From f4d4526d0fcde4d7605dead52d4d7bf955f2ddec Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 20:05:55 +0100
Subject: [PATCH 1/8] fix: fp found in testing
---
 .../proc_access_win_invoke_patchingapi.yml | 22 +++++++++++++------
 .../proc_creation_win_susp_cmd.yml | 6 ++++-
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index bb444d03d..0fc1790c3 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/09
+modified: 2023/01/11
 tags:
 - attack.defense_evasion
 - attack.t1562.002
@@ -20,12 +20,20 @@ detection:
 CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
 CallTrace|contains: '|UNKNOWN('
 CallTrace|endswith: ')'
- filter_msbuild:
- SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
- SourceImage|endswith:
- - '\MSBuild\Current\Bin\amd64\MSBuild.exe'
- - '\MSBuild\Current\Bin\MSBuild.exe'
- TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ filter_generic:
+ SourceImage|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ TargetImage|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ filter_thor:
+ SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ SourceImage|endswith: '\thor\thor64.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index dfb0314f7..e07ac11d2 100644
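Review bot: The new `filter_generic` suppresses every ntdll-patching access where SourceImage and TargetImage merely start with Program Files/System32/SysWOW64, a far larger exclusion than the MSBuild-only filter it replaces: code running from any attacker-writable subfolder under those roots (vendor directories with loose ACLs are common) now evades the rule, and Sysmon's process-access event offers no signature or hash field to tighten it. `filter_thor` is anchored on `C:\Windows\Temp\asgard2-agent\`, and `C:\Windows\Temp` is generally creatable by non-admin users, so that exclusion can be borrowed by dropping a `...\thor\thor64.exe` there. I'd record both trade-offs in `falsepositives` (still `Unknown`) and in a comment above the filter, e.g. `# Broad by design: any process under these roots is excluded; tune per environment`, and if the observed FP was MSBuild-only, keep TargetImage restricted to the original Visual Studio paths.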
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/01/10
+modified: 2023/01/11
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
@@ -53,6 +53,10 @@ detection:
 ParentImage|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
 ParentImage|endswith: '\CitrixReceiverUpdater.exe'
 Image|endswith: '\cmd.exe'
+ filter_thor:
+ ParentImage|endswith: '\python.exe'
+ CommandLine: 'C:\WINDOWS\system32\cmd.exe /c "ver"'
+ CurrentDirectory|contains: 'C:\WINDOWS\Temp\asgard2-agent\'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From acf4a404d59ca057b9e1e8416d34b6bf2b58afdd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 22:23:52 +0100
Subject: [PATCH 2/8] feat: add `Microsoft-Windows-AppXDeploymentServer/Operational`
---
 tools/config/elk-windows.yml | 7 ++++++-
 tools/config/elk-winlogbeat-sp.yml | 7 ++++++-
 tools/config/elk-winlogbeat.yml | 7 ++++++-
 tools/config/fireeye-helix.yml | 7 ++++++-
 tools/config/generic/windows-services.yml | 8 ++++++--
 tools/config/hawk.yml | 7 ++++++-
 tools/config/logpoint-windows.yml | 7 ++++++-
 tools/config/logstash-windows.yml | 7 ++++++-
 tools/config/powershell.yml | 7 ++++++-
 tools/config/splunk-windows.yml | 7 ++++++-
 tools/config/sumologic.yml | 7 ++++++-
 tools/config/thor.yml | 7 ++++++-
 tools/config/winlogbeat-modules-enabled.yml | 7 ++++++-
 tools/config/winlogbeat-old.yml | 7 ++++++-
 tools/config/winlogbeat.yml | 7 ++++++-
 tools/config/zircolite.yml | 9 +++++++--
 16 files changed, 97 insertions(+), 18 deletions(-)
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index fbc7f26be..082e16543 100644
--- a/tools/config/elk-windows.yml
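Review bot: `filter_thor` keys on `CurrentDirectory|contains 'C:\WINDOWS\Temp\asgard2-agent\'`, a directory under `C:\Windows\Temp` that non-admin users can generally create, so the exclusion can be reproduced by anyone who launches `cmd.exe /c "ver"` from a `python.exe` with that working directory; narrow, but worth stating. The `falsepositives` list still reads `Unknown` although the commit now encodes a concrete benign case, so I'd add `- THOR/ASGARD agent probing the OS version via python -> cmd.exe /c ver`. If the agent's install path is fixed, `ParentImage|startswith: 'C:\Windows\Temp\asgard2-agent\'` would make the filter harder to borrow than a substring on CurrentDirectory alone.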
+++ b/tools/config/elk-windows.yml
@@ -118,5 +118,10 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- EventLog: 'Microsoft-Windows-VHDMP-Operational'
+ EventLog: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 90684e8a8..ef8f00c8c 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -118,7 +118,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- log_name: 'Microsoft-Windows-VHDMP-Operational'
+ log_name: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 12c12844b..bddb77bb4 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -118,7 +118,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- logname: 'Microsoft-Windows-VHDMP-Operational'
+ logname: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
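Review bot: This hunk also changes the existing vhdmp channel from `Microsoft-Windows-VHDMP-Operational` to `Microsoft-Windows-VHDMP/Operational` (repeated in every backend config of this commit), which is a correctness fix for any rule using `service: vhdmp`, yet the subject line only mentions AppXDeploymentServer. If the old value was indeed a wrong channel name, vhdmp queries built from these configs were presumably matching nothing, so that fix deserves its own line in the commit message (or its own commit) so downstream users who vendor these configs notice. The new `windows-appxdeployment-server` entry itself is consistent with its neighbours.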
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index f1bdce047..22ad9942b 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -146,7 +146,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- channel: 'Microsoft-Windows-VHDMP-Operational'
+ channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index d8cbb3456..6ee5072bd 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -197,5 +197,9 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- Provider_Name: 'Microsoft-Windows-VHDMP-Operational'
-
\ No newline at end of file
+ Provider_Name: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ Provider_Name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index c32fb1483..7c0a87300 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -132,7 +132,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- event_channel: 'Microsoft-Windows-VHDMP-Operational'
+ event_channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 windows-network-connection:
 product: windows
 category: network_connection
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index ee500508b..ab59c8ae7 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
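Review bot: In `generic/windows-services.yml` the new entry sets `Provider_Name: 'Microsoft-Windows-AppXDeploymentServer/Operational'` (and the vhdmp line is corrected the same way), but a value ending in `/Operational` is a channel name, whereas the ETW provider behind that channel is, as far as I recall, `Microsoft-Windows-AppXDeployment-Server`. If `Provider_Name` in this generic config maps to the event's provider field rather than the channel, neither condition will ever match; please confirm against a live event and either switch the value to the provider name or the key to the channel field. The backend-specific files in this commit use channel-style keys, so they are not affected.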
@@ -118,7 +118,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- event_source: 'Microsoft-Windows-VHDMP-Operational'
+ event_source: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 3ac6dcb3b..b78d770c5 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -139,5 +139,10 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- Channel: 'Microsoft-Windows-VHDMP-Operational'
+ Channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 43da93080..567bcb7bf 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -160,4 +160,9 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- LogName: 'Microsoft-Windows-VHDMP-Operational'
+ LogName: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 5c0daafeb..c7715c29c 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -180,6 +180,11 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- source: 'Microsoft-Windows-VHDMP-Operational'
+ source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
 fieldmappings:
 EventID: EventCode
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index a496b4b44..c6addce9d 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -149,7 +149,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- source: 'Microsoft-Windows-VHDMP-Operational'
+ source: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 89df6a371..e28c22134 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -423,7 +423,12 @@ logsources:
 product: windows
 service: vhdmp
 sources:
- - 'Microsoft-Windows-VHDMP-Operational'
+ - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ sources:
+ - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 7d8189e32..449d5f68b 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -163,7 +163,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
+ winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index f0dc37930..1ad65cd76 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -126,7 +126,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- log_name: 'Microsoft-Windows-VHDMP-Operational'
+ log_name: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index b2716b44c..cfc9f432f 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -152,7 +152,12 @@ logsources:
 product: windows
 service: vhdmp
 conditions:
- winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
+ winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
index 4cc5d945f..6a1814574 100644
--- a/tools/config/zircolite.yml
+++ b/tools/config/zircolite.yml
@@ -113,9 +113,14 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- Channel: 'Microsoft-Windows-Bits-Client/Operational'
+ Channel: 'Microsoft-Windows-Bits-Client/Operational'
 windows-vhdmp-Operational:
 product: windows
 service: vhdmp
 conditions:
- Channel: 'Microsoft-Windows-VHDMP-Operational'
+ Channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+ product: windows
+ service: appxdeployment-server
+ conditions:
+ Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
From debd658aacf2b456c8431c94a804bb8582c5f220 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 23:04:37 +0100
Subject: [PATCH 3/8] feat: new rules related to appx packages
---
 .../appxdeployment_server_mal_appx_names.yml | 22 ++++++++++
 ..._server_susp_appx_package_installation.yml | 23 +++++++++++
 .../appxdeployment_server_susp_domains.yml | 41 +++++++++++++++++++
 ...ployment_server_susp_package_locations.yml | 36 ++++++++++++++++
 ...ment_server_uncommon_package_locations.yml | 33 +++++++++++++++
 ...proc_creation_win_turn_on_dev_features.yml | 28 +++++++++++++
 ...gistry_set_powershell_execution_policy.yml | 30 ++++++++++++++
 tests/logsource.json | 3 +-
 8 files changed, 215 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
new file mode 100644
index 000000000..60fcac442
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
@@ -0,0 +1,22 @@
+title: Malicious AppX Package Installed
+id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
+status: experimental
+description: Detects installation of known malicious appx packages
+references:
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 401
+ # Add more malicious package names
+ PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9_96.0.1072.0_'
+ condition: selection
+falsepositives:
+ - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
+level: medium
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
new file mode 100644
index 000000000..91f775513
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
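Review bot: The title says "Installed", but the sibling rule in this commit pairs `EventID: 401` with an `ErrorCode`, which suggests 401 is also emitted for deployments that failed; if so, a hit here may be an attempt rather than a successful install, and either the title/description should say "Installation Attempt" or the selection should exclude non-zero error codes. The single `PackageFullName|contains` indicator is an opaque GUID-plus-version string, so the comment should say where it comes from instead of the generic placeholder, e.g. `# Package name taken from the SentinelOne report above; add further known-bad names here`. The `falsepositives` entry also reads backwards, a false positive here is a *legitimate* package that reuses a known-bad name, and "legtimate" is a typo.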
@@ -0,0 +1,23 @@
+title: Suspicious AppX Package Installation Attempt
+id: 898d5fc9-fbc3-43de-93ad-38e97237c344
+status: experimental
+description: Detects an appx package installation with the error code "0x80073cff". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 401
+ ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
+ condition: selection
+falsepositives:
+ - Legitimate AppX packages not signed by MS used part of an enterprise
+level: medium
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
new file mode 100644
index 000000000..28ee245b7
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
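Review bot: The description has typos ("Whihc", "sgining") and, more importantly, states the condition loosely: as far as I recall `0x80073CFF` is the install-policy failure ("you need a developer license or a sideloading-enabled system"), i.e. the package was *blocked*, so a hit means an attempt that did not succeed. That is worth stating explicitly, together with a pointer to the developer-features rule added in this commit, because once sideloading is enabled the next attempt succeeds without producing this error code and this rule goes quiet. I'd also make the inline comment actionable, e.g. `# 0x80073CFF: package rejected under the current signing/sideloading policy (see MS troubleshooting link in references)`.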
@@ -0,0 +1,41 @@
+title: Suspicious Remote AppX Package Locations
+id: 8b48ad89-10d8-4382-a546-50588c410f0d
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 854
+ Path|contains:
+ - 'transfer.sh'
+ - 'raw.githubusercontent.com'
+ - 'gist.githubusercontent.com'
+ - 'pastebin.com'
+ - 'cdn.discordapp.com/attachments/'
+ - 'mediafire.com'
+ - 'mega.nz'
+ - 'ddns.net'
+ - '.paste.ee'
+ - '.hastebin.com'
+ - '.ghostbin.co/'
+ - 'ufile.io'
+ - 'storage.googleapis.com'
+ - 'anonfiles.com'
+ - 'send.exploit.in'
+ - 'privatlab.net'
+ - 'privatlab.com'
+ - 'sendspace.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
new file mode 100644
index 000000000..c3861d622
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
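Review bot: The `Path|contains` list mixes host-anchored entries (`.ghostbin.co/`, `cdn.discordapp.com/attachments/`) with bare hostnames (`transfer.sh`, `mega.nz`, `storage.googleapis.com`), so the bare ones also match unrelated hosts or path segments (`transfer.shop`, `omega.nz`, a query string containing the name) while the rule fires at `level: high` with `falsepositives: Unknown`. I'd anchor every entry on a host boundary, e.g. `- '://transfer.sh/'` plus `- '.transfer.sh/'`, and note in `falsepositives` that `raw.githubusercontent.com` and `storage.googleapis.com` are used by legitimate software-distribution pipelines. Since this is pure substring matching on whatever the deployment server logs as Path, percent-encoded or mixed-case URLs are only covered to the extent the backend's `contains` is case-insensitive, which is worth a one-line comment above the list.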
@@ -0,0 +1,36 @@
+title: Suspicious AppX Package Locations
+id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 854
+ Path|contains:
+ # Paths can be written using forward slash if the "file://" protocol is used
+ - 'C:\Users\Public\'
+ - '/users/public/'
+ - 'C:\PerfLogs\'
+ - 'C:/perflogs/'
+ - '\Desktop\'
+ - '/desktop/'
+ - '\Downloads\'
+ - '/Downloads/'
+ - 'C:\Windows\Temp\'
+ - 'C:/Windows/Temp/'
+ - '\AppdData\Local\Temp\'
+ - '/AppdData/Local/Temp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
new file mode 100644
index 000000000..236ec229b
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
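Review bot: Two entries are misspelled and can never match a real path: `'\AppdData\Local\Temp\'` and `'/AppdData/Local/Temp/'` should be `'\AppData\Local\Temp\'` and `'/AppData/Local/Temp/'`. The user temp directory is the most common staging location for a downloaded package, so the typo removes much of the rule's value; once fixed, consider whether `\AppData\Roaming\` belongs in the list for your telemetry as well. Minor: `/users/public/`, `C:/perflogs/` and `/desktop/` are lower-case while the rest is mixed-case, which only works when the backend's `contains` is case-insensitive, so either normalise the casing or say so in the existing comment.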
@@ -0,0 +1,33 @@
+title: Uncommon AppX Package Locations
+id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 854
+ filter_generic:
+ Path|contains:
+ # Paths can be written using forward slash if the "file://" protocol is used
+ - 'C:\Program Files\WindowsApps\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\WINDOWS\SystemApps\'
+ - 'x-windowsupdate://'
+ - 'file:///C:/Program%20Files%20(x86)/'
+ - 'file:///C:/Program%20Files%20/'
+ filter_specific:
+ Path|contains: 'https://statics.teams.cdn.office.net/'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
new file mode 100644
index 000000000..408d48a90
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
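Review bot: `filter_generic` uses `Path|contains` for what are filesystem or URL *prefixes* (`C:\Program Files\WindowsApps\`, `file:///C:/Program%20Files%20(x86)/`, `x-windowsupdate://`), so any Path value that embeds one of those strings later on, for instance a remote URL whose path component does, is excluded from a rule meant to surface uncommon sources; `Path|startswith` is the correct operator for every entry in this list and costs nothing. Note also the asymmetry that `C:\Program Files\` is only excluded under `WindowsApps\` while all of `C:\Program Files (x86)\` is excluded, which whitelists any attacker-writable vendor subfolder there; if that is deliberate, a comment saying so would help the next maintainer. `filter_specific` carries a single exact CDN prefix and is fine as written.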
@@ -0,0 +1,28 @@
+title: Potential Signing Bypass Via Windows Developer Features
+id: a383dec4-deec-4e6e-913b-ed9249670848
+status: experimental
+description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\SystemSettingsAdminFlows.exe'
+ - OriginalFileName: 'SystemSettingsAdminFlows.EXE'
+ selection_flag:
+ CommandLine|contains: 'TurnOnDeveloperFeatures'
+ selection_options:
+ CommandLine|contains:
+ - 'DeveloperUnlock'
+ - 'EnableSideloading'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
new file mode 100644
index 000000000..2a38234f2
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
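Review bot: The rule only covers the Settings-app path (`SystemSettingsAdminFlows.exe TurnOnDeveloperFeatures ...`); a scripted attacker would more likely flip the underlying policy values directly, which as far as I recall live under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock` (`AllowDevelopmentWithoutDevLicense`, `AllowAllTrustedApps`) and can be written with `reg.exe`, PowerShell or GPO without spawning this binary, so a companion `registry_set` rule on that key is needed to close the gap and the description should say this rule is the GUI-only view. Because legitimate developers do exactly this from Settings, `falsepositives: Unknown` at `level: high` will be noisy on dev workstations; I'd write `- Developers enabling Developer Mode or sideloading from the Settings app` and let environments tune. The description's second sentence is a fragment: `... or "Application Sideloading", which allows the user to install untrusted packages.` reads better.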
@@ -0,0 +1,30 @@
+title: Potential PowerShell Execution Policy Tampering
+id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+status: experimental
+description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
+references:
+ - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith:
+ # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
+ # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
+ # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
+ - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
+ - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
+ Details|contains:
+ - 'Bypass'
+ - 'RemoteSigned'
+ - 'Unrestricted'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tests/logsource.json b/tests/logsource.json
index 9d3897280..a6f8cb803 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -87,7 +87,8 @@
 "printservice-admin":[],
 "msexchange-management":[],
 "applocker":[],
- "vhdmp":[]
+ "vhdmp":[],
+ "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"]
 }
 },
 "linux":{
From b6b1eba014ba524d61298e0b521a603b234c1e29 Mon Sep 17 00:00:00 2001
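Review bot: `'RemoteSigned'` is treated the same as `'Bypass'` and `'Unrestricted'` in `Details|contains`, yet it is the default execution policy on Windows Server and a common GPO-managed value, so the `\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy` branch will fire on routine policy application while `falsepositives` still says `Unknown`; I'd document `- Group Policy or management tooling applying an execution policy` and consider scoring RemoteSigned lower or splitting it into its own selection. The three-line note on PowerShell 7's `powershell.config.json` is valuable context but sits inside the `TargetObject|endswith` list; placing it above `selection:` keeps the list scannable and makes the limitation visible to anyone reading the detection block. The description should also state that this rule only sees the Windows PowerShell 5.1 registry path, since that is the gap the note is describing.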
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 23:39:15 +0100
Subject: [PATCH 4/8] fix: fp and add related fields
---
 ...ment_server_uncommon_package_locations.yml | 4 ++-
 ...posh_ps_set_policies_to_unsecure_level.yml | 7 ++++
 ...ion_win_set_policies_to_unsecure_level.yml | 7 ++++
 ...ion_win_set_unsecure_powershell_policy.yml | 34 +++++++++++++++++++
 ...gistry_set_powershell_execution_policy.yml | 11 +++++-
 5 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
index 236ec229b..485eb508e 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
@@ -21,7 +21,9 @@ detection:
 # Paths can be written using forward slash if the "file://" protocol is used
 - 'C:\Program Files\WindowsApps\'
 - 'C:\Program Files (x86)\'
- - 'C:\WINDOWS\SystemApps\'
+ - 'C:\Windows\SystemApps\'
+ - 'C:\Windows\PrintDialog\'
+ - 'C:\Windows\ImmersiveControlPanel\'
 - 'x-windowsupdate://'
 - 'file:///C:/Program%20Files%20(x86)/'
 - 'file:///C:/Program%20Files%20/'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 92e9ce7ff..baed83349 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -1,5 +1,12 @@
 title: Change PowerShell Policies to an Insecure Level - PowerShell
 id: 61d0475c-173f-4844-86f7-f3eebae1c66b
+related:
+ - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
+ type: similar
+ - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+ type: similar
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
+ type: similar
 status: experimental
 description: Detects use of Set-ExecutionPolicy to set insecure policies
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml
index fe1e866c1..b94636117 100644
--- a/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml
@@ -1,5 +1,12 @@
 title: Change PowerShell Policies to an Insecure Level
 id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
+related:
+ - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
+ type: similar
+ - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
+ type: similar
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
+ type: similar
 status: experimental
 description: Detects use of executionpolicy option to set insecure policies
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
new file mode 100644
index 000000000..7844a5267
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml
@@ -0,0 +1,34 @@
+title: Potential PowerShell Execution Policy Tampering - ProcCreation
+id: cf2e938e-9a3e-4fe8-a347-411642b28a9f
+related:
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry
+ type: similar
+ - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+ type: similar
+ - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
+ type: similar
+status: experimental
+description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+references:
+ - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_path:
+ CommandLine|contains:
+ - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
+ - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
+ selection_values:
+ CommandLine|contains:
+ - 'Bypass'
+ - 'RemoteSigned'
+ - 'Unrestricted'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index 2a38234f2..f4c5c4fa4 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
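Review bot: The first `related` comment is mislabeled: `fad91067-...` is the `registry_set` rule ("Potential PowerShell Execution Policy Tampering"), not `# ProcCreation Registry`, which is this rule's own description, so the label should read `# Registry`. Functionally, `selection_values` matches `Bypass`/`RemoteSigned`/`Unrestricted` anywhere in the command line, so a read-only `Get-ItemProperty ...\ShellIds\Microsoft.PowerShell\ExecutionPolicy` launched from a `powershell -ep bypass` session fires at `level: high` although nothing was written; either note that in `falsepositives` or add a `selection_write` keyed on `reg add`, `Set-ItemProperty`, `New-ItemProperty` so the rule requires a write verb. The description should also say this is the registry-write view, to distinguish it from 87e3c4e8 which already covers the `-ExecutionPolicy` switch.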
@@ -1,5 +1,12 @@
 title: Potential PowerShell Execution Policy Tampering
 id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+related:
+ - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
+ type: similar
+ - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+ type: similar
+ - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
+ type: similar
 status: experimental
 description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
 references:
@@ -24,7 +31,9 @@ detection:
 - 'Bypass'
 - 'RemoteSigned'
 - 'Unrestricted'
- condition: selection
+ filter_svchost:
+ Image: 'C:\Windows\system32\svchost.exe'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
From d0b2e2cbba696c9ca47f8f3d5ce7c4eb52cbb087 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 23:47:12 +0100
Subject: [PATCH 5/8] fix: more fp and duplicate id
---
 .../appxdeployment_server_uncommon_package_locations.yml | 9 +++++----
 .../registry_set_powershell_execution_policy.yml | 4 +++-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
index 485eb508e..2e1eceaa5 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
@@ -1,5 +1,5 @@
 title: Uncommon AppX Package Locations
-id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+id: c977cb50-3dff-4a9f-b873-9290f56132f1
 status: experimental
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 references:
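Review bot: In the `related` block of the registry rule, `cf2e938e-...` is the process-creation rule created in this same series, so its label should read `# ProcCreation Registry` rather than `# Registry` (the `# Registry` label describes this rule's own id, which is what the sibling files use). In the second hunk, `filter_svchost` excludes `C:\Windows\system32\svchost.exe` without saying why; a comment such as `# Group Policy client (runs in svchost) applying the Policies\...\ExecutionPolicy value` would record the benign writer, and that case belongs in `falsepositives` instead of `Unknown`.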
@@ -25,10 +25,11 @@ detection:
 - 'C:\Windows\PrintDialog\'
 - 'C:\Windows\ImmersiveControlPanel\'
 - 'x-windowsupdate://'
- - 'file:///C:/Program%20Files%20(x86)/'
- - 'file:///C:/Program%20Files%20/'
+ - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
 filter_specific:
- Path|contains: 'https://statics.teams.cdn.office.net/'
+ Path|contains:
+ - 'https://statics.teams.cdn.office.net/'
+ - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index f4c5c4fa4..684de8c71 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -32,7 +32,9 @@ detection:
 - 'RemoteSigned'
 - 'Unrestricted'
 filter_svchost:
- Image: 'C:\Windows\system32\svchost.exe'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
From 67ea98a6db58aa81ec1fc9773f1a6e3736b904fd Mon Sep 17 00:00:00 2001
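Review bot: The new `'microsoft.com'` entry in `filter_specific` is a bare `Path|contains` substring, so it exempts any package path in which that string occurs at any position, which is a much wider exemption than the `go.microsoft.com` fwlink example the comment gives. Anchoring the entry to the documented origin, e.g. `- 'https://go.microsoft.com/fwlink/'`, keeps the intended suppression while leaving every other path subject to the selection. If other Microsoft hosts were also observed in testing, listing them explicitly is still narrower than the unanchored substring.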
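Review bot: Widening `filter_svchost` to `Image|startswith: 'C:\Windows\System32\'` / `'C:\Windows\SysWOW64\'` exempts far more than svchost: powershell.exe lives under `System32\WindowsPowerShell\v1.0\`, and reg.exe and cmd.exe are in those directories too, so the rule as changed no longer fires on the most direct ways the execution policy value is written, and the filter's name no longer describes what it does. If the FP is specifically svchost.exe from either bitness, keep the two prefixes and add `Image|endswith: '\svchost.exe'` inside the same selection so both conditions must hold. The start of `detection` and the `selection` block are outside the hunk.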
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 01:05:48 +0100
Subject: [PATCH 6/8] feat: more updates and fixes
---
 .../appxdeployment_server_mal_appx_names.yml | 2 +
 ..._server_susp_appx_package_installation.yml | 1 +
 .../appxdeployment_server_susp_domains.yml | 1 +
 ...ployment_server_susp_package_locations.yml | 1 +
 ...ment_server_uncommon_package_locations.yml | 1 +
 ... => dns_query_win_lolbin_appinstaller.yml} | 6 +--
 .../proc_creation_win_susp_appx_execution.yml | 38 +++++++++++++++++++
 7 files changed, 47 insertions(+), 3 deletions(-)
 rename rules/windows/dns_query/{dns_query_win_lobas_appinstaller.yml => dns_query_win_lolbin_appinstaller.yml} (78%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
index 60fcac442..9e7d13e2c 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects installation of known malicious appx packages
 references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
@@ -15,6 +16,7 @@ detection:
 selection:
 EventID: 401
 # Add more malicious package names
+ # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9_96.0.1072.0_'
 condition: selection
 falsepositives:
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
index 91f775513..5399760e3 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml
@@ -6,6 +6,7 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
index 28ee245b7..fe381e85b 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml
@@ -6,6 +6,7 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
index c3861d622..73ee87ff0 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml
@@ -6,6 +6,7 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
index 2e1eceaa5..937a84dfa 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
@@ -6,6 +6,7 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
diff --git a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml
similarity index 78%
rename from rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
rename to rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml
index 83f059132..6bd3dfe0f 100644
--- a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
+++ b/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml
@@ -1,13 +1,13 @@
-title: AppInstaller Attempts From URL by DNS
+title: AppX Package Installation Attempts Via AppInstaller
 id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
 status: test
-description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
+description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
 references:
 - https://twitter.com/notwhickey/status/1333900137232523264
 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: frack113
 date: 2021/11/24
-modified: 2022/12/25
+modified: 2023/01/12
 tags:
 - attack.command_and_control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
new file mode 100644
index 000000000..fccb3b1b4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
@@ -0,0 +1,38 @@
+title: Suspicious Windows App Activity
+id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
+status: experimental
+description: Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
+references:
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ #GrandParentImage|endswith: '\sihost.exe'
+ ParentImage|contains: 'C:\Program Files\WindowsApps\'
+ selection_susp_img:
+ Image|endswith:
+ # You can add more LOLBINs
+ - '\poweshell.exe'
+ - '\pwsh.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
+ - '\mshta.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ selection_susp_cli:
+ # You can add more suspicious keywords
+ CommandLine|contains:
+ - 'cmd /c'
+ - 'Invoke-'
+ - 'Base64'
+ condition: selection_parent and 1 of selection_susp_*
+falsepositives:
+ - Unknown
+level: high
From 0470f45246e8a26d4d9660b383f70f3b9abb610e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 10:36:13 +0100
Subject: [PATCH 7/8] fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../appxdeployment_server_mal_appx_names.yml | 1 +
 .../registry_set/registry_set_powershell_execution_policy.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
index 9e7d13e2c..1ecf76291 100644
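Review bot: `- '\poweshell.exe'` in `selection_susp_img` is misspelled (the `r` is missing), so the Windows PowerShell host never matches this selection and only `pwsh.exe` is covered; it should read `- '\powershell.exe'`. Two smaller points in the same hunk: `ParentImage|contains: 'C:\Program Files\WindowsApps\'` holds an absolute path, so `ParentImage|startswith` states the intent more precisely, and the commented-out `#GrandParentImage|endswith: '\sihost.exe'` line should either be removed or carry a short note on why it is kept disabled, since a future reader cannot tell whether it is a pending idea or a rejected one.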
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
@@ -5,6 +5,7 @@ description: Detects installation of known malicious appx packages
 references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+ - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index 684de8c71..eb935678c 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -10,7 +10,7 @@ related:
 status: experimental
 description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
 references:
- - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali
 date: 2023/01/11
 tags:
From e7a2e1c169f6387d221874a9d5c28702961ab65d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 10:37:34 +0100
Subject: [PATCH 8/8] fix: remove version from name
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../appxdeployment_server_mal_appx_names.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
index 1ecf76291..7fee46f14 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 401
 # Add more malicious package names
 # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9_96.0.1072.0_'
+ PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
 condition: selection
 falsepositives:
 - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
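Review bot: The `falsepositives` entry still says the package must use "the exact same name and version as a legtimate application", but this commit drops the `_96.0.1072.0_` version suffix from `PackageFullName|contains`, so version no longer plays any part in the match and the sentence (which also misspells "legitimate") is now inaccurate. Update it to `- Rare occasions where a malicious package uses the exact same name as a legitimate application`. The rest of the rule's `detection` block starts outside the hunk.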