f9e9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -23,9 +23,12 @@ references:
 - https://github.com/samratashok/nishang
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
+ - https://github.com/Kevin-Robertson/Powermad
+ - https://github.com/adrecon/ADRecon
+ - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/02
-modified: 2023/03/06
+modified: 2023/04/17
 tags:
 - attack.execution
 - attack.discovery
@@ -205,6 +208,36 @@ detection:
 - 'Start-CaptureServer'
 - 'Start-WebcamRecorder'
 - 'VolumeShadowCopyTools'
+ # powermad
+ - 'Disable-ADIDNSNode'
+ - 'Disable-MachineAccount'
+ - 'Enable-ADIDNSNode'
+ - 'Enable-MachineAccount'
+ - 'Get-ADIDNS' # *NodeAttribute, *NodeOwner, *NodeTombstoned, *Permission, *Zone
+ - 'Get-KerberosAESKey'
+ - 'Get-MachineAccountAttribute'
+ - 'Get-MachineAccountCreator'
+ - 'Grant-ADIDNSPermission'
+ - 'Invoke-AgentSmith'
+ - 'Invoke-DNSUpdate'
+ - 'New-ADIDNSNode'
+ - 'New-DNSRecordArray'
+ - 'New-MachineAccount'
+ - 'New-SOASerialNumberArray'
+ - 'Remove-ADIDNSNode'
+ - 'Remove-MachineAccount'
+ - 'Rename-ADIDNSNode'
+ - 'Revoke-ADIDNSPermission'
+ - 'Set-ADIDNSNode' # Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
+ - 'Set-MachineAccountAttribute'
+ # ADRecon
+ - 'Invoke-ADRecon'
+ - 'Export-ADR'
+ - 'Export-ADRCSV'
+ - 'Export-ADRExcel'
+ - 'Export-ADRHTML'
+ - 'Export-ADRJSON'
+ - 'Export-ADRXML'
 condition: selection
 falsepositives:
 - Unknown