diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index bbb1f00d1..bafb98285 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -44,3 +44,5 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
+1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer
+c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 5cf624347..98de59882 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -22,13 +22,13 @@ jobs:
 - uses: actions/checkout@v2
 with:
 submodules: true
-- name: Set up Python 3.8
+- name: Set up Python 3.11
 uses: actions/setup-python@v1
 with:
-python-version: 3.8
+python-version: 3.11
 - name: Install dependencies
 run: |
-pip install sigma-cli~=0.3.2
+pip install sigma-cli~=0.5.3
 - name: Test Sigma Rule Syntax
 run: |
 sigma check rules
diff --git a/LICENSE b/LICENSE
index 0b9e352e3..2c06c4bed 100644
--- a/LICENSE
+++ b/LICENSE
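Review bot: The new `python-version: 3.11` in sigma-test.yml is an unquoted YAML scalar and is parsed as a float; it happens to round-trip here, but the same pattern turns a future `3.10` into `3.1`, so the value should be quoted, `python-version: "3.11"`. The step still uses `actions/setup-python@v1` while the interpreter jumps to 3.11 — whether that old major still resolves 3.11 on current runners should be confirmed, and both it and `actions/checkout@v2` are referenced by mutable tags rather than a commit SHA, so the workflow's supply chain is only as stable as those tags. Likewise `pip install sigma-cli~=0.5.3` accepts any later 0.5.x release without hash verification; pinning the exact version (and ideally installing with `--require-hashes`) would make the rule-syntax check reproducible. The enclosing `jobs:`/`steps:` block starts outside the hunk.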
@@ -3,5 +3,5 @@ The content of this repository is released under the following licenses: - The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License -- The Sigma specification and the Sigma logo are public domain -- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1 +- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain +- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the Detection Rule License (DRL) 1.1 diff --git a/Pipfile.lock b/Pipfile.lock index 2416e3258..f56216248 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" + "sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8" }, "pipfile-spec": 6, "requires": { 
@@ -18,42 +18,43 @@ "default": { "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "deprecated": { "hashes": [ - "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", - "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" + "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d", + "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.12" + "version": "==1.2.13" }, "idna": { "hashes": [ - "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - 
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "jsonschema": { "hashes": [ 
@@ -80,30 +81,31 @@ }, "pyrsistent": { "hashes": [ - "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", - "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", - "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", - "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", - "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", - "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", - "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", - "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", - "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", - "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", - "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", - "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", - "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", - "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", - "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", - "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", - "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", - "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", - "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", - "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", - "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + "sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed", + "sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb", + "sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a", + "sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95", + 
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712", + "sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73", + "sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41", + "sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b", + "sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78", + "sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab", + "sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308", + "sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425", + "sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2", + "sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e", + "sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6", + "sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2", + "sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a", + "sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291", + "sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584", + "sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a", + "sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0", + "sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770" ], - "markers": "python_version >= '3.6'", - "version": "==0.18.0" + "markers": "python_version >= '3.7'", + "version": "==0.19.2" }, "python-dateutil": { "hashes": [ 
@@ -115,10 +117,11 @@ }, "python-utils": { "hashes": [ - "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", - "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" + "sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592", + "sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a" ], - "version": "==2.5.6" + "markers": "python_version >= '3.7'", + "version": "==3.4.5" }, "pyyaml": { "hashes": [ 
@@ -165,38 +168,59 @@ }, "ruamel.yaml": { "hashes": [ - "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", - "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7", + "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af" ], "index": "pypi", - "version": "==0.17.10" + "version": "==0.17.21" }, "ruamel.yaml.clib": { "hashes": [ - "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", - "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", - "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", - "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", - "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", - "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", - "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", - "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", - "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", - "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", - "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", - "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", - "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", - "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", - "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", - "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", - "sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", - "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", - "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", - 
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", - "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + "sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e", + "sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3", + "sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5", + "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497", + "sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f", + "sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac", + "sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697", + "sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763", + "sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282", + "sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94", + "sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1", + "sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072", + "sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9", + "sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5", + "sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231", + "sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93", + "sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b", + "sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb", + "sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f", + "sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307", + "sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8", + "sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b", + "sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b", + "sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640", 
+ "sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7", + "sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a", + "sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71", + "sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8", + "sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7", + "sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80", + "sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e", + "sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab", + "sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0", + "sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646" ], - "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", - "version": "==0.2.6" + "markers": "python_version < '3.11' and platform_python_implementation == 'CPython'", + "version": "==0.2.7" + }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" }, "six": { "hashes": [ @@ -206,6 +230,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "termcolor": { + "hashes": [ + "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b", + "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd" + ], + "index": "pypi", + "version": "==2.1.1" + }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -216,69 +248,191 @@ }, "wrapt": { "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" + "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3", + "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b", + "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4", + "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2", + "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656", + "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3", + "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff", + "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310", + "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a", + "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57", + "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069", + "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383", + "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe", + "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87", + "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d", + "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b", + "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907", + "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f", + "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0", + "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28", + "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1", + "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853", + "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc", + "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3", + 
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3", + "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164", + "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1", + "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c", + "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1", + "sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7", + "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1", + "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320", + "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed", + "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1", + "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248", + "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c", + "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456", + "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77", + "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef", + "sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1", + "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7", + "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86", + "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4", + "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d", + "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d", + "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8", + "sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5", + "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471", + "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00", + "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68", 
+ "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3", + "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d", + "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735", + "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d", + "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569", + "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7", + "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59", + "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5", + "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb", + "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b", + "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f", + "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462", + "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015", + "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af" ], - "version": "==1.12.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.14.1" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", - "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", - "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", - "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", - "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", - "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", - "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", - "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", - "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", - 
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", - "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", - "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", - "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", - "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", - "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", - "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", - "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", - "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", - "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", - "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", - "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", - "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", - "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", - "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", - "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", - "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", - "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", - "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", - "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", - "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", - "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", - "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", - "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", - "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", - "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", 
- "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", - "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" + "sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8", + "sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142", + "sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18", + "sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34", + "sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a", + "sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033", + "sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06", + "sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4", + "sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d", + "sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b", + "sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc", + "sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091", + "sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d", + "sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85", + "sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb", + "sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937", + "sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf", + "sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1", + "sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b", + "sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d", + "sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269", + "sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da", + "sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346", + 
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494", + "sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697", + "sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4", + "sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585", + "sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c", + "sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da", + "sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad", + "sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2", + "sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6", + "sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c", + "sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849", + "sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa", + "sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b", + "sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb", + "sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7", + "sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715", + "sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76", + "sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d", + "sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276", + "sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6", + "sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37", + "sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb", + "sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d", + "sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c", + "sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446", + "sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008", 
+ "sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342", + "sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d", + "sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7", + "sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061", + "sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba", + "sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7", + "sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290", + "sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0", + "sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d", + "sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8", + "sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f", + "sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48", + "sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502", + "sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62", + "sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9", + "sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403", + "sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77", + "sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476", + "sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e", + "sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96", + "sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5", + "sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784", + "sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091", + "sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b", + "sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97", + 
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a", + "sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2", + "sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9", + "sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d", + "sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73", + "sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017", + "sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363", + "sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c", + "sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d", + "sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618", + "sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491", + "sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b", + "sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca" ], "markers": "python_version >= '3.6'", - "version": "==3.7.4.post0" + "version": "==3.8.3" + }, + "aiosignal": { + "hashes": [ + "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc", + "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.1" }, "antlr4-python3-runtime": { "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b" ], "markers": "python_version >= '3'", - "version": "==4.8" + "version": "==4.9.3" }, "async-timeout": { "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" + "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15", + "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c" ], - "markers": 
"python_full_version >= '3.5.3'", - "version": "==3.0.1" + "markers": "python_version >= '3.6'", + "version": "==4.0.2" }, "attackcti": { "hashes": [ @@ -290,34 +444,27 @@ }, "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" - }, - "chardet": { - "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==4.0.0" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "colorama": { "hashes": [ 
@@ -401,79 +548,197 @@ "index": "pypi", "version": "==6.2.0" }, + "frozenlist": { + "hashes": [ + "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", + "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", + "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", + "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", + "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", + "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", + "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", + "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", + "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", + "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", + "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", + "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", + "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", + "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", + "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", + "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", + "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", + "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", + "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", + "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", + "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", + "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", + "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", + "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", + 
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", + "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", + "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", + "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", + "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", + "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", + "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", + "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", + "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", + "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", + "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", + "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", + "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", + "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", + "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", + "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", + "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", + "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", + "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", + "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", + "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", + "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", + "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", + "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", + "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", + "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", 
+ "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", + "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", + "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", + "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", + "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", + "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", + "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", + "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", + "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", + "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", + "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", + "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", + "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", + "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", + "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", + "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", + "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", + "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", + "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", + "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", + "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", + "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", + "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", + "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.3" + }, "idna": { "hashes": [ - 
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "more-itertools": { "hashes": [ - "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", - "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" + "sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41", + "sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab" ], - "markers": "python_version >= '3.5'", - "version": "==8.8.0" + "markers": "python_version >= '3.7'", + "version": "==9.0.0" }, "multidict": { "hashes": [ - "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", - "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", - "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", - "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", - "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", - "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", - "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", - "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", - "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", - "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", - "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", - "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", - "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", - "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", - 
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", - "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", - "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", - "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", - "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", - "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", - "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", - "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", - "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", - "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", - "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", - "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", - "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", - "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", - "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", - "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", - "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", - "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", - "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", - "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", - "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", - "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", - "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" + "sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce", + "sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce", + "sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57", 
+ "sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335", + "sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38", + "sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2", + "sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a", + "sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418", + "sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d", + "sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c", + "sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30", + "sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852", + "sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718", + "sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614", + "sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b", + "sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e", + "sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4", + "sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c", + "sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3", + "sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d", + "sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45", + "sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89", + "sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f", + "sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827", + "sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6", + "sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51", + "sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69", + "sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba", + 
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91", + "sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131", + "sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37", + "sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd", + "sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46", + "sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0", + "sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd", + "sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d", + "sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee", + "sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531", + "sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d", + "sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7", + "sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c", + "sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a", + "sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08", + "sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e", + "sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759", + "sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986", + "sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a", + "sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d", + "sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64", + "sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116", + "sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7", + "sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d", + "sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9", + "sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea", 
+ "sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303", + "sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102", + "sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38", + "sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef", + "sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a", + "sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438", + "sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3", + "sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9", + "sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f", + "sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0", + "sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022", + "sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2", + "sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67", + "sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11", + "sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734", + "sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945", + "sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb", + "sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000", + "sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253", + "sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544" ], - "markers": "python_version >= '3.6'", - "version": "==5.1.0" + "markers": "python_version >= '3.7'", + "version": "==6.0.3" }, "packaging": { "hashes": [ - "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", - "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + 
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.0" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pathspec": { "hashes": [ - "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", - "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" + "sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5", + "sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0" ], - "version": "==0.9.0" + "markers": "python_version >= '3.7'", + "version": "==0.10.2" }, "pluggy": { "hashes": [ @@ -485,19 +750,11 @@ }, "py": { "hashes": [ - "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", - "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" + "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719", + "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.10.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.11.0" }, "pytest": { "hashes": [ @@ -509,10 +766,10 @@ }, "pytz": { "hashes": [ - "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", - "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427", + "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2" ], - "version": "==2021.1" + "version": "==2022.6" }, "pyyaml": { "hashes": [ 
@@ -557,49 +814,80 @@ "index": "pypi", "version": "==2.26.0" }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" + }, "simplejson": { "hashes": [ - "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7", - "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085", - "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb", - "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476", - "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473", - "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e", - "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c", - "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732", - "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b", - "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34", - "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586", - "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da", - "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34", - "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564", - "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e", - "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926", - "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e", - "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08", - "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e", - "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c", - "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999", - 
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e", - "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314", - "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95", - "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277", - "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda", - "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61", - "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640", - "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e", - "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee", - "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86", - "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98", - "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616", - "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b", - "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c", - "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc", - "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858", - "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec" + "sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e", + "sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840", + "sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76", + "sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea", + "sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342", + "sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7", + "sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a", + "sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1", + "sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0", 
+ "sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7", + "sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15", + "sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce", + "sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e", + "sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf", + "sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710", + "sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2", + "sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b", + "sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986", + "sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac", + "sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871", + "sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710", + "sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31", + "sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b", + "sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387", + "sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6", + "sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83", + "sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea", + "sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a", + "sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5", + "sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a", + "sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688", + "sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99", + "sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e", + "sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe", + 
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673", + "sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67", + "sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39", + "sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e", + "sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43", + "sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4", + "sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d", + "sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430", + "sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac", + "sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4", + "sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b", + "sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266", + "sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f", + "sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b", + "sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73", + "sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df", + "sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22", + "sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29", + "sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51", + "sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d", + "sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa", + "sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3", + "sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce", + "sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059", + "sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6", + "sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619", 
+ "sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb" ], "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.3" + "version": "==3.18.0" }, "six": { "hashes": [ @@ -618,10 +906,11 @@ }, "stix2-patterns": { "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08", + "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458" ], - "version": "==1.3.2" + "markers": "python_version >= '3.6'", + "version": "==2.0.0" }, "taxii2-client": { "hashes": [ @@ -630,14 +919,6 @@ ], "version": "==2.3.0" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "version": "==3.10.0.0" - }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -662,46 +943,83 @@ }, "yarl": { "hashes": [ - "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", - "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", - "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", - "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", - "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", - "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", - "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", - "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", - "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", - "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", - "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", - "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", - "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", - "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", - "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", - "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", - "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", - "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", - "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", - "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", - "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", - "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", - "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", - "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", - "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", - 
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", - "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", - "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", - "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", - "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", - "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", - "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", - "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", - "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", - "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", - "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", - "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" + "sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87", + "sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89", + "sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a", + "sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08", + "sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996", + "sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077", + "sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901", + "sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e", + "sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee", + "sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574", + "sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165", + "sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634", + "sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229", + "sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b", 
+ "sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f", + "sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7", + "sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf", + "sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89", + "sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0", + "sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1", + "sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe", + "sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf", + "sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76", + "sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951", + "sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863", + "sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06", + "sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562", + "sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6", + "sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c", + "sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e", + "sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1", + "sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3", + "sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3", + "sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778", + "sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8", + "sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2", + "sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b", + "sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d", + "sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f", + 
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c", + "sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581", + "sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918", + "sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c", + "sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e", + "sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220", + "sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37", + "sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739", + "sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77", + "sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6", + "sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42", + "sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946", + "sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5", + "sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d", + "sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146", + "sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a", + "sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83", + "sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef", + "sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80", + "sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588", + "sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5", + "sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2", + "sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef", + "sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826", + "sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05", + "sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516", 
+ "sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0", + "sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4", + "sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2", + "sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0", + "sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd", + "sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8", + "sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b", + "sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1", + "sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c" ], - "markers": "python_version >= '3.6'", - "version": "==1.6.3" + "markers": "python_version >= '3.7'", + "version": "==1.8.2" } } } diff --git a/README.md b/README.md index 38d1e6b26..1fd9f412f 100644 --- a/README.md +++ b/README.md @@ -256,18 +256,21 @@ and included with `@filename` as parameter on the command line. Example: *misp.conf*: -``` + +```apacheconf url https://host key foobarfoobarfoobarfoobarfoobarfoobarfoo ``` Load Sigma rule into MISP event 1234: -``` + +```bash sigma2misp @misp.conf --event 1234 sigma_rule.py ``` Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*: -``` + +```bash sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/ ``` @@ -280,11 +283,12 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/ Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules. Requirements: -- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`) + +* Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`) Usage samples: -``` +```bash # Use the default "rules" folder ./tools/sigma2attack 
@@ -345,8 +349,9 @@ If you want to contribute, you are more then welcome. There are numerous ways to If you use it, let us know what works and what does not work. E.g. -- Tell us about false positives (issues section) -- Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule + +* Tell us about false positives (issues section) +* Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule ## Work on open issues 
@@ -358,15 +363,15 @@ Please don't provide backends for the old code base (sigmac) anymore. Please use ## Spread the word -Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it. +Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it. # Licenses The content of this repository is released under the following licenses: -* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html) -* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain -* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md) +* The toolchain (everything under tools/) is licensed under the[GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html) +* The [Sigma Specification](https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain +* The rules contained in the [SigmaHQ repository](https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md) # Credits diff --git a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml new file mode 100644 index 000000000..d168fe6c9 --- /dev/null +++ b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml 
@@ -0,0 +1,24 @@ +title: MavInject Process Injection +id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 +status: deprecated +description: Detects process injection using the signed Windows tool Mavinject32.exe +author: Florian Roth +references: + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 +date: 2018/12/12 +modified: 2021/11/27 +tags: + - attack.t1055.001 + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: ' /INJECTRUNNING ' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml similarity index 91% rename from rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml rename to rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml index 44dd578da..edd810bf5 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml +++ b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -1,11 +1,12 @@ title: Nslookup PwSh Download Cradle id: 72671447-4352-4413-bb91-b85569687135 -status: experimental +status: deprecated description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] references: - https://twitter.com/alh4zr3d/status/1566489367232651264 author: Zach Mathis (@yamatosecurity) date: 2022/09/06 +modified: 2022/12/14 # Deprecation date tags: - attack.command_and_control - attack.t1105 
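Review bot: The deprecated MavInject rule keeps `modified: 2021/11/27` although its status is changed to deprecated here, while the nslookup rule in the next hunk of this same commit records the deprecation with `modified: 2022/12/14 # Deprecation date`; the two should follow the same convention, e.g. `modified: 2022/12/14 # Deprecation date` (placeholder date, use the actual deprecation date). The file is also added as a new file under rules-deprecated/ rather than as a rename from rules/, so the rule's history is not followed by git; if the original still exists elsewhere in the tree this hunk cannot show it, so that should be confirmed.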
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml similarity index 74% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index 900099c2e..990b256e8 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml @@ -1,7 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 -status: experimental -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +status: deprecated +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. + An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml 
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml similarity index 70% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 623ebbfac..9d70c250c 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml 
@@ -1,13 +1,17 @@ -title: Excel Proxy Executing Regsvr32 With Payload +title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 -status: experimental -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +status: deprecated +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. + An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 -modified: 2022/07/07 +modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 diff --git a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml similarity index 79% rename from rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml rename to rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml index d31bcb063..cdaa52a4e 100644 
--- a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml +++ b/rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml @@ -1,6 +1,6 @@ title: Abusing Windows Telemetry For Persistence - Registry id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 -status: experimental +status: deprecated description: | Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. @@ -23,19 +23,19 @@ detection: EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - - .sh - - .exe - - .dll - - .bin - - .bat - - .cmd - - .js - - .ps - - .vb - - .jar - - .hta - - .msi - - .vbs + - '.sh' + - '.exe' + - '.dll' + - '.bin' + - '.bat' + - '.cmd' + - '.js' + - '.ps' + - '.vb' + - '.jar' + - '.hta' + - '.msi' + - '.vbs' condition: selection fields: - EventID diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules-deprecated/windows/registry_set_silentprocessexit.yml similarity index 97% rename from rules/windows/registry/registry_set/registry_set_silentprocessexit.yml rename to rules-deprecated/windows/registry_set_silentprocessexit.yml index 19f3c96d0..e9ae3be90 100644 --- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/rules-deprecated/windows/registry_set_silentprocessexit.yml 
@@ -1,6 +1,6 @@ title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 -status: experimental +status: deprecated description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml similarity index 94% rename from rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml rename to rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 4e9cb06cb..b031cd481 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -1,12 +1,12 @@ title: Accessing WinAPI in PowerShell for Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc -status: experimental +status: deprecated description: Detects Accessing to lsass.exe by Powershell references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2022/07/14 +modified: 2022/12/18 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml similarity index 92% rename from rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml rename to rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml index dc777781b..d53e7b71e 100644 --- a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml +++ b/rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml 
@@ -1,12 +1,12 @@ title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon id: e554f142-5cf3-4e55-ace9-a1b59e0def65 -status: test +status: deprecated description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga date: 2020/10/12 -modified: 2022/11/26 +modified: 2022/12/18 tags: - attack.lateral_movement - attack.t1021.002 @@ -23,7 +23,7 @@ detection: EventID: 7 Image|endswith: '\Internet Explorer\iexplore.exe' ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' - condition: selection_one or selection_two + condition: 1 of selection_* falsepositives: - Unknown level: critical diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml index eba50e063..aa9d8b3e6 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml 
@@ -1,17 +1,20 @@ title: Account Created And Deleted By Non Approved Users id: c98184ba-4a27-4e10-b7b7-da48e71f4d25 status: experimental -description: Detects when accounts are created and deleted by non-approved users. -author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' -date: 2022/08/11 +description: Detects accounts that are created or deleted by non-approved users. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts +author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.t1078 logsource: product: azure service: auditlogs detection: selection: - properties.message: + properties.message: - Add user - Delete user Status: Sucess @@ -20,7 +23,4 @@ detection: condition: selection and not valid_admin falsepositives: - Legit administrative action -tags: - - attack.defense_evasion - - attack.t1078 level: medium diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml index e573ef7a3..df931f828 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml 
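Review bot: The context line `Status: Sucess` carries the selection value this rule depends on, and as spelled it will only match if the log source emits the same misspelling; if the real result string is `Success` the rule never fires, so that value should be verified against the auditlogs field before this placeholder is promoted. The description is reworded in this hunk but no `modified` date is added, whereas other rules touched by this commit (av_relevant_files, aws_passed_role_to_glue_development_endpoint, aws_susp_saml_activity) bump `modified`; the same applies to the four sibling rules-placeholder/cloud/azure hunks that follow.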
@@ -1,11 +1,14 @@ title: Authentication Occuring Outside Normal Business Hours id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526 status: experimental -description: Detects when an a user signs in outside of normal business hours. -author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' -date: 2022/08/11 +description: Detects user signs ins outside of normal business hours. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' +date: 2022/08/11 +tags: + - attack.persistence + - attack.t1078 logsource: product: azure service: signinlogs @@ -19,7 +22,4 @@ detection: condition: selection falsepositives: - User doing actual work outside of normal business hours. -tags: - - attack.persistence - - attack.t1078 level: low diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml index 3acc5d8f0..6e2438b90 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml 
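Review bot: The new description line has a typo, `Detects user signs ins outside of normal business hours.` should read `description: Detects user sign-ins outside of normal business hours.`. The title's `Occuring` (also in the next hunk's title) is an existing misspelling that could be fixed in the same pass, since titles surface directly in alert consoles.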
@@ -1,16 +1,20 @@ title: Privilege Role Elevation Not Occuring on SAW or PAW id: 38a5e67b-436a-4e77-9f73-f48a82626890 status: experimental -description: Detects when an account fails a sign-in when in from a PAW or SAW device -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects failed sign-in from a PAW or SAW device references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1078 logsource: product: azure service: signinlogs detection: - # You have to tune the rule for your environnement before use it + # You have to tune the rule for your environment before use it selection: properties.message|contains: Add memmber to role completed (PIM aciviation) # Countries you DO operate out of e,g GB, use list for mulitple @@ -25,8 +29,4 @@ detection: condition: selection falsepositives: - Not using a PAW/SAW in the environment -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1078 level: high diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml index 7949f61dd..95d3033d7 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml 
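Review bot: The new description `Detects failed sign-in from a PAW or SAW device` does not describe what the visible selection matches: the selection keys on `properties.message|contains: Add memmber to role completed (PIM aciviation)`, i.e. a PIM role activation, and the title and falsepositive entry say the concern is elevation happening off a PAW/SAW, so the description should say something like `Detects privileged role activations (PIM) that do not originate from a PAW or SAW device`. The selection string itself contains the misspellings `memmber` and `aciviation`; if the audit activity is spelled `Add member to role completed (PIM activation)` in the source, the rule cannot match and the placeholder is dead as written. It is also worth confirming that this message is available under `service: signinlogs`, since the sibling rule in this commit reads `properties.message` from `service: auditlogs`. The rest of the detection block is outside this hunk.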
@@ -1,16 +1,19 @@ title: Privilege Role Sign-In Outside Expected Controls id: cf1e5687-84e1-41af-97a9-158094efef53 status: experimental -description: Detects when an account fails a sign-in when it doesn't meet expected controls for admins -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects failed sign-in due to user not meeting expected controls for adminitrators references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.t1078 logsource: product: azure service: signinlogs detection: - # You have to tune the rule for your environnement before use it + # You have to tune the rule for your environment before use it selection: Status: failure # Countries you do NOT operate out of e,g GB, use list for mulitple @@ -21,7 +24,4 @@ detection: condition: selection falsepositives: - A legit admin not following proper processes -tags: - - attack.defense_evasion - - attack.t1078 level: high diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml index 403ce5eb2..fd702d956 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml 
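Review bot: The new description line misspells the last word: `description: Detects failed sign-in due to user not meeting expected controls for administrators`. While the `environnement` typo in the detection comment is fixed here, the neighbouring context comment still reads `e,g GB, use list for mulitple`, which could be corrected in the same edit.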
@@ -1,11 +1,14 @@ title: Privilege Role Sign-In Outside Of Normal Hours id: e927a2f5-e7af-424f-ace7-70ebb49e8976 status: experimental -description: Detects when an account signs in from outside normal hours or locations. Admin accounts should be investigated -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.persistence + - attack.t1078 logsource: product: azure service: signinlogs @@ -20,8 +23,5 @@ detection: Initiatied.By: '%ApprovedUserUpn%' condition: selection falsepositives: - - An admin doing actual work outside of normal business hours. -tags: - - attack.persistence - - attack.t1078 + - An admin doing actual work outside of normal business hours level: high diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml index 04fbe6eb0..266ac8c68 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml @@ -20,7 +20,7 @@ detection: - 'shell32.dll' - 'shellexec_rundll' - 'powershell' - condition: selection + condition: selection falsepositives: - Unknown level: medium 
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 96% rename from rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index b3afed27b..4f23f2659 100644 --- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -3,14 +3,14 @@ id: d585ab5a-6a69-49a8-96e8-4a726a54de46 related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived -status: test +status: unsupported description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1134.001 @@ -51,4 +51,4 @@ fields: - ImagePath falsepositives: - Highly unlikely -level: critical +level: critical \ No newline at end of file diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml index 8c29fdb92..a00032666 100644 --- a/rules/application/antivirus/av_hacktool.yml +++ b/rules/application/antivirus/av_hacktool.yml @@ -19,8 +19,7 @@ detection: - 'HKTL' - 'SecurityTool' - 'ATK/' # Sophos - - Signature|contains: - - 'Hacktool' + - Signature|contains: 'Hacktool' condition: selection fields: - FileName 
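Review bot: The second hunk of the getsystem rule replaces `level: critical` with the same text minus its trailing newline (`\ No newline at end of file`), which is the only content change in that hunk and a regression in file hygiene; the line should keep its newline so tooling and future diffs do not keep re-touching it. The status change to `unsupported` and the `modified` bump in the first hunk are otherwise consistent with the move into rules-unsupported/.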
diff --git a/rules/application/antivirus/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml index 7caa873ba..eb6a4ef3a 100644 --- a/rules/application/antivirus/av_relevant_files.yml +++ b/rules/application/antivirus/av_relevant_files.yml @@ -6,14 +6,14 @@ references: - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ author: Florian Roth, Arnim Rupp date: 2018/09/09 -modified: 2021/11/23 +modified: 2022/12/18 tags: - attack.resource_development - attack.t1588 logsource: category: antivirus detection: - selection: + selection_path: - Filename|startswith: - 'C:\Windows\' - 'C:\Temp\' @@ -29,7 +29,7 @@ detection: - 'tomcat' - 'nginx' - 'weblogic' - selection2: + selection_ext: Filename|endswith: - '.asax' - '.ashx' @@ -69,7 +69,7 @@ detection: - '.wsf' - '.wsh' - '.xml' - condition: selection or selection2 + condition: 1 of selection_* fields: - Signature - User diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml new file mode 100644 index 000000000..9ba8f1a88 --- /dev/null +++ b/rules/cloud/aws/aws_delete_identity.yml @@ -0,0 +1,22 @@ +title: SES Identity Has Been Deleted +id: 20f754db-d025-4a8f-9d74-e0037e999a9a +status: experimental +description: Detects an instance of an SES identity being deleted via the "delete-identity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.defense_evasion + - attack.t1070 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ses.amazonaws.com' + eventName: 'delete-identity' + condition: selection +falsepositives: + - Unknown +level: medium 
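Review bot: In the new aws_delete_identity rule the selection uses `eventName: 'delete-identity'`, which is the CLI subcommand spelling; CloudTrail records the API action name, so unless the log pipeline lowercases and hyphenates event names the rule is unlikely to ever match and should read `eventName: 'DeleteIdentity'`. Every other CloudTrail rule in this commit (aws_enum_logging, aws_ses_messaging_enabled, aws_susp_saml_activity) uses the PascalCase API form, so this one is also inconsistent with its siblings. The description could state which principal the deletion is attributed to once the value is confirmed against a real event.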
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml new file mode 100644 index 000000000..50fa152c6 --- /dev/null +++ b/rules/cloud/aws/aws_enum_logging.yml @@ -0,0 +1,32 @@ +title: Potential Backup Enumeration on An AWS Instance +id: 76255e09-755e-4675-8b6b-dbce9842cd2a +status: experimental +description: Detects potential enumeration activity targeting an AWS instance backups +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1580 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ec2.amazonaws.com' + eventName: + - 'GetPasswordData' + - 'GetEbsEncryptionByDefault' + - 'GetEbsDefaultKmsKeyId' + - 'GetBucketReplication' + - 'DescribeVolumes' + - 'DescribeVolumesModifications' + - 'DescribeSnapshotAttribute' + - 'DescribeSnapshotTierStatus' + - 'DescribeImages' + timeframe: 10m + condition: selection | count() > 5 +falsepositives: + - Unknown +level: medium diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml new file mode 100644 index 000000000..41297071c --- /dev/null +++ b/rules/cloud/aws/aws_enum_network.yml 
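Review bot: `GetBucketReplication` is listed under `eventSource: 'ec2.amazonaws.com'`, but it is an S3 API and would be logged with the S3 event source, so that entry can never contribute to this selection; either drop it or move it to the aws_enum_storage rule added in the same commit. The file is named aws_enum_logging.yml while the title and description are about backup enumeration, which will confuse anyone searching the repository; renaming the file to match the title, or the title to match the file, is worth doing before merge. The description also reads awkwardly, `description: Detects potential enumeration activity targeting the backups of an AWS instance`.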
@@ -0,0 +1,29 @@ +title: Potential Network Enumeration on An AWS Instance +id: c3d53999-4b14-4ddd-9d9b-e618c366b54d +status: experimental +description: Detects network enumeration performed on an AWS instance. +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1016 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ec2.amazonaws.com' + eventName: + - 'DescribeCarrierGateways' + - 'DescribeVpcEndpointConnectionNotifications' + - 'DescribeTransitGatewayMulticastDomains' + - 'DescribeClientVpnRoutes' + - 'DescribeDhcpOptions' + - 'GetTransitGatewayRouteTableAssociations' + timeframe: 10m + condition: selection | count() > 5 +falsepositives: + - Unknown +level: low diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml new file mode 100644 index 000000000..6a9ad5b41 --- /dev/null +++ b/rules/cloud/aws/aws_enum_storage.yml @@ -0,0 +1,30 @@ +title: Potential Storage Enumeration on An AWS Instance +id: 4723218f-2048-41f6-bcb0-417f2d784f61 +status: experimental +description: Detects potential enumeration activity targeting AWS storage +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1619 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 's3.amazonaws.com' + eventName: + - 'ListBuckets' + - 'GetBucketCors' + - 'GetBucketInventoryConfiguration' + - 'GetBucketPublicAccessBlock' + - 'GetBucketMetricsConfiguration' + - 'GetBucketPolicy' + - 'GetBucketTagging' + timeframe: 10m + condition: selection | count() > 5 +falsepositives: + - Unknown +level: medium 
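Review bot: The aggregation `condition: selection | count() > 5` over `timeframe: 10m` is not grouped, so it counts every matching event in the whole account in the window regardless of who issued it; in any environment with more than a handful of automation roles the threshold is crossed constantly and the rule degrades into noise. Grouping by the acting principal (for example `condition: selection | count() by userIdentity.arn > 5`) is what makes a per-actor enumeration rule meaningful, and with six distinct event names listed the threshold could also be a count of distinct `eventName` values rather than raw events. The same ungrouped aggregation is used in aws_enum_storage in this hunk line and in aws_enum_logging in the previous one.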
diff --git a/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml index 04e2d099a..95ef3b65e 100644 --- a/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml @@ -7,23 +7,20 @@ references: - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html author: Austin Songer @austinsonger date: 2021/10/03 -modified: 2021/10/13 +modified: 2022/12/18 tags: - attack.privilege_escalation logsource: product: aws service: cloudtrail detection: - selection1: - eventSource: glue.amazonaws.com - eventName: CreateDevEndpoint - selection2: - eventSource: glue.amazonaws.com - eventName: DeleteDevEndpoint - selection3: - eventSource: glue.amazonaws.com - eventName: UpdateDevEndpoint - condition: selection1 or selection2 or selection3 + selection: + eventSource: 'glue.amazonaws.com' + eventName: + - 'CreateDevEndpoint' + - 'DeleteDevEndpoint' + - 'UpdateDevEndpoint' + condition: selection falsepositives: - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml new file mode 100644 index 000000000..55a5038d6 --- /dev/null +++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml 
@@ -0,0 +1,26 @@
+title: Potential Phshing Activity Via AWS Cloud Email Service Abuse
+id: 60b84424-a724-4502-bd0d-cc676e1bc90e
+status: experimental
+description: Detects potential phshing activity when the email sending feature is enabled for an account and the email address verification request is dispatched in quick succession
+references:
+ - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+author: Janantha Marasinghe
+date: 2022/12/12
+tags:
+ - attack.t1583.006
+ - attack.resource_development
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection1:
+ eventSource: 'ses.amazonaws.com'
+ eventName: 'UpdateAccountSendingEnabled'
+ selection2:
+ eventSource: 'ses.amazonaws.com'
+ eventName: 'VerifyEmailIdentity'
+ timeframe: 5m
+ condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
+falsepositives:
+ - Legitimate SES configuration activity
+level: medium
diff --git a/rules/cloud/aws/aws_susp_saml_activity.yml b/rules/cloud/aws/aws_susp_saml_activity.yml
index e97a2be62..531596e17 100644
--- a/rules/cloud/aws/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/aws_susp_saml_activity.yml
@@ -7,7 +7,7 @@ references:
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
 author: Austin Songer
 date: 2021/09/22
-modified: 2022/10/09
+modified: 2022/12/18
 tags:
 - attack.initial_access
 - attack.t1078
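Review bot: `condition: selection1 and selection2` is evaluated per event, and no single CloudTrail record can have `eventName` equal to both `UpdateAccountSendingEnabled` and `VerifyEmailIdentity`, so this rule can never fire; `timeframe: 5m` has no effect without an aggregation or `near` operator attached to the condition. The in-line comment says the intent is correlation, which in this rule language is spelled `condition: selection1 | near selection2` (backend support for `near` is limited, so the description or falsepositives should say which backends are expected to evaluate it). "Phshing" is also misspelled in both the title and the description.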
@@ -20,13 +20,13 @@ logsource: product: aws service: cloudtrail detection: - selection1: - eventSource: sts.amazonaws.com - eventName: AssumeRoleWithSAML - selection2: - eventSource: iam.amazonaws.com - eventName: UpdateSAMLProvider - condition: selection1 or selection2 + selection_sts: + eventSource: 'sts.amazonaws.com' + eventName: 'AssumeRoleWithSAML' + selection_iam: + eventSource: 'iam.amazonaws.com' + eventName: 'UpdateSAMLProvider' + condition: 1 of selection_* falsepositives: - Automated processes that uses Terraform may lead to false positives. - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. diff --git a/rules/cloud/azure/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/azure_ad_azurehound_discovery.yml new file mode 100644 index 000000000..41bada855 --- /dev/null +++ b/rules/cloud/azure/azure_ad_azurehound_discovery.yml @@ -0,0 +1,23 @@ +title: Discovery Using AzureHound +id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b +status: experimental +description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. +references: + - https://github.com/BloodHoundAD/AzureHound +author: Janantha Marasinghe +date: 2022/11/27 +tags: + - attack.discovery + - attack.t1087.004 + - attack.t1526 +logsource: + product: azure + service: signinlogs +detection: + selection: + userAgent|contains: 'azurehound' + ResultType: 0 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index b9eeb44b6..10bbbe188 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
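Review bot: `ResultType: 0` limits the AzureHound rule to successful sign-ins, which drops failed attempts that are just as indicative of the collector being run against the tenant; a second selection without the result code, or dropping `ResultType` altogether, would widen coverage at little cost. `userAgent|contains: 'azurehound'` matches an attacker-controlled header, so the description should state that a renamed user agent evades the rule and that this is a high-confidence, low-coverage signal. Depending on how the backend maps `azure/signinlogs`, token-based authentication by the tool may land in the non-interactive or service-principal sign-in logs rather than the interactive ones — worth a sentence in a logsource `definition` so operators know which tables to feed.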
@@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/11/25 -modified: 2022/08/23 +modified: 2022/12/18 tags: - attack.persistence - attack.t1078 @@ -24,17 +24,14 @@ logsource: product: azure service: activitylogs detection: - selection1: - operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' + selection: + operationName|startswith: + - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' + - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' - selection2: - operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' - operationName|endswith: - - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' - - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' - condition: selection1 or selection2 + condition: selection falsepositives: - Azure Kubernetes Admissions Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 2cec75874..dfd53d5b8 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml @@ -12,7 +12,7 @@ references: - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ author: Austin Songer @austinsonger date: 2021/11/22 -modified: 2022/08/23 +modified: 2022/12/18 tags: - attack.persistence - attack.privilege_escalation 
@@ -21,17 +21,14 @@ logsource: product: azure service: activitylogs detection: - selection1: - operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' + selection: + operationName|startswith: + - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' + - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' operationName|endswith: - '/CRONJOBS/WRITE' - '/JOBS/WRITE' - selection2: - operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' - operationName|endswith: - - '/CRONJOBS/WRITE' - - '/JOBS/WRITE' - condition: selection1 or selection2 + condition: selection falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml index 09b969dc3..4685828d0 100644 --- a/rules/cloud/azure/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/azure_mfa_interrupted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078.004 @@ -13,13 +14,13 @@ logsource: product: azure service: signinlogs detection: - selection: + selection_50074: ResultType: 50074 ResultDescription|contains: 'Strong Auth required' - selection1: + selection_500121: ResultType: 500121 ResultDescription|contains: 'Authentication failed during strong authentication request' - condition: selection or selection1 + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules/cloud/azure/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/azure_unusual_authentication_interruption.yml index 2d867f7be..f500f32a5 100644 --- a/rules/cloud/azure/azure_unusual_authentication_interruption.yml +++ b/rules/cloud/azure/azure_unusual_authentication_interruption.yml 
@@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: Austin Songer @austinsonger date: 2021/11/26 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078 @@ -13,16 +14,16 @@ logsource: product: azure service: signinlogs detection: - selection1: + selection_50097: ResultType: 50097 ResultDescription: 'Device authentication is required' - selection2: + selection_50155: ResultType: 50155 ResultDescription: 'DeviceAuthenticationFailed' - selection3: + selection_50158: ResultType: 50158 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' - condition: selection1 or selection2 or selection3 + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index e78d76b2d..2f3f2c6e3 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml +++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,7 +12,7 @@ references: - https://cloud.google.com/kubernetes-engine/docs author: Austin Songer @austinsonger date: 2021/11/25 -modified: 2021/11/26 +modified: 2022/12/18 tags: - attack.persistence - attack.t1078 
@@ -23,19 +23,16 @@ logsource: product: gcp service: gcp.audit detection: - selection1: - gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.' + selection: + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v' + gcp.audit.method_name|contains: + - '.mutatingwebhookconfigurations.' + - '.validatingwebhookconfigurations.' gcp.audit.method_name|endswith: - 'create' - 'patch' - 'replace' - selection2: - gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.' - gcp.audit.method_name|endswith: - - 'create' - - 'patch' - - 'replace' - condition: selection1 or selection2 + condition: selection falsepositives: - Google Cloud Kubernetes Admission Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index ae841cf4d..71a21f5b2 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -3,10 +3,12 @@ id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. references: - - 'MITRE Attack technique T1136; Create Account ' -author: Marie Euler + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files + - https://access.redhat.com/articles/4409591#audit-record-types-2 + - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 +author: Marie Euler, Pawel Mazur date: 2020/05/18 -modified: 2021/11/27 +modified: 2022/12/20 tags: - attack.t1136.001 - attack.persistence 
@@ -14,10 +16,12 @@ logsource: product: linux service: auditd detection: - selection: + selection_syscall_record_type: type: 'SYSCALL' exe|endswith: '/useradd' - condition: selection + selection_add_user_record_type: + type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos + condition: 1 of selection_* falsepositives: - Admin activity level: medium diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 42678145f..45bb7de35 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -9,7 +9,7 @@ references: - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit author: Bhabesh Raj date: 2021/02/01 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.privilege_escalation - attack.t1068 @@ -18,26 +18,20 @@ logsource: product: linux service: auditd detection: - selection: + cmd_base: type: 'EXECVE' a0: '/usr/bin/sudoedit' - cmd1: - a1: '-s' - cmd2: - a2: '-s' - cmd3: - a3: '-s' - cmd4: - a4: '-s' - cmd5: - a1: '\' - cmd6: - a2: '\' - cmd7: - a3: '\' - cmd8: - a4: '\' - condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50 + cmd_s: + - a1: '-s' + - a2: '-s' + - a3: '-s' + - a4: '-s' + cmd_backslash: + - a1: '\' + - a2: '\' + - a3: '\' + - a4: '\' + condition: all of cmd_* | count() by host > 50 falsepositives: - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml index 9db5ef2f8..d4584852a 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml 
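Review bot: `type: 'ADD_USER'` matches the record regardless of its `res=` value, and useradd also logs ADD_USER with `res=failed` on its failure paths (existing name, lock failure), while the description says "Detects the creation of a new user account"; either add `res: success` if the backend parses that field, or document that failed attempts match too — arguably useful, but it should be deliberate. A successful useradd now produces both a SYSCALL record and an ADD_USER record, so `1 of selection_*` yields two hits per creation; a comment such as `# Both records are emitted for one successful useradd; 1 of is intentional` would stop a later "fix" to `all of`. The SYSCALL selection at the top of the hunk still depends on an audit rule covering useradd, as the comment on the new selection implies only for the ADD_USER path.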
@@ -1,13 +1,14 @@ -title: CVE-2021-4034 Exploitation Attempt +title: Potential CVE-2021-4034 Exploitation Attempt id: 40a016ab-4f48-4eee-adde-bbf612695c53 status: experimental -description: Detects exploitation attempt of vulnerability described in CVE-2021-4034. +description: Detects exploitation attempt of the vulnerability described in CVE-2021-4034. references: - https://github.com/berdav/CVE-2021-4034 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034 - https://access.redhat.com/security/cve/CVE-2021-4034 -author: 'Pawel Mazur' +author: Pawel Mazur date: 2022/01/27 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1068 @@ -15,14 +16,14 @@ logsource: product: linux service: auditd detection: - proctitle: + selection_proctitle: type: PROCTITLE proctitle: '(null)' - syscall: + selection_syscall: type: SYSCALL comm: pkexec exe: '/usr/bin/pkexec' - condition: proctitle and syscall + condition: selection_proctitle |near selection_syscall falsepositives: - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml index c946fd66c..39db6d496 100644 --- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml +++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml @@ -10,7 +10,7 @@ references: - https://access.redhat.com/articles/4409591#audit-record-types-2 author: 'Pawel Mazur' date: 2021/05/24 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.credential_access - attack.t1003 @@ -19,16 +19,16 @@ logsource: product: linux service: auditd detection: - path_events: + selection_path_events: type: PATH name: - '/etc/pam.d/system-auth' - '/etc/pam.d/password-auth' - tty_events: + selection_tty_events: type: - 'TTY' - 'USER_TTY' - condition: path_events or tty_events + condition: 1 of selection_* falsepositives: - Administrative work level: high 
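Review bot: `condition: selection_proctitle |near selection_syscall` replaces a condition that could never match (one auditd record cannot be both `type: PROCTITLE` and `type: SYSCALL`), but `near` is an aggregation with limited backend support and no `timeframe` is given, so the correlation window is undefined; add a `timeframe` or name the supported backends in the description. The PROCTITLE and SYSCALL records of one pkexec execution share the same audit event serial (`msg=audit(ts:serial)`), which is the precise join key — a comment like `# Both records carry the same audit serial; backends that can group on it should prefer that over time proximity` would help implementers. The hunk covers only the detection block; the rest of the rule is outside it.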
diff --git a/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/rules/linux/auditd/lnx_auditd_network_sniffing.yml index ea8cdd3e6..f0b51e629 100644 --- a/rules/linux/auditd/lnx_auditd_network_sniffing.yml +++ b/rules/linux/auditd/lnx_auditd_network_sniffing.yml @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2022/11/26 +modified: 2022/12/18 tags: - attack.credential_access - attack.discovery @@ -17,17 +17,17 @@ logsource: product: linux service: auditd detection: - selection1: + selection_1: type: 'execve' a0: 'tcpdump' a1: '-c' a3|contains: '-i' - selection2: + selection_2: type: 'execve' a0: 'tshark' a1: '-c' a3: '-i' - condition: selection1 or selection2 + condition: 1 of selection_* falsepositives: - Legitimate administrator or user uses network sniffing tool for legitimate reasons. level: low diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index d2fc4eefb..e3c0abbad 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -10,7 +10,7 @@ references: - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu author: Ömer Günal, oscd.community, Pawel Mazur date: 2020/10/08 -modified: 2021/11/12 +modified: 2022/12/18 tags: - attack.discovery - attack.t1201 
@@ -18,26 +18,26 @@ logsource: product: linux service: auditd detection: - files: + selection_files: type: 'PATH' name: - '/etc/pam.d/common-password' - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - '/etc/login.defs' - chage: + selection_chage: type: 'EXECVE' a0: 'chage' a1: - '--list' - '-l' - passwd: + selection_passwd: type: 'EXECVE' a0: 'passwd' a1: - '-S' - '--status' - condition: files or chage or passwd + condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml index 924c3cd21..b25f8a5ae 100644 --- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml +++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml @@ -8,7 +8,7 @@ references: - https://linux.die.net/man/1/xwd author: 'Pawel Mazur' date: 2021/09/13 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.collection - attack.t1113 @@ -16,7 +16,7 @@ logsource: product: linux service: auditd detection: - xwd: + selection: type: EXECVE a0: xwd xwd_root_window: @@ -26,7 +26,7 @@ detection: xwd_no_root_window: a1: '-out' a2|endswith: '.xwd' - condition: xwd and (xwd_root_window or xwd_no_root_window) + condition: selection and 1 of xwd_* falsepositives: - Legitimate use of screenshot utility level: low diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index bece5830b..7c8906701 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md author: 'Pawel Mazur' date: 2021/09/03 -modified: 2022/11/27 +modified: 2022/12/18 tags: - attack.discovery - attack.t1082 
@@ -15,18 +15,18 @@ logsource: product: linux service: auditd detection: - selection: + selection_1: type: PATH name: - /etc/lsb-release - /etc/redhat-release - /etc/issue - selection2: + selection_2: type: EXECVE a0: - uname - uptime - condition: selection or selection2 + condition: 1 of selection_* falsepositives: - Legitimate administrative activity level: low diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml new file mode 100644 index 000000000..ceb66f538 --- /dev/null +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml 
@@ -0,0 +1,34 @@
+title: Privileged User Has Been Created
+id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
+status: experimental
+description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
+references:
+ - https://digital.nhs.uk/cyber-alerts/2018/cc-2825
+ - https://linux.die.net/man/8/useradd
+ - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
+author: Pawel Mazur
+date: 2022/12/21
+tags:
+ - attack.persistence
+ - attack.t1136.001
+ - attack.t1098
+logsource:
+ product: linux
+ definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
+detection:
+ # Example of the events that could be observed when matching these would be as follow
+ # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
+ # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
+ # Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
+ # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
+ selection_new_user:
+ - 'new user'
+ selection_uids_gids:
+ - 'GID=0' # root group
+ - 'UID=0' # root UID
+ - 'GID=10' # wheel group
+ - 'GID=27' # sudo group
+ condition: all of selection_*
+falsepositives:
+ - Administrative activity
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
new file mode 100644
index 000000000..fb8f9b8ca
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
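Review bot: Keyword selections match as substrings, so `'GID=10'` also matches `GID=100` (the `users` group on Debian derivatives) and `GID=1000` (the default private group of the first user on Ubuntu), which means this `level: high` rule fires on ordinary user creation; the sample lines in the comment show a comma after each value, so anchor on it: `- 'UID=0,'`, `- 'GID=0,'`, `- 'GID=10,'`, `- 'GID=27,'`. GID 10 and 27 are distro defaults for wheel and sudo, not guarantees, and the comments should say so (the group names can be checked in /etc/group). `logsource` with only `product: linux` plus a `definition` will map to every Linux log unless the backend narrows it; a `service` such as `auth`, as the other lnx_auth rules use, would scope it to the syslog facility the definition describes.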
@@ -0,0 +1,24 @@
+title: Group Has Been Deleted Via Groupdel
+id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
+status: experimental
+description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
+references:
+ - https://linuxize.com/post/how-to-delete-group-in-linux/
+ - https://www.cyberciti.biz/faq/linux-remove-user-command/
+ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
+ - https://linux.die.net/man/8/groupdel
+author: Tuan Le (NCSGroup)
+date: 2022/12/26
+tags:
+ - attack.impact
+ - attack.t1531
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/groupdel'
+ condition: selection
+falsepositives:
+ - Legitimate administrator activities
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
new file mode 100644
index 000000000..f226f649b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -0,0 +1,24 @@
+title: User Has Been Deleted Via Userdel
+id: 08f26069-6f80-474b-8d1f-d971c6fedea0
+status: experimental
+description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
+references:
+ - https://linuxize.com/post/how-to-delete-group-in-linux/
+ - https://www.cyberciti.biz/faq/linux-remove-user-command/
+ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
+ - https://linux.die.net/man/8/userdel
+author: Tuan Le (NCSGroup)
+date: 2022/12/26
+tags:
+ - attack.impact
+ - attack.t1531
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/userdel'
+ condition: selection
+falsepositives:
+ - Legitimate administrator activities
+level: medium
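Review bot: `Image|endswith: '/groupdel'` with no further qualifier alerts on every run of the binary, and package removals routinely delete the service groups they created from their post-removal scriptlets (dpkg postrm, rpm %postun), so `falsepositives: Legitimate administrator activities` misses the main noise source; add a line such as `- Package manager scriptlets removing service groups on package removal`. The `id` `8a46f16c-8c4c-82d1-b121-0fdd3ba70a84` is not a version-4 UUID and shares its `…0fdd3ba70a…` tail with the usermod rule added in the same commit, which looks hand-edited rather than generated; please generate a fresh one to avoid collisions. The description's second sentence is a fragment ("Which is used to delete a group."); joining it to the first reads better.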
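Review bot: The userdel rule's reference list is copied from the groupdel rule — its first entry is "how-to-delete-group-in-linux" — which a reader of a user-deletion rule will not expect; replace it with the userdel equivalent or drop it. Because any `userdel` fires the rule, the flags that separate track-covering from housekeeping (`-r`/`--remove` deletes the home directory and mail spool, `-f` forces removal of a logged-in user) could become a second, higher-level selection on `CommandLine|contains: ['-r', '--remove', '-f']`, with a comment explaining the split. Package removal scriptlets also call `userdel` for service accounts and belong in falsepositives.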
diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml new file mode 100644 index 000000000..fe2386dde --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml @@ -0,0 +1,25 @@ +title: User Added To Root/Sudoers Group Using Usermod +id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 +status: experimental +description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups +references: + - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ + - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ +author: TuanLe (GTSC) +date: 2022/12/21 +tags: + - attack.privilege_escalation + - attack.persistence +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/usermod' + CommandLine|contains: + - '-aG root' + - '-aG sudoers' + condition: selection +falsepositives: + - Legitimate administrator activities +level: medium diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml similarity index 100% rename from rules/compliance/firewall_cleartext_protocols.yml rename to rules/network/firewall/net_firewall_cleartext_protocols.yml diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index df6565c0f..3ff369979 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -13,7 +13,7 @@ references: - https://threatpost.com/microsoft-petitpotam-poc/168163/ author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.t1557.001 - attack.t1187 
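Review bot: `'-aG sudoers'` can never match a real privilege grant because `sudoers` is not a group — the sudo-capable groups are `sudo` (Debian/Ubuntu) and `wheel` (RHEL/Fedora/SUSE), while `sudoers` is the file in /etc. The match also requires the literal `-aG` spelling, so `-G root`, `-a -G root`, `--append --groups root`, `-G root,dev` and `-g 0`/`--gid 0` all pass; a short regex is the practical fix, e.g. `CommandLine|re: '(-a?G|--groups)\s+([^ ]*,)?(root|sudo|wheel)(,|\s|$)'` together with a `CommandLine|contains` entry for `-g 0` and `--gid 0` (the `-Ga` ordering would still need a separate entry). The title should then read "Root/Sudo/Wheel Group", and the tags carry tactics only — `attack.t1098` fits the listed persistence/privilege-escalation tactics.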
@@ -22,9 +22,7 @@ logsource: service: dce_rpc detection: selection: - operation|startswith: - - 'Efs' - - 'efs' + operation|startswith: 'efs' condition: selection fields: - id.orig_h diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 453bcc009..6ac028468 100644 --- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml @@ -14,7 +14,7 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' date: 2021/05/04 -modified: 2022/10/05 +modified: 2022/11/29 tags: - attack.t1095 - attack.t1571 @@ -40,9 +40,7 @@ detection: - '.azuregov-dns.org' exclude_query_types: qtype_name: - - 'NS' - 'ns' - - 'MX' - 'mx' exclude_responses: answers|endswith: '\\x00' diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml new file mode 100644 index 000000000..9a9b9c44e --- /dev/null +++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml 
@@ -0,0 +1,33 @@
+title: Potential OWASSRF Exploitation Attempt - Proxy
+id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
+status: experimental
+description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
+references:
+ - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
+ - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
+author: Nasreddine Bencherchali
+date: 2022/12/22
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'POST'
+ sc-status: 200
+ c-uri|contains|all:
+ - '/owa/'
+ - '/powershell'
+ c-uri|contains:
+ - '@'
+ - '%40'
+ filter:
+ c-useragent:
+ - 'ClientInfo'
+ - 'Microsoft WinRM Client'
+ - 'Exchange BackEnd Probes'
+ condition: selection and not filter
+falsepositives:
+ - Web vulnerability scanners
+level: high
diff --git a/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml
new file mode 100644
index 000000000..22a19f10b
--- /dev/null
+++ b/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml
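Review bot: `sc-status: 200` turns a rule titled "Exploitation Attempt" into a success-only detector: probes against a patched server that answer 401/500 from the PowerShell back end never match, and those are the events a SOC wants before the successful one; drop the status, or keep it in a second selection at `level: critical` so attempts and successes are both visible. The exclusion on `c-useragent` keys on an attacker-controlled header — anyone sending `Microsoft WinRM Client` as the user agent walks past `not filter` — so it should be documented as a noise reducer for Exchange's own back-end traffic rather than a trust boundary, e.g. `# UA filter only suppresses legitimate Exchange back-end calls; it is attacker-controlled, pair with source address where possible`.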
@@ -0,0 +1,28 @@
+title: OWASSRF Exploitation Attempt Using Public POC - Proxy
+id: fdd7e904-7304-4616-a46a-e32f917c4be4
+status: experimental
+description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
+references:
+ - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
+ - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
+ - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
+author: Nasreddine Bencherchali
+date: 2022/12/22
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: proxy
+detection:
+ selection:
+ # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
+ c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
+ cs-method: 'POST'
+ sc-status: 200
+ c-uri|contains|all:
+ - '/owa/mastermailbox'
+ - '/powershell'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index 06376a5b0..35990eb17 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
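Review bot: The comment `# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com` describes a request header that no field in the selection checks and that proxy logs rarely carry, so it reads like a matched condition when it is background; reword it to something like `# The PoC sets X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com, which is why 'mastermailbox' appears in the URI; the header itself is not checked here`. The exact `c-useragent` string is the PoC's hard-coded default and trivially changed, so the description should say this rule fingerprints the public PoC only and that coverage comes from the generic OWASSRF rule — otherwise `level: critical` with `falsepositives: Unlikely` invites the generic rule being switched off in favour of this one.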
@@ -1,7 +1,10 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: experimental -description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ +description: Detects Bitsadmin connections to domains with uncommon TLDs +references: + - https://twitter.com/jhencinski/status/1102695118455349248 + - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth, Tim Shelton date: 2019/03/07 modified: 2022/08/16 diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml new file mode 100644 index 000000000..a22076843 --- /dev/null +++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml 
@@ -0,0 +1,33 @@
+title: Potential CVE-2021-26084 Exploitation Attempt
+id: 38825179-3c78-4fed-b222-2e2166b926b1
+description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
+status: experimental
+references:
+ - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
+ - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+ - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+ - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
+author: Sittikorn S, Nuttakorn T
+date: 2022/12/13
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection_main:
+ cs-method: 'POST'
+ sc-status: '200'
+ username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
+ selection_exploit_1:
+ c-uri|contains|all:
+ - '/pages/createpage-entervariables.action'
+ - 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
+ selection_exploit_2_uri:
+ c-uri|contains: '/doenterpagevariables.action'
+ selection_exploit_2_keyword:
+ - 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
+ condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml
new file mode 100644
index 000000000..697558820
--- /dev/null
+++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml
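Review bot: `selection_exploit_2_keyword: - 'u0027'` is a free-text keyword that, per its own comment, lives in the POST body — standard access logs under `category: webserver` record the request line and headers, not the body, so `all of selection_exploit_2_*` only matches where full-request or WAF logging feeds the same index; say so in a logsource `definition` such as `definition: 'The second selection requires request bodies to be logged (full-request or WAF logs)'`. `CVE-2021-260841` in the description has an extra digit. `username` is not a field I recognise from the webserver taxonomy used elsewhere in rules/web — if the authenticated user is meant, `cs-username` is the usual name; worth confirming against the taxonomy before this ships. `sc-status: '200'` is a string here but an integer in the OWASSRF rules added in the same commit; one convention per directory avoids one shape silently failing on backends that type the field.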
@@ -0,0 +1,36 @@
+title: Potential CVE-2021-27905 Exploitation Attempt
+id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
+status: experimental
+description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
+references:
+ - https://twitter.com/Al1ex4/status/1382981479727128580
+ - https://twitter.com/sec715/status/1373472323538362371
+ - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
+ - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
+ - https://github.com/murataydemir/CVE-2021-27905
+author: '@gott_cyber'
+date: 2022/12/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021.27905
+logsource:
+ category: webserver
+detection:
+ selection_request1:
+ c-uri|contains|all:
+ - '/solr/'
+ - '/debug/dump?'
+ - 'param=ContentStream'
+ sc-status: '200'
+ selection_request2:
+ cs-method: 'GET'
+ c-uri|contains|all:
+ - '/solr/'
+ - 'command=fetchindex'
+ - 'masterUrl='
+ sc-status: '200'
+ condition: 1 of selection_*
+falsepositives:
+ - Vulnerability Scanners
+level: medium
diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml
new file mode 100644
index 000000000..5327931cb
--- /dev/null
+++ b/rules/web/web_exchange_owassrf_exploitation.yml
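Review bot: Both selections require `sc-status: '200'`, so the rule sees only successful file reads or replication fetches and never the probe traffic that precedes them on a patched instance; with "Exploitation Attempt" in the title, drop the status or keep it in a separate higher-level selection. `selection_request1` keys on `param=ContentStream` alone, whereas the read/SSRF vector described in the references is the `stream.url=` / `stream.file=` parameter handed to `/debug/dump`; adding `c-uri|contains: ['stream.url=', 'stream.file=']` would cut scanner noise without losing the exploit — hedged, since a stream supplied in a POST body would not appear in the URI. `selection_request1` has no `cs-method` while `selection_request2` pins `GET`; if the asymmetry is intentional a one-line comment would save the next reader the question.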
@@ -0,0 +1,33 @@
+title: Potential OWASSRF Exploitation Attempt - Webserver
+id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
+status: experimental
+description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
+references:
+ - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
+ - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
+author: Nasreddine Bencherchali
+date: 2022/12/22
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ sc-status: 200
+ c-uri|contains|all:
+ - '/owa/'
+ - '/powershell'
+ c-uri|contains:
+ - '@'
+ - '%40'
+ filter:
+ c-useragent:
+ - 'ClientInfo'
+ - 'Microsoft WinRM Client'
+ - 'Exchange BackEnd Probes'
+ condition: selection and not filter
+falsepositives:
+ - Web vulnerability scanners
+level: high
diff --git a/rules/web/web_exchange_owassrf_poc_exploitation.yml b/rules/web/web_exchange_owassrf_poc_exploitation.yml
new file mode 100644
index 000000000..8ace4c265
--- /dev/null
+++ b/rules/web/web_exchange_owassrf_poc_exploitation.yml
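Review bot: This is a field-for-field copy of the proxy rule, including the exclusion on `c-useragent`, which in a webserver log is the header the client supplies — sending `Microsoft WinRM Client` as the user agent defeats `not filter` entirely. On the Exchange front-end IIS logs this rule targets, the legitimate back-end traffic the filter is meant to drop originates from the Exchange servers themselves, so pairing the UA list with a client-address allowlist (`src_ip` or `c-ip`, whichever your mapping exposes, documented as site-specific) would make the exclusion robust instead of attacker-controlled. `sc-status: 200` also restricts this to successful proxying; the description should say so, since the title promises attempts.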
@@ -0,0 +1,28 @@
+title: OWASSRF Exploitation Attempt Using Public POC - Webserver
+id: 92d78c63-5a5c-4c40-9b60-463810ffb082
+status: experimental
+description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
+references:
+    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
+    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
+    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
+author: Nasreddine Bencherchali
+date: 2022/12/22
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
+        c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
+        cs-method: 'POST'
+        sc-status: 200
+        c-uri|contains|all:
+            - '/owa/mastermailbox'
+            - '/powershell'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
index e60913cb0..fc5d77a72 100644
--- a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
+++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
@@ -34,5 +34,5 @@ detection:
         Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
     condition: selection and not 1 of filter_*
 falsepositives:
-    - Some false positives may occur depending on the environnement
+    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares
 level: medium
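Review bot: The comment `# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com` describes a request header, but nothing in `selection` matches a header — only `c-useragent`, `cs-method`, `sc-status` and `c-uri` are checked — so the comment reads as a check the rule does not perform; reword it to say that the `/owa/mastermailbox` URI fragment is what stands in for that header, or drop it. The pinned Chrome 105 user-agent plus `/owa/mastermailbox` make this a signature of one published POC, which the title states, but a `related:` entry to `181f49fa-0b21-4665-a98c-a57025ebb8c7` (the generic rule from the same commit) would tell analysts which rule to rely on once the POC strings change.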
diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
new file mode 100644
index 000000000..d4ac076dd
--- /dev/null
+++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
@@ -0,0 +1,26 @@
+title: Potential Credential Dumping Via WER - Application
+id: a18e0862-127b-43ca-be12-1a542c75c7c5
+status: experimental
+description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
+references:
+    - https://github.com/deepinstinct/Lsass-Shtinkering
+    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+author: Nasreddine Bencherchali
+date: 2022/12/07
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'Application Error'
+        EventID: 1000
+        AppName: 'lsass.exe'
+        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
+    condition: selection
+falsepositives:
+    - Rare legitimate crashing of the lsass process
+level: high
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
index 2f3880ab4..c3a6c072c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
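Review bot: `ExceptionCode: 'c0000001'` pins the detection to one status code with only `# STATUS_UNSUCCESSFUL` as explanation; if, as the referenced technique suggests, the code in the report is chosen by the reporting tool rather than produced by a genuine fault, any other code would be missed, and that limitation belongs in `description` or in the comment (e.g. `# code used by the public Lsass-Shtinkering PoC; a real fault may report a different code`). The value is a hex status written as a quoted string, so a note that it is compared textually (not as the number 0xC0000001) would prevent a later "fix" to an integer that changes matching. The description also ends mid-thought ("to dump credential"); "credentials" or a full stop is missing.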
@@ -8,7 +8,7 @@ references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 author: Florian Roth
 date: 2022/06/28
-modified: 2022/08/09
+modified: 2022/12/02
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -35,6 +35,9 @@ detection:
             - 'anonfiles.com'
             - 'send.exploit.in'
             - 'transfer.sh'
+            - 'privatlab.net'
+            - 'privatlab.com'
+            - 'sendspace.com'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 0ce0c383d..f777c4dc8 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/SBousseaden/status/1483810148602814466
     - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
 date: 2022/01/20
-modified: 2022/11/07
+modified: 2022/12/12
 tags:
     - attack.execution
 logsource:
@@ -71,10 +71,6 @@ detection:
         FileNameBuffer|endswith:
             - '\Program Files\Avast Software\Avast\aswAMSI.dll'
             - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
-        ProcessNameBuffer|endswith:
-            - '\Windows\System32\SIHClient.exe'
-            - '\Windows\System32\svchost.exe'
-            - '\Windows Defender\MpCmdRun.exe'
         RequestedPolicy:
             - 8
             - 12
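Review bot: Dropping the `ProcessNameBuffer|endswith` list from the Avast filter (the `@@ -71,10 +71,6 @@` hunk) widens that exclusion from three named loaders to any process that loads `aswAMSI.dll` with `RequestedPolicy` 8 or 12, so an event in which an unexpected binary loads that DLL is now suppressed as well. If that is the intent, a one-line comment on the filter (e.g. `# loader not checked: the DLL path alone identifies the Avast AMSI provider`) records the decision; if not, keep the loader list and add the missing process names instead. The filter's name and the start of its definition lie outside this hunk.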
@@ -88,7 +84,14 @@ detection:
         ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
         RequestedPolicy: 8
         ValidatedPolicy: 2
+    filter_google_drive:
+        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
+        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
+        FileNameBuffer|endswith: '\crashpad_handler.exe'
+        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
+        RequestedPolicy: 8
+        ValidatedPolicy: 1
     condition: selection and not 1 of filter_*
 falsepositives:
-    - Unknown
+    - Antivirus products
 level: high
diff --git a/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml
similarity index 100%
rename from rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml
rename to rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml
diff --git a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
index a99d2da29..fb40783bf 100644
--- a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
@@ -1,7 +1,7 @@
 title: USB Device Plugged
 id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
 status: test
-description: Detects plugged USB devices
+description: Detects plugged/unplugged USB devices
 references:
     - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: driver-framework
-    definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+    definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'
 detection:
     selection:
         EventID:
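Review bot: The replacement `falsepositives` entry `- Antivirus products` no longer describes what the filters exclude: `filter_google_drive`, added in the same hunk, suppresses `crashpad_handler.exe` loaded by `SystemSettings.exe`, and Google Drive File Stream is not an antivirus product. Add a second bullet (e.g. `- Google Drive File Stream crash handler`) or broaden the wording so an analyst reading the FP list knows both exclusion families exist. The `# Example:` comment is useful; consider stating in it why `ValidatedPolicy: 1` is the expected value for this loader, since the other filters in the rule use `2`.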
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index b7ff1f8b5..d9d3365e3 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -1,14 +1,15 @@
-title: LDAP Reconnaissance / Active Directory Enumeration
+title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
 id: 31d68132-4038-47c7-8f8e-635a39a7c174
 status: test
-description: Detects possible Active Directory enumeration via LDAP
+description: Detects potential Active Directory enumeration via LDAP
 references:
     - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
     - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
     - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
+    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
 author: Adeem Mawani
 date: 2021/06/22
-modified: 2022/10/09
+modified: 2022/12/14
 tags:
     - attack.discovery
     - attack.t1069.002
@@ -51,6 +52,8 @@ detection:
             - '(primaryGroupID=515)'
             - '(primaryGroupID=512)'
             - 'Domain Admins'
+            - 'objectGUID=\*'
+            - '(schemaIDGUID=\*)'
     suspicious_flag:
         EventID: 30
         SearchFilter|contains:
diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml
index f088c7d46..6b3e4985b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml
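Review bot: The two new `SearchFilter|contains` entries are written inconsistently: `'(schemaIDGUID=\*)'` carries the enclosing parentheses like the existing `'(primaryGroupID=515)'`, while `'objectGUID=\*'` does not, so the latter also matches when the attribute appears with any prefix or inside a larger filter. If the bare form is deliberate (wider coverage), a short comment saying so stops a later "consistency" edit from narrowing it; if not, use `'(objectGUID=\*)'`. The `\*` escaping is the right way to express a literal asterisk here.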
@@ -7,7 +7,7 @@ description: |
     Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
 references:
-    - https://bit.ly/WinLogsZero2Hero
+    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 author: '@neu5ron'
 date: 2017/11/19
 modified: 2021/11/27
@@ -23,7 +23,7 @@ detection:
         EventID: 4719
         AuditPolicyChanges|contains:
             - '%%8448' # This is "Success removed"
-            - '%%8450' # This is "Failure removed"
+            - '%%8450' # This is "Failure removed"
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
similarity index 73%
rename from rules/windows/builtin/security/win_security_etw_modification.yml
rename to rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index e05e6598e..8787ac6c4 100644
--- a/rules/windows/builtin/security/win_security_etw_modification.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -1,5 +1,8 @@
-title: COMPlus_ETWEnabled Registry Modification
+title: ETW Logging Disabled In .NET Processes - Registry
 id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+related:
+    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
+      type: similar
 status: test
 description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
 references:
@@ -12,22 +15,31 @@ references:
     - https://bunnyinside.com/?term=f71e8cb9c76a
     - http://managed670.rssing.com/chan-5590147/all_p1.html
     - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/06/05
-modified: 2022/10/05
+modified: 2022/12/20
 tags:
     - attack.defense_evasion
     - attack.t1112
+    - attack.t1562
 logsource:
     product: windows
     service: security
 detection:
-    selection:
+    selection_etw_enabled:
         EventID: 4657
         ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
         ObjectValueName: 'ETWEnabled'
         NewValue: 0
-    condition: selection
+    selection_complus:
+        EventID: 4657
+        ObjectName|contains: '\Environment'
+        ObjectValueName:
+            - 'COMPlus_ETWEnabled'
+            - 'COMPlus_ETWFlags'
+        NewValue: 0
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/compliance/group_modification_logging.yml b/rules/windows/builtin/security/win_security_group_modification_logging.yml
similarity index 100%
rename from rules/compliance/group_modification_logging.yml
rename to rules/windows/builtin/security/win_security_group_modification_logging.yml
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
index e92ba8390..e5410b21d 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation STDIN+ Launcher
+title: Invoke-Obfuscation STDIN+ Launcher - Security
 id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
 related:
     - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
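Review bot: The new `selection_complus` branch matches EventID 4657 on keys under `\Environment`, but 4657 is only emitted for registry keys that carry a SACL under Object Access > Audit Registry, and the rule's `logsource` has no `definition:` saying so; a deployment that audits `\SOFTWARE\Microsoft\.NETFramework` but not the user/system `Environment` keys will silently never fire the new branch. Suggest adding under `logsource:` something like `definition: 'Requires a registry SACL on the .NETFramework key and on the Environment keys for EID 4657 to be generated'`. `NewValue: 0` is reused for the environment-variable branch; environment values are normally string-typed, so whether the backend normalises `"0"` to the integer `0` for this field is worth confirming — `NewValue: '0'` or listing both forms may be the safer match.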
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/02/03
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
index 3e9ad2a3d..ccdbd306d 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation VAR+ Launcher
+title: Invoke-Obfuscation VAR+ Launcher - Security
 id: dcf2db1f-f091-425b-a821-c05875b8925a
 related:
     - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
index 0d343062d..4fd05aae6 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation COMPRESS OBFUSCATION
+title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
 id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
 related:
     - id: 175997c5-803c-4b08-8bb0-70b099f47595
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/10/10
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
index 296db2432..e5aca8c5f 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation RUNDLL LAUNCHER
+title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
 id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
 related:
     - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/03/06
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
index 5cf5c548e..8fbfc81c5 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Stdin
+title: Invoke-Obfuscation Via Stdin - Security
 id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
 related:
     - id: 487c7524-f892-4054-b263-8a0ace63fc25
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2022/02/03
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
index c074a1adc..993ea36df 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use Clip
+title: Invoke-Obfuscation Via Use Clip - Security
 id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
 related:
     - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/04/26
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
index 9bbd74ce0..6d35db162 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use MSHTA
+title: Invoke-Obfuscation Via Use MSHTA - Security
 id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
 related:
     - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/02/03
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
index 950410203..9162070c8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use Rundll32
+title: Invoke-Obfuscation Via Use Rundll32 - Security
 id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
 related:
     - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/03/06
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
index c14da7c1d..0d871fb2f 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
 id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
 related:
     - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
     - attack.defense_evasion
     - attack.t1027
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index 43921309e..f8146e092 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -1,4 +1,4 @@
-title: Credential Dumping Tools Service Execution
+title: Credential Dumping Tools Service Execution - Security
 id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
 related:
     - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
@@ -9,7 +9,7 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2022/10/09
+modified: 2022/11/29
 tags:
     - attack.credential_access
     - attack.execution
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 67aff470d..72343baff 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -1,4 +1,4 @@
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
+title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
 id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
 related:
     - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
@@ -10,7 +10,7 @@ references:
     - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2022/10/09
+modified: 2022/11/29
 tags:
     - attack.privilege_escalation
     - attack.t1134.001
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index 3b956de46..fd4ec339f 100644
--- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -1,4 +1,4 @@
-title: PowerShell Scripts Installed as Services
+title: PowerShell Scripts Installed as Services - Security
 id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
 related:
     - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
@@ -9,7 +9,7 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/10/09
+modified: 2022/11/29
 tags:
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
new file mode 100644
index 000000000..c0601b803
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -0,0 +1,48 @@
+title: Remote Access Tool Services Have Been Installed - Security
+id: c8b00925-926c-47e3-beea-298fd563728e
+related:
+    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
+      type: similar
+status: experimental
+description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+author: Connor Martin, Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+    - attack.persistence
+    - attack.t1543.003
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
+detection:
+    selection:
+        EventID: 4697
+        ServiceFileName|contains:
+            # Based on https://github.com/SigmaHQ/sigma/pull/2841
+            - 'SSUService'
+            - 'SplashtopRemoteService' # https://www.splashtop.com/
+            - 'Atera'
+            - 'LogMeIn' # https://www.logmein.com/
+            - 'LMIGuardianSvc' # https://www.logmein.com/
+            - 'TeamViewer'
+            - 'RPCService' # https://www.remotepc.com/
+            - 'RPCPerformanceService' # https://www.remotepc.com/
+            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
+            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
+            - 'GoToMyPC' # https://get.gotomypc.com/
+            - 'monblanking'
+            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
+            - 'GoToAssist' # https://www.goto.com/it-management/resolve
+            - 'AmmyyAdmin' # https://www.ammyy.com/en/
+            - 'vncserver'
+            - 'Parsec'
+            - 'chromoting'
+            - 'Zoho'
+            - 'jumpcloud'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index e49c724d3..f9f4dc85c 100644
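Review bot: The `description` stops mid-sentence ("...often abused by threat actors to perform"); finish it, e.g. `...to perform remote access to compromised hosts and maintain persistence`. The `definition:` names the subcategory 'System Security Extension', but the Advanced Audit Policy subcategory that produces EID 4697 is 'Audit Security System Extension' (under System), so the wording sends people to a setting that does not exist — use the real name. Several entries are short, generic substrings (`'RPCService'`, `'Zoho'`, `'Atera'`, `'vncserver'`) and two (`'SSUService'`, `'monblanking'`) have no source comment unlike their neighbours; with `falsepositives: Unknown`, a comment per entry naming the product keeps the list reviewable when a match is questioned.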
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -10,6 +10,7 @@ references:
     - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch
 date: 2022/09/15
+modified: 2022/12/04
 tags:
     - attack.privilege_escalation
     - attack.t1543
@@ -21,8 +22,8 @@ detection:
     selection:
         EventID: 4697
     selection_pid:
-        - ClientProcessId: '0'
-        - ParentProcessId: '0'
+        - ClientProcessId: 0
+        - ParentProcessId: 0
     condition: all of selection*
 falsepositives:
     - Unknown
diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
index 78d011da9..9ea2d5750 100644
--- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
@@ -1,7 +1,7 @@
 title: Failed Code Integrity Checks
 id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
-description: Code integrity failures may indicate tampered executables.
+description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2020/08/23
diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
index b1cc85a8b..ee4e6a7a7 100644
--- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
@@ -1,4 +1,4 @@
-title: Suspicious Outbound Kerberos Connection
+title: Suspicious Outbound Kerberos Connection - Security
 id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
 status: test
 description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
@@ -6,7 +6,7 @@ references:
     - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
-modified: 2022/08/15
+modified: 2022/11/29
 tags:
     - attack.lateral_movement
     - attack.t1558.003
diff --git a/rules/windows/builtin/security/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
index 8087c1167..ee7bf0bcf 100644
--- a/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
 date: 2019/11/15
-modified: 2022/10/09
+modified: 2022/12/22
 tags:
     - attack.privilege_escalation
     - attack.credential_access
@@ -18,9 +18,11 @@ detection:
     selection:
         EventID: 4624
         LogonType: 3
-        TargetUserName: 'ANONYMOUS_LOGON'
+        TargetUserName: 'ANONYMOUS LOGON'
         WorkstationName: '-'
-        IpAddress: '127.0.0.1'
+        IpAddress:
+            - '127.0.0.1'
+            - '::1'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
new file mode 100644
index 000000000..4da7fb242
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
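Review bot: The corrected `TargetUserName: 'ANONYMOUS LOGON'` (the `@@ -18,9 +18,11 @@` hunk) implies the rule could not have matched a real 4624 event before this commit, so its `level` and `falsepositives: Unknown` have never been exercised in production; a short comment such as `# account name contains a space; the earlier 'ANONYMOUS_LOGON' value never matched` would explain to anyone who tuned on the old version why alerts appear now. Adding `'::1'` next to `'127.0.0.1'` is consistent with the loopback intent; if the backend logs IPv4-mapped forms of loopback, those would still be missed — only worth adding if actually observed.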
@@ -0,0 +1,61 @@
+title: Suspicious Scheduled Task Creation
+id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
+status: experimental
+description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
+references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+modified: 2022/12/07
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053.005
+logsource:
+    product: windows
+    service: security
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+    selection_eid:
+        EventID: 4698
+    selection_paths:
+        TaskContent|contains:
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+            - '\Users\Public\'
+            - '\WINDOWS\Temp\'
+            - 'C:\Temp\'
+            - '\Desktop\'
+            - '\Downloads\'
+            - '\Temporary Internet'
+            - 'C:\ProgramData\'
+            - 'C:\Perflogs\'
+    selection_commands:
+        TaskContent|contains:
+            - 'regsvr32'
+            - 'rundll32'
+            - 'cmd.exe'
+            - 'cmd'
+            - '/c '
+            - '/k '
+            - '/r '
+            - 'powershell'
+            - 'pwsh'
+            - 'mshta'
+            - 'wscript'
+            - 'cscript'
+            - 'certutil'
+            - 'bitsadmin'
+            - 'bash.exe'
+            - 'bash '
+            - 'scrcons'
+            - 'wmic '
+            - 'wmic.exe'
+            - 'forfiles'
+            - 'scriptrunner'
+            - 'hh.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
new file mode 100644
index 000000000..1d43f616a
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
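Review bot: In `selection_commands`, `'cmd'` already matches everything `'cmd.exe'` matches, so the `'cmd.exe'` entry is dead, and `'cmd'` on its own is a three-letter substring that will hit unrelated content inside the task XML (any path, argument or author string containing those letters) — with `level: high` and `falsepositives: Unknown` that is a noisy default. Either keep `'cmd.exe'` and drop the bare `'cmd'`, or keep `'cmd'` and add a comment explaining the intended breadth. The same list is duplicated in `win_security_susp_scheduled_task_update.yml` in this commit, so whichever fix is chosen applies there too. Minor: the description says "commands line flags".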
@@ -0,0 +1,46 @@
+title: Important Scheduled Task Deleted/Disabled
+id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
+related:
+ - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+ type: similar
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ type: similar
+status: experimental
+description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
+author: Nasreddine Bencherchali
+date: 2022/12/05
+modified: 2022/12/09
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID:
+ - 4699 # Task Deleted Event
+ - 4701 # Task Disabled Event
+ TaskName|contains:
+ # Add more important tasks
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
+ filter_ac_power_download:
+ Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
+ filter_sys_username:
+ SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
new file mode 100644
index 000000000..6c487bf1b
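Review bot: `filter_ac_power_download` tests a field named `Task`, while the selection directly above it matches the same events on `TaskName`; unless the backend maps both names to the same field, this filter never matches and the UpdateOrchestrator `AC Power Download` task it is meant to exclude keeps alerting. Change it to `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. Separately, `filter_sys_username` excludes every subject ending in `$`, i.e. all machine-account/SYSTEM-context deletions, which is a broad exclusion for a `high` rule about tampering with protection tasks; a comment stating that trade-off (and that ransomware running as SYSTEM would fall into it) would help whoever tunes it. The description also misspells `schdueled`.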
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -0,0 +1,60 @@
+title: Suspicious Scheduled Task Update
+id: 614cf376-6651-47c4-9dcc-6b9527f749f4
+status: experimental
+description: Detects update to a scheduled task event that contain suspicious keywords.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection_eid:
+ EventID: 4702
+ selection_paths:
+ TaskContentNew|contains:
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - 'C:\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet'
+ - 'C:\ProgramData\'
+ - 'C:\Perflogs\'
+ selection_commands:
+ TaskContentNew|contains:
+ - 'regsvr32'
+ - 'rundll32'
+ - 'cmd.exe'
+ - 'cmd'
+ - '/c '
+ - '/k '
+ - '/r '
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'wscript'
+ - 'cscript'
+ - 'certutil'
+ - 'bitsadmin'
+ - 'bash.exe'
+ - 'bash '
+ - 'scrcons'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'forfiles'
+ - 'scriptrunner'
+ - 'hh.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
index 6e27ffa1b..8be8889b3 100644
--- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml
+++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
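Review bot: The only reference is the event-4698 (task created) page, but the rule selects `EventID: 4702` on `TaskContentNew`; point `references` at the 4702 entry of the same auditing reference so a reader lands on the event whose fields this rule actually uses. The description `Detects update to a scheduled task event that contain suspicious keywords.` should read `Detects updates to scheduled tasks whose new task content contains suspicious keywords.`, which also makes clear why the field is `TaskContentNew` rather than `TaskContent`.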
@@ -1,4 +1,4 @@
-title: Tap Driver Installation
+title: Tap Driver Installation - Security
 id: 9c8afa4d-0022-48f0-9456-3712466f9701
 related:
 - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
@@ -7,7 +7,7 @@ status: test
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
-modified: 2022/10/09
+modified: 2022/11/29
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 510820c61..b7f5c465b 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -13,7 +13,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2021/11/30
+modified: 2022/12/12
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -27,14 +27,17 @@ detection:
 PrivilegeList: 'SeLoadDriverPrivilege'
 Service: '-'
 filter:
- ProcessName|endswith:
- - '\Windows\System32\Dism.exe'
- - '\Windows\System32\rundll32.exe'
- - '\Windows\System32\fltMC.exe'
- - '\Windows\HelpPane.exe'
- - '\Windows\System32\mmc.exe'
- - '\Windows\System32\svchost.exe'
- - '\Windows\System32\wimserv.exe'
+ - ProcessName:
+ - 'C:\Windows\System32\Dism.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ - 'C:\Windows\System32\fltMC.exe'
+ - 'C:\Windows\HelpPane.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ - 'C:\Windows\System32\svchost.exe'
+ - 'C:\Windows\System32\wimserv.exe'
+ - 'C:\Windows\System32\RuntimeBroker.exe'
+ - 'C:\Windows\System32\SystemSettingsBroker.exe'
+ - ProcessName|endswith:
 - '\procexp64.exe'
 - '\procexp.exe'
 - '\procmon64.exe'
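Review bot: The rewritten `filter` pins exact `C:\Windows\...` paths, which is stricter than the old `|endswith` list, but it also means hosts whose system drive is not C: lose the exclusion completely and will alert on every privileged Dism/svchost/mmc use; if such deployments matter, add `ProcessName|startswith: 'C:\'` as a documented assumption or keep a second entry per path without the drive letter. Adding `RuntimeBroker.exe` and `SystemSettingsBroker.exe` widens what is filtered out of a `SeLoadDriverPrivilege` detection; a one-line comment such as `# Observed using SeLoadDriverPrivilege during legitimate settings/driver operations - tune per environment` would record why they were added. The filter list and the `condition` continue past the end of this hunk.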
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 557572482..2851c8613 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -1,4 +1,4 @@
-title: WMI Persistence
+title: WMI Persistence - Security
 id: f033f3f3-fd24-4995-97d8-a3bb17550a88
 related:
 - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
@@ -10,7 +10,7 @@ references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
 date: 2017/08/22
-modified: 2022/10/09
+modified: 2022/11/29
 tags:
 - attack.persistence
 - attack.privilege_escalation
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml
similarity index 100%
rename from rules/compliance/workstation_was_locked.yml
rename to rules/windows/builtin/security/win_security_workstation_was_locked.yml
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
index 4cc044bd0..8d5f2f31c 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation STDIN+ Launcher
+title: Invoke-Obfuscation STDIN+ Launcher - System
 id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 status: experimental
 description: Detects Obfuscated use of stdin to execute PowerShell
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
index b2403a616..60962b066 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation VAR+ Launcher
+title: Invoke-Obfuscation VAR+ Launcher - System
 id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 status: experimental
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
index 595aefc44..a21bc34ef 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation COMPRESS OBFUSCATION
+title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
 id: 175997c5-803c-4b08-8bb0-70b099f47595
 status: experimental
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/03/06
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
index 54bb0373f..843bd983c 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation RUNDLL LAUNCHER
+title: Invoke-Obfuscation RUNDLL LAUNCHER - System
 id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 status: experimental
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/03/07
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
index 8a4091b6a..d7f5b3c5f 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Stdin
+title: Invoke-Obfuscation Via Stdin - System
 id: 487c7524-f892-4054-b263-8a0ace63fc25
 status: experimental
 description: Detects Obfuscated Powershell via Stdin in Scripts
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
index e9cd49642..b31c2f9c1 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use Clip
+title: Invoke-Obfuscation Via Use Clip - System
 id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 status: experimental
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/04/26
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
index c109d7143..3445a5c0d 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use MSHTA
+title: Invoke-Obfuscation Via Use MSHTA - System
 id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 status: experimental
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/07/05
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
index 07b2781f8..6437adc9d 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation Via Use Rundll32
+title: Invoke-Obfuscation Via Use Rundll32 - System
 id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 status: experimental
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/03/07
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
index 76e3dac8c..17620261e 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
 id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 status: experimental
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/11/17
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
index 2672ae2db..3ad2ff0ad 100644
--- a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/antonioCoco/JuicyPotatoNG
 author: Florian Roth
 date: 2022/10/07
+modified: 2022/12/04
 tags:
 - attack.execution
 - attack.t1557.001
@@ -16,7 +17,7 @@ detection:
 selection:
 EventID: 10001
 param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # is the Binary starting/started
- param2: '2147943140' # is ERROR id
+ param2: 2147943140 # is ERROR id
 param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # is DCOM Server
 condition: selection
 falsepositives:
diff --git a/rules/windows/builtin/system/win_system_mal_creddumper.yml b/rules/windows/builtin/system/win_system_mal_creddumper.yml
index c43c90f65..6c946fc93 100644
--- a/rules/windows/builtin/system/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/win_system_mal_creddumper.yml
@@ -1,4 +1,4 @@
-title: Credential Dumping Tools Service Execution
+title: Credential Dumping Tools Service Execution - System
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 status: experimental
 description: Detects well-known credential dumping tools execution via service execution events
@@ -6,7 +6,7 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2021/11/30
+modified: 2022/11/29
 tags:
 - attack.credential_access
 - attack.execution
diff --git a/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 8f845be01..13ffaa6a1 100644
--- a/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -1,4 +1,4 @@
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
+title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
 id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 status: experimental
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
@@ -7,7 +7,7 @@ references:
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2022/02/01
+modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1134.001
diff --git a/rules/windows/builtin/system/win_system_moriya_rootkit.yml b/rules/windows/builtin/system/win_system_moriya_rootkit.yml
index 29fa39cf3..e31568a2b 100644
--- a/rules/windows/builtin/system/win_system_moriya_rootkit.yml
+++ b/rules/windows/builtin/system/win_system_moriya_rootkit.yml
@@ -1,4 +1,4 @@
-title: Moriya Rootkit
+title: Moriya Rootkit - System
 id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 status: experimental
 description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
@@ -6,7 +6,7 @@ references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
 date: 2021/05/06
-modified: 2021/11/30
+modified: 2022/11/29
 tags:
 - attack.persistence
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/system/win_system_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml
index 5a2361e62..d0ae0f782 100644
--- a/rules/windows/builtin/system/win_system_pcap_drivers.yml
+++ b/rules/windows/builtin/system/win_system_pcap_drivers.yml
@@ -6,14 +6,14 @@ references:
 - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 author: Cian Heasley
 date: 2020/06/10
-modified: 2021/11/27
+modified: 2022/12/22
 tags:
 - attack.discovery
 - attack.credential_access
 - attack.t1040
 logsource:
 product: windows
- service: security
+ service: system
 definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 selection:
diff --git a/rules/windows/builtin/system/win_system_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_service_install_anydesk.yml
diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
index 69d804443..7441654f1 100644
--- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
@@ -28,8 +28,7 @@ detection:
 - 'pwdump'
 - 'gsecdump'
 - 'cachedump'
- - ImagePath|contains:
- - 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
+ - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
 condition: service and selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
new file mode 100644
index 000000000..2d51a1dad
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
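Review bot: `service` is switched from `security` to `system`, but the unchanged `definition` line on the new side still says the 'System Security Extension' audit subcategory must be enabled to log EID 4697, which is a Security-channel event; a System-channel logsource and a 4697 prerequisite cannot both be right. If the rule now keys on the System log's 7045 service-installation event, the definition should say so (and the `selection` that follows this hunk must select 7045, not 4697); if the detection still selects 4697, the logsource change should be reverted. The `detection` block starts at the last line of this hunk and its field conditions are outside the hunk, so this is inferred from the definition text only.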
@@ -0,0 +1,25 @@
+title: Mesh Agent Service Installation
+id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
+status: experimental
+description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'MeshAgent.exe'
+ - ServiceName|contains: 'Mesh Agent'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
diff --git a/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml
new file mode 100644
index 000000000..e6bee6ff7
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml
@@ -0,0 +1,50 @@
+title: Remote Access Tool Services Have Been Installed - System
+id: 1a31b18a-f00c-4061-9900-f735b96c99fc
+related:
+ - id: c8b00925-926c-47e3-beea-298fd563728e
+ type: similar
+status: experimental
+description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+author: Connor Martin, Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+ - attack.persistence
+ - attack.t1543.003
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Provider_Name: 'Service Control Manager'
+ EventID:
+ - 7045
+ - 7036
+ ServiceName|contains:
+ # Based on https://github.com/SigmaHQ/sigma/pull/2841
+ - 'SSUService'
+ - 'SplashtopRemoteService' # https://www.splashtop.com/
+ - 'Atera'
+ - 'LogMeIn' # https://www.logmein.com/
+ - 'LMIGuardianSvc' # https://www.logmein.com/
+ - 'TeamViewer'
+ - 'RPCService' # https://www.remotepc.com/
+ - 'RPCPerformanceService' # https://www.remotepc.com/
+ - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
+ - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
+ - 'GoToMyPC' # https://get.gotomypc.com/
+ - 'monblanking'
+ - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
+ - 'GoToAssist' # https://www.goto.com/it-management/resolve
+ - 'AmmyyAdmin' # https://www.ammyy.com/en/
+ - 'vncserver'
+ - 'Parsec'
+ - 'chromoting'
+ - 'Zoho'
+ - 'jumpcloud'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
new file mode 100644
index 000000000..ea4a33722
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
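Review bot: `EventID` includes `7036`, the service state-change event, so this rule fires on every start and stop of any listed service rather than on installation as the title and description state; for an agent such as TeamViewer or LogMeIn that is at least once per boot per host, which does not fit `level: medium` with `falsepositives: Unknown`. Restrict the selection to `7045`, as the neighbouring Mesh Agent and TacticalRMM rules do, or move 7036 into a separate lower-level rule that says it tracks running remote-access services. Several tokens are short substrings that `|contains` will find inside unrelated service names (`'Atera'`, `'Zoho'`, `'Parsec'`, `'RPCService'`), so expect to tune them. The description also stops mid-sentence at `to perform`.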
@@ -0,0 +1,25 @@
+title: TacticalRMM Service Installation
+id: 4bb79b62-ef12-4861-981d-2aab43fab642
+status: experimental
+description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'tacticalrmm.exe'
+ - ServiceName|contains: 'TacticalRMM Agent Service'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
diff --git a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
index cfd318f9a..d5d3b1ff0 100644
--- a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
@@ -9,6 +9,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
+modified: 2022/12/04
 tags:
 - attack.privilege_escalation
 - attack.t1543
@@ -19,7 +20,7 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ProcessId: '0'
+ ProcessId: 0
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
similarity index 84%
rename from rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
index a3e475175..c614618fc 100644
--- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
@@ -12,6 +12,7 @@ tags:
 logsource:
 product: windows
 service: taskscheduler
+ definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work
 detection:
 selection:
 EventID: 106
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
new file mode 100644
index 000000000..3a4008f9c
--- /dev/null
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
@@ -0,0 +1,35 @@
+title: Suspicious Scheduled Tasks Locations
+id: 424273ea-7cf8-43a6-b712-375f925e481f
+status: experimental
+description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ selection:
+ EventID: 129 # Created Task Process
+ Path|contains:
+ - 'C:\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Users\Public\'
+ - 'C:\Temp\'
+ # Add more suspicious LOLBINs below
+ - 'C:\Windows\System32\calc.exe'
+ - 'C:\Windows\System32\regsvr32.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
+ #filter:
+ # TaskName: '\Exact\Task\Name'
+ # Path: 'Exact\Path'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
index 9f80f5e71..1c18c99c1 100644
--- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 author: Bhabesh Raj
 date: 2020/09/14
-modified: 2021/10/13
+modified: 2022/12/07
 tags:
 - attack.execution
 - attack.t1059
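Review bot: `Path|contains` uses `'C:\Windows\Temp\'` with a drive letter while the two scheduled-task rules earlier in this diff use `'\WINDOWS\Temp\'` without one, so the three new rules disagree on hosts whose system drive is not C:; pick one form (the drive-less one matches both) and use it in all three. The `rundll32.exe` and `regsvr32.exe` entries are exact system paths that built-in Microsoft tasks are likely to launch too, so the commented-out `filter` will probably be needed on day one; consider shipping it enabled with `TaskName|startswith: '\Microsoft\Windows\'` and the `condition: selection and not filter`, or document in `falsepositives` which built-in tasks were observed instead of `Unknown`. The description misspells `unusale`.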
@@ -15,8 +15,8 @@ logsource:
 service: windefend
 detection:
 selection:
- EventID: 1116
- Source_Name: 'AMSI'
+ EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
+ SourceName: 'AMSI'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml
index 7791cd210..432ddf5d0 100644
--- a/rules/windows/builtin/windefend/win_defender_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_disabled.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/05/06
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection:
 EventID:
- - 5001
- - 5010
- - 5012
- - 5101
+ - 5001 # Real-time protection is disabled.
+ - 5010 # Scanning for malware and other potentially unwanted software is disabled.
+ - 5012 # Scanning for viruses is disabled.
+ - 5101 # The antimalware platform is expired.
 condition: selection
 falsepositives:
- - Administrator actions
-level: low
+ - Administrator actions (should be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml
index 37b8c1c4d..9ecb61821 100644
--- a/rules/windows/builtin/windefend/win_defender_exclusions.yml
+++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard
 date: 2021/07/06
-modified: 2022/02/02
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -14,10 +14,10 @@ logsource:
 product: windows
 service: windefend
 detection:
- selection1:
- EventID: 5007
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
 NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
- condition: selection1
+ condition: selection
 falsepositives:
 - Administrator actions
 level: medium
diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
index 4840c3746..692e62478 100644
--- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
+++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
@@ -6,16 +6,17 @@ references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali
 date: 2022/08/05
+modified: 2022/12/06
 tags:
- - attack.execution
- - attack.t1059
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 service: windefend
 detection:
 allowed_apps_key:
- EventID: 5007
- NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
+ EventID: 5007 # The antimalware platform configuration changed.
+ NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
 allowed_apps_path:
 NewValue|contains:
 # Add more paths you don't allow in your org
@@ -25,9 +26,9 @@ detection:
- '\PerfLogs\'
- '\Windows\Temp\'
protected_folders:
- EventID: 5007
+ EventID: 5007 # The antimalware platform configuration changed.
# This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
- OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
+ OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
condition: all of allowed_apps* or protected_folders
falsepositives:
- Unlikely
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index 0cfba55f8..8a0b8629b 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -4,23 +4,22 @@ status: test
description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+ - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
author: Cian Heasley
date: 2020/08/13
modified: 2022/10/09
tags:
- attack.defense_evasion
- - attack.t1070.001
logsource:
product: windows
service: windefend
detection:
selection:
- EventID: 1013
- EventType: 4
+ EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
condition: selection
fields:
- EventID
- EventType
falsepositives:
- Deletion of Defender malware detections history for legitimate reasons
-level: high
+level: low
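Review bot: `modified: 2022/10/09` is left untouched although the detection logic changes in this hunk (`EventType: 4` dropped, `attack.t1070.001` dropped, `level` lowered from `high` to `low`), while the sibling Defender rules in this commit bump to `2022/12/06`; it should read `modified: 2022/12/06`. The `fields:` list still carries `- EventType` even though the selection no longer uses that field, so it is now either a leftover or needs a comment explaining why it stays in the output. Removing the sub-technique also leaves a tactic tag (`attack.defense_evasion`) with no technique; if T1070.001 (clearing Windows event logs) was judged a poor fit, the parent `attack.t1070` still describes wiping Defender's detection history.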
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
new file mode 100644
index 000000000..81aea09c4
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -0,0 +1,21 @@
+title: Win Defender Restored Quarantine File
+id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
+status: experimental
+description: Detects the restoration of files from the defender quarantine
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 1009 # The antimalware platform restored an item from quarantine.
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity restoring a file
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
new file mode 100644
index 000000000..1aa0edf42
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
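Review bot: `level: high` for a bare `EventID: 1009` match is steep when the rule's own `falsepositives` entry says restores are legitimate administrator activity; releasing a file from quarantine is also a routine SOC step after a confirmed false positive, so with no threat or path discriminator this pages on every one of them. Consider `level: medium`, and add a `fields:` list with the event's threat-name and file-path fields (the exact field names depend on the log pipeline and are not shown here) so the alert can be triaged from the notification. The `attack.t1562.001` mapping is also a stretch for a restore, since Defender itself is neither disabled nor modified; if it is kept, `description` should say why a restore is treated as impairing defenses.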
@@ -0,0 +1,38 @@
+title: Windows Defender Suspicious Configuration Changes
+id: 801bd44f-ceed-4eb6-887c-11544633c0aa
+related:
+ - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: similar
+ - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
+ type: similar
+status: stable
+description: Detects suspicious changes to the windows defender configuration
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+ - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
+ NewValue|contains:
+ # TODO: Add more suspicious values
+ - '\Windows Defender\DisableAntiSpyware '
+ #- '\Windows Defender\Features\TamperProtection ' # Might produce FP
+ - '\Windows Defender\Scan\DisableRemovableDriveScanning '
+ - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
+ - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
+ - '\Real-Time Protection\SpyNetReporting '
+ - '\Real-Time Protection\SubmitSamplesConsent '
+ # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
+ condition: selection
+falsepositives:
+ - Administrator activity (must be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 5c7202a37..887b9ac52 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
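Review bot: `status: stable` on a brand-new rule (`date: 2022/12/06`) that still carries `# TODO: Add more suspicious values` and a pattern commented out as `# Might produce FP` is premature; new rules in this repository start as `status: experimental`. The trailing space inside every pattern (e.g. `'\Windows Defender\DisableAntiSpyware '`) is load-bearing — it stops `DisableAntiSpyware` from also matching longer key names that share the prefix — yet nothing says so, and it is exactly the whitespace an editor or reformatter strips silently; add `# NOTE: the trailing space in each value is intentional, it terminates the key name before the ' = <value>' part of NewValue` above the list. Because the value part is never matched, the rule fires on the disabling change and on its later reversal alike (presumably `... = 0x0`), which is worth stating in `description` or narrowing with a `= 0x1` suffix for the keys where the expected value is known.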
@@ -1,11 +1,13 @@
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
-description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-author: Bhabesh Raj
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021/07/05
+modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
service: windefend
detection:
selection:
- EventID: 5013
+ EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
Value|endswith:
- - '\Windows Defender\DisableAntiSpyware = 0x1()'
- - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+ - '\Windows Defender\DisableAntiSpyware'
+ - '\Windows Defender\DisableAntiVirus'
+ - '\Windows Defender\Scan\DisableArchiveScanning'
+ - '\Windows Defender\Scan\DisableScanningNetworkFiles'
+ - '\Real-Time Protection\DisableRealtimeMonitoring'
+ - '\Real-Time Protection\DisableBehaviorMonitoring'
+ - '\Real-Time Protection\DisableIOAVProtection'
+ - '\Real-Time Protection\DisableScriptScanning'
condition: selection
falsepositives:
- - Administrator actions
+ - Administrator might try to disable defender features during testing (must be investigated)
level: high
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index e2bdd262e..4e917229c 100644
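Review bot: Switching to `Value|endswith: '\Windows Defender\DisableAntiSpyware'` looks like it can stop the rule matching altogether: the two patterns being removed (`'\Windows Defender\DisableAntiSpyware = 0x1()'`, `'\Real-Time Protection\DisableRealtimeMonitoring = (Current)'`) show the field carrying a ` = <value>` suffix after the key name, and `endswith` on the bare key name never matches such a string. Unless the 5013 `Value` format has been confirmed to end with the key name, `Value|contains:` with the same list is the safe operator (a trailing space, e.g. `'\DisableAntiSpyware '`, restores the right-hand boundary). The 180-character inline comment on the `EventID: 5013` line would also read better folded into `description`, which the first hunk of this file already rewrites.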
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -15,10 +15,10 @@ logsource:
detection:
selection:
EventID:
- 1006
- 1116
- 1015
- 1117
+ - 1006 # The antimalware engine found malware or other potentially unwanted software.
+ - 1116 # The antimalware platform detected malware or other potentially unwanted software.
+ - 1015 # The antimalware platform detected suspicious behavior.
+ - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
index be58155f7..d94154070 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
@@ -10,7 +10,7 @@ references:
- https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019/10/27
-modified: 2022/08/26
+modified: 2022/12/14
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -95,6 +95,14 @@ detection:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
+ filter_nvidia:
+ SourceImage: 'C:\Windows\explorer.exe'
+ TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
+ #filter_powerpnt:
+ # # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
+ # SourceImage|contains: '\Microsoft Office\'
+ # SourceImage|endswith: '\POWERPNT.EXE'
+ # TargetImage: 'C:\Windows\System32\csrss.exe'
condition: selection and not 1 of filter*
fields:
- ComputerName
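Review bot: The comment on the new `- 1117` line is missing its first letter: `# he antimalware platform performed an action ...` should read `# The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.`. The other three comments reproduce Microsoft's event descriptions verbatim, so the truncated one stands out when the list is read back.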
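Review bot: The commented-out `#filter_powerpnt:` block is dead configuration that will quietly rot: Sigma ignores it, the only pointer to the issue lives inside a comment, and `condition: selection and not 1 of filter*` gives no hint that a fourth filter was considered and shelved. Either enable it (it is narrower than `filter_nvidia`, requiring `\Microsoft Office\` plus `\POWERPNT.EXE` on the source and an exact `csrss.exe` target) or remove it, put `https://github.com/SigmaHQ/sigma/issues/2479` under `references`, and mention PowerPoint under `falsepositives`. `filter_nvidia` pins `TargetImage` to the `C:\Program Files\...` path, so an install on another drive keeps alerting — acceptable, but a one-line comment saying so would keep it from being read as an oversight. The `selection` block that this filter applies to sits above the hunk.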
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
new file mode 100644
index 000000000..b6ab658fb
--- /dev/null
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
@@ -0,0 +1,30 @@
+title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
+id: fb656378-f909-47c1-8747-278bf09f4f4f
+related:
+ - id: 3f07b9d1-2082-4c56-9277-613a621983cc
+ type: obsoletes
+ - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
+ type: similar
+status: experimental
+description: Detects remote thread creation by PowerShell processes into "lsass.exe"
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2022/12/18
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: create_remote_thread
+detection:
+ selection:
+ SourceImage|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ TargetImage|endswith: '\lsass.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
index 1e94c3ad2..5babf5085 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
@@ -4,8 +4,10 @@ status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+ - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth
date: 2022/08/24
+modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.s0139
@@ -32,6 +34,9 @@ detection:
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
+ - 'privatlab.net'
+ - 'privatlab.com'
+ - 'sendspace.com'
selection_extension:
TargetFilename|contains:
- '.exe:Zone'
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
index a32c292cc..b47dc0e17 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
@@ -4,8 +4,10 @@ status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+ - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth
date: 2022/08/24
+modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.s0139
@@ -32,6 +34,9 @@ detection:
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
+ - 'privatlab.net'
+ - 'privatlab.com'
+ - 'sendspace.com'
selection_extension:
TargetFilename|contains:
- '.ps1:Zone'
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index e173ec41c..c8d2af60c 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
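Review bot: The three new domains (`privatlab.net`, `privatlab.com`, `sendspace.com`) are added by hand, verbatim, to two rules (`..._combo.yml` and `..._combo_med.yml`) whose domain lists are evidently meant to stay identical — judging by the context lines, only the `selection_extension` values differ — so every future addition has to be duplicated and the lists will drift the first time one edit is forgotten. A comment at the head of each list naming its twin, e.g. `# Keep this list in sync with create_stream_hash_susp_domain_ext_combo_med.yml`, makes the coupling visible to the next editor. The operator applied to the list sits above the hunk, so whether a bare `sendspace.com` also matches unrelated hosts that merely contain the string cannot be checked here.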
@@ -4,8 +4,9 @@ status: experimental
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali, Florian Roth
date: 2022/09/07
+modified: 2022/12/05
tags:
- attack.defense_evasion
- attack.t1564.004
@@ -13,18 +14,8 @@ logsource:
product: windows
category: create_stream_hash
detection:
- selection_domain:
- Contents|contains:
- - '://1'
- - '://2'
- - '://3'
- - '://4'
- - '://5'
- - '://6'
- - '://7'
- - '://8'
- - '://9'
- selection_extension:
+ selection:
+ Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
@@ -32,7 +23,7 @@ detection:
- '.vbe:Zone'
- '.vbs:Zone'
- '.dll:Zone'
- condition: all of selection*
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
similarity index 61%
rename from rules/windows/dns_query/dns_query_remote_access_software_domains.yml
rename to rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
index 33a709c18..405c67f68 100644
--- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
@@ -1,4 +1,4 @@
-title: Query To Remote Access Software Domain
+title: DNS Query To Remote Access Software Domain
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
- id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
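Review bot: The new `Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'` is a real improvement over the removed `'://1'`…`'://9'` prefixes, which also matched any hostname beginning with a digit, but two details deserve a look. Sigma's `re` modifier is case-sensitive, so a Zone.Identifier written with an upper-case scheme would not match — if any producer in your telemetry does that, prefix the pattern with `(?i)`; and `[s]?` is just `s?`. A short comment on why the regex replaced the digit list (`# Require a literal dotted-quad host; the old '://<digit>' prefixes also hit ordinary hostnames that start with a digit`) would keep the next editor from reverting to the simpler-looking form.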
@@ -17,9 +17,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
-author: frack113
+author: frack113, Connor Martin
date: 2022/07/11
-modified: 2022/10/31
+modified: 2022/12/23
tags:
- attack.command_and_control
- attack.t1219
@@ -34,6 +34,44 @@ detection:
- '.ammyy.com'
- '.netsupportsoftware.com' # For NetSupport Manager RAT
- 'remoteutilities.com' # Usage of Remote Utilities RAT
+ - '.net.anydesk.com'
+ - 'api.playanext.com'
+ - '.relay.splashtop.com'
+ - '.api.splashtop.com'
+ - 'app.atera.com'
+ - '.agentreporting.atera.com'
+ - '.pubsub.atera.com'
+ - 'logmeincdn.http.internapcdn.net'
+ - 'logmein-gateway.com'
+ - 'client.teamviewer.com'
+ - 'integratedchat.teamviewer.com'
+ - 'static.remotepc.com'
+ - '.n-able.com'
+ - 'comserver.corporate.beanywhere.com'
+ - '.swi-rc.com'
+ - '.swi-tc.com'
+ - 'telemetry.servers.qetqo.com'
+ - 'relay.screenconnect.com'
+ - 'control.connectwise.com'
+ - 'express.gotoassist.com'
+ - 'authentication.logmeininc.com'
+ - '.services.vnc.com'
+ - '.tmate.io'
+ - 'api.parsec.app'
+ - 'parsecusercontent.com'
+ - 'remotedesktop-pa.googleapis.com'
+ - '.logmein-gateway.com'
+ - 'secure.logmeinrescue.com'
+ - 'join.zoho.com'
+ - 'assist.zoho.com'
+ - '.zohoassist.com'
+ - 'downloads.zohocdn.com'
+ - 'agent.jumpcloud.com'
+ - 'kickstart.jumpcloud.com'
+ - 'cdn.kaseya.net'
+ - 'relay.kaseya.net'
+ - 'license.bomgar.com'
+ - '.beyondtrustcloud.com'
filter:
# Exclude browsers for legitimate visits of the domains mentioned above
# Add missing browsers you use and exclude the ones you don't
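Review bot: `'logmein-gateway.com'` and `'.logmein-gateway.com'` are both added, and the first already covers the second under any substring or suffix match, so one is redundant; keep the dotted form if the intent is to avoid matching an unrelated `...notlogmein-gateway.com`, otherwise drop it. Several new entries are not self-explanatory (`api.playanext.com`, `telemetry.servers.qetqo.com`, `comserver.corporate.beanywhere.com`, `.swi-rc.com`, `.swi-tc.com`) while the existing lines carry attributions such as `# For NetSupport Manager RAT`; add the product per line (e.g. `- '.swi-rc.com' # SolarWinds / N-able Take Control`) so a future reader can verify or prune them. The operator applied to the list sits above this hunk, so whether bare entries like `parsecusercontent.com` are suffix- or substring-matched cannot be confirmed here.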
@@ -50,5 +88,5 @@ detection:
- '\CCleaner Browser\Application\CCleanerBrowser.exe'
condition: selection and not filter
falsepositives:
- - FP may be caused in legitimate usage of the softwares mentioned above
+ - Legitimate usage of the softwares mentioned above
level: medium
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_mal_creddumper.yml
rename to rules/windows/driver_load/driver_load_win_mal_creddumper.yml
diff --git a/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml
new file mode 100644
index 000000000..1be44592b
--- /dev/null
+++ b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml
@@ -0,0 +1,69 @@
+title: Usage Of Malicious POORTRY Signed Driver
+id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6
+status: experimental
+description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
+references:
+ - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
+author: Nasreddine Bencherchali
+date: 2022/12/16
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
+ - attack.t1068
+logsource:
+ category: driver_load
+ product: windows
+detection:
+ selection_image:
+ ImageLoaded|contains:
+ - '\prokiller64.sys'
+ - '\gftkyj64.sys'
+ - '\KApcHelper_x64.sys'
+ - '\NodeDriver.sys'
+ - '\LcTkA.sys'
+ selection_sysmon:
+ Hashes|contains:
+ - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
+ - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
+ - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
+ - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
+ - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
+ - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
+ - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
+ - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
+ - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
+ - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
+ - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
+ - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
+ - 'MD5=10f3679384a03cb487bda9621ceb5f90'
+ - 'MD5=04a88f5974caa621cee18f34300fc08a'
+ - 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
+ - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
+ - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
+ - 'MD5=909f3fc221acbe999483c87d9ead024a'
+ selection_hash:
+ - SHA256:
+ - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
+ - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
+ -
'8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
+ - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
+ - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
+ - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
+ - SHA1:
+ - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
+ - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
+ - '6debce728bcff73d9d1d334df0c6b1c3735e295c'
+ - 'cc65bf60600b64feece5575f21ab89e03a728332'
+ - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
+ - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
+ - MD5:
+ - '10f3679384a03cb487bda9621ceb5f90'
+ - '04a88f5974caa621cee18f34300fc08a'
+ - '6fcf56f6ca3210ec397e55f727353c4a'
+ - '0f16a43f7989034641fd2de3eb268bf1'
+ - 'ee6b1a79cb6641aa44c762ee90786fe0'
+ - '909f3fc221acbe999483c87d9ead024a'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate BIOS driver updates (should be rare)
+level: high
diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
rename to rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml
diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_process_hacker.yml
rename to rules/windows/driver_load/driver_load_win_process_hacker.yml
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
old mode 100755
new mode 100644
similarity index 100%
rename from rules/windows/driver_load/driver_load_susp_temp_use.yml
rename to rules/windows/driver_load/driver_load_win_susp_temp_use.yml
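Review bot: `falsepositives: - Legitimate BIOS driver updates (should be rare)` does not describe this rule: the `selection_sysmon` and `selection_hash` branches match specific malicious-sample hashes, and a hash hit is never a false positive, so the only branch that can misfire is `selection_image`, where names like `\NodeDriver.sys` and `\KApcHelper_x64.sys` are generic enough to belong to unrelated software. Say that explicitly, e.g. `- The file-name selection can match unrelated drivers sharing these names; a hash match is a true positive`, or split the name branch into its own medium-level rule and keep the hash rule at `critical`. `ImageLoaded|contains` is also looser than needed for a file name that ends in `.sys`; `ImageLoaded|endswith` with the same list is tighter at no cost.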
diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
similarity index 98%
rename from rules/windows/driver_load/driver_load_vuln_dell_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
index dce4c8e04..bc5b26d8d 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml
@@ -11,6 +11,7 @@ tags:
- attack.privilege_escalation
- cve.2021.21551
- attack.t1543
+ - attack.t1068
logsource:
category: driver_load
product: windows
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
similarity index 97%
rename from rules/windows/driver_load/driver_load_vuln_drivers.yml
rename to rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index 018868c3b..8e2449b70 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -21,10 +21,11 @@ references:
- https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
author: Nasreddine Bencherchali
date: 2022/08/18
-modified: 2022/10/19
+modified: 2022/11/29
tags:
- attack.privilege_escalation
- attack.t1543.003
+ - attack.t1068
logsource:
product: windows
category: driver_load
@@ -287,6 +288,13 @@ detection:
# Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
# Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
- 'SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - 'SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e'
# The list below is from https://github.com/namazso/physmem_drivers
- 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
- 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
@@ -540,6 +548,13 @@ detection:
# Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
# Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
- 'SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - 'SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - 'SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
selection_other:
- SHA1:
# The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
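Review bot: The six new SHA1s under `# Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde` are justified only by an imphash pivot, and an imphash is shared by every binary built against the same import table in the same order — it is not an identity for one product, so unrelated (and possibly non-vulnerable) drivers can be swept into a list that alerts as a known-vulnerable driver load. The comment should record what else was checked before these were accepted as PowerTool, e.g. `# ... Imph ash pivot on VT; each sample confirmed as kEvP64.sys via Authenticode signer and version info`; if no such confirmation was done, they belong in a lower-confidence rule. The same comment is pasted into the `SHA256=` list in this hunk and into both `selection_other` lists further down, so a wording fix has to be applied in four places.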
@@ -798,6 +813,13 @@ detection:
# Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
# Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
- '06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - '4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - '755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - '56af49e030eb85528e82849d7d1b6147f3c4973e'
- SHA256:
# The list below is from https://github.com/namazso/physmem_drivers
- '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -864,8 +886,6 @@ detection:
- 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653'
- 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028'
- '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3'
- - 'DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D'
- - '0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
- '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3'
- 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955'
- 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339'
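Review bot: The two SHA256 entries removed in the second hunk here (`DED2927F9A4E...`, `0296E2CE999E...`) disappear with no comment and no explanation visible on this page, so a reader cannot tell whether they were duplicates, confirmed false positives, or a paste error. A one-line note at the spot, e.g. `# Removed DED2927F…/0296E2CE…: <reason>`, or a sentence in the commit message would preserve that decision. If the same two hashes also appear in the `Hashes|contains` `SHA256=` list earlier in the file (that list is outside this hunk), they need removing there as well; otherwise the Sysmon branch and the `selection_other` branch diverge and the removal changes nothing for Sysmon-sourced events.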
@@ -1061,6 +1081,13 @@ detection:
# Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
# Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
- '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
condition: 1 of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
similarity index 94%
rename from rules/windows/driver_load/driver_load_vuln_drivers_names.yml
rename to rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index 36e520478..85da6ba0c 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -20,10 +20,11 @@ references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
author: Nasreddine Bencherchali
date: 2022/10/03
-modified: 2022/10/17
+modified: 2022/11/29
tags:
- attack.privilege_escalation
- attack.t1543.003
+ - attack.t1068
logsource:
product: windows
category: driver_load
@@ -203,8 +204,13 @@ detection:
- '\ohm.sys'
- '\sensorsview32_64.sys'
- '\touchpointanalyticsclient.sys'
+ # PowerTool driver (kEvP64) renames from VT
+ - '\CQg5Jf.sys'
+ - '\HCdRDh.sys'
+ - '\NcDgDn.sys'
+ - '\vLTZ19.sys'
condition: selection
falsepositives:
- - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
+ - False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
- If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)
level: medium
diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml
diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_hw_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml
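Review bot: The four names added under `# PowerTool driver (kEvP64) renames from VT` (`\CQg5Jf.sys`, `\HCdRDh.sys`, `\NcDgDn.sys`, `\vLTZ19.sys`) look like per-sample random names; every new upload carries a fresh one, so they add almost no coverage beyond the hash-based rule while the list grows without bound, and a six-character random `.sys` name is itself a more general signal that deserves its own rule. A comment on that limitation, e.g. `# Sample-specific random names with little reuse; primary coverage is the hash list in driver_load_win_vuln_drivers.yml`, would stop the next contributor from appending the next ten. The rewritten falsepositives line also keeps two typos from the old one — `occure` → `occur` and `it's name` → `its name` — and the unchanged line below it has the same `it's`.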
diff --git a/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
rename to rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
similarity index 100%
rename from rules/windows/driver_load/driver_load_windivert.yml
rename to rules/windows/driver_load/driver_load_win_windivert.yml
diff --git a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
index 3779cc8a0..3b5545d29 100644
--- a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
@@ -1,4 +1,4 @@
-title: Advanced IP Scanner
+title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
@@ -13,7 +13,7 @@ references:
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020/05/12
-modified: 2022/10/09
+modified: 2022/11/29
tags:
- attack.discovery
- attack.t1046
diff --git a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
index ba06ae6e2..22a3c70fb 100644
--- a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
+++ b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
@@ -1,4 +1,4 @@
-title: Unidentified Attacker November 2018
+title: Unidentified Attacker November 2018 - File
id: 3a3f81ca-652c-482b-adeb-b1c804727f74
related:
- id: 7453575c-a747-40b9-839b-125a0aae324b
@@ -9,7 +9,7 @@ references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
-modified: 2021/09/19
+modified: 2022/12/02
tags:
- attack.execution
- attack.t1218.011
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
new file mode 100644
index 000000000..23c65c682
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -0,0 +1,38 @@
+title: Creation Of Non-Existent DLLs In System Folders
+id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+related:
+ - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+ type: similar
+status: experimental
+description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+ - https://github.com/Wh04m1001/SysmonEoP
+ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+author: Nasreddine Bencherchali
+date: 2022/12/01
+modified: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename:
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ - 'C:\Windows\System32\wow64log.dll'
+ filter:
+ Image|startswith: 'C:\Windows\System32\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
index 3f2a81958..771b72aec 100644
--- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
@@ -1,4 +1,4 @@
-title: WScript or CScript Dropper
+title: WScript or CScript Dropper - File
 id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
 related:
 - id: cea72823-df4d-4567-950c-0b579eaf0846
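Review bot: The `filter` (`Image|startswith: 'C:\Windows\System32\'`) excludes every process that resides under System32, which includes the built-in shells and script hosts a user or operator would normally use to copy a file into that folder, so the rule is left firing mainly on third-party installers rather than on the planting of the DLL itself. If the intent is to silence Windows servicing, consider naming the specific images known to legitimately deploy these libraries in an `Image|endswith` list instead of the whole directory, and record the trade-off next to the filter, e.g. `# Broad exclusion: any System32-resident process writing these DLLs is ignored`. `Usualy` in the description should be `Usually`; the same typo appears in the new image_load rule with id 6b98b92b-4f00-4f62-b4fe-4d1920215771.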
@@ -9,7 +9,7 @@ references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton date: 2022/01/10 -modified: 2022/01/11 +modified: 2022/12/02 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml new file mode 100644 index 000000000..3704cad95 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml @@ -0,0 +1,29 @@ +title: Potential DCOM InternetExplorer.Application DLL Hijack +id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa +related: + - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 + type: obsoletes + - id: f354eba5-623b-450f-b073-0b5b2773b6aa + type: similar +status: test +description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network +references: + - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html +author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +date: 2020/10/12 +modified: 2022/12/18 +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image: System + TargetFilename|endswith: '\Internet Explorer\iertutil.dll' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml index cfdfb81b9..e420bb832 100644 --- a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml 
@@ -1,4 +1,4 @@ -title: Persistence Via ErrorHandler.Cmd +title: Potential Persistence Attempt Via ErrorHandler.Cmd id: 15904280-565c-4b73-9303-3291f964e7f9 status: experimental description: | @@ -9,6 +9,7 @@ references: - https://github.com/last-byte/PersistenceSniper author: Nasreddine Bencherchali date: 2022/08/09 +modified: 2022/12/19 tags: - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml index a80f7ffeb..3a4290d13 100755 --- a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml +++ b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml @@ -1,4 +1,4 @@ -title: Dumpert Process Dumper +title: Dumpert Process Dumper Default File id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 related: - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 @@ -10,7 +10,7 @@ references: - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ author: Florian Roth date: 2020/02/04 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml index 889b3c559..e5532258a 100644 --- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml +++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml @@ -26,8 +26,7 @@ detection: - '\SAM-2023-' # C++ version - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version - - TargetFilename: - - 'C:\windows\temp\sam' # C# version of HiveNightmare + - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection fields: - CommandLine 
diff --git a/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
new file mode 100644
index 000000000..522ab6eb3
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
@@ -0,0 +1,24 @@
+title: LSASS Process Dump Artefact In CrashDumps Folder
+id: 6902955a-01b7-432c-b32a-6f5f81d8f625
+status: experimental
+description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash'
+date: 2022/12/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
+ TargetFilename|contains: 'lsass.exe.'
+ TargetFilename|endswith: '.dmp'
+ condition: selection
+falsepositives:
+ - Rare legitimate dump of the process by the operating system due to a crash of lsass
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
index c4ce26312..1b454703c 100644
--- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
@@ -1,4 +1,4 @@
-title: Adwind RAT / JRAT
+title: Adwind RAT / JRAT File Artifact
 id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
 related:
 - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
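Review bot: The match is anchored on the fixed prefix `C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\`, so a dump is missed on hosts whose Windows drive is not C: and, if I read Windows Error Reporting correctly, whenever a LocalDumps `DumpFolder` override redirects the crash-dump location — confirm against the DEF CON reference. Since `TargetFilename|contains: 'lsass.exe.'` together with `TargetFilename|endswith: '.dmp'` already carries most of the specificity, consider `TargetFilename|contains: '\CrashDumps\'` in place of the startswith and state the assumption in a comment, e.g. `# Assumes the default WER dump location for the SYSTEM profile`.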
@@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.005 diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml rename to rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml index 6ad24e0ed..65bf8e139 100644 --- a/rules/windows/file/file_event/file_event_win_new_src_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' date: 2022/04/27 -modified: 2022/10/07 +modified: 2022/11/28 tags: - attack.t1218.011 - attack.defense_evasion @@ -19,10 +19,7 @@ detection: filter: TargetFilename|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\system32\' - 'C:\Windows\SysWOW64\' - - 'C:\Windows\SysWow64\' - - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - 'C:\$WINDOWS.~BT\NewOS\' condition: selection and not filter diff --git a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml index 01e27932c..e34e274bd 100644 --- a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml +++ b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml 
@@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - File id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 status: test description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index acbf6fb28..ea8c16054 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -15,9 +15,11 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 -author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec +author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 -modified: 2022/10/28 +modified: 2022/12/04 tags: - attack.execution - attack.t1059.001 
@@ -145,12 +147,15 @@ detection: - '\Invoke-Get-RBCD-Threaded.ps1' - '\Invoke-Gopher.ps1' - '\Invoke-Grouper2.ps1' + - '\Invoke-Grouper3.ps1' - '\Invoke-HandleKatz.ps1' - '\Invoke-Internalmonologue.ps1' + - '\Invoke-KrbRelay.ps1' - '\Invoke-KrbRelayUp.ps1' - '\Invoke-LdapSignCheck.ps1' - '\Invoke-Lockless.ps1' - '\Invoke-MITM6.ps1' + - '\Invoke-MalSCCM.ps1' - '\Invoke-NanoDump.ps1' - '\Invoke-OxidResolver.ps1' - '\Invoke-P0wnedshell.ps1' @@ -184,6 +189,7 @@ detection: - '\Invoke-SharpPrintNightmare.ps1' - '\Invoke-SharpPrinter.ps1' - '\Invoke-SharpRDP.ps1' + - '\Invoke-SharpSCCM.ps1' - '\Invoke-SharpSSDP.ps1' - '\Invoke-SharpSecDump.ps1' - '\Invoke-SharpSniper.ps1' @@ -191,6 +197,7 @@ detection: - '\Invoke-SharpSpray.ps1' - '\Invoke-SharpStay.ps1' - '\Invoke-SharpUp.ps1' + - '\Invoke-SharpWSUS.ps1' - '\Invoke-SharpWatson.ps1' - '\Invoke-Sharphound2.ps1' - '\Invoke-Sharphound3.ps1' @@ -205,6 +212,7 @@ detection: - '\Invoke-StickyNotesExtract.ps1' - '\Invoke-Thunderfox.ps1' - '\Invoke-Tokenvator.ps1' + - '\Invoke-TotalExec.ps1' - '\Invoke-UrbanBishop.ps1' - '\Invoke-Whisker.ps1' - '\Invoke-WireTap.ps1' diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index 3f768d093..c52e47eb5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -6,7 +6,7 @@ references: - Malware Sandbox author: frack113 date: 2022/03/09 -modified: 2022/11/08 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1587.001 
@@ -76,9 +76,15 @@ detection: Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' Image|endswith: '\mscorsvw.exe' TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_' + filter_vscode: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\' + Image|endswith: '\Microsoft VS Code\Code.exe' + TargetFilename|contains: '\.vscode\extensions\' condition: selection and not 1 of filter_* falsepositives: - Software installers - Update utilities + - 32bit applications launching their 64bit versions #Please contribute to FP to increase the level level: low diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml index 2a904a121..6a68b5207 100644 --- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml @@ -25,5 +25,5 @@ detection: - '\Program Files\PowerShell\7\profile.ps1' condition: selection falsepositives: - - System administrator create Powershell profile manually + - System administrator creating Powershell profile manually level: high diff --git a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml new file mode 100644 index 000000000..28746ba13 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml 
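Review bot: `filter_vscode` keys only on path fragments under the user profile (`C:\Users\`, `\AppData\Local\`, `\Microsoft VS Code\Code.exe`, target under `\.vscode\extensions\`); both the image and the target are in user-writable locations, so the exclusion holds for any binary placed at that path, not just VS Code. Sysmon file-create events carry no signer field to tighten it, so if the false-positive volume justifies the filter, record the trade-off beside it, e.g. `# Path-only exclusion for VS Code extension installs; user-writable location`. The existing `condition: selection and not 1 of filter_*` picks the new filter up automatically, so no condition change is needed.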
@@ -0,0 +1,30 @@
+title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
+id: 07a99744-56ac-40d2-97b7-2095967b0e03
+status: experimental
+description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+references:
+ - https://github.com/binderlabs/DirCreate2System
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
+author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
+date: 2022/12/16
+modified: 2022/12/19
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\logonUI.exe.local'
+ - 'C:\Windows\System32\werFault.exe.local'
+ - 'C:\Windows\System32\consent.exe.local'
+ - 'C:\Windows\System32\narrator.exe.local'
+ - 'C:\Windows\System32\wermgr.exe.local'
+ TargetFilename|endswith: '\comctl32.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
index dd0c53af5..eff3e341d 100644
--- a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -1,4 +1,4 @@
-title: Wmiprvse Wbemcomn DLL Hijack
+title: Wmiprvse Wbemcomn DLL Hijack - File
 id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
 status: test
 description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
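Review bot: Neither this rule nor its image_load counterpart `image_load_side_load_comctl32.yml` (id 6360757a-d460-456c-8b13-74cf0e60cceb, same authors, same references, same five binaries) declares a `related:` entry pointing at the other, unlike the df6ecb8b / 6b98b92b pairing made elsewhere in this commit. Add `related:` / `- id: 6360757a-d460-456c-8b13-74cf0e60cceb` / `type: similar` here and the reciprocal entry in the image_load rule. The hard-coded five-entry `TargetFilename|startswith` list also means a `.exe.local` folder created for any other System32 executable goes unnoticed; if the list is deliberately limited to what the DirCreate2System reference covers, a one-line comment saying so would help maintainers extend it consistently.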
@@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml index d7c7b4b0c..5f9316e43 100644 --- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml @@ -30,8 +30,7 @@ detection: - '\AppData\Local\Microsoft\OneDrive\OneDrive.exe' - '\msedgewebview2.exe' - '\OneDrive.exe' - - Image|startswith: - - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' + - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image: null condition: selection_dll and not filter_legit falsepositives: diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml index 198a753af..6b1b71242 100644 --- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml @@ -1,4 +1,4 @@ -title: Alternate PowerShell Hosts +title: Alternate PowerShell Hosts - Image id: fe6e002f-f244-4278-9263-20e4b593827f status: experimental description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 -modified: 2022/11/22 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml b/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 000000000..40dc3a5b3
--- /dev/null
+++ b/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,29 @@
+title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
+id: f354eba5-623b-450f-b073-0b5b2773b6aa
+related:
+ - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
+ type: obsoletes
+ - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
+ type: similar
+status: test
+description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
+references:
+ - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+date: 2020/10/12
+modified: 2022/12/18
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1021.003
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Image|endswith: '\Internet Explorer\iexplore.exe'
+ ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
index eaf808b22..8c0ca56f2 100644
--- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
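Review bot: The rule gives no hint why iexplore.exe loading `iertutil.dll` from its own `\Internet Explorer\` folder is anomalous, so a reader of `ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'` may dismiss the selection as Internet Explorer loading its own library and question the `critical` level. Presumably the legitimate copy lives under System32 and a copy in the application folder is the planted one — confirm against the referenced notebook — and that rationale should be stated in the rule, e.g. a comment above the ImageLoaded line: `# iertutil.dll is not expected in the Internet Explorer folder; a load from there indicates a planted copy`. The file_event sibling (2f7979ae-f82b-45af-ac1d-2b10e93b0baa) would benefit from the same sentence.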
@@ -1,12 +1,12 @@ title: FoggyWeb Backdoor DLL Loading id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c status: test -description: Detects DLL image load activity as used by FoggyWeb backdoor loader +description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Florian Roth date: 2021/09/27 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.resource_development - attack.t1587 @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: C:\Windows\ADFS\version.dll + ImageLoaded: 'C:\Windows\ADFS\version.dll' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml index 7b8c90b68..f26a922ae 100644 --- a/rules/windows/image_load/image_load_pingback_backdoor.yml +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - Image id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/08/14 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml new file mode 100644 index 000000000..04b3c3755 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml 
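Review bot: The new description is split into a sentence fragment (`... FoggyWeb backdoor. Which loads a malicious version ...`); suggest `Detects the DLL hijacking technique used by NOBELIUM in the FoggyWeb backdoor, which loads a malicious version of the expected "version.dll"`. Changing `Image` to `ImageLoaded` is the right field for an image_load rule; since the selection is an exact path match with no signature filter, a comment such as `# No version.dll is expected under C:\Windows\ADFS\; any load from there is suspicious` would make the absence of a filter look intentional — presumably that is the reasoning, confirm against the Microsoft reference.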
@@ -0,0 +1,27 @@
+title: Potential DLL Sideloading Via ClassicExplorer32.dll
+id: caa02837-f659-466f-bca6-48bde2826ab4
+status: experimental
+description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
+references:
+ - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
+ - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
+author: frack113
+date: 2022/12/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_classicexplorer:
+ ImageLoaded|endswith: '\ClassicExplorer32.dll'
+ filter_classicexplorer:
+ ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
+ condition: selection_classicexplorer and not filter_classicexplorer
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
new file mode 100644
index 000000000..39a6d77ca
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_comctl32.yml
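Review bot: `filter_classicexplorer` excludes only `C:\Program Files\Classic Shell\`; the `32` in ClassicExplorer32.dll suggests a 32-bit component, and if the installer places it under `C:\Program Files (x86)\Classic Shell\` on 64-bit hosts every legitimate load would alert at medium — confirm with the any.run reference. If so, make the filter a list: `ImageLoaded|startswith:` / `- 'C:\Program Files\Classic Shell\'` / `- 'C:\Program Files (x86)\Classic Shell\'`. A path-only exclusion relies on Program Files being non-writable by standard users, which is the default; a one-line comment noting that assumption would help readers judge it.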
@@ -0,0 +1,32 @@
+title: Potential DLL Sideloading Via comctl32.dll
+id: 6360757a-d460-456c-8b13-74cf0e60cceb
+status: experimental
+description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
+references:
+ - https://github.com/binderlabs/DirCreate2System
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
+author: Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)
+date: 2022/12/16
+modified: 2022/12/19
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\logonUI.exe.local\'
+ - 'C:\Windows\System32\werFault.exe.local\'
+ - 'C:\Windows\System32\consent.exe.local\'
+ - 'C:\Windows\System32\narrator.exe.local\'
+ - 'C:\windows\system32\wermgr.exe.local\'
+ ImageLoaded|endswith: '\comctl32.dll'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 7df5528b4..342b35fc7 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
 date: 2022/08/14
-modified: 2022/10/25
+modified: 2022/12/09
 tags:
 - attack.defense_evasion
 - attack.persistence
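Review bot: The last `ImageLoaded|startswith` entry is written `'C:\windows\system32\wermgr.exe.local\'` while the four above use `C:\Windows\System32\`; Sigma string matching is case-insensitive so behaviour is unaffected, but it breaks the visual pattern and the file_event sibling (07a99744-56ac-40d2-97b7-2095967b0e03) spells it mixed-case — align it to `'C:\Windows\System32\wermgr.exe.local\'`. `falsepositives: Unlikely` here versus `Unknown` in that sibling describes the same technique two ways; pick one. The author string also differs between the two files (`Subhash P` vs `Subhash Popuri`), which is worth harmonising while the pair is being added.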
@@ -433,6 +433,13 @@ detection: - '\igd10iumd64.dll' - '\igd12umd64.dll' - '\igdusc64.dll' + # Other + - '\WLBSCTRL.dll' + - '\TSMSISrv.dll' + - '\TSVIPSrv.dll' + - '\wow64log.dll' + - '\WptsExtensions.dll' + - '\wbemcomn.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml new file mode 100644 index 000000000..43ef42e0b --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml @@ -0,0 +1,27 @@ +title: Potential DLL Sideloading Via JsSchHlp +id: 68654bf0-4412-43d5-bfe8-5eaa393cd939 +status: experimental +description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor +references: + - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ + - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp +author: frack113 +date: 2022/12/14 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\JSESPR.dll' + filter: + ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\' + condition: selection and not filter +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml new file mode 100644 index 000000000..619f4fdf7 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml 
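Review bot: In `image_load_side_load_jsschhlp.yml` the `filter` accepts only `C:\Program Files\Common Files\Justsystem\JsSchHlp\`; the windowexe reference path (`jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp`) suggests a 32-bit helper, so on 64-bit installations it may reside under `C:\Program Files (x86)\Common Files\Justsystem\JsSchHlp\` and every legitimate load would fire — confirm with the WeLiveSecurity report, and if so turn the filter value into a two-entry list. The description should also name what is expected to load the library, e.g. `Detects potential DLL sideloading of JSESPR.dll via the JsSchHlp helper shipped with the JUSTSYSTEMS Japanese word processor`, since `JSESPR.dll` appears only in the selection. The `# Other` additions to `image_load_side_load_from_non_system_location.yml` overlap the DLL list of the new rule 6b98b92b-4f00-4f62-b4fe-4d1920215771; a cross-reference comment there would tell maintainers which rule is authoritative for that set.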
@@ -0,0 +1,43 @@
+title: Sideloading Of Non-Existent DLLs From System Folders
+id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+related:
+ - id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+ type: similar
+status: experimental
+description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+ - https://github.com/Wh04m1001/SysmonEoP
+ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+ - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ # Add other DLLs
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ - 'C:\Windows\System32\wow64log.dll'
+ - 'C:\Windows\System32\WptsExtensions.dll'
+ - 'C:\Windows\System32\wbem\wbemcomn.dll'
+ filter_ms_signed:
+ Signed: 'true'
+ # There could be other signatures (please add when found)
+ Signature: 'Microsoft Windows'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_scm.yml b/rules/windows/image_load/image_load_side_load_scm.yml
new file mode 100644
index 000000000..fd244a0c5
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_scm.yml
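Review bot: `ImageLoaded|endswith:` is paired with absolute paths (`'C:\Windows\System32\WLBSCTRL.dll'` and the rest), which turns the endswith modifier into an exact match and pins the drive letter; either drop the modifier (`ImageLoaded:`) or drop the `C:` prefix (`'\Windows\System32\WLBSCTRL.dll'`) so hosts with a different system drive are covered. The `# Add other DLLs` comment would be more useful if it stated the inclusion criterion, e.g. `# DLLs absent on a default install but probed from System32 by privileged processes`, so contributors do not add libraries that legitimately exist. `Usualy` in the description should be `Usually`.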
@@ -0,0 +1,29 @@
+title: SCM DLL Sideload
+id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
+status: experimental
+description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: Nasreddine Bencherchali
+date: 2022/12/01
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded:
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ Image: 'C:\Windows\System32\svchost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
new file mode 100644
index 000000000..952edea99
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
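Review bot: Unlike the sibling rule 6b98b92b-4f00-4f62-b4fe-4d1920215771, which covers the same three DLLs plus more, this rule has no signature filter, so a host where one of these libraries legitimately exists (WLBSCTRL.dll ships with the Network Load Balancing feature, if I recall correctly — confirm) would alert on every svchost load; consider adding the same `Signed: 'true'` + `Signature: 'Microsoft Windows'` filter, or at least a `related:` entry with `type: similar` to 6b98b92b explaining why the two rules coexist. The description should read `which do not exist on a typical modern system`.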
@@ -0,0 +1,29 @@
+title: VMGuestLib DLL Sideload
+id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff
+status: experimental
+description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+author: Nasreddine Bencherchali
+date: 2022/12/01
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|contains|all:
+ - '\VMware\VMware Tools\vmStatsProvider\win32'
+ - '\vmGuestLib.dll'
+ Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe'
+ filter:
+ Signed: 'true'
+ condition: selection and not filter
+falsepositives:
+ - FP could occure if the legitimate version of vmGuestLib already exists on the system
+level: medium
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index bc7467c9c..5d2a23294 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
@@ -11,7 +11,7 @@ references:
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 author: Perez Diego (@darkquassar), oscd.community, Ecco
 date: 2019/10/27
-modified: 2022/09/15
+modified: 2022/12/09
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -50,7 +50,7 @@ detection:
 ImageLoaded|endswith:
 - '\dbghelp.dll'
 - '\dbgcore.dll'
- Signed: 'FALSE'
+ Signed: 'false'
 filter1:
 - Image|contains: 'Visual Studio'
 - CommandLine|contains:
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index 38f4572c2..fc2acbb2e 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
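Review bot: The `filter` on `Signed: 'true'` alone exempts a DLL carrying any valid signature, not specifically VMware's, so a sideloaded `vmGuestLib.dll` signed with an unrelated certificate is silently dropped from the rule; pin the expected publisher through the `Signature` field (take the exact signer string from a legitimate load on a VMware Tools host) the way `filter_ms_signed` in `image_load_side_load_non_existent_dlls.yml` does, or at least comment that the filter is deliberately coarse. `occure` in falsepositives should be `occur`.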
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali date: 2022/07/17 -modified: 2022/10/12 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070 @@ -28,6 +28,12 @@ detection: - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - Image: + - 'C:\Windows\SysWOW64\rundll32.exe' # Typical for installers and updaters + - 'C:\Windows\System32\rundll32.exe' # Typical for installers and updaters + - CommandLine|contains|all: + - '\AppData\Local\Temp\' # Typical for installers and updaters + - '\setup.exe' filter_cleanmgr: # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: # Sometimes the DLL gets loaded from %temp% diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index d707c3081..4a169cff3 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -18,8 +18,7 @@ detection: selection: Description: 'Python Core' filter_generic: - - Image|contains: - - 'Python' # FPs with python38.dll, python.exe etc. + - Image|contains: 'Python' # FPs with python38.dll, python.exe etc. - Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml index 94cbfed76..c3914694b 100644 --- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml @@ -6,6 +6,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2022/10/31 +modified: 2022/12/14 tags: - attack.defense_evasion - attack.impact 
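Review bot: The new `- Image:` list item (`'C:\Windows\SysWOW64\rundll32.exe'`, `'C:\Windows\System32\rundll32.exe'`) is a standalone entry in a list-of-maps filter, and list entries are OR'ed in Sigma, so every image load by rundll32.exe is excluded from the rule regardless of where the DLL comes from — a larger cut in coverage than the `# Typical for installers and updaters` comment suggests; the filter's head is outside the hunk, so confirm it is indeed a plain list of alternatives. If the goal is installer noise, tie the image to the loaded path inside one map so both must hold, e.g. `- Image|endswith: '\rundll32.exe'` followed on the next lines by `ImageLoaded|contains: '\AppData\Local\Temp\'`. The separate `- CommandLine|contains|all:` entry has the same shape and the same concern: any system process whose command line mentions `\AppData\Local\Temp\` and `\setup.exe` is exempted for every DLL it loads.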
@@ -23,6 +24,13 @@ detection: - 'C:\Windows\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' + # The following filter is required because of many FPs cause by : + # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe + # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe + # etc. + - 'C:\ProgramData\Package Cache\' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml index 86f8dca1f..ee6c3c45f 100644 --- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml +++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml @@ -1,4 +1,4 @@ -title: SharpEvtMute EvtMuteHook Load +title: SharpEvtMute Imphash EvtMuteHook Load id: 49329257-089d-46e6-af37-4afce4290685 status: experimental description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs @@ -6,6 +6,7 @@ references: - https://github.com/bats3c/EvtMute author: Florian Roth date: 2022/09/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1562.002 diff --git a/rules/windows/image_load/image_load_tttracer_mod_load.yml b/rules/windows/image_load/image_load_tttracer_mod_load.yml index 43e405e1f..a6f3981b7 100644 --- a/rules/windows/image_load/image_load_tttracer_mod_load.yml +++ b/rules/windows/image_load/image_load_tttracer_mod_load.yml 
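Review bot: The new `- 'C:\ProgramData\Package Cache\'` entry exempts the whole prefix, and `C:\ProgramData` is a location standard users can normally create content under, so unless the `Package Cache` folder's ACL (set by whichever installer created it) is confirmed to block non-admin writes, anything staged beneath it inherits the exclusion; the list this entry joins is keyed outside the hunk, so which field the prefix applies to should be checked as well. The four example paths in the comment all follow the `Package Cache\{GUID}\<installer>.exe` shape, so a narrower filter that additionally requires `Signed: 'true'` on the loaded module, or limits the exemption to the named .NET bootstrappers, would cover the listed FPs without exempting the directory wholesale. Minor: `many FPs cause by` in the comment should read `many FPs caused by`.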
@@ -1,4 +1,4 @@ -title: Time Travel Debugging Utility Usage +title: Time Travel Debugging Utility Usage - Image id: e76c8240-d68f-4773-8880-5c6f63595aaf status: test description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. @@ -8,7 +8,7 @@ references: - https://twitter.com/oulusoyum/status/1191329746069655553 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/06 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.credential_access diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index 0a98c4d82..25641aa89 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml @@ -6,9 +6,10 @@ references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2018/08/30 -modified: 2022/08/09 +modified: 2022/12/02 tags: - attack.lateral_movement - attack.t1105 @@ -33,6 +34,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' Image|startswith: - 'C:\Windows\' - 'C:\Users\Public\' diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml index b52f0ede2..a0af40626 100755 --- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml +++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml 
@@ -13,7 +13,6 @@ tags: logsource: category: network_connection product: windows - definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: selection: Initiated: 'true' diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml index a031d7218..d2e43c75c 100755 --- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml @@ -22,10 +22,8 @@ detection: Initiated: 'true' SourcePort: 3389 selection2: - - DestinationIp|startswith: - - '127.' - - DestinationIp: - - '::1' + - DestinationIp|startswith: '127.' + - DestinationIp: '::1' condition: selection and selection2 falsepositives: - Unknown diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml index 72440a3e0..bfeb4b580 100755 --- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml @@ -43,8 +43,7 @@ detection: - '51.103.' # Microsoft range, caused some FPs - '51.104.' # Microsoft range, caused some FPs - '51.105.' # Microsoft range, caused some FPs - - CommandLine|contains: - - 'PcaSvc.dll,PcaPatchSdbTask' + - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask' filter_update_processes: ParentImage: 'C:\Windows\System32\svchost.exe' RemoteAddress|endswith: ':443' diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 0c1c0c605..06c238c9f 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml 
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml @@ -27,10 +27,8 @@ detection: - '\Windows\Fonts\' - '\Windows\IME\' - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' + - Image|endswith: '\$Recycle.bin' + - Image|startswith: 'C:\Perflogs\' false_positive1: Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location condition: selection and not 1 of false_positive* diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index 772359d25..d0694ab32 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml @@ -8,7 +8,7 @@ references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2021/11/27 +modified: 2022/12/15 tags: - attack.defense_evasion - attack.t1218 @@ -18,7 +18,12 @@ logsource: detection: selection: Image|contains: wuauclt - condition: selection + # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer + filter_ms_range: # Sysmon + DestinationIp|startswith: '51.10' # Microsoft Range + filter_cmdline: + CommandLine|contains: '\UpdateDeploy.dll /ClassId ' + condition: selection and not 1 of filter* falsepositives: - Legitimate use of wuauclt.exe over the network. level: medium diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml index 3dcd47c86..079e16feb 100644 --- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml 
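Review bot: `DestinationIp|startswith: '51.10'` in `filter_ms_range` is a plain string prefix, so it also matches `51.10.x.x` and `51.100.x.x` through `51.109.x.x`, far more than the Microsoft range the comment claims; the rundll32 network rule in this same commit uses dotted prefixes (`'51.103.'`, `'51.104.'`, `'51.105.'`) for exactly that reason and this filter should take the same form. `filter_cmdline` is also weaker than it looks: `selection` only requires `Image|contains: wuauclt`, so any binary whose path contains that string and that carries `\UpdateDeploy.dll /ClassId ` on its own command line is exempted. Anchoring `Image` to the system locations shown in the comment (`\Windows\uus\` or `\Windows\System32\`) before the command-line exemption applies would close that gap.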
+++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml @@ -7,7 +7,7 @@ references: - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 author: Florian Roth date: 2021/07/30 -modified: 2022/10/09 +modified: 2022/12/03 tags: - attack.defense_evasion - attack.privilege_escalation @@ -23,7 +23,7 @@ detection: - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}' - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}' - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}' - - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}' + - PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}' - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}' - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}' diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml new file mode 100644 index 000000000..c19e56e38 --- /dev/null +++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml @@ -0,0 +1,31 @@ +title: Nslookup PowerShell Download Cradle +id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 +related: + - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 + type: similar +status: experimental +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records +references: + - https://twitter.com/Alh4zr3d/status/1566489367232651264 +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/10 +modified: 2022/12/19 +tags: + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: ps_classic_start + definition: fields have to be extract from event +detection: + selection: + HostApplication|contains|all: + - 'powershell' + - 'nslookup' + HostApplication|contains: + - '-q=txt' + - '-querytype=txt' + condition: selection +falsepositives: + - Unknown +level: medium 
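Review bot: The `HostApplication|contains` list in the new Nslookup rule matches `-q=txt` and `-querytype=txt` but not `-type=txt`, which Windows nslookup accepts as the same option, so coverage depends on which spelling was used; add `- '-type=txt'` to the list. Sigma string matching is case-insensitive by default, so upper-case `TXT` variants are already covered by the existing entries. Minor wording in `logsource.definition`: `fields have to be extract from event` should read `fields have to be extracted from the event`.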
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index 79c370e09..d93797ba2 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml @@ -21,6 +21,7 @@ detection: selection: HostApplication|contains: '*' filter: + # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs - HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1' condition: selection and not filter diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml index 9ce7332e3..8c46b03d4 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml @@ -1,4 +1,4 @@ -title: PowerShell Downgrade Attack +title: PowerShell Downgrade Attack - PowerShell id: 6331d09b-4785-4c13-980f-f96661356249 status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 @@ -6,7 +6,7 @@ references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) date: 2017/03/22 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.execution diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml index d81b9e4e6..6a079219a 100644 
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml @@ -1,4 +1,4 @@ -title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell id: f65e22f9-819e-4f96-9c7b-498364ae7a25 related: - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 @@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 author: frack113 date: 2021/07/13 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml index 78d439ab8..394ae9e8a 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml @@ -1,4 +1,4 @@ -title: Zip A Folder With PowerShell For Staging In Temp +title: Zip A Folder With PowerShell For Staging In Temp - PowerShell id: 71ff406e-b633-4989-96ec-bc49d825a412 related: - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md author: frack113 date: 2021/07/20 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml index ccb752a5d..77839f775 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml 
@@ -1,4 +1,4 @@ -title: Suspicious XOR Encoded PowerShell Command Line +title: Suspicious XOR Encoded PowerShell Command Line - PowerShell id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 status: experimental description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 author: Teymur Kheirkhabarov, Harish Segar (rule) date: 2020/06/29 -modified: 2022/07/07 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 7f7928774..f5681b205 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -1,4 +1,4 @@ -title: Alternate PowerShell Hosts +title: Alternate PowerShell Hosts - PowerShell Module id: 64e8e417-c19a-475a-8d19-98ea705394cc status: test description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/11 -modified: 2022/10/10 +modified: 2022/12/13 tags: - attack.execution - attack.t1059.001 @@ -17,7 +17,7 @@ logsource: detection: selection: ContextInfo|contains: '*' - filter: + filter_powershell: # This filter covers the following use cases # - When powershell is called directly from commandline via keyword powershell or powershell.exe # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell 
@@ -28,8 +28,8 @@ detection: # In some cases powershell was invoked with inverted slashes - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell' - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' - # When MSDT is launched - - '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding ' + filter_sdiagnhost: + ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example filter_citrix: ContextInfo|contains: 'ConfigSyncRun.exe' filter_adace: # Active Directory Administrative Center Enhancements @@ -40,7 +40,7 @@ detection: Payload|contains: - 'Update-Help' - 'Failed to update Help for the module' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 08affa1ba..95535ca0b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml @@ -1,4 +1,4 @@ -title: Clear PowerShell History +title: Clear PowerShell History - PowerShell Module id: f99276ad-d122-4989-a09a-d00904a5f9d2 related: - id: dfba4ce1-e0ea-495f-986e-97140f31af2d @@ -9,7 +9,7 @@ references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 -modified: 2022/05/10 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070.003 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 53ca1e6a4..94e7993f4 100644 
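Review bot: The condition change from `1 of filter*` to `1 of filter_*` in the `@@ -40,7 +40,7 @@` hunk only keeps working if every filter selection carries the `filter_` prefix; the selection holding the `Update-Help` / `Failed to update Help for the module` payload filter is named outside the hunk, so it should be verified that it was renamed too, otherwise it silently drops out of the condition. The new `filter_sdiagnhost` also exempts the MSDT host entirely via `ContextInfo|contains`, and sdiagnhost.exe is itself a way to run PowerShell outside powershell.exe, which is the behaviour this rule exists to surface; if the FP it addresses is the troubleshooting packs, narrowing it with an additional `Payload|contains` term specific to them would keep that coverage. The trailing space after `-Embedding` that the old list entry carried was dropped, which slightly widens the match; a short comment noting whether that was intentional would help the next maintainer.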
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index 7c6480e6a..a121dcb1a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation STDIN+ Launcher +title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 related: - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"' condition: selection_4103 falsepositives: - Unknown 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 1c4f947d8..15597a1fd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR+ Launcher +title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e related: - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml index efece32de..c7c18db6b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 related: - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 
@@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index 1b3a08617..e09c50f8b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module id: a23791fe-8846-485a-b16b-ca691e1b03d4 related: - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index 264ebea41..b1a887eba 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - PowerShell Module id: c72aca44-8d52-45ad-8f81-f96c4d3c755e related: - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
@@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml index 2f9dc757e..755309d8f 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - PowerShell Module id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd related: - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 26d7188af..8b68e2411 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - id: e55a5195-4724-480e-a77e-3ebe64bd3759 
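Review bot: The rewritten regex `(environment|invoke|\$?\{?input)` makes the `$` optional where the original `\${?input` required it, so the bare word `input` now satisfies the alternation and any payload with two `set`s, `&&` and the word `input` matches; that is a broadening, not only an escaping cleanup. If the intent was only to escape the brace correctly, `\$\{?input` preserves the original semantics; if the widening is deliberate, the `falsepositives` entry below (`- Unknown`) should say so. The selection's `Payload|re` is the only detection term inside this hunk.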
@@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index a9fa7122f..6689266a0 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a related: - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index e76e8230b..fe9edfa52 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 related: - id: e54f5149-6ba3-49cf-b153-070d24679126 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 
@@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index d0e211da3..c2c8b233a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml @@ -1,4 +1,4 @@ -title: Netcat The Powershell Version +title: Netcat The Powershell Version - PowerShell Module id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md author: frack113 date: 2021/07/21 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.command_and_control - attack.t1095 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index d7bd34858..6e59a9f24 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml 
@@ -1,4 +1,4 @@ -title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module id: 38a7625e-b2cb-485d-b83d-aff137d859f4 status: experimental description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 author: frack113 date: 2021/07/13 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 5f36c7b73..0f8d9c8af 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Download +title: Suspicious PowerShell Download - PowerShell Module id: de41232e-12e8-49fa-86bc-c05c7e722df9 related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell download command author: Florian Roth date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index 0be65ca51..c5ffd17ef 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
@@ -1,4 +1,4 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection - PowerShell Module id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 date: 2021/12/10 +modified: 2022/12/02 tags: - attack.discovery - attack.t1049 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 58ab9a87c..e37c54b48 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Invocations - Generic +title: Suspicious PowerShell Invocations - Generic - PowerShell Module id: bbb80e91-5746-4fbe-8898-122e2cafdbf4 related: - id: 3d304fda-78aa-43ed-975c-d740798a49c1 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/12/02 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index 0a8f13c05..8c224599e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml 
@@ -1,4 +1,4 @@ -title: Suspicious PowerShell Invocations - Specific +title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 -modified: 2022/02/21 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index fed54bbf6..76ec86dc2 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml @@ -1,4 +1,4 @@ -title: Suspicious Get Information for SMB Share +title: Suspicious Get Information for SMB Share - PowerShell Module id: 6942bd25-5970-40ab-af49-944247103358 status: experimental description: | @@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md author: frack113 date: 2021/12/15 +modified: 2022/12/02 tags: - attack.discovery - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml index 1cd4292c4..0579a4f7a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml @@ -1,4 +1,4 @@ -title: Zip A Folder With PowerShell For Staging In Temp +title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module id: daf7eb81-35fd-410d-9d7a-657837e602bb related: - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 
@@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md author: frack113 date: 2021/07/20 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index ec7d8c72a..ed0d1c132 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -1,4 +1,4 @@ -title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a related: - id: fde7929d-8beb-4a4c-b922-be9974671667 @@ -11,7 +11,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml new file mode 100644 index 000000000..c922fce07 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml 
@@ -0,0 +1,51 @@
+title: AADInternals PowerShell Cmdlets Execution - PsScript
+id: 91e69562-2426-42ce-a647-711b8152ced6
+related:
+ - id: c86500e9-a645-4680-98d7-f882c70c1ea3
+ type: similar
+status: experimental
+description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
+references:
+ - https://o365blog.com/aadinternals/
+ - https://github.com/Gerenios/AADInternals
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update)
+date: 2022/12/23
+tags:
+ - attack.execution
+ - attack.reconnaissance
+ - attack.discovery
+ - attack.credential_access
+ - attack.impact
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script Block Logging must be enable
+detection:
+ selection:
+ ScriptBlockText|contains:
+ # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above
+ - 'Add-AADInt'
+ - 'ConvertTo-AADInt'
+ - 'Disable-AADInt'
+ - 'Enable-AADInt'
+ - 'Export-AADInt'
+ - 'Get-AADInt'
+ - 'Grant-AADInt'
+ - 'Install-AADInt'
+ - 'Invoke-AADInt'
+ - 'Join-AADInt'
+ - 'New-AADInt'
+ - 'Open-AADInt'
+ - 'Read-AADInt'
+ - 'Register-AADInt'
+ - 'Remove-AADInt'
+ - 'Restore-AADInt'
+ - 'Search-AADInt'
+ - 'Send-AADInt'
+ - 'Set-AADInt'
+ - 'Start-AADInt'
+ - 'Update-AADInt'
+ condition: selection
+falsepositives:
+ - Legitimate use of the library for administrative activity
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index ccdb8e75d..a745ebdc1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
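Review bot: The new rule's text carries typos that every backend will copy verbatim: `description:` says "ADDInternals" where the tool is AADInternals, `definition: Script Block Logging must be enable` should read `must be enabled`, and the inline comment's "complet" should be "complete". That same comment claims only the `-AADInt` portion is used, yet the list keys on full `Verb-AADInt` prefixes; reword it to `# Each entry is a Verb-AADInt prefix; the cmdlet suffix is omitted so one entry covers every cmdlet of that verb` so a later maintainer does not collapse the list to a bare `-AADInt` and broaden the match. The description typo is repeated in the process_creation sibling rule added later in this diff (the `-0,0 +1,57` hunk).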
@@ -3,6 +3,8 @@ id: fc028194-969d-4122-8abe-0470d5b8f12f related: - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d type: obsoletes + - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b + type: similar status: experimental description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index 6793baf4e..12f875418 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml @@ -1,4 +1,4 @@ -title: Clear PowerShell History +title: Clear PowerShell History - PowerShell id: 26b692dc-1722-49b2-b496-a8258aa6371d related: - id: dfba4ce1-e0ea-495f-986e-97140f31af2d @@ -9,7 +9,7 @@ references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2022/01/25 -modified: 2022/05/10 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml new file mode 100644 index 000000000..6199b3064 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml 
@@ -0,0 +1,25 @@
+title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
+id: df69cb1d-b891-4cd9-90c7-d617d90100ce
+related:
+ - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
+ type: similar
+status: experimental
+description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
+author: frack113
+date: 2022/12/23
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'FromBase64String'
+ - 'MemoryStream'
+ - 'H4sI'
+ condition: selection
+falsepositives:
+ - Legitimate administrative script
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index fdc6069f9..91814308c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2022/11/27
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
 condition: selection_4104
 falsepositives:
 - Unknown
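Review bot: The `'H4sI'` token in the new `ScriptBlockText|contains|all` list is the one that makes this a gzip rule, and it is undocumented: it is the base64 encoding of the gzip header bytes 1f 8b 08, so add `# 'H4sI' = base64 of the gzip magic bytes 1f 8b 08` beside it before someone "cleans up" an odd-looking string. Because the three tokens only have to appear somewhere in the same script block, a long legitimate installer that inflates an embedded payload and elsewhere uses a MemoryStream will match; the `Legitimate administrative script` entry covers that, but naming decompression-based bootstrap scripts there would speed triage. The title suffix `- Ps Script` also differs from `- PsScript`, `- PS Script` and `- PowerShell Script` used for other rules in this same diff; picking one form keeps the rule set searchable.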
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 1b6852542..3d3d7da09 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation STDIN+ Launcher
+title: Invoke-Obfuscation STDIN+ Launcher - Powershell
 id: 779c8c12-0eb1-11eb-adc1-0242ac120002
 status: experimental
 description: Detects Obfuscated use of stdin to execute PowerShell
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/10/16
+modified: 2022/12/03
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 14acfefd5..95f709d0b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -1,4 +1,4 @@
-title: Invoke-Obfuscation VAR+ Launcher
+title: Invoke-Obfuscation VAR+ Launcher - PowerShell
 id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
 status: experimental
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
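Review bot: The rewritten `ScriptBlockText|re` pattern in the `-18,7 +18,7` hunk of posh_ps_invoke_obfuscation_stdin.yml changes semantics, not just escaping: `(?:\$\{?input\}?|noexit)` became `(?:\$?\{?input\}?|noexit)`, so the `$` sigil is now optional and any block containing `cmd` ... `powershell` ... the bare word `input` ... `"` matches. The other regex edits in this series only drop redundant `\/`, `\-` and `\"` escapes, so this widening looks unintentional; if `{input}` without the sigil is meant to be covered, say so with a trailing comment such as `# \$? so that $input, ${input} and {input} all match`, otherwise restore `\$`.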
@@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml index 5fcc15619..02dd3b05a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 status: experimental description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml index c6b949baf..919c8b687 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml 
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 status: experimental description: Detects Obfuscated Powershell via RUNDLL LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml index 43e172219..241fcc730 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - Powershell id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 status: experimental description: Detects Obfuscated Powershell via Stdin in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml index f5d1c7c90..bf7d82f0e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - Powershell id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 status: experimental description: Detects Obfuscated Powershell via use Clip.exe in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml index a92f74421..f65a26588 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - PowerShell id: e55a5195-4724-480e-a77e-3ebe64bd3759 status: experimental description: Detects Obfuscated Powershell via use MSHTA in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml index 5cde95d40..feb23733c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml 
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - PowerShell id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b status: experimental description: Detects Obfuscated Powershell via use Rundll32 in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 08d14edf4..0a2966fbf 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell id: e54f5149-6ba3-49cf-b153-070d24679126 status: experimental description: Detects Obfuscated Powershell via VAR++ LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index acb76e795..91ccf529d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -9,9 +9,11 @@ references:
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update)
+ - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
+ - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)
 date: 2017/03/05
-modified: 2022/10/28
+modified: 2022/12/04
 tags:
 - attack.execution
 - attack.t1059.001
@@ -128,13 +130,14 @@ detection:
 - 'Invoke-Farmer'
 - 'Invoke-Get-RBCD-Threaded'
 - 'Invoke-Gopher'
- - 'Invoke-Grouper2'
+ - 'Invoke-Grouper' # cover Invoke-GrouperX
 - 'Invoke-HandleKatz'
 - 'Invoke-Internalmonologue'
- - 'Invoke-KrbRelayUp'
+ - 'Invoke-KrbRelay'
 - 'Invoke-LdapSignCheck'
 - 'Invoke-Lockless'
 - 'Invoke-MITM6'
+ - 'Invoke-MalSCCM'
 - 'Invoke-NanoDump'
 - 'Invoke-OxidResolver'
 - 'Invoke-P0wnedshell'
@@ -144,6 +147,7 @@ detection:
 - 'Invoke-SafetyKatz'
 - 'Invoke-SauronEye'
 - 'Invoke-Seatbelt'
+ - 'Invoke-ShadowSpray'
 - 'Invoke-SharPersist'
 - 'Invoke-SharpAllowedToAct'
 - 'Invoke-SharpBlock'
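Review bot: `'Invoke-KrbRelayUp'` is shortened to `'Invoke-KrbRelay'` in the `-128,13 +130,14` hunk without the explanatory comment that the neighbouring `'Invoke-Grouper'` line gets; add `# cover Invoke-KrbRelayUp` so the broadened prefix reads as deliberate rather than as a truncated name. The detection list this hunk edits starts and ends outside the hunk.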
@@ -157,7 +161,6 @@ detection:
 - 'Invoke-SharpGPOAbuse'
 - 'Invoke-SharpHandler'
 - 'Invoke-SharpHide'
- - 'Invoke-SharpHound4'
 - 'Invoke-SharpImpersonation'
 - 'Invoke-SharpImpersonationNoSpace'
 - 'Invoke-SharpKatz'
@@ -167,6 +170,7 @@ detection:
 - 'Invoke-SharpPrintNightmare'
 - 'Invoke-SharpPrinter'
 - 'Invoke-SharpRDP'
+ - 'Invoke-SharpSCCM'
 - 'Invoke-SharpSSDP'
 - 'Invoke-SharpSecDump'
 - 'Invoke-SharpSniper'
@@ -174,9 +178,9 @@ detection:
 - 'Invoke-SharpSpray'
 - 'Invoke-SharpStay'
 - 'Invoke-SharpUp'
+ - 'Invoke-SharpWSUS'
 - 'Invoke-SharpWatson'
- - 'Invoke-Sharphound2'
- - 'Invoke-Sharphound3'
+ - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
 - 'Invoke-Sharplocker'
 - 'Invoke-Sharpshares'
 - 'Invoke-Sharpview'
@@ -185,6 +189,7 @@ detection:
 - 'Invoke-Spoolsample'
 - 'Invoke-StandIn'
 - 'Invoke-StickyNotesExtract'
+ - 'Invoke-TotalExec'
 - 'Invoke-Thunderfox'
 - 'Invoke-Tokenvator'
 - 'Invoke-UrbanBishop'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 7340abc67..269775a91 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -1,4 +1,4 @@
-title: Root Certificate Installed
+title: Root Certificate Installed - PowerShell
 id: 42821614-9264-4761-acfc-5772c3286f76
 status: experimental
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020/10/10
-modified: 2021/12/04
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1553.004
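Review bot: The comment on the merged `'Invoke-Sharphound'` entry in the `-174,9 +178,9` hunk ends in a stray `,.` and omits `'Invoke-SharpHound4'`, which the `-157,7 +161,6` hunk on this same line deletes on the strength of that prefix; reword it to `# cover Invoke-SharpHound2, Invoke-SharpHound3 and Invoke-SharpHound4`. The merged entry is lower-case `Sharphound` while the removed entry was `SharpHound4`, so dropping the explicit entry only preserves coverage where the backend compiles `contains` case-insensitively — worth confirming for each target backend before relying on it. `'Invoke-TotalExec'` in the `-185,6 +189,7` hunk is inserted before `'Invoke-Thunderfox'` and `'Invoke-Tokenvator'`, breaking the alphabetical order the rest of the list keeps. The detection list starts and ends outside these hunks.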
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 48c6e97fe..3bbce1ac4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -1,4 +1,4 @@ -title: Change PowerShell Policies to an Insecure Level +title: Change PowerShell Policies to an Insecure Level - PowerShell id: 61d0475c-173f-4844-86f7-f3eebae1c66b status: experimental description: Detects use of Set-ExecutionPolicy to set insecure policies @@ -8,7 +8,7 @@ references: - https://adsecurity.org/?p=2604 author: frack113 date: 2021/10/20 -modified: 2022/09/10 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 @@ -25,8 +25,7 @@ detection: - 'bypass' - 'RemoteSigned' filter: - - ParentImage: - - 'C:\ProgramData\chocolatey\choco.exe' + - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' - ScriptBlockText|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml index 5e3bb6aec..1e7e08871 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml 
@@ -1,4 +1,4 @@ -title: Detected Windows Software Discovery +title: Detected Windows Software Discovery - PowerShell id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 status: experimental description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. @@ -7,7 +7,7 @@ references: - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 -modified: 2021/11/12 +modified: 2022/12/02 tags: - attack.discovery - attack.t1518 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index a216f6416..b8a2e0a53 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Download +title: Suspicious PowerShell Download - Powershell Script id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell download command author: Florian Roth date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index c3c9de7a3..863835803 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml 
@@ -1,4 +1,4 @@ -title: Delete Volume Shadow Copies via WMI with PowerShell +title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script id: e17121b4-ef2a-4418-8a59-12fb1631fa9e status: test description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 date: 2021/12/26 +modified: 2022/12/02 tags: - attack.impact - attack.t1490 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml index 97e19d2b6..5e1e90771 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml @@ -1,4 +1,4 @@ -title: Deletion of Volume Shadow Copies via WMI with PowerShell +title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script id: c1337eb8-921a-4b59-855b-4ba188ddcc42 related: - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e @@ -12,6 +12,7 @@ references: - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html author: Tim Rauch date: 2022/09/20 +modified: 2022/12/02 tags: - attack.impact - attack.t1490 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml index e8f63ef62..5c4423415 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml 
@@ -1,4 +1,4 @@
-title: Zip A Folder With PowerShell For Staging In Temp
+title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
 id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
new file mode 100644
index 000000000..223b3637b
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -0,0 +1,26 @@
+title: Suspicious X509Enrollment - Ps Script
+id: 504d63cb-0dba-4d02-8531-e72981aace2c
+related:
+ - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
+ type: similar
+status: experimental
+description: Detect use of X509Enrollment
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
+ - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
+author: frack113
+date: 2022/12/23
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - 'X509Enrollment.CBinaryConverter'
+ - '884e2002-217d-11da-b2a4-000e7bbb2b09'
+ condition: selection
+falsepositives:
+ - Legitimate administrative script
+level: medium
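Review bot: `description: Detect use of X509Enrollment` in the new posh_ps_x509enrollment.yml says nothing about why the two strings are worth an alert, and the second one, `'884e2002-217d-11da-b2a4-000e7bbb2b09'`, is a bare GUID with no comment, so a reader cannot tell whether it belongs to the `X509Enrollment.CBinaryConverter` ProgID above it or to something unrelated. Add a comment such as `# GUID presumably used to reach the same COM class by CLSID instead of ProgID — confirm against the linked references` and expand the description to state what capability the class gives a script (the linked slides appear to be the source for that), so that `level: medium` and the `Legitimate administrative script` false-positive entry can be judged. The third reference is an HPC SDK class page; if a general Windows CertEnroll reference for the class exists it would be the more durable citation.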
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 68cdb7742..819c68f88 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -9,7 +9,7 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2022/11/13
+modified: 2022/12/05
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -69,7 +69,9 @@ detection:
 SourceImage|endswith: '\vmtoolsd.exe'
 filter6:
 SourceImage: 'C:\WINDOWS\system32\svchost.exe'
- GrantedAccess: '0x100000'
+ GrantedAccess:
+ - '0x100000'
+ - '0x1410'
 filter7:
 SourceImage:
 - 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
similarity index 85%
rename from rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
rename to rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
index 5c5bb41df..d0d078105 100644
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
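Review bot: `filter6` in the `-69,7 +69,9` hunk now also exempts `svchost.exe` opening lsass with `GrantedAccess` `0x1410`, and unlike the existing `0x100000` (SYNCHRONIZE) that mask includes PROCESS_VM_READ (0x0010) alongside the two query rights, so this is no longer a query-only exception but an accepted blind spot for memory reads from any service host. A comment recording which service produces it, e.g. `# 0x1410 = QUERY_INFORMATION|VM_READ|QUERY_LIMITED_INFORMATION, observed from <service name — TODO confirm>`, would let a later reviewer judge whether the exemption is still needed. The filter keys only on the full svchost path, not on the hosting service or the call stack, so code running inside any system32 svchost inherits it; narrowing by `CallTrace` in the way the shellcode-injection rule later in this diff does would keep the hole smaller. The enclosing `detection` block starts outside the hunk.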
@@ -1,10 +1,10 @@
-title: Shellcode Injection
+title: Potential Shellcode Injection
 id: 250ae82f-736e-4844-a68b-0b5e8cc887da
 status: experimental
-description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
+description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/11/01
+modified: 2022/12/20
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -57,7 +57,12 @@ detection:
 SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
 SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
 TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
+ filter_wmiprvese:
+ SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
+ TargetImage: 'C:\Windows\system32\lsass.exe'
+ CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
+ CallTrace|contains: '\System.ni.dll+'
 condition: selection and not 1 of filter_*
 falsepositives:
- - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
+ - Unknown
 level: high
diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_susp_seclogon.yml
similarity index 100%
rename from rules/windows/process_access/process_access_win_susp_seclogon.yml
rename to rules/windows/process_access/proc_access_win_susp_seclogon.yml
diff --git a/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml
new file mode 100644
index 000000000..67702b53f
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml
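Review bot: The new filter in the `-57,7 +57,12` hunk is named `filter_wmiprvese` although the binary it matches is `Wmiprvse.exe`; rename it `filter_wmiprvse` so the misspelling is not copied into other rules and the `1 of filter_*` condition reads cleanly. The exemption is broad for a rule that targets lsass: any WMI provider host with managed code on the stack (`\System.ni.dll+`) is dropped, and since the false-positives entry is replaced by `Unknown`, nothing records which legitimate provider produces this trace — add it as a comment on the filter (`# <product or provider — TODO confirm> hosts a .NET WMI provider that opens lsass`) or list it under falsepositives so the exclusion can be re-validated later. The `SourceImage` value spells the path `System32\Wbem\Wmiprvse.exe` while `filter7` of the lsass-access rule earlier in this diff uses `system32\wbem\wmiprvse.exe`; harmless on case-insensitive backends, but aligning them avoids surprises on case-sensitive ones. `selection` is defined outside the hunk.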
@@ -0,0 +1,30 @@
+title: Potential Credential Dumping Attempt Via PowerShell
+id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
+related:
+ - id: 3f07b9d1-2082-4c56-9277-613a621983cc
+ type: obsoletes
+ - id: fb656378-f909-47c1-8747-278bf09f4f4f
+ type: similar
+status: experimental
+description: Detects PowerShell processes requesting access to "lsass.exe"
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2022/12/18
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: process_access
+detection:
+ selection:
+ SourceImage|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ TargetImage|endswith: '\lsass.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml
new file mode 100644
index 000000000..69cd97c42
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml
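Review bot: The selection has no `GrantedAccess` constraint, so every handle a PowerShell process opens to lsass.exe fires at level high, including the low-privilege query opens that process enumeration (e.g. `Get-Process`) presumably performs, which will be noisy on administrator workstations. Pairing the selection with a `GrantedAccess` list that carries PROCESS_VM_READ (the sibling lsass rule in this diff already keys on that field), or at least documenting the enumeration case under `falsepositives` instead of `Unknown`, would make the level defensible.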
@@ -0,0 +1,57 @@
+title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
+id: c86500e9-a645-4680-98d7-f882c70c1ea3
+related:
+ - id: 91e69562-2426-42ce-a647-711b8152ced6
+ type: similar
+status: experimental
+description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
+references:
+ - https://o365blog.com/aadinternals/
+ - https://github.com/Gerenios/AADInternals
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update)
+date: 2022/12/23
+tags:
+ - attack.execution
+ - attack.reconnaissance
+ - attack.discovery
+ - attack.credential_access
+ - attack.impact
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'PowerShell.Exe'
+ - 'pwsh.dll'
+ selection_cli:
+ CommandLine|contains:
+ # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above
+ - 'Add-AADInt'
+ - 'ConvertTo-AADInt'
+ - 'Disable-AADInt'
+ - 'Enable-AADInt'
+ - 'Export-AADInt'
+ - 'Get-AADInt'
+ - 'Grant-AADInt'
+ - 'Install-AADInt'
+ - 'Invoke-AADInt'
+ - 'Join-AADInt'
+ - 'New-AADInt'
+ - 'Open-AADInt'
+ - 'Read-AADInt'
+ - 'Register-AADInt'
+ - 'Remove-AADInt'
+ - 'Restore-AADInt'
+ - 'Search-AADInt'
+ - 'Send-AADInt'
+ - 'Set-AADInt'
+ - 'Start-AADInt'
+ - 'Update-AADInt'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the library for administrative activity
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
index 0d9d237f6..35c8f10d2 100644
--- a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
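Review bot: The title carries a typo (`ProccessCreation`) and the description another (`ADDInternals`); since titles are what analysts search on, `AADInternals PowerShell Cmdlets Execution - ProcessCreation` and `Detects AADInternals Cmdlet execution.` are worth fixing before release, and the comment above the cmdlet list reads `complet` for `complete`. Matching on CommandLine only catches cmdlets typed on the command line; invocations from a script file or an interactive session will not appear here, which is presumably why the related rule 91e69562 exists, and a sentence in the description saying so would set expectations.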
+++ b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml @@ -1,31 +1,30 @@ -title: Abusing Windows Telemetry For Persistence +title: Potential Persistence Execution Via Microsoft Compatibility Appraiser id: f548a603-c9f2-4c89-b511-b089f7e94549 +related: + - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 + type: derived status: experimental -description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. +description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman date: 2020/09/29 -modified: 2022/02/21 +modified: 2022/12/19 tags: - - attack.defense_evasion - attack.persistence - - attack.t1112 - - attack.t1053 + - attack.t1053.005 logsource: product: windows category: process_creation detection: - selection: + selection_img: + Image|endswith: '\schtasks.exe' + OriginalFileName: 'schtasks.exe' + selection_cli: CommandLine|contains|all: - - 'schtasks' + - 'run ' - '\Application Experience\Microsoft Compatibility Appraiser' - condition: selection -fields: - - EventID - - CommandLine - - TargetObject - - Details + condition: all of selection_* falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index b7c40f826..bb2986d64 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml 
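Review bot: `selection_img` is written as a mapping, so `Image|endswith: '\schtasks.exe'` and `OriginalFileName: 'schtasks.exe'` must both match; the other rules in this commit (the AADInternals and osk/cmd rules, for instance) write these as a list so that either one suffices, which is what catches a renamed binary. Unless the AND is intended, the two lines should read `- Image|endswith: '\schtasks.exe'` and `- OriginalFileName: 'schtasks.exe'`. The new description is also split into a sentence fragment (`... via schtasks. In order to trigger ...`); `Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.` reads cleanly.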
+++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml @@ -20,8 +20,7 @@ detection: - 'localgroup' - 'admin' - '/add' - - CommandLine|contains: - - '\Win64.exe' + - CommandLine|contains: '\Win64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml index fa062bb0d..fea8a4164 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -1,4 +1,4 @@ -title: Lazarus Activity +title: Lazarus Activity Apr21 id: 4a12fa47-c735-4032-a214-6fab5b120670 status: test description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity @@ -6,7 +6,7 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ author: Bhabesh Raj date: 2021/04/20 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0032 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml index bf721ab56..cb8a67a3f 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml @@ -1,4 +1,4 @@ -title: Lazarus Activity +title: Lazarus Activity Dec20 id: 24c4d154-05a4-4b99-b57d-9b977472443a status: test description: Detects different process creation events as described in various threat reports on Lazarus group activity 
@@ -7,7 +7,7 @@ references: - https://www.hvs-consulting.de/lazarus-report/ author: Florian Roth date: 2020/12/23 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0032 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 5a05aff7b..b06bba960 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml @@ -1,4 +1,4 @@ -title: Turla Group Lateral Movement +title: Turla Group Lateral Movement id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f status: test description: Detects automated lateral movement by Turla group diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml index 86c0f3bf0..817a4cc14 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml @@ -1,4 +1,4 @@ -title: Turla Group Lateral Movement +title: Automated Turla Group Lateral Movement id: 75925535-ca97-4e0a-a850-00b5c00779dc status: test description: Detects automated lateral movement by Turla group @@ -6,7 +6,7 @@ references: - https://securelist.com/the-epic-turla-operation/65545/ author: Markus Neis date: 2017/11/07 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0010 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml index 69fc53568..3f2490a9c 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml 
@@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Florian Roth date: 2021/01/22 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.execution - attack.t1059.001 @@ -16,9 +16,9 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_1: CommandLine|contains: '7z.exe a -v500m -mx9 -r0 -p' - selection2: + selection_2: ParentCommandLine|contains|all: - 'wscript.exe' - '.vbs' @@ -26,11 +26,11 @@ detection: - 'rundll32.exe' - 'C:\Windows' - '.dll,Tk_' - selection3: + selection_3: ParentImage|endswith: '\rundll32.exe' ParentCommandLine|contains: 'C:\Windows' CommandLine|contains: 'cmd.exe /C ' - selection4: + selection_4: CommandLine|contains|all: - 'rundll32 c:\windows\' - '.dll ' @@ -41,7 +41,7 @@ detection: CommandLine: - ' ' - '' - condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) + condition: 1 of selection_* or ( specific1 and not filter1 ) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 78a3f092b..4b40ae44b 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -7,9 +7,10 @@ references: - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.persistence 
@@ -45,6 +46,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' condition: all of selection_* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml index c22ab4171..ed27eae69 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml @@ -6,9 +6,10 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.persistence @@ -47,7 +48,11 @@ detection: - 'https://7' - 'https://8' - 'https://9' - condition: all of selection_* + filter: + CommandLine|contains: + - 'https://7-' # For https://7-zip.org/ + - 'http://7-' + condition: all of selection_* and not filter fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index c465cbada..5d8e61ee1 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml 
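Review bot: The new `filter` in `proc_creation_win_bitsadmin_download_susp_ip.yml` excludes any URL beginning with `https://7-` or `http://7-`, not only 7-zip.org; the comment states the intent is 7-zip.org, so the exclusion is broader than its documented reason. Anchoring it on the host, `- '://7-zip.org/'`, keeps the filter to what the comment says and still covers both schemes. The first hunk on this line (added file-sharing domains) raises nothing.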
@@ -6,9 +6,10 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.persistence @@ -32,6 +33,8 @@ detection: - 'C:\Users\Public\' - '%public%' - '\Desktop\' + - 'C:\Temp' + - 'C:\Perflogs' condition: all of selection_* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index c2952164f..48f738718 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -6,6 +6,7 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 modified: 2022/11/11 diff --git a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml index b9641f1d0..67cb203bb 100644 --- a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml 
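Review bot: The two paths added to `proc_creation_win_bitsadmin_download_susp_targetfolder.yml`, `'C:\Temp'` and `'C:\Perflogs'`, lack the trailing backslash the neighbouring entries carry (`'C:\Users\Public\'`, `'\Desktop\'`), so they also match any folder whose name merely starts with those strings. `- 'C:\Temp\'` and `- 'C:\Perflogs\'` keep the list consistent; if the bare form is intended, a short comment saying so would stop the next editor from "fixing" it.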
@@ -5,9 +5,11 @@ description: Detects browsers starting with the remote debugging flags. Which is references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/ + - https://github.com/defaultnamehere/cookie_crimes/ + - https://github.com/wunderwuzzi23/firefox-cookiemonster author: pH-T, Nasreddine Bencherchali (update) date: 2022/07/27 -modified: 2022/10/12 +modified: 2022/12/23 tags: - attack.credential_access - attack.t1185 @@ -20,7 +22,7 @@ detection: CommandLine|contains: ' --remote-debugging-' selection_firefox: Image|endswith: '\firefox.exe' - CommandLine|contains: ' -start-debugger-server ' + CommandLine|contains: ' -start-debugger-server' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index 694b2775a..002083247 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu references: - https://github.com/jpillora/chisel/ - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ + - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ author: Florian Roth date: 2022/09/13 +modified: 2022/12/07 tags: - attack.command_and_control - attack.t1090.001 @@ -25,11 +27,11 @@ detection: - 'exe server ' selection_param2: CommandLine|contains: - - ' --socks5' - - ' --reverse' + - '-socks5' + - '-reverse' - ' r:' - ':127.0.0.1:' - - ' --tls-skip-verify ' + - '-tls-skip-verify ' - ':socks' condition: selection_img or all of selection_param* falsepositives: 
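Review bot: In `proc_creation_win_chisel_usage.yml` the rewritten `selection_param2` drops the leading space and one dash on `-socks5` and `-reverse` but keeps a trailing space on `'-tls-skip-verify '`, so that flag is missed when it is the last argument on the line; `- '-tls-skip-verify'` would be consistent with the two entries above it. Dropping the leading space also means `-reverse` may match inside longer tokens of unrelated tools, which is acceptable given `all of selection_param*` but worth a one-line comment. The Firefox `-start-debugger-server` change on this line looks correct.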
diff --git a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
new file mode 100644
index 000000000..2e9cc1673
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
@@ -0,0 +1,28 @@
+title: Potential Data Stealing Via Chromium Headless Debugging
+id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+status: experimental
+description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+references:
+ - https://github.com/defaultnamehere/cookie_crimes/
+ - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
+ - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
+ - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+ - attack.credential_access
+ - attack.t1185
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
+ - '--remote-debugging-'
+ - '--user-data-dir'
+ - '--headless'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
index f48f2fde9..b21d331a4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
@@ -21,5 +21,5 @@ detection:
 CommandLine|contains: '>'
 condition: all of selection_*
 falsepositives:
- - Unknown
+ - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
 level: low
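Review bot: The new chromium headless rule lists `falsepositives: - Unknown`, yet the three required strings (`--headless`, `--remote-debugging-`, `--user-data-dir`) are, as far as I can tell, the standard launch line of browser-automation frameworks such as Puppeteer or Playwright, so developer and CI hosts will trigger it at level high. Documenting that, e.g. `- Browser automation frameworks (Puppeteer, Playwright, Selenium) launching a headless browser with a temporary profile`, lets operators tune the rule instead of discarding it. The cmd_redirect hunk on this line is a falsepositives wording change only.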
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
new file mode 100644
index 000000000..61e631384
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
@@ -0,0 +1,47 @@
+title: Potential Browser Data Stealing
+id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
+related:
+ - id: fc028194-969d-4122-8abe-0470d5b8f12f
+ type: derived
+status: experimental
+description: |
+ Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+ Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+ Web browsers typically store the credentials in an encrypted format within a credential store.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+ - attack.credential_access
+ - attack.t1555.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmd:
+ - CommandLine|contains:
+ - 'copy-item'
+ - 'copy'
+ - 'cpi '
+ - ' cp '
+ - 'move'
+ - 'move-item'
+ - ' mi '
+ - ' mv '
+ - Image|endswith:
+ - '\xcopy.exe'
+ - '\robocopy.exe'
+ - OriginalFileName:
+ - 'XCOPY.EXE'
+ - 'robocopy.exe'
+ selection_path:
+ CommandLine|contains:
+ - '\Opera Software\Opera Stable\'
+ - '\Mozilla\Firefox\Profiles'
+ - '\Microsoft\Edge\User Data\'
+ - '\Google\Chrome\User Data\'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml
new file mode 100644
index 000000000..fe58e5519
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml
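Review bot: In `selection_cmd` the substring `'copy'` already matches `copy-item` and `'move'` already matches `move-item`, so the `'copy-item'` and `'move-item'` entries are redundant and can be dropped; `'copy'` and `'move'` also match inside unrelated words, which is tolerable only because `selection_path` is ANDed in. The comparison is on the raw command line, so a profile path passed through a variable or read from a script file will not be seen; a sentence in the description noting that limitation would help analysts read a miss correctly.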
@@ -0,0 +1,29 @@
+title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
+id: e9b61244-893f-427c-b287-3e708f321c6b
+status: experimental
+description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
+ - https://ss64.com/nt/mklink.html
+author: frack113
+date: 2022/12/11
+modified: 2022/12/20
+tags:
+ - attack.credential_access
+ - attack.t1546.008
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\cmd.exe'
+ - OriginalFileName: 'Cmd.Exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'mklink'
+ - '\osk.exe'
+ - '\cmd.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
index 1d03d645c..906bffd2f 100644
--- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
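Review bot: The tags pair `attack.t1546.008` with `attack.credential_access`, but T1546.008 (Event Triggered Execution: Accessibility Features) belongs to the Persistence and Privilege Escalation tactics, and the title itself says privilege escalation; the tactic tags should be `- attack.privilege_escalation` and `- attack.persistence`. Nothing in the selection touches credentials, so the credential_access tag would misroute the alert in a tactic-based triage view.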
@@ -1,7 +1,7 @@ -title: COMPlus_ETWEnabled Command Line Arguments +title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,9 +12,10 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1562 @@ -23,7 +24,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' + CommandLine|contains: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml index ba28010ce..c1feb1bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml +++ b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml 
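Review bot: Dropping the `=0` suffix means the selection now fires on any command line that merely mentions `COMPlus_ETWEnabled` or `COMPlus_ETWFlags`, including one that sets the variable to enable logging or a `set`/`echo` that only reads it, while `falsepositives` still says `Unlikely`. If the broadening is meant to catch quoting and spacing variants, the description should say so and the falsepositives entry should name the benign cases, e.g. `- Debugging or build scripts that set or inspect COMPlus_ETW* variables`. The second hunk on this line adds a reference only.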
@@ -1,11 +1,12 @@
-title: False Sysinternals Suite Tools
+title: Potential Binary Impersonating Sysinternals Tools
 id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
 status: experimental
-description: Rename as a legitimate Sysinternals Suite tool to evade detection
+description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
 date: 2021/12/20
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml
new file mode 100644
index 000000000..24390ceea
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml
@@ -0,0 +1,24 @@
+title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
+id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
+related:
+ - id: df69cb1d-b891-4cd9-90c7-d617d90100ce
+ type: similar
+status: experimental
+description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
+author: frack113
+date: 2022/12/23
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'FromBase64String'
+ - 'MemoryStream'
+ - 'H4sI'
+ condition: selection
+falsepositives:
+ - Legitimate administrative script
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
new file mode 100644
index 000000000..23a623135
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
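Review bot: The new `proc_creation_win_frombase64string_archive.yml` has no `tags:` block, unlike every other rule in this commit, so it will not surface in technique-based views; `tags:` with `- attack.defense_evasion` and `- attack.t1140` (Deobfuscate/Decode Files or Information) matches what the description says the rule detects. The `'H4sI'` token is the base64 encoding of the gzip magic bytes; a comment on that line, `# base64 of the gzip header 1f 8b 08`, would save the next reader a lookup. The sysinternals hunk on this line is a title and description wording change only.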
@@ -0,0 +1,32 @@
+title: Gpg4Win Decrypt Files From Suspicious Locations
+id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
+status: experimental
+description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI
+references:
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+author: Nasreddine Bencherchali, X__Junior
+date: 2022/11/30
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_metadata:
+ - Image|endswith: '\gpg2.exe'
+ - Product: 'GNU Privacy Guard (GnuPG)'
+ - Company: 'g10 Code GmbH'
+ selection_cli:
+ CommandLine|contains: '-passphrase'
+ selection_paths:
+ CommandLine|contains:
+ - '\AppData\Roaming\'
+ - 'C:\Perflogs\'
+ - 'C:\Windows\Temp\'
+ - 'C:\temp'
+ #- ''
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 564767cb2..78a67801a 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -4,8 +4,11 @@ status: experimental
 description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
-author: Tim Rauch
-date: 2022/09/28
+ - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
+ - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
+author: Tim Rauch, Janantha Marasinghe
+date: 2022/11/08
+modified: 2022/12/17
 tags:
 - attack.credential_access
 - attack.t1003
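Review bot: `selection_paths` ends with a leftover commented-out placeholder, `#- ''`, which should be removed before merge. The tags `attack.command_and_control` / `attack.t1219` (Remote Access Software) do not describe decrypting a file with gpg; what the description covers is closer to `attack.defense_evasion` / `attack.t1140` (Deobfuscate/Decode Files or Information). `'C:\temp'` is also the only path entry without a trailing backslash; `'C:\temp\'` would match the rest of the list. The IIS appcmd hunk on this line changes references and metadata only.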
@@ -13,18 +16,25 @@ logsource: category: process_creation product: windows detection: - selection_name: + selection_base_name: - Image|endswith: '\appcmd.exe' - OriginalFilename: 'appcmd.exe' - selection_list: + selection_base_list: + CommandLine|contains: 'list ' + selection_standalone: CommandLine|contains: - - ' /list ' - - ' list ' - selection_all: - CommandLine|contains|all: + - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900 + - ' /xml' + selection_cmd_flags: + CommandLine|contains: + - ' /@t' # Covers both "/@text:*" and "/@t:*" - ' /text' - - ' password' - condition: all of selection* + - ' /show' + selection_cmd_grep: + CommandLine|contains: + - ':\*' + - 'password' + condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml index fb8f65ecb..ba53f5896 100644 --- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml +++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml @@ -9,7 +9,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py author: Ecco, oscd.community, Jonhnathan Ribeiro date: 2019/09/03 -modified: 2021/11/27 +modified: 2022/12/08 tags: - attack.execution - attack.t1047 @@ -46,7 +46,7 @@ detection: - 'cmd.exe' - '/Q' - '/c' - - '\\\\127.0.0.1\' + - '\\\\127.0.0.1\\' - '&1' selection_atexec: ParentCommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml new file mode 100644 index 000000000..417f3166e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml 
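Review bot: The context line `- OriginalFilename: 'appcmd.exe'` in `selection_base_name` spells the field `OriginalFilename`, while the other rules touched in this commit use `OriginalFileName`; if the backend field mapping is keyed on the exact spelling, that alternative never matches and the rule silently depends on `Image|endswith` alone, so changing it to `- OriginalFileName: 'appcmd.exe'` in the same pass is worthwhile. The new `selection_cmd_grep` entry `':\*'` is an escaped literal asterisk; a comment such as `# literal "*" as in /text:*` would make that readable, since a bare `*` in Sigma is a wildcard. The Impacket hunk on this line is an escaping fix only.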
@@ -0,0 +1,38 @@
+title: Impersonate Execution
+id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
+status: experimental
+description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+references:
+ - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
+ - https://github.com/sensepost/impersonate
+author: Sai Prashanth Pulisetti @pulisettis
+date: 2022/12/21
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1134.001
+ - attack.t1134.003
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_commandline_exe:
+ CommandLine|contains: 'impersonate.exe'
+ selection_commandline_opt:
+ CommandLine|contains:
+ - ' list '
+ - ' exec '
+ - ' adduser '
+ selection_hash_plain:
+ Hashes|contains:
+ - 'MD5=9520714AB576B0ED01D1513691377D01'
+ - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
+ - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
+ selection_hash_ext:
+ - MD5: '9520714AB576B0ED01D1513691377D01'
+ - SHA256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
+ - IMPHASH: '0A358FFC1697B7A07D0E817AC740DF62'
+ condition: all of selection_commandline_* or 1 of selection_hash_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
new file mode 100644
index 000000000..e75be25e3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
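Review bot: The two hash selections pin a single build of the tool, so any rebuild changes the MD5/SHA256 while the import hash may or may not survive; that is fine as a high-fidelity branch, but the description should state that the hashes correspond to the release available at the time of writing so a future miss is understood. The command-line branch requires the literal `impersonate.exe`, so a renamed binary is caught only by the hash branch, which belongs in the same sentence. A small wording fix: `on a Windows computers` should be `on Windows computers`.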
@@ -0,0 +1,40 @@
+title: AgentExecutor PowerShell Execution
+id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
+related:
+ - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
+ type: similar
+status: experimental
+description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument
+author: Nasreddine Bencherchali, memory-shards
+references:
+ - https://twitter.com/lefterispan/status/1286259016436514816
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
+ - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+ - https://twitter.com/jseerden/status/1247985304667066373/photo/1
+date: 2022/12/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image: '\AgentExecutor.exe'
+ - OriginalFileName: 'AgentExecutor.exe'
+ selection_cli:
+ # Example:
+ # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
+ # Note:
+ # - If [timeoutSeconds] is NULL then it defaults to 60000
+ # - If [enforceSignatureCheck] is:
+ # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
+ # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
+ # - [powershellPath] is always concatendated to "powershell.exe"
+ CommandLine|contains:
+ - ' -powershell' # Also covers the "-powershellDetection" flag
+ - ' -remediationScript'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
+level: medium
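Review bot: `- Image: '\AgentExecutor.exe'` in `selection_img` is an exact-value match against a field that holds the full path, so it can never be equal to a value that starts with a backslash and the image branch of this rule is dead; the sibling rule c0b40568 in this same commit uses `- Image|endswith: '\AgentExecutor.exe'`, which is what is needed here. With that branch dead the rule currently depends entirely on `OriginalFileName`. The `description` also carries two typos (`postiional`, `concatendated` in the comment block) that are duplicated verbatim in the sibling rule.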
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
new file mode 100644
index 000000000..ecf092fb9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml
@@ -0,0 +1,44 @@
+title: Suspicious AgentExecutor PowerShell Execution
+id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
+related:
+ - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
+ type: similar
+status: experimental
+description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument
+author: Nasreddine Bencherchali, memory-shards
+references:
+ - https://twitter.com/lefterispan/status/1286259016436514816
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
+ - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+ - https://twitter.com/jseerden/status/1247985304667066373/photo/1
+date: 2022/12/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\AgentExecutor.exe'
+ - OriginalFileName: 'AgentExecutor.exe'
+ selection_cli:
+ # Example:
+ # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
+ # Note:
+ # - If [timeoutSeconds] is NULL then it defaults to 60000
+ # - If [enforceSignatureCheck] is:
+ # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
+ # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
+ # - [powershellPath] is always concatendated to "powershell.exe"
+ CommandLine|contains:
+ - ' -powershell' # Also covers the "-powershellDetection" flag
+ - ' -remediationScript'
+ filter:
+ CommandLine|contains:
+ - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
+ - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
+ condition: all of selection_* and not filter
+falsepositives:
+ - Unknown
+level: high
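Review bot: The `description` is copied word for word from the base rule 7efd2c8d and never says what makes this variant "suspicious"; reading the `filter`, the intent is an invocation whose `[powershellPath]` does not point at the two stock PowerShell directories, and the description should state that, e.g. append `Invocations that reference the standard "WindowsPowerShell\v1.0" directories are filtered out, so remaining hits use a non-standard PowerShell path`. Note also that `filter` is a `CommandLine|contains` over the whole line, so a stock path appearing in any other positional argument (a script under System32, for instance) would suppress a hit even when the sixth argument is elsewhere; if that is acceptable, a one-line comment on `filter:` saying the match is line-wide rather than positional would avoid a later "bug" report.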
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml index 4142110c3..4d6688ff0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml @@ -16,7 +16,7 @@ logsource: detection: selection: Image|endswith: '\xwizard.exe' - CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml similarity index 68% rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index 1754f8f63..2229928fb 100644 --- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml @@ -4,7 +4,7 @@ related: - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 type: obsoletes status: experimental -description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool +description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md 
@@ -12,9 +12,11 @@ references: - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet + - https://github.com/SigmaHQ/sigma/issues/3742 + - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth date: 2021/07/12 -modified: 2022/09/07 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.privilege_escalation @@ -24,22 +26,11 @@ logsource: category: process_creation product: windows detection: - selection_flag: + selection: CommandLine|contains: ' /INJECTRUNNING ' - selection_renamed: - OriginalFileName: - - 'mavinject32.exe' - - 'mavinject64.exe' - filter_renamed: - Image|endswith: - - '\mavinject32.exe' - - '\mavinject64.exe' - condition: selection_flag or (selection_renamed and not filter_renamed) -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + filter: + ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject" + condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml index fdb843257..906b0a985 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml 
@@ -1,12 +1,13 @@ -title: Rundll32 From Abnormal Drive +title: LOLBIN From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 status: experimental -description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO. -references: - - https://thedfirreport.com/2021/12/13/diavol-ransomware/ +description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2022/01/25 modified: 2022/02/14 +references: + - https://thedfirreport.com/2021/12/13/diavol-ransomware/ + - https://www.scythe.io/library/threat-emulation-qakbot tags: - attack.t1218.001 logsource: @@ -14,8 +15,15 @@ logsource: product: windows detection: selection: - Image|endswith: '\rundll32.exe' - filter: + - '\rundll32.exe' + - '\calc.exe' + - '\mshta.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\regsvr32.exe' + - '\installutil.exe' + - '\cmstp.exe' + filter_currentdirectory: - CurrentDirectory|contains: 'C:\' - CurrentDirectory: '' filter_null: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml new file mode 100644 index 000000000..924eea112 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
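Review bot: `modified: 2022/02/14` is left untouched although the second hunk of this file widens the detection from rundll32 to seven more LOLBINs, while every other rule in this commit that changes logic bumps `modified`; set it to the commit date (`modified: YYYY/MM/DD`, placeholder for the real date). The `tags:` block at the end of this hunk still carries only `attack.t1218.001`, the Rundll32 sub-technique, which no longer describes the mshta, regsvr32, installutil and cmstp coverage introduced under the new title; the parent `attack.t1218`, or the matching per-binary sub-techniques, would keep the tags honest.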
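Review bot: In the second hunk the eight image names are listed directly under `selection:` with no `Image|endswith:` key above them: the removed line carried the key together with its single value, and the hunk counts (-8/+15: three context, eight list items, four filter lines) leave no room for a replacement key, so Sigma reads these strings as a keyword list searched across the whole event rather than as image-name suffixes. Re-insert the key so the list hangs under it: `selection:` / `Image|endswith:` / `- '\rundll32.exe'` and the remaining entries. Whether the key was dropped by the commit or by the line collapsing in this view is not fully certain, so please verify against the file. The rule's `condition:` line lies outside the hunk.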
@@ -0,0 +1,26 @@
+title: Use of Setres.exe
+id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
+status: experimental
+description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Setres/
+ - https://twitter.com/0gtweet/status/1583356502340870144
+ - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
+author: '@gott_cyber'
+date: 2022/12/11
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\setres.exe'
+ Image|endswith: '\choice'
+ condition: all of selection*
+falsepositives:
+ - Legitimate usage of Setres
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_type.yml b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml
new file mode 100644
index 000000000..f52f1e88b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml
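Review bot: `Image|endswith: '\choice'` cannot match what the `description` says it targets: the image field carries the file's extension, so a launched `choice.exe` or `choice.com` ends in `\choice.exe`, not `\choice`, and the selection is dead as written. `Image|contains: '\choice.'` (or an explicit list such as `'\choice.exe'`, `'\choice.com'`) matches the executable cases; for the script extensions the description mentions (`.cmd`, `.bat`) the child image would be the interpreter rather than `choice`, which this rule cannot see, and a comment on the selection should say so rather than leaving the description to promise it.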
@@ -0,0 +1,28 @@
+title: Potential Download/Upload Activity Using Type Command
+id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
+status: experimental
+description: Detects usage of the "type" command to download/upload data from WebDAV server
+references:
+ - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
+author: Nasreddine Bencherchali
+date: 2022/12/14
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
+ selection_upload:
+ CommandLine|contains|all:
+ - 'type '
+ - ' > \\\\'
+ selection_download:
+ CommandLine|contains|all:
+ - 'type \\\\'
+ - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index 3fbfaedfd..9849fbac3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
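Review bot: `'type '` in `selection_upload` is a four-character token that also occurs inside `-Type `, `prototype ` and similar, so the whole specificity of that selection sits in the `' > \\\\'` pairing; either tighten it to `' type '` if `cmd /c type …` is the only invocation shape you expect, or add a comment on the line saying the redirection token is what carries the match. The comment above `selection_upload` is a sentence fragment; `# Note: built-in CMD commands do not produce a process creation event, so this only fires when the command is passed through "cmd /c"` says the same thing readably.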
@@ -4,29 +4,35 @@ status: experimental description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ -author: frack113 +author: frack113, manasmbellani date: 2022/02/16 -modified: 2022/11/09 +modified: 2022/12/06 tags: - attack.defense_evasion + - attack.t1218 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wlrmdr.exe' + selection_child_img: + - Image|endswith: '\wlrmdr.exe' + - OriginalFileName: 'WLRMNDR.EXE' + selection_child_cli: CommandLine|contains|all: + # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced) - '-s ' - '-f ' - '-t ' - '-m ' - '-a ' - '-u ' + selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag + ParentImage|endswith: '\wlrmdr.exe' filter: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: selection and not 1 of filter* + condition: selection_parent or (all of selection_child_* and not 1 of filter*) falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml new file mode 100644 index 000000000..cc021edaa --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml 
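Review bot: `- OriginalFileName: 'WLRMNDR.EXE'` in `selection_child_img` differs from the image name `wlrmdr.exe` by an extra "N"; if that is the string in the binary's version resource the value is right, but without a comment the next reviewer will read it as a typo and "fix" it into a dead branch, so add `# sic: the version resource spells it WLRMNDR.EXE` on that line. The new `selection_parent` branch bypasses both `filter` entries by construction (its parent is wlrmdr, not winlogon), which the inline comment only partly explains; stating that the parent branch is deliberately unfiltered would complete it.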
@@ -0,0 +1,41 @@
+title: Potential Credential Dumping Via WER
+id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
+status: experimental
+description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash , Nasreddine Bencherchali'
+date: 2022/12/08
+modified: 2022/12/09
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\Werfault.exe'
+ - OriginalFileName: 'WerFault.exe'
+ selection_cli:
+ ParentUser|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ CommandLine|contains|all:
+ # Doc: WerFault.exe -u -p -ip -s
+ # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
+ # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
+ - ' -u -p '
+ - ' -ip '
+ - ' -s '
+ filter_lsass:
+ ParentImage: 'C:\Windows\System32\lsass.exe'
+ condition: all of selection_* and not 1 of filter_*
+falsepositives:
+ - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml
index acecd619c..da6d670b4 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml
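Review bot: The discriminating fact named in the comment block (the `-p` PID belongs to lsass while `-ip` is a different process) is not checked by any selection; the three tokens in `CommandLine|contains|all` are the generic WerFault invocation the comment itself documents, so as written the rule fires on every SYSTEM-context crash report at `level: high` and relies on the analyst to do the PID comparison the `falsepositives` entry mentions. That triage dependency should be stated in `description`, and a comment on `CommandLine|contains|all:` such as `# These tokens match every WER invocation; the PID relationship cannot be expressed in process_creation and must be checked at triage` would stop someone from reading the match as technique-specific. Minor: `# Example: If the "-p" points the PID` should read `points to the PID`.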
+++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml @@ -1,4 +1,4 @@ -title: Ryuk Ransomware +title: Ryuk Ransomware Command Line Activity id: 0acaad27-9f02-4136-a243-c357202edd74 status: stable description: Detects Ryuk Ransomware command lines @@ -6,7 +6,7 @@ references: - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ author: Vasiliy Burov date: 2019/08/06 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.execution - attack.t1204 diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 3f04250f4..e1724f884 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml @@ -7,7 +7,7 @@ references: - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 author: Florian Roth, Tom Ueltschi date: 2019/01/16 -modified: 2022/03/05 +modified: 2022/12/15 tags: - attack.defense_evasion - attack.t1218.011 @@ -19,21 +19,22 @@ logsource: category: process_creation product: windows detection: - select_pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\\\.\\pipe\\' - select_rundll32_dash1: + selection_pattern: + CommandLine|contains: + - 'wevtutil cl Application & fsutil usn deletejournal /D C:' + - 'dllhost.dat %WINDIR%\ransoms' + selection_rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: - '.dat,#1' - '.dat #1' # Sysmon removes comma - select_perfc_keyword: + - '.zip.dll",#1' + selection_perfc_keyword: - '\perfc.dat' - condition: 1 of select* + condition: 1 of selection* fields: - CommandLine - ParentCommandLine falsepositives: - - Admin activity + - Unknown level: critical 
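Review bot: The first string in `selection_pattern`, `'wevtutil cl Application & fsutil usn deletejournal /D C:'`, is one long literal that breaks on any spacing or `&&` variation of the same command pair; if the intent is the pairing of the two commands, a `CommandLine|contains|all:` of `'wevtutil cl Application'` and `'fsutil usn deletejournal'` captures it without depending on the exact separator, at the cost of a slightly wider match that should be weighed against the `critical` level. `selection_perfc_keyword` keeps `'\perfc.dat'` as a bare keyword, which is a whole-event search rather than a field match; since the selection is being renamed here anyway, a comment saying the keyword form is deliberate would save the next reader from converting it.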
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml index 3e83ac024..7fb2f061e 100644 --- a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml @@ -27,8 +27,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml index ff534cdd5..ba499f84d 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml @@ -30,8 +30,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 3a6122f98..cf29b211d 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 date: 2022/01/16 -modified: 2022/10/23 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1218.007 
@@ -30,7 +30,13 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution + - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' + - '\MsiExec.exe" -Y "C:\Windows\CCM\' + - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution condition: selection and not 1 of filter_* falsepositives: - Legitimate script diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml index a25ed13bc..4a10ff9e0 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml +++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml 
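Review bot: The six new `-Y` entries mirror the `/Y` entries one for one with a single character changed, and the last of them copies the old `#also need non-quoted execution` comment without the space that the line above just gained (`# also need non-quoted execution`); keep the two consistent. A one-line comment ahead of the first `-Y` entry, e.g. `# "-Y" variants of the "/Y" entries above (no windash modifier available yet)`, would make the pairing explicit for whoever adds the next filter path. The `selection` block and the filter head are outside the hunk.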
@@ -1,29 +1,34 @@ -title: Nslookup PowerShell Download +title: Nslookup PowerShell Download Cradle - ProcessCreation id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 +related: + - id: 72671447-4352-4413-bb91-b85569687135 + type: obsoletes + - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 + type: similar status: experimental -description: Detects usage of powershell in conjunction with nslookup as a mean of download. +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Nasreddine Bencherchali date: 2022/09/05 +modified: 2022/12/19 tags: - attack.defense_evasion logsource: category: process_creation product: windows detection: - selection_cli: - CommandLine|contains|all: - - 'powershell .' - - 'nslookup' - - ' -q=txt ' selection_img: - ParentImage|endswith: '\powershell.exe' - Image|contains: '\nslookup.exe' + - Image|contains: '\nslookup.exe' + - OriginalFileName: '\nslookup.exe' + selection_cmd: + ParentImage|endswith: + - '\powershell.exe' + - '\pwsh.exe' CommandLine|contains: - ' -q=txt ' - ' -querytype=txt ' - condition: 1 of selection_* + condition: all of selection_* falsepositives: - - Unlikely -level: high + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 989cb7972..572d79db8 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://twitter.com/jonasLyk/status/1555914501802921984 author: frack113, Nasreddine Bencherchali date: 2022/08/06 -modified: 2022/09/18 +modified: 2022/12/12 tags: - attack.defense_evasion - attack.t1564.004 
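Review bot: `- OriginalFileName: '\nslookup.exe'` in `selection_img` can never match: `OriginalFileName` is the bare file name from the PE version resource and carries no path separator, so the leading backslash makes this branch dead (every other rule in the commit uses the plain form, e.g. `OriginalFileName: 'AgentExecutor.exe'`). Write `- OriginalFileName: 'nslookup.exe'`; while there, `Image|contains: '\nslookup.exe'` would be `Image|endswith` for consistency with the rest of the repository. The rule still works through the `Image` branch, so the defect only removes the renamed-binary coverage the change appears to be adding.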
@@ -45,6 +45,7 @@ detection: - '\thor\thor64.exe' - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe - Image|contains: '\vcredi' + - ParentImage: 'C:\Windows\explorer.exe' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml new file mode 100644 index 000000000..071b258dc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml 
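Review bot: The new `- ParentImage: 'C:\Windows\explorer.exe'` joins an OR-list filter, so every short-name image started from the desktop shell is now excluded regardless of its path, and user-initiated launches are a large share of what a short-name rule is meant to surface. If the false positive that motivated it came from a specific flow, pairing the parent with that `Image` path in its own `filter_explorer` map keeps the coverage; at minimum a comment explaining why explorer.exe is trusted here, e.g. `# Excludes launches from the shell — see <issue-ref placeholder>`, should accompany the entry. The `selection` block and the `filter:` head are outside the hunk.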
@@ -0,0 +1,48 @@
+title: Office Processes Proxy Execution Through WMIC
+id: e1693bc8-7168-4eab-8718-cdcaa68a1738
+related:
+ - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
+ type: obsoletes
+ - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
+ type: obsoletes
+status: experimental
+description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+date: 2021/08/23
+modified: 2022/12/02
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_wmic:
+ - Image|endswith: '\wbem\WMIC.exe'
+ - OriginalFileName: 'wmic.exe'
+ selection_parent:
+ ParentImage|endswith:
+ - '\winword.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ CommandLine|contains|all:
+ - 'process'
+ - 'create'
+ - 'call'
+ CommandLine|contains:
+ # Add more suspicious LOLBINs as you see fit
+ - 'regsvr32'
+ - 'rundll32'
+ - 'msiexec'
+ - 'mshta'
+ - 'verclsid'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
index aeabf14ca..4ca453a34 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
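Review bot: `selection_parent` bundles the parent-image list with two `CommandLine` maps, so its name describes less than half of what it checks; splitting it into `selection_parent:` (the `ParentImage|endswith` list) and `selection_cli:` (the two command-line maps) leaves `condition: all of selection_*` untouched and reads like the other rules in this commit. `description` has a typo (`proxye` → `proxy`). The parent list covers only Word, Excel and PowerPoint; if Outlook, Access or OneNote are excluded on purpose, a comment on the list would save the question.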
@@ -1,4 +1,4 @@ -title: Office Applications Spawning Wmi Cli +title: Office Applications Spawning Wmi Cli Alternate id: 04f5363a-6bca-42ff-be70-0d28bf629ead status: experimental description: Initial execution of malicious document calls wmic to execute the file with regsvr32 @@ -7,7 +7,7 @@ references: - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 -modified: 2022/06/16 +modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 64daeed83..7161651e6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) date: 2020/10/15 -modified: 2022/07/14 +modified: 2022/12/18 tags: - attack.defense_evasion - attack.t1027 
@@ -16,27 +16,27 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_1: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' - selection2: + selection_2: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' - selection3: + selection_3: Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|re: '.*{.*{.*{.*{.*{.*' - selection4: + CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*' + selection_4: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' - selection5: + selection_5: Image|endswith: - '\powershell.exe' - '\pwsh.exe' @@ -47,7 +47,7 @@ detection: CommandLine|contains: - 'new EventSource("Microsoft.Windows.Sense.Client.Management"' - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);' - condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter_amazonSSM and not (selection3 and filter_windef_atp) + condition: (1 of selection_*) and not filter_amazonSSM and not (selection_3 and filter_windef_atp) falsepositives: - Unlikely - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) 
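Review bot: The rewritten `selection_3` regex, like its siblings, opens and closes with `.*`; when the backend compiles `re` as an unanchored search, which is the common case, those add nothing to the match and only cost backtracking on long PowerShell command lines, so `'\{.*\{.*\{.*\{.*\{'` states the same five-brace requirement more cheaply. If a target backend anchors `re`, keep the wrappers but say so in a comment, since the choice is otherwise invisible. The rename to `selection_N` plus `1 of selection_*` in the next hunk is fine as long as no future `selection_*` is meant to be excluded from the disjunction.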
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml index 7cc2ab57f..3085e60f1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml @@ -1,4 +1,4 @@ -title: Suspicious Encoded PowerShell Command Line +title: Suspicious Xor PowerShell Command Line id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 related: - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f @@ -9,7 +9,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton date: 2022/07/06 -modified: 2022/07/14 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index f1143d516..bc5a795f5 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml 
@@ -1,13 +1,14 @@ -title: Exchange PowerShell Snap-Ins Used by HAFNIUM +title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 status: experimental -description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM +description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -author: FPT.EagleEye + - https://www.intrinsec.com/apt27-analysis/ +author: FPT.EagleEye, Nasreddine Bencherchali date: 2021/03/03 -modified: 2022/07/14 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -17,12 +18,20 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin' - condition: selection + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: + CommandLine|contains: 'Add-PSSnapin' + selection_module: + CommandLine|contains: + - 'Microsoft.Exchange.Powershell.Snapin' + - 'Microsoft.Exchange.Management.PowerShell.SnapIn' + condition: all of selection_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml index c68ff242a..70e2f2766 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml 
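Review bot: The first hunk's `description` still says the rule detects snap-ins used "to export mailbox data", but nothing in the new detection block requires an export cmdlet: `selection_cli` and `selection_module` only see the snap-in being loaded, which on an Exchange server is how routine administrative scripts start. Either narrow the description to "loading the Exchange management snap-in from the command line" or add the export criterion the description promises; in both cases the `falsepositives` section, which is outside this hunk, should name Exchange administrative scripting now that the title has dropped the actor-specific framing.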
@@ -4,7 +4,7 @@ status: test description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton date: 2018/09/05 -modified: 2022/01/10 +modified: 2022/12/16 tags: - attack.defense_evasion - attack.t1059.001 @@ -14,10 +14,16 @@ logsource: category: process_creation product: windows detection: - selection: + selection_metadata: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' - Description: 'Windows PowerShell' - Product: 'PowerShell Core 6' - filter: + selection_cli: CommandLine|contains: - 'bxor' - '-join ' @@ -25,9 +31,17 @@ detection: - '-join"' - '-join`' - 'char' - false_positives: - ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe - condition: selection and filter and not false_positives + filter_amazon: + ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe' + filter_powershell_script: + CommandLine|contains|all: + # Script part of Amazon SSM worker (But the parent is empty - see example linked below) + # Example: https://github.com/SigmaHQ/sigma/pull/3717#issue-1455440560 + - 'function Convert-GuidToCompressedGuid' + - 'ValueFromPipelineByPropertyName' + - '::ParseExact(' + - 'KB[000000-999999]' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml new file mode 100644 index 000000000..89f26df5e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml 
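Review bot: The `description` in the first hunk says the rule catches a process "which includes bxor command", but `selection_cli` in the second hunk is an OR list in which `'char'` alone satisfies it, so any PowerShell line containing that substring fires with no `bxor` present at all. The OR list predates this commit, but the rewrite to `all of selection_*` was the moment to make the XOR operator mandatory: a separate `selection_xor:` / `CommandLine|contains: 'bxor'` with `-join` and `char` left in `selection_cli` does that without touching the filters. If matching on `-join`/`char` without `bxor` is intended, the description and the new title from the sibling commit should say so instead.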
@@ -0,0 +1,27 @@
+title: PowerTool Execution
+id: a34f79a3-8e5f-4cc3-b765-de00695452c2
+status: experimental
+description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+ - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
+ - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
+author: Nasreddine Bencherchali
+date: 2022/11/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
+ - OriginalFileName: 'PowerTool.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
index e909bcbd2..dabffeceb 100644
--- a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
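Review bot: The `OriginalFileName` alternative in `selection` lists only `'PowerTool.exe'`, while the `Image` alternative also covers `\PowerTool64.exe`; if the 64-bit build carries a different OriginalFileName in its PE metadata (not verifiable from the page), a renamed 64-bit copy is missed by the very branch meant to catch renames. Either confirm the 64-bit binary's value and add it, or record the assumption inline: `- OriginalFileName: 'PowerTool.exe' # TODO(review): confirm OriginalFileName of PowerTool64.exe`. Sigma string matching is case-insensitive, so the mixed-case image names are fine as written.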
@@ -1,11 +1,12 @@ title: Raspberry Robin Dot Ending File id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a status: experimental -description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin +description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin author: Nasreddine Bencherchali references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ date: 2022/10/28 +modified: 2022/11/28 tags: - attack.execution logsource: @@ -16,7 +17,7 @@ detection: # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png - CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}" + CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}" filter: # This filter is used to exclude double extension files CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}" diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml index 3dd0c383e..be59309af 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml @@ -6,7 +6,7 @@ references: - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf author: Markus Neis, Swisscom date: 2019/06/04 -modified: 2021/11/27 +modified: 2022/12/18 tags: - attack.execution - attack.defense_evasion 
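Review bot: In the updated `CommandLine|re` pattern the trailing `[ |\"|']{1}` is a character class, so the `|` characters inside it are literal pipe characters rather than alternation; a token ending in `.|` therefore also matches, and `{1}` is a no-op. The intended terminators are a space, a double quote or a single quote: `CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ \"']"`, which keeps the terminator mandatory as this commit intends. The `filter` regex below shares the `\\.[a-zA-Z0-9]{1,6}\\.` prefix, so the two should be kept in step if the prefix is ever changed.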
@@ -15,13 +15,13 @@ logsource: category: process_creation product: windows detection: - selection1: - Description: Java Update Scheduler - selection2: - Description: Java(TM) Update Scheduler + selection: + Description: + - Java Update Scheduler + - Java(TM) Update Scheduler filter: Image|endswith: '\jusched.exe' - condition: (selection1 or selection2) and not filter + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml new file mode 100644 index 000000000..cc6c21e46 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml 
@@ -0,0 +1,36 @@
+title: Rename Mavinject Execution
+id: e6474a1b-5390-49cd-ab41-8d88655f7394
+status: experimental
+description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
+ - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
+author: frack113, Florian Roth
+date: 2022/12/05
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055.001
+ - attack.t1218.013
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'mavinject32.exe'
+ - 'mavinject64.exe'
+ filter:
+ Image|endswith:
+ - '\mavinject32.exe'
+ - '\mavinject64.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
new file mode 100644
index 000000000..ec89ae388
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
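Review bot: The `title` reads `Rename Mavinject Execution`, which breaks the naming used by the sibling rules in this commit (`Renamed ProcDump Execution`, `Renamed Office Binary Execution`) and by the file name; `title: Renamed Mavinject Execution` follows the convention. The `description` is also split into a sentence fragment ("... process. Which can be abused ..."); `description: Detects execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag` reads as one statement. The `OriginalFileName` selection with an `Image|endswith` filter mirrors the ProcDump and Office rules, so the detection logic itself is consistent.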
@@ -0,0 +1,39 @@
+title: Renamed Office Binary Execution
+id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
+status: experimental
+description: Detects the execution of a renamed office binaries
+references:
+ - https://infosec.exchange/@sbousseaden/109542254124022664
+author: Nasreddine Bencherchali
+date: 2022/12/20
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - OriginalFileName:
+ - 'Excel.exe'
+ - 'MSACCESS.EXE'
+ - 'OneNote.exe'
+ - 'POWERPNT.EXE'
+ - 'WinWord.exe'
+ - Description:
+ - 'Microsoft Access'
+ - 'Microsoft Excel'
+ - 'Microsoft OneNote'
+ - 'Microsoft PowerPoint'
+ - 'Microsoft Word'
+ # - Product|contains: 'Microsoft Office' # prone to many FPs
+ filter:
+ Image|endswith:
+ - '\EXCEL.exe'
+ - '\MSACCESS.exe'
+ - '\ONENOTE.EXE'
+ - '\POWERPNT.EXE'
+ - '\WINWORD.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9a09c3246..0e7a7715a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -1,4 +1,4 @@
-title: Renamed ProcDump
+title: Renamed ProcDump Execution
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
 related:
 - id: 03795938-1387-481b-9f4c-3f6241e604fe
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2022/08/12
+modified: 2022/12/08
 tags:
 - attack.defense_evasion
 - attack.t1036.003
@@ -34,5 +34,5 @@ detection:
 condition: (selection_org or all of selection_args_*) and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
- - Weird admins who renamed binaries (and should be investigated)
+ - Administrators who rename binaries (should be investigated)
 level: high
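Review bot: The second alternative in `selection`, matching on `Description` values such as `'Microsoft Word'`, is looser than the `OriginalFileName` branch, and with `level: high` and `falsepositives: Unknown` that looseness is undocumented: other Office helper executables could plausibly carry one of these descriptions without being in the five-entry `filter` (I cannot confirm this from the page). Either annotate the branch so the next maintainer knows it is the noisier one, e.g. `- Description: # looser than OriginalFileName - review hits from images outside the filter`, or keep the Description-based match in a separate lower-level rule. The commented-out `Product|contains` line already records the same trade-off for the third candidate field, so the comment style is consistent.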
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml index 7009302df..b5243e4bc 100644 --- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp) date: 2022/01/13 -modified: 2022/07/27 +modified: 2022/12/02 logsource: category: process_creation product: windows @@ -32,6 +32,9 @@ detection: ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\' filter_localserver_fp: CommandLine|contains: ' -localserver ' + filter_mcafee: + - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction ' + - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf' condition: selection and not 1 of filter* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index e9d945a77..67faacd00 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml 
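Review bot: The first entry of the new `filter_mcafee` uses `ParentCommandLine|startswith` with a value beginning `C:\Windows\system32\rundll32.exe" "C:\Program Files\...`, i.e. a closing quote with no opening one; if the logged command line starts with the opening `"` that normally precedes a quoted path, `startswith` never matches and the filter is dead code. Either keep the leading quote, `- ParentCommandLine|startswith: '"C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction '`, or switch both entries to `|contains` so the prefix no longer matters. The second entry (`CommandLine|startswith`) has the same unbalanced shape and should be handled the same way.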
@@ -1,12 +1,13 @@ title: Rundll32 With Suspicious Parent Process id: 1723e720-616d-4ddc-ab02-f7e3685a4713 status: experimental -description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. +description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 +modified: 2022/12/21 tags: - attack.defense_evasion logsource: @@ -17,7 +18,8 @@ detection: Image|endswith: '\rundll32.exe' ParentImage|endswith: '\explorer.exe' filter: - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL' + - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required + - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control condition: selection and not filter fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index b70527f74..0490537b1 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml @@ -4,7 +4,7 @@ status: experimental description: Detects a windows service to be stopped author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 -modified: 2022/09/01 +modified: 2022/12/22 tags: - attack.impact - attack.t1489 
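Review bot: The new `filter` entry `CommandLine|contains: ' C:\Windows\System32\'` is far broader than the `shell32.dll,OpenAs_RunDLL` entry it replaces: it excludes every rundll32 command line that names a DLL under System32, which is where most legitimate-DLL abuse from an explorer.exe parent would appear, so the rule keeps little of its original coverage. Consider listing the specific `dll,export` pairs that produced the false positives (the previous entry being one of them) instead of the directory prefix, and keep the narrow `-localserver` entry as it is. A short comment above `filter` naming the benign invocations that were observed would help the next maintainer judge any further widening.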
@@ -29,7 +29,9 @@ detection: - '\pwsh.exe' CommandLine|contains: 'Stop-Service ' filter: - CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop + CommandLine: + - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop + - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml index 012766883..ed5fe8397 100644 --- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -18,22 +18,11 @@ logsource: category: process_creation product: windows detection: - selection_1_img: - Image|endswith: '\SharpChisel.exe' - selection_1_pe: - Product: 'SharpChisel' - # Covered by Chisel Rule - # selection_2_client_server: - # CommandLine|contains: - # - 'exe client ' - # - 'exe server ' - # selection_2_flags: - # CommandLine|contains: - # - ' --socks5' - # - ' --reverse' - # - ' r:' - # - ':127.0.0.1:' - condition: 1 of selection* + selection: + - Image|endswith: '\SharpChisel.exe' + - Product: 'SharpChisel' + # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage + condition: selection falsepositives: - - Some false positives may occure with other tools with similar commandlines + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml new file mode 100644 index 000000000..f1d7d7055 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml 
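Review bot: The cross-reference `# See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage` in the SharpChisel hunk is only a comment, so tooling cannot see the relationship; the `related:` metadata that this commit already uses elsewhere (`type: derived`) expresses it in a machine-readable way, and `type: similar` is the relation that fits two rules covering variants of one tool. Adding `related:` / `- id: 8b0e12da-d3c3-49db-bb4f-256703f380e5` / `type: similar` under `id:` keeps the hint and makes it queryable. The collapsed `selection` list is equivalent to the former `1 of selection*`, so the detection logic is unchanged.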
@@ -0,0 +1,28 @@
+title: SQLite Chrome Cookie DB Access
+id: 24c77512-782b-448a-8950-eddb0785fc71
+status: experimental
+description: Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
+author: TropChaud
+date: 2022/12/19
+tags:
+ - attack.credential_access
+ - attack.t1539
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_sql:
+ - Product: SQLite
+ - Image|endswith:
+ - '\sqlite.exe'
+ - '\sqlite3.exe'
+ selection_chrome:
+ CommandLine|contains:
+ - '\Google\Chrome\User Data\Default\Network\Cookies' # Latest chrome versions
+ - '\Google\Chrome\User Data\Default\Cookies' # Older chrome versions
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
index d013d6b35..ab488a002 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
 author: frack113
 date: 2022/04/08
+modified: 2022/12/19
 tags:
 - attack.credential_access
 - attack.t1539
@@ -15,7 +16,9 @@ logsource:
 detection:
 selection_sql:
 - Product: SQLite
- - Image|endswith: '\sqlite.exe'
+ - Image|endswith:
+ - '\sqlite.exe'
+ - '\sqlite3.exe'
 selection_firefox:
 CommandLine|contains: 'cookies.sqlite'
 condition: all of selection_*
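Review bot: `selection_chrome` only matches the `\Default\` profile directory, so the same query against a secondary Chrome profile (`...\User Data\Profile 1\Network\Cookies`) is not covered even though the stolen data is identical. A `contains|all` pairing of the profile-root prefix with the database name covers every profile without widening the rule to other databases: `CommandLine|contains|all:` / `- '\Google\Chrome\User Data\'` / `- '\Cookies'`. The `selection_sql` branch mirrors the Firefox rule updated in the same commit, so the two stay consistent.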
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml index 279bd99a2..7ed781e45 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml @@ -9,7 +9,7 @@ references: - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) date: 2019/10/26 -modified: 2021/11/27 +modified: 2022/12/15 tags: - attack.privilege_escalation - attack.t1134.002 @@ -19,21 +19,24 @@ logsource: definition: ParentUser field needs sysmon >= 13.30 detection: selection: - ParentUser: - - 'NT AUTHORITY\NETWORK SERVICE' - - 'NT AUTHORITY\LOCAL SERVICE' - - 'AUTORITE NT\' # French language settings + ParentUser|contains: + - 'AUTHORI' + - 'AUTORI' + ParentUser|endswith: + - '\NETWORK SERVICE' + - '\LOCAL SERVICE' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' User|endswith: # System - '\SYSTEM' + - '\Système' - '\СИСТЕМА' IntegrityLevel: 'System' - rundllexception: + filter_rundll32: Image|endswith: '\rundll32.exe' CommandLine|contains: 'DavSetCookie' - condition: selection and not rundllexception + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml index 1f73adb0d..6c8e07fec 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml 
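Review bot: Replacing the old `'AUTORITE NT\'` entry with `ParentUser|endswith: '\NETWORK SERVICE'` / `'\LOCAL SERVICE'` drops the French-locale parent coverage that entry provided, because on localized Windows the service-account display names are translated as well; the hunk itself acknowledges this for the child side by adding `\Système` next to `\СИСТЕМА` under `User|endswith`, so the two lists are now inconsistent. Either add the localized `NETWORK SERVICE` / `LOCAL SERVICE` names to `ParentUser|endswith` after confirming them on French and Russian systems, or record the gap: `ParentUser|endswith: # TODO(review): only English service-account names covered; add localized variants`. The `filter_rundll32` rename with `not 1 of filter_*` matches the convention used by the other rules in this commit.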
@@ -6,7 +6,7 @@ references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali date: 2022/09/01 -modified: 2022/10/26 +modified: 2022/12/15 tags: - attack.defense_evasion - attack.t1027 @@ -33,6 +33,8 @@ detection: - '}\' filter_null: Image: null + filter_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}" + Image: 'C:\Windows\System32\drvinst.exe' condition: all of selection_* and not 1 of filter* falsepositives: - Some FP is expected with some installers diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml new file mode 100644 index 000000000..5af183017 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml 
@@ -0,0 +1,41 @@
+title: Suspicious Elevated System Shell
+id: 178e615d-e666-498b-9630-9ed363038101
+status: experimental
+description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.
+references:
+ - https://github.com/Wh04m1001/SysmonEoP
+author: frack113
+date: 2022/12/05
+modified: 2022/12/07
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_shell:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\cmd.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - 'Cmd.Exe'
+ selection_user:
+ User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ LogonId: '0x3e7'
+ filter_compattelrunner:
+ ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
+ ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
+ OriginalFileName: 'PowerShell.EXE'
+ CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
+ condition: all of selection_* and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 74aca0737..ea149ab69 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -6,7 +6,7 @@ references:
 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 author: omkar72
 date: 2020/10/25
-modified: 2022/11/08
+modified: 2022/12/07
 tags:
 - attack.defense_evasion
 - attack.t1202
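Review bot: `selection_user` pins the SYSTEM logon session (`LogonId: '0x3e7'`) but puts no constraint on the parent, so every service or scheduled task that legitimately runs cmd.exe or PowerShell as SYSTEM satisfies `all of selection_*`; with `level: high` and `falsepositives: Unknown` the expected volume is undocumented, and the single `filter_compattelrunner` entry suggests such parents were already seen. A comment above `selection_user` such as `# SYSTEM logon session; expect hits from services and scheduled tasks - tune via filter_*` would set expectations, and `falsepositives` should name those sources rather than `Unknown`. The `OriginalFileName` alternative in `selection_shell` is consistent with the PowerShell rules elsewhere in this commit.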
@@ -42,17 +42,21 @@ detection: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Provider_Name: 'Microsoft-Windows-Kernel-Process' - ParentCommandLine|contains: ' cat-file -s ' + ParentCommandLine|contains: + - ' cat-file -s ' + - 'show --textconv' Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: - - '\??\C:\WINDOWS\system32\conhost.exe 0x4' - - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: - ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + ParentCommandLine: + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' Image: 'C:\Program Files\Git\mingw64\bin\git.exe' - CommandLine|contains: 'show --textconv :' condition: selection and not 1 of filter_* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml index 31816d30e..970f2a353 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml 
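Review bot: The two new `ParentCommandLine` values in `filter_image_git` have no opening single quote but end with one (`- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`), so YAML parses them as plain scalars whose last character is a literal `'`; the filter can never match and every git.exe child of those conhost parents will alert. Quote them exactly like the entries in `filter_image_conhost2` directly above: `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` and `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`. Removing `CommandLine|contains: 'show --textconv :'` from the same filter also widens it from one git subcommand to any git.exe invocation under those parents, which deserves a comment if intentional.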
@@ -1,12 +1,13 @@ -title: Suspicious Conhost Legacy Option +title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: experimental -description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 -date: 2022/04/04 +date: 2022/12/09 tags: - attack.defense_evasion - attack.t1202 @@ -15,11 +16,12 @@ logsource: category: process_creation detection: selection: + IntegrityLevel: 'High' CommandLine|contains|all: - 'conhost.exe' - '0xffffffff' - '-ForceV1' condition: selection falsepositives: - - Unknown + - Very Likely, including launching cmd.exe via Run As Administrator level: informational diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index 52255b0e0..6c971e5f2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml @@ -9,7 +9,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali' date: 2019/12/30 -modified: 2022/11/09 +modified: 2022/12/23 tags: - attack.lateral_movement - attack.collection 
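Review bot: The hunk rewrites `date:` from 2022/04/04 to 2022/12/09 instead of keeping the creation date and adding `modified:`, which is how every other edited rule in this commit records its change; the original date is history worth keeping for anyone tracing when the rule first shipped. Restore `date: 2022/04/04` and add `modified: 2022/12/09` beneath it. The new `IntegrityLevel: 'High'` constraint is a sensible way to trim the noise the updated `falsepositives` entry describes, and at `level: informational` the rule remains a context signal rather than an alert.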
@@ -22,9 +22,12 @@ logsource: product: windows detection: selection_other_tools: - Image|endswith: + - Image|endswith: - '\robocopy.exe' - '\xcopy.exe' + - OriginalFileName: + - 'robocopy.exe' + - 'XCOPY.EXE' selection_cmd_img: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 035bc209d..fa68132c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -6,7 +6,7 @@ references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt date: 2021/12/09 -modified: 2022/09/20 +modified: 2022/12/14 tags: - attack.defense_evasion logsource: @@ -23,6 +23,7 @@ detection: - '' filter_4688: - Image: + - 'System' - 'Registry' - 'MemCompression' - 'vmmem' diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index 5d35e391a..54ad4d29a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -6,7 +6,7 @@ references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt date: 2021/12/09 -modified: 2022/11/10 +modified: 2022/12/14 tags: - attack.defense_evasion logsource: @@ -21,6 +21,7 @@ detection: Image: null filter_image: # Windows utilities without extension Image: + - 'System' - 'Registry' - 'MemCompression' - 'vmmem' diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml index f24eb0b05..4713f9807 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml @@ -1,4 +1,4 @@ -title: Suspicious WebDav Client Execution +title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 status: experimental description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service @@ -7,6 +7,7 @@ references: - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml author: Elastic (idea), Tobias Michalski date: 2022/05/04 +modified: 2022/12/02 tags: - attack.privilege_escalation - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml index 138df7b91..03e60f2b4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml @@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch date: 2022/09/28 -modified: 2022/11/23 +modified: 2022/12/02 tags: - attack.execution - attack.t1059 
@@ -31,14 +31,17 @@ detection: - '\spoolsv.exe' # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe - - '\ctfmon.exe' + # - '\ctfmon.exe' # Seen several times in a testing environment filter: ParentCommandLine|contains: - '-k apphost -s AppHostSvc' - '-k imgsvc' + - '-k localService -p -s RemoteRegistry' - '-k LocalSystemNetworkRestricted -p -s NgcSvc' + - '-k NetSvcs -p -s NcaSvc' - '-k netsvcs -p -s NetSetupSvc' - '-k netsvcs -p -s wlidsvc' + - '-k NetworkService -p -s DoSvc' - '-k wsappx -p -s AppXSvc' - '-k wsappx -p -s ClipSVC' - 'C:\Program Files (x86)\Dropbox\Client\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml index 244c5f234..291c1ec16 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 author: Florian Roth date: 2022/03/24 -modified: 2022/10/28 +modified: 2022/11/28 logsource: product: windows category: process_creation 
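Review bot: The comment `# Seen several times in a testing environment` on the now-disabled `\ctfmon.exe` entry does not say whether those sightings were benign, so a maintainer cannot tell if this is a false-positive fix or a lost detection. State the reason explicitly, e.g. `# - '\ctfmon.exe' # Disabled: observed as a benign conhost parent during testing`, or, if a specific benign invocation was seen, move it into `filter` with that parent command line so ctfmon stays covered otherwise. The added svchost `-k ... -s ...` entries are narrow enough to be safe as filters.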
@@ -16,25 +16,22 @@ detection: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: - - ' | iex;' - - ' | iex ' - - ' | iex}' - - ' | IEX;' - - ' | IEX ;' - - ' | IEX -Error' - - ' | IEX (new' - - ' | IEX (New' + - ' | iex;' + - ' | iex ' + - ' | iex}' + - ' | IEX ;' + - ' | IEX -Error' + - ' | IEX (new' - ');IEX ' selection_combined_2: CommandLine|contains: - '::FromBase64String' - '.GetString([System.Convert]::' selection_standalone: - CommandLine|contains: - - ')|iex;$' - - ')|IEX;$' - - ');iex($' - - ');iex $' + CommandLine|contains: + - ')|iex;$' + - ');iex($' + - ');iex $' - ' | IEX | ' condition: all of selection_combined* or selection_standalone falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml new file mode 100644 index 000000000..776cd622a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml 
@@ -0,0 +1,40 @@
+title: Potential PE Metadata Tamper Using Rcedit
+id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
+status: experimental
+description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
+references:
+ - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
+ - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
+ - https://github.com/electron/rcedit
+author: Micah Babinski
+date: 2022/12/11
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+ - attack.t1036
+ - attack.t1027.005
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\rcedit-x64.exe'
+ - '\rcedit-x86.exe'
+ - Description: 'Edit resources of exe'
+ - Product: 'rcedit'
+ selection_flags:
+ CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
+ selection_attributes:
+ CommandLine|contains:
+ - 'OriginalFileName'
+ - 'CompanyName'
+ - 'FileDescription'
+ - 'ProductName'
+ - 'ProductVersion'
+ - 'LegalCopyright'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool by administrators or users to update metadata of a binary
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
index 2fc43458a..9e0f2b328 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml
@@ -6,7 +6,7 @@ references:
 - https://www.epicturla.com/blog/sysinturla
 author: Florian Roth
 date: 2020/05/28
-modified: 2021/11/27
+modified: 2022/11/29
 tags:
 - attack.resource_development
 - attack.t1588.002
@@ -15,9 +15,7 @@ logsource: product: windows detection: selection: - Product: - - 'Sysinternals DebugView' - - 'Sysinternals Debugview' + Product: 'Sysinternals DebugView' filter: OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml index 8c3cf5bd9..d0285fd93 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml @@ -9,7 +9,7 @@ references: - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ author: Florian Roth date: 2019/10/22 -modified: 2022/11/13 +modified: 2022/12/04 tags: - attack.defense_evasion - attack.t1218.011 @@ -31,6 +31,7 @@ detection: filter_vsbuild_dll: ParentImage|contains: - '\Msbuild\Current\Bin\' + - '\VC\Tools\MSVC\' - '\Tracker.exe' CommandLine|contains: - '\FileTracker32.dll,#1' diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index adfda748c..61195b186 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -5,9 +5,10 @@ description: This rule detects the execution of Run Once task as configured in t references: - https://twitter.com/pabraeken/status/990717080805789697 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ -author: 'Avneet Singh @v3t0_, oscd.community' + - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA +author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)' date: 2020/10/18 -modified: 2022/07/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.t1112 
@@ -19,8 +20,9 @@ detection:
 - Image|endswith: '\runonce.exe'
 - Description: 'Run Once Wrapper'
 selection_cli:
- CommandLine|contains: ' /AlternateShellStartup'
- condition: all of selection*
+ - CommandLine|contains: '/AlternateShellStartup'
+ - CommandLine|endswith: '/r'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
index 84bb696c4..18bf23836 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -4,7 +4,7 @@ related:
 - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 type: derived
 status: experimental
-description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities
 references:
 - Internal Research
 author: Nasreddine Bencherchali
diff --git a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml
new file mode 100644
index 000000000..337be8505
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml
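Review bot: The new `CommandLine|endswith: '/r'` entry in `selection_cli` makes any runonce.exe invocation whose command line ends in `/r` (case-insensitive in most backends) sufficient to match, a far broader trigger than the previous `/AlternateShellStartup`-only clause, yet `falsepositives` still reads `Unknown` and `level` stays `low`. The newly added 0gtweet reference appears to be the motivation, but nothing in the rule says what the `/r` switch does or why it is suspicious; the description (which starts above this hunk) should gain a sentence on it, and a falsepositives entry for legitimate RunOnce processing would document the accepted noise. The `selection_img` block that the `all of selection_*` condition depends on begins outside the hunk.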
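Review bot: The rewritten description still misspells "scheduled" as `schdueled`; the line should read `+description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities`. The hunk shows no `modified` bump accompanying this edit; if the file carries a `modified` field (outside the hunk) it should be updated with the wording change, as the other rules in this commit do.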
@@ -0,0 +1,50 @@
+title: Potential Suspicious Activity Using SeCEdit
+id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
+status: experimental
+description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+references:
+ - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
+author: Janantha Marasinghe
+date: 2022/11/18
+tags:
+ - attack.discovery
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.privilege_escalation
+ - attack.t1562.002
+ - attack.t1547.001
+ - attack.t1505.005
+ - attack.t1556.002
+ - attack.t1562
+ - attack.t1574.007
+ - attack.t1564.002
+ - attack.t1546.008
+ - attack.t1546.007
+ - attack.t1547.014
+ - attack.t1547.010
+ - attack.t1547.002
+ - attack.t1557
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\secedit.exe'
+ - OriginalFileName: 'SeCEdit'
+ selection_flags_discovery:
+ CommandLine|contains|all:
+ - '/export'
+ - '/cfg'
+ selection_flags_configure:
+ CommandLine|contains|all:
+ - '/configure'
+ - '/db'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection_img and (1 of selection_flags_*) and not filter
+falsepositives:
+ - Legitimate administrative use
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
index b71ae7f1a..7df638f02 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml
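Review bot: The `filter` block keys on `SubjectUserName|endswith: '$'`, but `SubjectUserName` is not a field of the Sigma `process_creation` taxonomy (the user field there is `User`), so pipelines that validate field names may reject the rule, and those that pass unknown fields through leave the filter unmatched so machine-account activity is not excluded as intended. Change it to `User|endswith: '$'`. Separately, the 19 tags span five tactics while the two selections only evidence `/export`+`/cfg` and `/configure`+`/db`; trimming the list to the techniques those two behaviours actually map to (for instance `attack.t1082` for the export path) would make the ATT&CK mapping defensible.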
@@ -10,6 +10,7 @@ references:
 - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
 author: Nasreddine Bencherchali
 date: 2022/09/01
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1489
@@ -35,284 +36,281 @@ detection: CommandLine|contains: 'Stop-Service ' services: CommandLine|contains: - - 'VSS' - - 'HealthTLService' - - 'ThreatLockerService' - - '"Veritas System Recovery"' - - 'EPlntegrationService' - - 'EPRedline' - - '"Client Agent 7.60"' - - 'SQLAgent$SVSTEM_BGC' - - '"Sophos Device Control Service"' - - '"Zoolz 2 Service"' - - '"Sophos AutoUpdate Service"' - - '"Sophos System Protection Service"' - - 'POVFSService' - - 'MSSQLFDLauncherSTPSAMA' - - '"Symantec System Recovery"' - - 'Antivirus' - - '"Sophos Health Service"' - - 'MSSQLFDLauncherSTPS' - - 'AcrSch2Svc' - - 'MSSQLSSVSTEM_BGC' - - 'MSSQLFDLauncherSPROFXENGAGEMENT' - - 'SQLAgentSTPS' - - '"Sophos Message Router"' - - 'MSSQLFDLauncher$S8SMONITORING' - - 'MySQL80' - - 'MSSQLSECWDB2' - - 'MSSQLWEEAMSQL2008R2' - - '"Sophos Clean Service"' - - '"Sophos Web Control Service"' - - 'EhttpSry' - - 'MSOLAPSTPSAMA' - - '"Veeam Backup Catalog Data Service"' - - 'MSSQLSSBSMONITORIMG' - - 'AcronisAgent' - - 'MySQLS7' - - 'UTODetect' - - 'MSSQLFOLauncherSSVSTEM_BGC' - - 'MSSQLSBKUPEXEC' - - 'SQLAgentSPRACTTICEBGC' - - '"Sophos MCS Client"' - - 'BackupExeclobEngine' - - 'SQLAgentSVEEAMSQL2008R2' - - '143Svc' - - '"SQLsafe Backup Service"' - - 'SQLAgentSCXDB' - - '"Sophos Safestore Service"' - - 'svcienericHost' - - 'MSSQLSTPSAMA' - - 'SQLAgentSCITRIX_METAFRAME' - - 'WeanClOudSve' - - '"Sophos File Scanner Service"' - - '"Sophos Agent"' - - 'M8EndpointAgent' - - 'mSSQLSFRACTICEMGT' - - 'SQLAgentSTPSAMA' - - 'McAfeeframework' - - '"Enterprise Client Service"' - - 'SQLAgentSSBSMONITORING' - - 'MSSQLSVEEAMSQL2012' - - 'SQ1SafeOLRService' - - 'VeeamEnterpriseHanagerSvc' - - 'SQLAgentSSQL EXPRESS' - - 'MSSQ!I.SPROFXENGAGEMEHT' - - 'IMANSVC' - - 'ARSM' - - 'MSSQLFOLavocher' - - 'MSExchangeMIA' - - 'TruekeyScheduler' - - 'MSSQ0SOPHOS' - - '"SQL Backups"' - - 'MSSQLSTPS' - - 'Weems JY' - - 'MSSQ0SHAREPOINT' - - 'mfevto' - - 'msftesq1SPROO' - - 'wozyprobackup' - - 'MSSQLSSQL_2008' - - 'MSSQLSSQLEXPRESS' - - 
'MSSQLSPRACTTICEBGE' - - 'VeeamRISTSvc' - - 'HMS' - - '"Sophos MCS Agent"' - '"Acronis VSS Provider"' - - 'MSSQLSVIEAMSQL2008112' - - 'HISSQLFDLauncherSSHAREPOINIT' - - '"SQLsafe Filter Service"' - - 'MSSQLSPROO' - - 'SQLAgentSPROO' - - 'MSOLAPSTPS' - - 'VeemaDep/oySvc' + - '"Client Agent 7.60"' + - '"Enterprise Client Service"' + - '"Sophos Agent"' + - '"Sophos AutoUpdate Service"' + - '"Sophos Clean Service"' + - '"Sophos Device Control Service"' + - '"Sophos File Scanner Service"' + - '"Sophos Health Service"' + - '"Sophos MCS Agent"' + - '"Sophos MCS Client"' + - '"Sophos Message Router"' + - '"Sophos Safestore Service"' + - '"Sophos System Protection Service"' + - '"Sophos Web Control Service"' + - '"SQL Backups"' - '"SQL Server (MSSQLSERVER)"' - '"SQL Server (SQLEXPRESS)' + - '"SQLsafe Backup Service"' + - '"SQLsafe Filter Service"' + - '"Symantec System Recovery"' + - '"Veeam Backup Catalog Data Service"' + - '"Veritas System Recovery"' + - '"Zoolz 2 Service"' + - '“Avast Business Console Client Antivirus Service”' + - '“avast! 
Antivirus”' + - '“SQL Backups”' + - '“Zoolz 2 Service”' + - '143Svc' + - 'AcronisAgent' + - 'AcrSch2Svc' + - 'Antivirus' + - 'ARSM' + - 'aswBcc' + - 'AVP' - 'BackupExecAgentAccelerator' - - 'McAfeeEngineService' - 'BackupExecAgentBrowser' - - 'McAfeeFramework' - 'BackupExecDeviceMediaService' - - 'McAfeeFrameworkMcAfeeFramework' - 'BackupExecJobEngine' - - 'McTaskManager' + - 'BackupExeclobEngine' - 'BackupExecManagementService' - - 'mfemms' - 'BackupExecRPCService' - - 'mfevtp' - 'BackupExecVSSProvider' - - 'MMS' - 'bedbg' - - 'mozyprobackup' + - 'BITS' + - 'BrokerInfrastructure' - 'DCAgent' + - 'EhttpSrv' + - 'EhttpSry' + - 'ekrn' + - 'epag' + - 'EPIntegrationService' + - 'EPlntegrationService' + - 'EPProtectedService' + - 'EPRedline' + - 'EPSecurityService' + - 'EPUpdateService' + - 'EraserSvc11710' + - 'EsgShKernel' + - 'ESHASRV' + - 'FA_Scheduler' + - 'HealthTLService' + - 'HISSQLFDLauncherSSHAREPOINIT' + - 'HMS' + - 'IISAdmin' + - 'IMANSVC' + - 'IMAP4Svc' + - 'KAVFS' + - 'KAVFSGT' + - 'kavfsslp' + - 'klnagent' + - 'LogProcessorService' + - 'M8EndpointAgent' + - 'macmnsvc' + - 'masvc' + - 'MBAMService' + - 'MBEndpointAgent' + - 'McAfeeEngineService' + - 'MCAFEEEVENTPARSERSRV' + - 'McAfeeFramework' + - 'McAfeeFrameworkMcAfeeFramework' + - 'MCAFEETOMCATSRV530' + - 'McShield' + - 'McTaskManager' + - 'mfefire' + - 'mfemms' + - 'mfevto' + - 'mfevtp' + - 'mfewc' + - 'MMS' + - 'mozyprobackup' - 'MsDtsServer' - 'MsDtsServer100' - 'MsDtsServer110' - - 'EraserSvc11710' + - 'MsDtsServer130' - 'MSExchangeES' - - 'EsgShKernel' - 'MSExchangeIS' - - 'FA_Scheduler' - 'MSExchangeMGMT' - - 'IISAdmin' + - 'MSExchangeMIA' - 'MSExchangeMTA' - - 'IMAP4Svc' - 'MSExchangeSA' - - 'macmnsvc' - 'MSExchangeSRS' - - 'masvc' - - 'MSOLAP$SQL_2008' - - 'MBAMService' - - 'MSOLAP$SYSTEM_BGC' - - 'MBEndpointAgent' - - 'MSOLAP$TPS' - - 'McShield' - - 'MSSQLSERVER' - - 'MSSQL$ECWDB2' - - 'MSSQLServerADHelper100' - - 'MSSQL$PRACTICEMGT' - - 'MSSQLServerOLAPService' - - 'MSSQL$PRACTTICEBGC' - - 
'MySQL57' - - 'MSSQL$PROFXENGAGEMENT' - - 'ntrtscan' - - 'MSSQL$SBSMONITORING' - - 'OracleClientCache80' - - 'MSSQL$SHAREPOINT' - - 'PDVFSService' - - 'MSSQL$SQL_2008' - - 'POP3Svc' - - 'MSSQL$SYSTEM_BGC' - - 'ReportServer' - - 'MSSQL$TPS' - - 'ReportServer$SQL_2008' - - 'MSSQL$TPSAMA' - - 'ReportServer$SYSTEM_BGC' - - 'ReportServer$TPS' - - 'MSSQL$VEEAMSQL2012' - - 'ReportServer$TPSAMA' - - 'MSSQLFDLauncher' - - 'RESvc' - - 'MSSQLFDLauncher$PROFXENGAGEMENT' - - 'sacsvr' - - 'MSSQLFDLauncher$SBSMONITORING' - - 'MSSQLFDLauncher$SHAREPOINT' - - 'SamSs' - - 'MSSQLFDLauncher$SQL_2008' - - 'SAVAdminService' - - 'MSSQLFDLauncher$SYSTEM_BGC' - - 'SAVService' - - 'MSOLAP$TPSAMA' - - 'MSSQLFDLauncher$TPS' - - 'MSSQL$BKUPEXEC' - - 'MSSQLFDLauncher$TPSAMA' - - 'Smcinst' - - 'SQLTELEMETRY$ECWDB2' - - 'SmcService' - - 'SQLWriter' - - 'SMTPSvc' - - 'SstpSvc' - - 'SNAC' - - 'svcGenericHost' - - 'SntpService' - - 'swi_filter' - - 'sophossps' - - 'swi_service' - - 'SQLAgent$BKUPEXEC' - - 'swi_update_64' - - 'SQLAgent$ECWDB2' - - 'TmCCSF' - - 'SQLAgent$PRACTTICEBGC' - - 'tmlisten' - - 'SQLAgent$PRACTTICEMGT' - - 'TrueKey' - - 'SQLAgent$PROFXENGAGEMENT' - - 'TrueKeyScheduler' - - 'SQLAgent$SBSMONITORING' - - 'TrueKeyServiceHelper' - - 'SQLAgent$SHAREPOINT' - - 'SQLAgent$SQL_2008' - - 'UI0Detect' - - 'SQLAgent$SYSTEM_BGC' - - 'SQLAgent$TPS' - - 'VeeamBackupSvc' - - 'SQLAgent$TPSAMA' - - 'VeeamBrokerSvc' - - 'SQLAgent$VEEAMSQL2012' - - 'VeeamCatalogSvc' - - 'SQLBrowser' - - 'VeeamCloudSvc' - - 'SDRSVC' - - 'SQLSafeOLRService' - - 'SepMasterService' - - 'SQLSERVERAGENT' - - 'ShMonitor' - - 'SQLTELEMETRY' - - 'VeeamDeploymentService' - - 'NetMsmqActivator' - - 'VeeamDeploySvc' - - 'EhttpSrv' - - 'VeeamEnterpriseManagerSvc' - - 'ekrn' - - 'VeeamMountSvc' - - 'ESHASRV' - - 'VeeamNFSSvc' - - 'MSSQL$SOPHOS' - - 'VeeamRESTSvc' - - 'SQLAgent$SOPHOS' - - 'VeeamTransportSvc' - - 'AVP' - - 'W3Svc' - - 'klnagent' - - 'MSSQL$SQLEXPRESS' - - 'WRSVC' - - 'SQLAgent$SQLEXPRESS' - - 'wbengine' - - 
'MSSQL$VEEAMSQL2008R2' - - 'kavfsslp' - - 'SQLAgent$VEEAMSQL2008R2' - - 'VeeamHvIntegrationSvc' - - 'KAVFSGT' - - 'swi_update' - - 'KAVFS' - - 'SQLAgent$CXDB' - - 'mfefire' - - 'SQLAgent$CITRIX_METAFRAME' - - '“SQL Backups”' - - '“avast! Antivirus”' - - 'MSSQL$PROD' - - 'aswBcc' - - '“Zoolz 2 Service”' - - '“Avast Business Console Client Antivirus Service”' - - 'MSSQLServerADHelper' - - 'mfewc' - - 'SQLAgent$PROD' - - 'Telemetryserver' + - 'msftesq1SPROO' - 'msftesql$PROD' - - 'WdNisSvc' - - 'WinDefend' - - 'MCAFEETOMCATSRV530' - - 'MCAFEEEVENTPARSERSRV' - - 'MSSQLFDLauncher$ITRIS' + - 'MSOLAP$SQL_2008' + - 'MSOLAP$SYSTEM_BGC' + - 'MSOLAP$TPS' + - 'MSOLAP$TPSAMA' + - 'MSOLAPSTPS' + - 'MSOLAPSTPSAMA' + - 'MSSQ!I.SPROFXENGAGEMEHT' + - 'MSSQ0SHAREPOINT' + - 'MSSQ0SOPHOS' + - 'MSSQL$BKUPEXEC' + - 'MSSQL$ECWDB2' - 'MSSQL$EPOSERVER' - 'MSSQL$ITRIS' + - 'MSSQL$PRACTICEMGT' + - 'MSSQL$PRACTTICEBGC' + - 'MSSQL$PROD' + - 'MSSQL$PROFXENGAGEMENT' + - 'MSSQL$SBSMONITORING' + - 'MSSQL$SHAREPOINT' + - 'MSSQL$SOPHOS' + - 'MSSQL$SQL_2008' + - 'MSSQL$SQLEXPRESS' + - 'MSSQL$SYSTEM_BGC' + - 'MSSQL$TPS' + - 'MSSQL$TPSAMA' + - 'MSSQL$VEEAMSQL2008R2' + - 'MSSQL$VEEAMSQL2012' + - 'MSSQLFDLauncher' + - 'MSSQLFDLauncher$ITRIS' + - 'MSSQLFDLauncher$PROFXENGAGEMENT' + - 'MSSQLFDLauncher$S8SMONITORING' + - 'MSSQLFDLauncher$SBSMONITORING' + - 'MSSQLFDLauncher$SHAREPOINT' + - 'MSSQLFDLauncher$SQL_2008' + - 'MSSQLFDLauncher$SYSTEM_BGC' + - 'MSSQLFDLauncher$TPS' + - 'MSSQLFDLauncher$TPSAMA' + - 'MSSQLFDLauncherSPROFXENGAGEMENT' + - 'MSSQLFDLauncherSTPS' + - 'MSSQLFDLauncherSTPSAMA' + - 'MSSQLFOLauncherSSVSTEM_BGC' + - 'MSSQLFOLavocher' + - 'MSSQLLaunchpad$ITRIS' + - 'MSSQLSBKUPEXEC' + - 'MSSQLSECWDB2' + - 'MSSQLSERVER' + - 'MSSQLServerADHelper' + - 'MSSQLServerADHelper100' + - 'MSSQLServerOLAPService' + - 'mSSQLSFRACTICEMGT' + - 'MSSQLSPRACTTICEBGE' + - 'MSSQLSPROO' + - 'MSSQLSSBSMONITORIMG' + - 'MSSQLSSQL_2008' + - 'MSSQLSSQLEXPRESS' + - 'MSSQLSSVSTEM_BGC' + - 'MSSQLSTPS' + - 'MSSQLSTPSAMA' + - 
'MSSQLSVEEAMSQL2012' + - 'MSSQLSVIEAMSQL2008112' + - 'MSSQLWEEAMSQL2008R2' + - 'MySQL57' + - 'MySQL80' + - 'MySQLS7' + - 'NetMsmqActivator' + - 'ntrtscan' + - 'OracleClientCache80' + - 'PDVFSService' + - 'POP3Svc' + - 'POVFSService' + - 'ReportServer' + - 'ReportServer$SQL_2008' + - 'ReportServer$SYSTEM_BGC' + - 'ReportServer$TPS' + - 'ReportServer$TPSAMA' + - 'RESvc' + - 'sacsvr' + - 'SamSs' + - 'SAVAdminService' + - 'SAVService' + - 'SDRSVC' + - 'SentinelAgent' + - 'SentinelHelperService' + - 'SepMasterService' + - 'ShMonitor' + - 'Smcinst' + - 'SmcService' + - 'SMTPSvc' + - 'SNAC' + - 'SntpService' + - 'sophossps' + - 'SQ1SafeOLRService' + - 'SQLAgent$BKUPEXEC' + - 'SQLAgent$CITRIX_METAFRAME' + - 'SQLAgent$CXDB' + - 'SQLAgent$ECWDB2' - 'SQLAgent$EPOSERVER' - 'SQLAgent$ITRIS' + - 'SQLAgent$PRACTTICEBGC' + - 'SQLAgent$PRACTTICEMGT' + - 'SQLAgent$PROD' + - 'SQLAgent$PROFXENGAGEMENT' + - 'SQLAgent$SBSMONITORING' + - 'SQLAgent$SHAREPOINT' + - 'SQLAgent$SOPHOS' + - 'SQLAgent$SQL_2008' + - 'SQLAgent$SQLEXPRESS' + - 'SQLAgent$SVSTEM_BGC' + - 'SQLAgent$SYSTEM_BGC' + - 'SQLAgent$TPS' + - 'SQLAgent$TPSAMA' + - 'SQLAgent$VEEAMSQL2008R2' + - 'SQLAgent$VEEAMSQL2012' + - 'SQLAgentSCITRIX_METAFRAME' + - 'SQLAgentSCXDB' + - 'SQLAgentSPRACTTICEBGC' + - 'SQLAgentSPROO' + - 'SQLAgentSSBSMONITORING' + - 'SQLAgentSSQL EXPRESS' + - 'SQLAgentSTPS' + - 'SQLAgentSTPSAMA' + - 'SQLAgentSVEEAMSQL2008R2' + - 'SQLBrowser' + - 'SQLSafeOLRService' + - 'SQLSERVERAGENT' + - 'SQLTELEMETRY' + - 'SQLTELEMETRY$ECWDB2' - 'SQLTELEMETRY$ITRIS' - - 'SentinelHelperService' - - 'MsDtsServer130' - - 'LogProcessorService' + - 'SQLWriter' - 'SSISTELEMETRY130' - - 'EPUpdateService' - - 'MSSQLLaunchpad$ITRIS' + - 'SstpSvc' + - 'svcGenericHost' + - 'svcienericHost' + - 'swi_filter' + - 'swi_service' + - 'swi_update' + - 'swi_update_64' + - 'Telemetryserver' + - 'ThreatLockerService' + - 'TmCCSF' + - 'tmlisten' - 'TmPfw' - - 'BITS' - - 'SentinelAgent' - - 'BrokerInfrastructure' - - 'EPProtectedService' - - 'epag' 
- - 'epredline' - - 'EPIntegrationService' - - 'EPSecurityService' + - 'TrueKey' + - 'TruekeyScheduler' + - 'TrueKeyServiceHelper' + - 'UI0Detect' + - 'UTODetect' + - 'VeeamBackupSvc' + - 'VeeamBrokerSvc' + - 'VeeamCatalogSvc' + - 'VeeamCloudSvc' + - 'VeeamDeploymentService' + - 'VeeamDeploySvc' + - 'VeeamEnterpriseHanagerSvc' + - 'VeeamEnterpriseManagerSvc' + - 'VeeamHvIntegrationSvc' + - 'VeeamMountSvc' + - 'VeeamNFSSvc' + - 'VeeamRESTSvc' + - 'VeeamRISTSvc' + - 'VeeamTransportSvc' + - 'VeemaDep/oySvc' + - 'VSS' + - 'W3Svc' + - 'wbengine' + - 'WdNisSvc' + - 'WeanClOudSve' + - 'Weems JY' + - 'WinDefend' + - 'wozyprobackup' + - 'WRSVC' condition: services and (all of selection_sc_net* or selection_pwsh) falsepositives: - Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml index 688ad4185..538c99dea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth date: 2021/07/14 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.persistence - attack.t1136.001 
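Review bot: The alphabetised `services` list keeps entries that look like OCR artefacts of a published kill-list rather than real service names — `'MSSQ!I.SPROFXENGAGEMEHT'`, `'VeemaDep/oySvc'`, `'Weems JY'`, `'WeanClOudSve'`, `'svcienericHost'`, `'SQ1SafeOLRService'`, `'EPlntegrationService'` (lowercase L) — and the curly-quoted duplicates `'“SQL Backups”'`, `'“Zoolz 2 Service”'` and `'“avast! Antivirus”'`, each sitting next to its correctly spelled counterpart. A real `net stop`/`sc stop`/`Stop-Service` command line will not contain these strings, so they only inflate the rule; if they are kept on purpose to match a specific sample's literal strings, a comment above the list stating that would stop the next cleanup from dropping them. The very short substrings `'VSS'`, `'BITS'` and `'Antivirus'` also match any service name that merely contains them under `contains`, which the `falsepositives` entry should acknowledge. The `selection_sc_net*` and `selection_pwsh` blocks referenced by the condition are defined above this hunk.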
@@ -16,15 +16,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_whoami:
 CommandLine|contains: 'whoami'
- selection2:
+ selection_cmd_1:
 CommandLine|contains:
 - './Client/Common/'
 - '.\Client\Common\'
- selection3:
+ selection_cmd_2:
 CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
- condition: selection1 and selection2 or selection3
+ condition: selection_whoami and 1 of selection_cmd*
 falsepositives:
 - Unlikely
 level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
index 522a0bb09..c1eb9f34e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
@@ -23,5 +23,5 @@ detection:
 - ' /im '
 condition: all of selection*
 falsepositives:
- - Unknown
+ - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index 91cb6862a..6c8c49a0e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/10
-modified: 2022/02/25
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.t1059.001
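Review bot: The new `condition: selection_whoami and 1 of selection_cmd*` requires `whoami` on every match, whereas the old `selection1 and selection2 or selection3` let `selection3` (the `C:\Windows\Temp\Serv-U.bat` command line) fire on its own, because Sigma evaluates `and` before `or`. If the bat-path indicator was meant to remain standalone, the behaviour-preserving rewrite is `+ condition: (selection_whoami and selection_cmd_1) or selection_cmd_2`; if narrowing it was the intent, the `modified` bump alone does not record that and the description (above this hunk) should state that `whoami` is now required in both patterns.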
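Review bot: The new `falsepositives` text has a grammar slip (`this techniques`) and reads awkwardly; suggest `+ - Expected FP with some processes using this technique to terminate one of their own processes during installations and updates`. The hunk shows no `modified` bump for this change; if the file has one (outside the hunk) it should be updated alongside the wording.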
@@ -20,15 +20,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_1:
- Image|endswith: '\sqlps.exe'
- selection_2:
+ selection_parent:
 ParentImage|endswith: '\sqlps.exe'
- selection_3:
- OriginalFileName: '\sqlps.exe'
- filter:
+ selection_image:
+ - Image|endswith: '\sqlps.exe'
+ - OriginalFileName: 'sqlps.exe'
+ filter_image:
 ParentImage|endswith: '\sqlagent.exe'
- condition: 1 of selection_* and not filter
+ condition: selection_parent or (selection_image and not filter_image)
 falsepositives:
 - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index a84f52be0..18301a4a1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (rule), Samir Bousseaden (idea)
 date: 2019/06/17
-modified: 2022/10/09
+modified: 2022/12/09
 tags:
 - attack.defense_evasion
 - attack.t1055
@@ -20,7 +20,7 @@ detection:
 CommandLine|contains: '\netlogon\'
 filter2:
 - Image|endswith: '\explorer.exe'
- - ImageFileName: 'explorer.exe'
+ - OriginalFileName: 'explorer.exe'
 condition: selection and not 1 of filter*
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index c82b820ef..cbff1f31f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
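Review bot: `selection_parent` (`ParentImage|endswith: '\sqlps.exe'`) is not subject to `filter_image`, so every child process of sqlps.exe fires at `level: medium` even when that sqlps.exe was itself launched by sqlagent.exe — the very case the `falsepositives` line calls legitimate. This appears to be carried over from the old `selection_2`, which the old `filter` could not affect either, so it is not a regression, but the restructure is the moment to make the intent explicit: either add a comment on `selection_parent` saying children of the agent-spawned shell are deliberately kept, or note in `falsepositives` that process_creation events carry no grandparent field, so that exclusion cannot be expressed here.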
@@ -1,22 +1,18 @@
 title: Suspicious WERMGR Process Patterns
-id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF
+id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
 status: experimental
 description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
 references:
 - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
 - https://www.echotrail.io/insights/search/wermgr.exe
+ - https://github.com/binderlabs/DirCreate2System
 author: Florian Roth
 date: 2022/10/14
+modified: 2022/12/04
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
- Image|endswith: '\wermgr.exe'
- filter_img_location:
- Image|contains:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
 selection_susp_parent:
 ParentImage|endswith: '\wermgr.exe'
 Image|endswith:
@@ -29,7 +25,13 @@ detection:
 - '\systeminfo.exe'
 - '\cmd.exe'
 - '\powershell.exe'
- condition: selection_img and not filter_img_location or 1 of selection_susp*
+ selection_img:
+ Image|endswith: '\wermgr.exe'
+ filter_img_location:
+ Image|contains:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: 1 of selection_susp* or (selection_img and not filter_img_location)
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index 5fef7c637..93c142377 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -8,6 +8,7 @@ references:
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth
 date: 2022/11/10
+modified: 2022/12/15
 tag:
 - attack.privilege_escalation
 - attack.t1068
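Review bot: The rule `id` changes from `CBEC226F-63D9-4ECA-9F52-DFB6652F24DF` to `396f6630-f3ac-44e3-bfc8-1b161bc00c4e` with no record of the old identifier, so suppressions, tuning lists and deployments keyed on the old UUID silently lose their link to this rule. The Sigma `related` field has a `renamed` type for exactly this case; add under the new id `related:` / `  - id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF` / `    type: renamed`. The second hunk only moves `selection_img`/`filter_img_location` below the parent selection and parenthesises the condition, which is equivalent to the previous `and`-before-`or` precedence, so there is no behavioural change to document there.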
@@ -21,9 +22,12 @@ detection:
 - '\Sysmon.exe'
 - '\Sysmon64.exe'
 filter:
- Image:
+ - Image:
 - 'C:\Windows\Sysmon64.exe'
 - 'C:\Windows\System32\conhost.exe'
+ - 'wevtutil.exe'
+ - 'C:\WINDOWS\system32\wevtutil.exe'
+ - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
 condition: selection and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
index 07538331c..b9162caf8 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
@@ -8,7 +8,7 @@ references:
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth, Nasreddine Bencherchali
 date: 2022/01/24
-modified: 2022/08/08
+modified: 2022/11/30
 tags:
 - attack.execution
 - attack.t1569.002
@@ -18,7 +18,8 @@ logsource:
 product: windows
 detection:
 selection_org:
- OriginalFileName: 'NirCmd.exe'
+ - Image|endswith: '\NirCmd.exe'
+ - OriginalFileName: 'NirCmd.exe'
 selection_cmd:
 CommandLine|contains:
 - ' execmd '
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
index cdecf03d6..dee3a59b6 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
@@ -1,4 +1,4 @@
-title: Suspicious Get Local Groups Information with WMIC
+title: Suspicious Get ComputerSystem Information with WMIC
 id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
 status: experimental
 description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
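Review bot: In the rewritten `filter`, `Image:` is an exact-match field, so the bare value `'wevtutil.exe'` can never equal a full image path and is dead; the sibling `'C:\WINDOWS\system32\wevtutil.exe'` already covers the real location, so either drop the bare entry or, if non-canonical paths are the worry, use a separate `Image|endswith: '\wevtutil.exe'`. The new `Image|endswith: '\AppData\Local\Temp\Sysmon.exe'` exclusion applies to any user's Temp folder; if the 32-bit launch described in its trailing comment always uses the same path, anchoring that more tightly keeps the exclusion narrow in a rule whose purpose is to catch Sysmon exploitation. The preceding hunk's context also shows the key `tag:` where the Sigma schema expects `tags:`, which predates this commit but is worth fixing while the file is open.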
@@ -6,6 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 author: Nasreddine Bencherchali
 date: 2022/09/08
+modified: 2022/11/29
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml
new file mode 100644
index 000000000..84ed9bd12
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml
@@ -0,0 +1,25 @@
+title: WMIC Tamper Windows Defender
+id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
+status: experimental
+description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
+ - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: frack113
+date: 2022/12/11
+tags:
+ - attack.credential_access
+ - attack.t1546.008
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml
new file mode 100644
index 000000000..015d42d08
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml
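Review bot: The tags `attack.credential_access` and `attack.t1546.008` do not describe what this rule detects; changing Windows Defender settings through the `root\Microsoft\Windows\Defender` WMI namespace is impairing defenses, and the rule's own first reference points at the T1562.001 atomic. Replace them with `+ - attack.defense_evasion` and `+ - attack.t1562.001`. The description could also be made precise and grammatical, e.g. `+description: Detects potential tampering with Windows Defender settings, such as adding exclusions, via the Defender WMI namespace using wmic`.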
@@ -0,0 +1,32 @@
+title: Wsudo Suspicious Execution
+id: bdeeabc9-ff2a-4a51-be59-bb253aac7891
+status: experimental
+description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
+references:
+ - https://github.com/M2Team/Privexec/
+author: Nasreddine Bencherchali
+date: 2022/12/02
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_metadata:
+ - Image|endswith: '\wsudo.exe'
+ - OriginalFileName: 'wsudo.exe'
+ - Description: 'Windows sudo utility'
+ - ParentImage|endswith: '\wsudo-bridge.exe'
+ selection_cli:
+ CommandLine|contains:
+ - '-u System'
+ - '-uSystem'
+ - '-u TrustedInstaller'
+ - '-uTrustedInstaller'
+ - ' --ti '
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
new file mode 100644
index 000000000..d941ae9fe
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
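Review bot: With `condition: 1 of selection_*`, `selection_cli` alone is sufficient, so any process whose command line contains `-u System`, `-uSystem`, `-u TrustedInstaller`, `-uTrustedInstaller` or ` --ti ` fires at `level: high` regardless of image — the wsudo metadata in `selection_metadata` is never actually required. If the intent is to also catch a renamed binary via its switches, a comment on `selection_cli` saying so would justify the breadth and `falsepositives: Unknown` should then list the other tools that take a `-u <account>` switch in the author's environment; otherwise `+ condition: all of selection_*` is what the title promises. The description also has a grammar slip (`Which is a tool that let the user`) — `which lets the user` reads correctly.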
@@ -0,0 +1,25 @@
+title: Suspicious X509Enrollment - Process Creation
+id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
+related:
+ - id: 504d63cb-0dba-4d02-8531-e72981aace2c
+ type: similar
+status: experimental
+description: Detect use of X509Enrollment
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
+ - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
+author: frack113
+date: 2022/12/23
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - 'X509Enrollment.CBinaryConverter'
+ - '884e2002-217d-11da-b2a4-000e7bbb2b09'
+ condition: selection
+falsepositives:
+ - Legitimate administrative script
+level: medium
diff --git a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml
index 81ad32a3d..d7a701df1 100644
--- a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml
@@ -6,7 +6,7 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2022/11/08
+modified: 2022/11/29
 tags:
 - attack.defense_evasion
 - attack.t1006
@@ -24,7 +24,6 @@ detection:
 - 'C:\Windows\servicing\'
 - 'C:\Windows\CCM\'
 - 'C:\Windows\uus\'
- - 'C:\Windows\WinSxs\'
 filter_3:
 ProcessId: 4
 filter_specific:
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
index 20c31d6f8..b369a0815 100644
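Review bot: The rule ships with no `tags:` block at all, and `description: Detect use of X509Enrollment` does not say what is suspicious about it, so a triager has only the two indicators (`X509Enrollment.CBinaryConverter` and its CLSID `884e2002-217d-11da-b2a4-000e7bbb2b09`) and a slide-deck link to go on. Expand the description to state the rationale the references appear to support, e.g. `+description: Detects the X509Enrollment.CBinaryConverter COM object, referenced by ProgID or CLSID, on a process command line; outside certificate enrollment this object is used as an encoding/decoding helper in obfuscated scripts`, and add a `tags:` block aligned with the related rule `504d63cb-0dba-4d02-8531-e72981aace2c` so both entries carry the same ATT&CK mapping.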
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 author: Nasreddine Bencherchali
 date: 2022/07/21
+modified: 2022/12/19
 tags:
 - attack.persistence
 logsource:
@@ -19,7 +20,10 @@ detection:
 - '\SOFTWARE\Microsoft\AMSI\Providers\'
 - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
 filter:
- Image|startswith: 'C:\Program Files'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 condition: selection and not filter
 falsepositives:
 - Legitimate security products adding their own AMSI providers
diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
similarity index 100%
rename from rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml
rename to rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
index 0bf48f7de..c0e5aab00 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
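Review bot: Adding `'C:\Windows\System32\'` to `filter` excludes every registry-writing utility that lives in System32 (reg.exe, regsvr32.exe, powershell.exe and the like) from a rule whose only reference is a fake-AMSI-provider registration, so most of the ways such a provider key gets created now pass silently and only writers outside Program Files remain visible. If a specific System32 process was producing the noise, filter on that image rather than the directory, e.g. `- Image: 'C:\Windows\System32\<noisy-process>.exe'` with the name taken from the observed events, and record the reason in a comment so the exclusion can be revisited. The `selection` block and its `EventType` live above this hunk.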
@@ -6,11 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/24 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1588.002 @@ -21,33 +22,44 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + # Please add new values while respecting the alphabetical order + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' + - '\ProcDump' - '\Process Explorer' + - '\PsExec' + - '\PsLoggedon' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\PsPing' + - '\PsService' TargetObject|endswith: '\EulaAccepted' filter: Image|endswith: - - '\PsExec.exe' - - '\PsExec64.exe' - - '\procdump.exe' - - '\procdump64.exe' + # Please add new values while respecting the alphabetical order + - '\ADExplorer.exe' + - '\ADExplorer64.exe' - '\handle.exe' - '\handle64.exe' - '\livekd.exe' - '\livekd64.exe' + - '\procdump.exe' + - '\procdump64.exe' - '\procexp.exe' - '\procexp64.exe' + - '\PsExec.exe' + - '\PsExec64.exe' + - '\PsLoggedon.exe' + - '\PsLoggedon64.exe' - '\psloglist.exe' - '\psloglist64.exe' - '\pspasswd.exe' - '\pspasswd64.exe' - - '\ADExplorer.exe' - - '\ADExplorer64.exe' + - '\PsPing.exe' + - '\PsPing64.exe' + - '\PsService.exe' + - '\PsService64.exe' condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index 06cd58376..df087b4c1 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml 
+++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -1,4 +1,4 @@ -title: Usage of Sysinternals Tools +title: Usage of Sysinternals Tools - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry @@ -6,7 +6,7 @@ references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis date: 2017/08/28 -modified: 2022/06/26 +modified: 2022/11/29 tags: - attack.resource_development - attack.t1588.002 diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml index d9f20e6c5..dc8b279ac 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml @@ -19,8 +19,7 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - TargetObject|startswith: - - 'HKLM\SYSTEM\Setup\PrintResponsor\' + - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml index 83117c156..279985d14 100644 --- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -1,4 +1,4 @@ -title: NetNTLM Downgrade Attack +title: NetNTLM Downgrade Attack - Registry id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 status: test description: Detects NetNTLM downgrade attack 
@@ -6,7 +6,7 @@ references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth, wagga date: 2018/03/20 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1562.001 diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml index c60319ecb..337c3cd4e 100644 --- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -4,8 +4,11 @@ status: experimental description: Detects persistence registry keys for Recycle Bin references: - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf + - https://persistence-info.github.io/Data/recyclebin.html + - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ author: frack113 date: 2021/11/18 +modified: 2022/12/06 tags: - attack.persistence - attack.t1547 @@ -15,10 +18,10 @@ logsource: detection: selection_create: EventType: RenameKey - NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open' selection_set: EventType: SetValue - TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml index 6b5f69270..f0069ff5d 100644 --- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml 
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml @@ -1,7 +1,7 @@ -title: SilentProcessExit Monitor Registration for LSASS +title: Potential Credential Dumping Via LSASS SilentProcessExit Technique id: 55e29995-75e7-451a-bef0-6225e2f13597 related: - - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a + - id: 36803969-5421-41ec-b92f-8500f79c23b0 type: similar status: experimental description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process @@ -10,10 +10,10 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ author: Florian Roth date: 2021/02/26 -modified: 2022/09/07 +modified: 2022/12/19 tags: - attack.credential_access - - attack.t1003.007 + - attack.t1003.001 logsource: category: registry_event product: windows diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml new file mode 100644 index 000000000..4780d88a6 --- /dev/null +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml 
@@ -0,0 +1,28 @@
+title: Potential Ransomware Activity Using LegalNotice Message
+id: 8b9606c9-28be-4a38-b146-0e313cc232c1
+status: experimental
+description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
+author: frack113
+date: 2022/12/11
+tags:
+ - attack.impact
+ - attack.t1491.001
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
+ Details|contains:
+ - 'encrypted'
+ - 'Unlock-Password'
+ - 'paying'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index cb01e74e1..815458a31 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -2,7 +2,7 @@ title: Classes Autorun Keys Modification
 id: 9df5f547-c86a-433e-b533-f2794357e242
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 73c9c3ce6..86272d01d 100644
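Review bot: `Details|contains` with the bare words `encrypted` and `paying` will match ordinary GPO-managed logon banners ("all sessions are encrypted and monitored"), and at `level: high` with `falsepositives: Unknown` that makes the alert easy to dismiss. The three strings are lifted from the Atomic Red Team test rather than from real ransom notes; adding better-anchored terms such as `- 'decrypt'`, `- 'bitcoin'` and `- '.onion'` keeps the atomic covered while catching actual notes, and `falsepositives` should state `- Legitimate legal notices mentioning encryption or payment`. Consider also requiring the `Details` length to be non-trivial if the backend supports it, since a ransom note is never a one-liner.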
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -2,7 +2,7 @@ title: Common Autorun Keys Modification id: f59c3faf-50f3-464b-9f4c-1b67ab512d99 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index 4a251912d..7358de40c 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -2,7 +2,7 @@ title: CurrentControlSet Autorun Keys Modification id: f674e36a-4b91-431e-8aef-f8a96c2aca35 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index 2a306b9af..00e256f48 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
@@ -2,7 +2,7 @@ title: CurrentVersion Autorun Keys Modification id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 57591152e..cf9b29bea 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -2,7 +2,7 @@ title: CurrentVersion NT Autorun Keys Modification id: cbf93e5d-ca6c-4722-8bea-e9119007c248 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: @@ -33,7 +33,7 @@ detection: - '\Winlogon\AlternateShells\AvailableShells' - '\Windows\IconServiceLib' - '\Windows\Appinit_Dlls' - - '\Image File Execution Options' + - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0 - '\Font Drivers' - '\Drivers32' - '\Windows\Run' diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml index a2a4508c4..08dd1e190 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml 
@@ -2,7 +2,7 @@ title: Internet Explorer Autorun Keys Modification id: a80f662f-022f-4429-9b8c-b1a41aaa6688 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index d627b0384..9385cd16e 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -2,7 +2,7 @@ title: Office Autorun Keys Modification id: baecf8fb-edbf-429f-9ade-31fc3f22b970 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index 6f6cc6e2a..77d941b03 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -2,7 +2,7 @@ title: Session Manager Autorun Keys Modification id: 046218bd-e0d8-4113-a3c3-895a12b2b298 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml index 1d1b33595..f30a1ebe6 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml @@ -2,7 +2,7 @@ title: System Scripts Autorun Keys Modification id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 4a79e6514..122227129 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -2,7 +2,7 @@ title: Wow6432Node CurrentVersion Autorun Keys Modification id: b29aed60-ebd1-442b-9cb5-16a1d0324adb related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: @@ -12,7 +12,7 @@ references: - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 -modified: 2022/11/01 +modified: 2022/12/14 tags: - attack.persistence - attack.t1547.001 
@@ -64,9 +64,7 @@ detection: TargetObject|endswith: - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}' - Details|startswith: - - '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-' - - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-' + Details|startswith: '"C:\ProgramData\Package Cache\' Details|endswith: '.exe" /burn.runonce' filter_office: Image|startswith: @@ -78,12 +76,15 @@ detection: filter_vcredist: Image|endswith: '\VC_redist.x64.exe' Details|endswith: '}\VC_redist.x64.exe" /burn.runonce' - filter_winsdk: + filter_upgrades: Image|startswith: - 'C:\ProgramData\Package Cache' - 'C:\Windows\Temp\' - Image|endswith: '\winsdksetup.exe' - Details|endswith: '\winsdksetup.exe" /burn.runonce' + Image|contains: + - '\winsdksetup.exe' + - '\windowsdesktop-runtime-' # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe + - '\AspNetCoreSharedFrameworkBundle-' # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce + Details|endswith: ' /burn.runonce' condition: all of wow_current_version_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml index d0221d76f..84e00ba88 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml 
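Review bot: Both loosened filters key on attacker-choosable strings: `filter_upgrades` now accepts any `Image` under `C:\Windows\Temp\` whose path merely contains `\windowsdesktop-runtime-` (or `\winsdksetup.exe`, `\AspNetCoreSharedFrameworkBundle-`) together with a `Details` ending in ` /burn.runonce`, and the first filter's `Details|startswith` went from two specific `Package Cache\{GUID}` prefixes to the whole `"C:\ProgramData\Package Cache\` tree. An actor who already has the privilege to write an HKLM RunOnce value can stage `C:\Windows\Temp\x\windowsdesktop-runtime-6.0.0-win-x64.exe` and append ` /burn.runonce` to pass every filter. If the per-GUID list was the maintenance burden, keep the bundle shape that the inline comment itself shows instead of a bare substring: `Image|contains: '}\.be\windowsdesktop-runtime-'` and `Details|startswith: '"C:\ProgramData\Package Cache\{'`, and add a comment recording that these filters are name-based and bypassable by design.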
@@ -2,7 +2,7 @@ title: Wow6432Node Classes Autorun Keys Modification id: 18f2065c-d36c-464a-a748-bcf909acb2e3 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 3de85319d..cafd8e5b1 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml @@ -2,7 +2,7 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification id: 480421f9-417f-4d3b-9552-fd2728443ec8 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 0777c27a4..83d8ea3cd 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml @@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth, frack113 date: 2022/05/02 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1112 
@@ -39,7 +40,11 @@ detection: - '\Perflogs\' - '\ADMIN$\' - '\Temp\' - condition: 1 of selection_* + filter_1: + Image|contains|all: # Filter FP with Avast software + - '\Common Files\' + - '\Temp\' + condition: 1 of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml index f214e54f8..2a5b69714 100644 --- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml @@ -1,12 +1,13 @@ -title: Add Debugger Entry To DbgManagedDebugger For Persistence +title: Potential Registry Persistence Attempt Via DbgManagedDebugger id: 9827ae57-3802-418f-994b-d5ecf5cd974b status: experimental -description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes +description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes references: - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - https://github.com/last-byte/PersistenceSniper author: frack113 date: 2022/08/07 +modified: 2022/12/19 tags: - attack.persistence - attack.t1574 diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 38c4c79fa..0254cdb81 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml 
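Review bot: `filter_1` excludes any `Image` whose path contains both `\Common Files\` and `\Temp\`, in either order and under any root, so a service created from `C:\Users\x\AppData\Local\Temp\Common Files\svc.exe` or `D:\Temp\Common Files\x.exe` is dropped from a `level: high` rule whose whole purpose is services launched from such directories. If the Avast false positive lives under Program Files, anchor it there: `filter_avast:` / `Image|startswith: 'C:\Program Files\Common Files\'` / `Image|contains: '\Temp\'`. The vendor should also be named in `falsepositives` rather than only in an inline comment, since that is the field consumers actually read when tuning.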
@@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Nasreddine Bencherchali date: 2022/08/01 -modified: 2022/09/18 +modified: 2022/12/09 tags: - attack.defense_evasion logsource: @@ -22,7 +23,7 @@ detection: - '\EventLog-' - '\Defender' TargetObject|endswith: - - '\Enabled' + - '\Enable' - '\Start' Details: DWORD (0x00000000) filter_legitimate: diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml similarity index 70% rename from rules/windows/registry/registry_set/registry_set_etw_disabled.yml rename to rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 93b500a35..f32870645 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification - Registry +title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +related: + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
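Review bot: The `TargetObject|endswith` value was changed from `'\Enabled'` to `'\Enable'`; Microsoft's AutoLogger documentation names the per-provider switch `Enabled` (REG_DWORD, 1 = enabled), and `endswith '\Enable'` does not match a path ending in `\Enabled`, so unless a separate `Enable` value exists that I am not aware of the rule stops firing on the documented value. If both spellings are meant to be covered, list both: `- '\Enable'` / `- '\Enabled'` / `- '\Start'`, with a comment naming which value the referenced Black Hat slides actually show being set to 0. Either way this is a silent detection change and deserves a `modified` note in the description, not only in the date field.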
@@ -12,21 +15,32 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/11/26 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows category: registry_set detection: - selection: + selection_etw_enabled: EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' - condition: selection + selection_complus: + EventType: SetValue + TargetObject|endswith: + - '\COMPlus_ETWEnabled' + - '\COMPlus_ETWFlags' + Details: + - 0 # For REG_SZ type + - 'DWORD (0x00000000)' + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index 831bbfecd..ac9afd353 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml 
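Review bot: In `selection_complus` the unquoted `0` is a YAML/Sigma integer while the Sysmon `Details` field for a `REG_SZ` value is a string; some backends render numeric values without quotes and a typed comparison against a string field then fails to match `"0"`, so quote it as `- '0' # REG_SZ` as the comment already intends. `COMPlus_ETWEnabled` is normally set through `HKCU\Environment` or the Session Manager `Environment` key and may also land as `REG_EXPAND_SZ`, which the `'0'` string form covers while `DWORD (0x00000000)` does not, so a short comment on which value types were observed would help. If `COMPlus_ETWFlags` has a specific disabling value rather than `0`, the rule should match that value instead of sharing the `Details` list with `COMPlus_ETWEnabled`.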
@@ -1,12 +1,16 @@
-title: GlobalFlags Registry Persistence Mechanisms
+title: Potential GlobalFlags Registry Persistence Attempt
 id: 36803969-5421-41ec-b92f-8500f79c23b0
+related:
+ - id: c81fe886-cac0-4913-a511-2822d72ff505
+ type: obsoletes
 status: test
-description: Detects persistence using GlobalFlags in image file execution options
+description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-author: Karneades, Jonhnathan Ribeiro
+ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+author: Karneades, Jonhnathan Ribeiro, Florian Roth
 date: 2018/04/11
-modified: 2022/09/07
+modified: 2022/12/19
 tags:
 - attack.privilege_escalation
 - attack.persistence
@@ -17,17 +21,17 @@ logsource:
 category: registry_set
 product: windows
 detection:
- selection_reg1:
- TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\'
- selection_reg2:
- - TargetObject|contains|all:
+ selection_global_flag:
+ TargetObject|contains|all:
+ - '\Microsoft\Windows NT\CurrentVersion\'
 - '\Image File Execution Options\'
 - '\GlobalFlag'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
+ selection_silent_process:
+ TargetObject|contains|all:
+ - '\Microsoft\Windows NT\CurrentVersion\'
+ - '\SilentProcessExit\'
+ TargetObject|contains:
 - '\ReportingMode'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
 - '\MonitorProcess'
 condition: all of selection_*
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
new file mode 100644
index 000000000..c362fe0e6
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
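Review bot: `condition: all of selection_*` now requires one registry event to satisfy both `selection_global_flag` (a `TargetObject` under `\Image File Execution Options\` ending in `\GlobalFlag`) and `selection_silent_process` (a `TargetObject` under `\SilentProcessExit\` containing `\ReportingMode` or `\MonitorProcess`); these are different keys, so no single `TargetObject` can match both and the rule can never fire. The removed version ANDed a shared prefix check with an OR of the alternatives, so the intended condition is `condition: 1 of selection_*`. Since the `\Microsoft\Windows NT\CurrentVersion\` prefix is now duplicated into each selection, the two selections are self-contained and the OR is all that is needed.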
@@ -0,0 +1,27 @@
+title: Lsass Full Dump Request Via DumpType Registry Settings
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
+status: experimental
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash'
+date: 2022/12/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
+ Details: 'DWORD (0x00000002)' # Full Dump
+ condition: selection
+falsepositives:
+ - Legitimate application that needs to do a full dump of their process
+level: high
diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml
similarity index 100%
rename from rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml
rename to rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
new file mode 100644
index 000000000..3377d03c1
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
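Review bot: Matching only `DumpType` = `DWORD (0x00000002)` leaves an equivalent path open: as I read the referenced WER documentation, `DumpType` `0` selects a custom dump whose contents come from `CustomDumpFlags` (a MINIDUMP_TYPE bitmask), and `MiniDumpWithFullMemory` (0x2) yields the same full-memory LSASS dump without the value `2` ever being written. Add a second selection on `\LocalDumps\lsass.exe\CustomDumpFlags` (any write) or on `\LocalDumps\lsass.exe\DumpType` with `DWORD (0x00000000)`, and switch to `condition: 1 of selection_*`. The per-application `lsass.exe\DumpType` key is also the far more specific indicator; the global `LocalDumps\DumpType` is set legitimately on developer machines, so either split the level or say so under `falsepositives`.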
@@ -0,0 +1,27 @@
+title: ETW Logging Disabled For rpcrt4.dll
+id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
+status: experimental
+description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
+ Details:
+ # This is disabled by default for some reason
+ - 'DWORD (0x00000000)' # Off
+ - 'DWORD (0x00000002)' # Off with exceptions
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
new file mode 100644
index 000000000..073cddb27
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -0,0 +1,24 @@
+title: ETW Logging Disabled For SCM
+id: 4f281b83-0200-4b34-bf35-d24687ea57c2
+status: experimental
+description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
+ Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
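Review bot: The inline comment says `0` and `2` are the default state of `ExtErrorInformation`, so this rule fires on any write that re-asserts the default — imaging, GPO or a product re-applying its configuration — not only on tampering, and `falsepositives: Unknown` understates that; replace it with `- Configuration management or group policy re-applying the default value`. The interesting event is a transition from a non-default value back to 0/2, which a Sysmon registry event cannot show because it carries only the new `Details`; a sentence in `description` saying the rule needs a baseline of hosts that had error logging turned on would set expectations for whoever tunes it.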
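Review bot: `TracingDisabled` matched at `DWORD (0x00000001)` is, per the rule's own inline comment, the default value, so every provisioning or policy write of the default triggers this rule and `falsepositives: Unknown` will not survive the first tuning pass; state it as `- Configuration management or imaging tools writing the default value of 1`. Since only a host where tracing had deliberately been enabled can produce a meaningful hit, `description` should say the rule is intended for environments that baseline `TracingDisabled` to 0, otherwise `level: low` alerts will be disabled wholesale.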
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index a288c972d..1c86770c1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -25,8 +25,7 @@ detection: - 'C:\Temp\' - 'C:\Users\Public\' - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' + - Details|contains: '\AppData\' condition: selection and selection2 fields: - Image diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index ef1c0a2b7..3952c6ac1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml @@ -5,10 +5,10 @@ description: | Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2022/11/22 +modified: 2022/12/07 tags: - attack.t1562.001 - attack.defense_evasion 
@@ -23,10 +23,13 @@ detection: - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' filter: Image|endswith: + # Please add the full paths that you use in your environment to tighten the rule - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' - '\procmon.exe' + - '\handle.exe' + - '\handle64.exe' Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection and not filter falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml new file mode 100644 index 000000000..186a0e114 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml 
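Review bot: The two added entries widen a `filter` that exempts by `Image|endswith` basename, and the only guidance to tighten it is the new YAML comment, which every converter drops on export. Moving that guidance into the rule itself, e.g. `falsepositives: - Sysinternals tools run from paths other than the ones listed; add the full paths used in your environment to the filter`, keeps it visible to whoever deploys the rule (the `falsepositives` items are outside this hunk). The `Details|contains` clause that follows anchors the exclusion to the real driver path, which limits what the basename match alone can exempt.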
@@ -0,0 +1,60 @@ +title: Suspicious Environment Variable Has Been Registered +id: 966315ef-c5e1-4767-ba25-fce9c8de3660 +status: test +description: Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings +references: + - https://infosec.exchange/@sbousseaden/109542254124022664 +author: Nasreddine Bencherchali +date: 2022/12/20 +tags: + - attack.defense_evasion + - attack.persistence +logsource: + product: windows + category: registry_set +detection: + selection_main: + EventType: SetValue + TargetObject|contains: '\Environment\' + selection_details: + - Details: + - 'powershell' + - 'pwsh' + - Details|contains: + # Add more suspicious strings in env variables below + - '\AppData\Local\Temp\' + - 'C:\Users\Public\' + # Base64 MZ Header + - 'TVqQAAMAAAAEAAAA' # MZ.......... + - 'TVpQAAIAAAAEAA8A' + - 'TVqAAAEAAAAEABAA' + - 'TVoAAAAAAAAAAAAA' + - 'TVpTAQEAAAAEAAAA' + # Base64 Invoke- (UTF-8) + - 'SW52b2tlL' + - 'ludm9rZS' + - 'JbnZva2Ut' + # Base64 Invoke- (UTF-16LE) + - 'SQBuAHYAbwBrAGUALQ' + - 'kAbgB2AG8AawBlAC0A' + - 'JAG4AdgBvAGsAZQAtA' + - Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 + - 'SUVY' + - 'SQBFAF' + - 'SQBuAH' + - 'cwBhA' + - 'aWV4' + - 'aQBlA' + - 'R2V0' + - 'dmFy' + - 'dgBhA' + - 'dXNpbm' + - 'H4sIA' + - 'Y21k' + - 'cABhAH' + - 'Qzpc' + - 'Yzpc' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml index dfc509f1a..307aecb82 100644 --- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml 
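Review bot: `status: test` on a brand-new rule is inconsistent with the two rules added in this same commit, which start as `status: experimental`. With `level: high` and `falsepositives: - Unknown`, the `'\AppData\Local\Temp\'` entry deserves a second look: user `TEMP`/`TMP` variables under `\Environment\` legitimately point into that directory, so a value written with a trailing backslash would match — worth verifying against real data before shipping at high. The description also has a typo (`environement`) and a sentence fragment beginning at `Which contains`; `Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands or strings` reads cleanly.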
@@ -1,26 +1,45 @@ -title: Registry Persistence Mechanism via Windows Telemetry +title: Potential Registry Persistence Attempt Via Windows Telemetry id: 73a883d0-0348-4be4-a8d8-51031c2564f8 +related: + - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 + type: obsoletes status: test -description: Detects persistence method using windows telemetry +description: | + Detects potential persistence behaviour using the windows telemetry registry key. + Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. + This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. + The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ -author: Lednyov Alexey, oscd.community +author: Lednyov Alexey, oscd.community, Sreeman date: 2020/10/16 -modified: 2022/03/26 +modified: 2022/12/19 tags: - attack.persistence - attack.t1053.005 logsource: category: registry_set product: windows - definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives' detection: selection: EventType: SetValue - TargetObject|contains|all: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - - '\Command' - Details|contains: '.exe' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + TargetObject|endswith: '\Command' + Details|contains: + - '.sh' + - '.exe' + - '.dll' + - '.bin' + - '.bat' + - '.cmd' + - '.js' + - '.ps' + - '.vb' + - '.jar' + - '.hta' + - '.msi' + - '.vbs' filter: Details|contains: 
- '\system32\CompatTelRunner.exe' @@ -28,4 +47,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: critical +level: high diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 887e5ad1a..f84e93c9b 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -14,6 +14,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali date: 2022/08/01 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.t1562.001 @@ -42,7 +43,11 @@ detection: - '\SpyNet\SubmitSamplesConsent' - '\MpEngine\MpEnablePus' Details: 'DWORD (0x00000000)' - condition: root and 1 of selection_* + filter_msmpeng: + Image|contains|all: + - 'C:\ProgramData\Microsoft\Windows Defender\platform\' + - '\MsMpEng.exe' + condition: ( root and 1 of selection_* ) and not 1 of filter* falsepositives: - Administrator actions level: high diff --git a/tests/test_rules.py b/tests/test_rules.py index a76aa41bb..0e7d70d6c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -13,6 +13,7 @@ import re from attackcti import attack_client from colorama import init from colorama import Fore +import collections class TestRules(unittest.TestCase): @@ -64,6 +65,7 @@ class TestRules(unittest.TestCase): # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): + # See Issue # https://github.com/SigmaHQ/sigma/issues/1028 files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
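Review bot: The visible `filter` entry `- '\system32\CompatTelRunner.exe'` is a `Details|contains` exclusion, so any `\Command` value that merely embeds the legitimate path somewhere is exempt from the widened `Details|contains` extension list; if the legitimate values always begin with the executable path, the `Details|startswith` modifier is the tighter form (the filter block continues past this hunk). The new `related: type: obsoletes` entry for `4e8d5fd3-c959-441f-a941-f73d0cdcdca5` should come with that rule being removed or marked deprecated in the same change, otherwise both fire on the same event; that file is not in this view.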
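Review bot: `Image|contains|all` in the new `filter_msmpeng` leaves both strings unanchored, so the exclusion trusts any process whose image path contains `\MsMpEng.exe` and the platform directory anywhere in it, not only the engine binary installed there. Anchoring the path, `Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'` together with `Image|endswith: '\MsMpEng.exe'`, keeps the intended exemption and nothing more. The condition `and not 1 of filter*` is fine as written.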
@@ -126,23 +128,35 @@ class TestRules(unittest.TestCase): "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): - def check_list_or_recurse_on_dict(item, depth: int) -> None: + def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None: if type(item) == list: - check_if_list_contain_duplicates(item, depth) + check_if_list_contain_duplicates(item, depth, special) elif type(item) == dict and depth <= MAX_DEPTH: - for sub_item in item.values(): - check_list_or_recurse_on_dict(sub_item, depth + 1) + for keys, sub_item in item.items(): + if "|base64" in keys: # Covers both "base64" and "base64offset" modifiers + check_list_or_recurse_on_dict(sub_item, depth + 1, True) + else: + check_list_or_recurse_on_dict(sub_item, depth + 1, special) - def check_if_list_contain_duplicates(item: list, depth: int) -> None: + def check_if_list_contain_duplicates(item: list, depth: int, special: bool) -> None: try: - if len(item) != len(set(item)): - print(Fore.RED + "Rule {} has duplicate filters".format(file)) + # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers + # - "base64offset" + # - "base64" + if special: + item_ = item + else: + item_= [i.lower() for i in item] + if len(item_) != len(set(item_)): + # We find the duplicates and then print them to the user + duplicates = [i for i, count in collections.Counter(item_).items() if count > 1] + print(Fore.RED + "Rule {} has duplicate filters {}".format(file, duplicates)) files_with_duplicate_filters.append(file) except: # unhashable types like dictionaries for sub_item in item: if type(sub_item) == dict and depth <= MAX_DEPTH: - check_list_or_recurse_on_dict(sub_item, depth + 1) + check_list_or_recurse_on_dict(sub_item, depth + 1, special) MAX_DEPTH = 3 files_with_duplicate_filters = [] 
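Review bot: The lowercasing added at `item_= [i.lower() for i in item]` runs inside the pre-existing bare `except:`, so a list of non-strings — `EventID` lists of integers are the obvious case — now raises AttributeError, is swallowed, and falls into the "unhashable types" branch where no duplicate check happens; before this change `set(item)` handled such lists. Lowercase only strings, `item_ = [i.lower() if isinstance(i, str) else i for i in item]`, and narrow the handler to `except TypeError:` so that only genuinely unhashable entries take the recursion path. `check_list_or_recurse_on_dict` is fine, although `keys` names a single key.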
@@ -150,7 +164,7 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") - check_list_or_recurse_on_dict(detection, 1) + check_list_or_recurse_on_dict(detection, 1, False) self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters") @@ -323,12 +337,12 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) - elif id in dict_id.keys(): + elif id.lower() in dict_id.keys(): print( Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file, dict_id[id])) faulty_rules.append(file) else: - dict_id[id] = file + dict_id[id.lower()] = file self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") 
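Review bot: `dict_id[id]` in the duplicate message, the unchanged line right after the new `elif id.lower() in dict_id.keys():`, still looks up the original-case id while the dictionary is now keyed by `id.lower()` on the other changed line; an id that collides only case-insensitively — exactly the case this change introduces — therefore raises KeyError inside the test instead of being reported. Change it to `dict_id[id.lower()]` (and `elif id.lower() in dict_id:` suffices without `.keys()`). The enclosing test method starts outside the hunk.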
@@ -659,6 +673,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") + def test_references_in_description(self): + # This test checks for the presence of a links and special keywords in the "description" field while there is no "references" field. + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + references = self.get_rule_part( + file_path=file, part_name="references") + # Reference field doesn't exist + if not references: + descriptionfield = self.get_rule_part( + file_path=file, part_name="description") + if descriptionfield: + for i in ["http://", "https://", "internal research"]: # Extends the list with other common references starters + if i in descriptionfield.lower(): + print(Fore.RED + "Rule {} has a field that contains references to external links but no references set. Add a 'references' key and add URLs as list items.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'description' fields. (links and external references have to be in a seperate field named 'references'. see specification https://github.com/SigmaHQ/sigma-specification)") + def test_references_plural(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
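Review bot: `faulty_rules.append(file)` runs once per matching marker, so a description containing both `http://` and `https://`, or a URL plus `internal research`, adds the same file twice and prints the message twice; add `break` after the append, or test once with `if any(i in descriptionfield.lower() for i in markers):`. `if not references:` also treats an empty `references: []` like a missing key, which is presumably intended but deserves a comment. The assertion text spells `seperate`; it should be `separate`.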
@@ -696,10 +729,145 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) + else: + # This test make sure that every rules has a filename that corresponds to + # It's specific logsource. + # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381) + logsource = self.get_rule_part(file_path=file, part_name="logsource") + if logsource: + pattern_prefix = "" + os_infix = "" + os_bool = False + for key,value in logsource.items(): + if key == "definition": + pass + else: + if key == "product": + # This is to get the OS for certain categories + if value == "windows": + os_infix = "win_" + elif value == "macos": + os_infix = "macos_" + elif value == "linux": + os_infix = "lnx_" + # For other stuff + elif value == "aws": + pattern_prefix = "aws_" + elif value == "azure": + pattern_prefix = "azure_" + elif value == "gcp": + pattern_prefix = "gcp_" + elif value == "gworkspace": + pattern_prefix = "gworkspace_" + elif value == "m365": + pattern_prefix = "microsoft365_" + elif value == "okta": + pattern_prefix = "okta_" + elif value == "onelogin": + pattern_prefix = "onelogin_" + elif key == "category": + if value == "process_creation": + pattern_prefix = "proc_creation_" + os_bool = True + elif value == "image_load": + pattern_prefix = "image_load_" + elif value == "file_event": + pattern_prefix = "file_event_" + os_bool = True + elif value == "registry_set": + pattern_prefix = "registry_set_" + elif value == "registry_add": + pattern_prefix = "registry_add_" + elif value == "registry_event": + pattern_prefix = "registry_event_" + elif value == "registry_delete": + pattern_prefix = "registry_delete_" + elif value == "registry_rename": + pattern_prefix = "registry_rename_" + elif value == "process_access": + pattern_prefix = "proc_access_" + os_bool = True + elif value == "driver_load": + pattern_prefix = "driver_load_" + os_bool = True + elif value == "dns_query": + 
pattern_prefix = "dns_query_" + os_bool = True + elif value == "ps_script": + pattern_prefix = "posh_ps_" + elif value == "ps_module": + pattern_prefix = "posh_pm_" + elif value == "ps_classic_start": + pattern_prefix = "posh_pc_" + elif value == "pipe_created": + pattern_prefix = "pipe_created_" + elif value == "network_connection": + pattern_prefix = "net_connection_" + os_bool = True + elif value == "file_rename": + pattern_prefix = "file_rename_" + os_bool = True + elif value == "file_delete": + pattern_prefix = "file_delete_" + os_bool = True + elif value == "file_change": + pattern_prefix = "file_change_" + os_bool = True + elif value == "file_access": + pattern_prefix = "file_access_" + os_bool = True + elif value == "create_stream_hash": + pattern_prefix = "create_stream_hash_" + elif value == "create_remote_thread": + pattern_prefix = "create_remote_thread_win_" + elif value == "dns": + pattern_prefix = "net_dns_" + elif value == "firewall": + pattern_prefix = "net_firewall_" + elif value == "webserver": + pattern_prefix = "web_" + elif key == "service": + if value == "auditd": + pattern_prefix = "lnx_auditd_" + elif value == "modsecurity": + pattern_prefix = "modsec_" + elif value == "diagnosis-scripted": + pattern_prefix = "win_diagnosis_scripted_" + elif value == "firewall-as": + pattern_prefix = "win_firewall_as_" + elif value == "msexchange-management": + pattern_prefix = "win_exchange_" + elif value == "security": + pattern_prefix = "win_security_" + elif value == "system": + pattern_prefix = "win_system_" + elif value == "taskscheduler": + pattern_prefix = "win_taskscheduler_" + elif value == "terminalservices-localsessionmanager": + pattern_prefix = "win_terminalservices_" + elif value == "windefend": + pattern_prefix = "win_defender_" + elif value == "wmi": + pattern_prefix = "win_wmi_" + elif value == "codeintegrity-operational": + pattern_prefix = "win_codeintegrity_" + elif value == "bits-client": + pattern_prefix = "win_bits_client_" + elif 
value == "applocker": + pattern_prefix = "win_applocker_" + + # This value is used to test if we should add the OS infix for certain categories + if os_bool: + pattern_prefix += os_infix + if pattern_prefix != "": + if not filename.startswith(pattern_prefix): + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file)) + faulty_rules.append(file) name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md') def test_title(self): faulty_rules = [] @@ -732,12 +900,10 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) continue elif len(title) > 70: - print( - Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) + print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) faulty_rules.append(file) if title.startswith("Detects "): - print( - Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) + print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) if title.endswith("."): print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) 
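Review bot: The new naming-convention check in the `else:` branch is a roughly 120-line `if`/`elif` chain over `logsource` values, and because it walks `logsource.items()` in YAML order, the winning `pattern_prefix` for a rule whose `product`, `category` and `service` each map to a prefix depends on the order in which the author wrote the keys. Three lookup tables with explicit precedence (service over category over product) turn the mapping into data, shorten the method and remove the order dependence; the fence sketches it with a few entries, the remaining entries move over from the chain unchanged. The `pattern_prefix += os_infix` tail, the `filename.startswith` check and `name_lst.append(filename)` stay as they are, and the enclosing `test_file_names` starts before this hunk.
```python
# constructed sketch: module-level tables, remaining entries carried over from the elif chain
OS_INFIX = {"windows": "win_", "macos": "macos_", "linux": "lnx_"}
PRODUCT_PREFIX = {"aws": "aws_", "azure": "azure_", "gcp": "gcp_", "m365": "microsoft365_"}
CATEGORY_PREFIX = {  # value: (prefix, needs_os_infix)
    "process_creation": ("proc_creation_", True),
    "image_load": ("image_load_", False),
    # … remaining category entries from the elif chain …
}
SERVICE_PREFIX = {"auditd": "lnx_auditd_", "security": "win_security_"}
# … remaining service entries from the elif chain …

logsource = self.get_rule_part(file_path=file, part_name="logsource")
if logsource:
    product = logsource.get("product")
    os_infix = OS_INFIX.get(product, "")
    pattern_prefix, os_bool = PRODUCT_PREFIX.get(product, ""), False
    if logsource.get("category") in CATEGORY_PREFIX:
        pattern_prefix, os_bool = CATEGORY_PREFIX[logsource["category"]]
    if logsource.get("service") in SERVICE_PREFIX:
        pattern_prefix, os_bool = SERVICE_PREFIX[logsource["service"]], False
    # … unchanged: os_infix append, filename.startswith check, faulty_rules.append …
```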
@@ -774,6 +940,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules without the 'title' attribute in their first line.") + def test_duplicate_titles(self): + # This test ensure that every rule has a unique title + faulty_rules = [] + titles_dict = {} + for file in self.yield_next_rule_file_path(self.path_to_rules): + title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip() + duplicate = False + for rule, title_ in titles_dict.items(): + if title == title_: + print(Fore.RED + "Rule {} has an already used title in {}.".format(file, rule)) + duplicate = True + faulty_rules.append(file) + continue + if not duplicate: + titles_dict[file] = title + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules that share the same 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ 
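Review bot: `test_duplicate_titles` scans every previously seen title for each file (`for rule, title_ in titles_dict.items()`), which is quadratic in the rule count, and the trailing `continue` in that loop does nothing because it is the last statement; it also appends the same file once per earlier rule sharing the title. Keying the dictionary by the normalised title gives a single lookup and one report per duplicate, with the message text unchanged. The `.lower().rstrip()` chain assumes every rule has a title; that is presumably guaranteed by `test_title`, so a `None` here would surface as AttributeError rather than a report.
```python
titles_dict = {}
for file in self.yield_next_rule_file_path(self.path_to_rules):
    title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip()
    if title in titles_dict:
        print(Fore.RED + "Rule {} has an already used title in {}.".format(file, titles_dict[title]))
        faulty_rules.append(file)
    else:
        titles_dict[title] = file
# … unchanged: self.assertEqual(faulty_rules, [], …) …
```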
@@ -806,32 +991,83 @@ class TestRules(unittest.TestCase): "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") def test_selection_list_one_value(self): + + def treat_list(file, values, valid_, selection_name): + # rule with only list of Keywords term + if len(values) == 1 and not isinstance(values[0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key) + ) + valid_ = False + elif isinstance(values[0], dict): + valid_ = treat_dict(file, values, valid_, selection_name) + return valid_ + + def treat_dict(file, values, valid_, selection_name): + if isinstance(values, list): + for dict_ in values: + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + else: + dict_ = values + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + return valid_ + faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") if detection: + valid = True for key in detection: + values = detection[key] if isinstance(detection[key], list): - # rule with only list of Keywords term - if len(detection[key]) == 1 and not isinstance(detection[key][0], str): - print( - Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) - valid = False + valid = treat_list(file, values, valid, key) + if isinstance(detection[key], dict): - for sub_key in detection[key]: - # split in 2 if as get a error "int has not len()" - if 
isinstance(detection[key][sub_key], list): - if len(detection[key][sub_key]) == 1: - print( - Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - valid = False + valid = treat_dict(file, values, valid, key) + if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules using list with only 1 element") + "There are rules using list with only 1 element") + + def test_selection_start_or_and(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part( + file_path=file, part_name="detection") + if detection: + + # This test is a best effort to avoid breaking SIGMAC parser. You could do more testing and try to fix this once and for all by modifiying the token regular expressions https://github.com/SigmaHQ/sigma/blob/b9ae5303f12cda8eb6b5b90a32fd7f11ad65645d/tools/sigma/parser/condition.py#L107-L127 + for key in detection: + if key[:3].lower() == "sel": + continue + elif key[:2].lower() == "or": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'or'".format(file, key)) + faulty_rules.append(file) + elif key[:3].lower() == "and": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'and'".format(file, key)) + faulty_rules.append(file) + elif key[:3].lower() == "not": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'not'".format(file, key)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with bad selection names. Can't start a selection name with an 'or*' or an 'and*' or a 'not*' ") def test_unused_selection(self): faulty_rules = [] 
@@ -850,8 +1086,12 @@ class TestRules(unittest.TestCase): continue if selection == "timeframe": continue - if selection in condition: + + # remove special keywords + condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ") + if selection in condition_list: continue + # find all wildcards in condition found = False for wildcard_selection in wildcard_selections.findall(condition): 
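Review bot: The hand-rolled tokenizer on the new `condition_list` line only strips `not `, `1 of ` and `all of ` in their single-space spelling and then splits on one space, so a condition written with double spaces, tabs or over several lines yields tokens that never equal a selection name, and the `|` of an aggregation clause, if any rule still uses one, is left glued to its neighbour. Since `re` is already imported in this file, `condition_list = re.findall(r"[\w*]+", condition)` extracts the identifiers (wildcards included) regardless of spacing and keywords, which is what the `selection in condition_list` test below wants. The enclosing `test_unused_selection` starts outside the hunk.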
@@ -872,15 +1112,27 @@ class TestRules(unittest.TestCase): # add "OriginalFilename" after Aurora switched to SourceFilename # add "ProviderName" after special case powershell classic is resolved # typos is a list of tuples where each tuple contains ("The typo", "The correct version") - typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")] + typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")] faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): + # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases + # We check first the logsource to handle special cases + logsource = self.get_rule_part(file_path=file, part_name="logsource").values() + # add more typos in specific logsources below + if "windefend" in logsource: + typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')] + elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource: + typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")] + elif "process_creation" in logsource: + typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")] + else: + typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") if detection: for search_identifier in detection: if isinstance(detection[search_identifier], dict): for field in 
detection[search_identifier]: - for typo in typos: + for typo in typos_: if typo[0] in field: print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field)) faulty_rules.append(file) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 4c13692ef..27ebcc03c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -166,6 +166,12 @@ logsources: conditions: product_name: "Sysmon" vendor_id: "11" + windows-file-change: + product: windows + category: file_change + conditions: + product_name: "Sysmon" + vendor_id: "2" windows-pipe-created: product: windows category: pipe_created @@ -235,14 +241,13 @@ logsources: conditions: vendor_name: "Zeek" vendor_type: "IDS" - zeek-category-firewall: + firewall: category: firewall conditions: - vendor_name: "Zeek" - vendor_type: "IDS" - rewrite: - product: zeek - service: conn + vendor_type: + - "Firewall" + - "Router" + - "WAP" zeek-category-dns: category: dns rewrite: @@ -852,6 +857,10 @@ fieldmappings: DestinationIp: ip_dst DestinationHostname: ip_dst_host DestinationPort: ip_dport + DestAddress: ip_dst + DestPort: ip_dport + SourceAddress: ip_src + SourcePort: ip_sport GrantedAccess: access_mask StartModule: target_process_name TargetProcessAddress: process_address diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index b3b0a6b9f..cbc432525 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -190,7 +190,9 @@ fieldmappings: ClassId: winlog.event_data.ClassId DeviceDescription: winlog.event_data.DeviceDescription # ErrorCode => printservice-admin EventID: 4909 or 808 - ErrorCode: winlog.event_data.ErrorCode + ErrorCode: + service=windefend: winlog.event_data.Error\ Code + default: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath # Filename => category: antivirus Filename: winlog.event_data.Filename 
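Review bot: `("Targetobject", "TargetObject")` is added again in the `registry_set`/`registry_add`/`registry_event` branch although it is already in the base `typos` list on the changed line above, so a rule with that typo is printed and appended twice; drop it from the branch. `self.get_rule_part(file_path=file, part_name="logsource").values()` also assumes the key exists — a rule without `logsource` raises AttributeError on `None` and aborts the whole test instead of being reported like the other checks — so fetch it first with `logsource = (self.get_rule_part(file_path=file, part_name="logsource") or {}).values()`. This hunk starts on the previous line and the enclosing test method begins before it.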
@@ -337,6 +339,7 @@ fieldmappings: CommandType: powershell.command.type EngineVersion: service=powershell-classic: powershell.engine.version + service=windefend: winlog.event_data.Engine\ Version default: winlog.event_data.EngineVersion HostApplication: process.command_line HostId: process.entity_id @@ -446,7 +449,9 @@ fieldmappings: NewTargetUserName: winlog.event_data.NewTargetUserName NewTime: winlog.event_data.NewTime NewUacValue: winlog.event_data.NewUacValue - NewValue: winlog.event_data.NewValue + NewValue: + service=windefend: winlog.event_data.New\ Value + default: winlog.event_data.NewValue NewValueType: winlog.event_data.NewValueType ObjectClass: winlog.event_data.ObjectClass ObjectDN: winlog.event_data.ObjectDN @@ -459,7 +464,9 @@ fieldmappings: OldSd: winlog.event_data.OldSd OldTargetUserName: winlog.event_data.OldTargetUserName OldUacValue: winlog.event_data.OldUacValue - OldValue: winlog.event_data.OldValue + OldValue: + service=windefend: winlog.event_data.Old\ Value + default: winlog.event_data.OldValue OldValueType: winlog.event_data.OldValueType OpCorrelationID: winlog.event_data.OpCorrelationID OperationType: winlog.event_data.OperationType @@ -472,7 +479,9 @@ fieldmappings: PreviousTime: winlog.event_data.PreviousTime PrimaryGroupId: winlog.event_data.PrimaryGroupId PrivilegeList: winlog.event_data.PrivilegeList - ProcessName: process.executable + ProcessName: + service=windefend: winlog.event_data.Process\ Name + default: process.executable ProfilePath: winlog.event_data.ProfilePath Properties: winlog.event_data.Properties PuaCount: winlog.event_data.PuaCount 
@@ -563,43 +572,38 @@ fieldmappings: # # Microsoft-Windows-Windows Defender/Operational # - Action_ID: winlog.event_data.Action\ ID - Action_Name: winlog.event_data.Action\ Name - Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID - Additional_Actions_String: winlog.event_data.Additional\ Actions\ String - Category_ID: winlog.event_data.Category\ ID - Category_Name: winlog.event_data.Category\ Name - Detection_ID: winlog.event_data.Detection\ ID - Detection_Time: winlog.event_data.Detection\ Time - Detection_User: winlog.event_data.Detection\ User - Engine_Version: winlog.event_data.Engine\ Version - Error_Code: winlog.event_data.Error\ Code - Error_Description: winlog.event_data.Error\ Description - Execution_ID: winlog.event_data.Execution\ ID - Execution_Name: winlog.event_data.Execution\ Name + ActionID: winlog.event_data.Action\ ID + ActionName: winlog.event_data.Action\ Name + AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID + AdditionalActionsString: winlog.event_data.Additional\ Actions\ String + CategoryID: winlog.event_data.Category\ ID + CategoryName: winlog.event_data.Category\ Name + DetectionID: winlog.event_data.Detection\ ID + DetectionTime: winlog.event_data.Detection\ Time + DetectionUser: winlog.event_data.Detection\ User + ErrorDescription: winlog.event_data.Error\ Description + ExecutionID: winlog.event_data.Execution\ ID + ExecutionName: winlog.event_data.Execution\ Name FWLink: winlog.event_data.FWLink - New_Value: winlog.event_data.New\ Value - Old_Value: winlog.event_data.Old\ Value - Origin_ID: winlog.event_data.Origin\ ID - Origin_Name: winlog.event_data.Origin\ Name + OriginID: winlog.event_data.Origin\ ID + OriginName: winlog.event_data.Origin\ Name Path: winlog.event_data.Path - Post_Clean_Status: winlog.event_data.Post\ Clean\ Status - Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status - Process_Name: winlog.event_data.Process\ Name - Product_Name: winlog.event_data.Product\ Name - 
Product_Version: winlog.event_data.Product\ Version - Remediation_User: winlog.event_data.Remediation\ User - Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version - Severity_ID: winlog.event_data.Severity\ ID - Severity_Name: winlog.event_data.Severity\ Name - Source_ID: winlog.event_data.Source\ ID - Source_Name: winlog.event_data.Source\ Name - Status_Code: winlog.event_data.Status\ Code - Status_Description: winlog.event_data.Status\ Description - Threat_ID: winlog.event_data.Threat\ ID - Threat_Name: winlog.event_data.Threat\ Name - Type_ID: winlog.event_data.Type\ ID - Type_Name: winlog.event_data.Type\ Name + PostCleanStatus: winlog.event_data.Post\ Clean\ Status + PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status + ProductName: winlog.event_data.Product\ Name + ProductVersion: winlog.event_data.Product\ Version + RemediationUser: winlog.event_data.Remediation\ User + SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version + SeverityID: winlog.event_data.Severity\ ID + SeverityName: winlog.event_data.Severity\ Name + SourceID: winlog.event_data.Source\ ID + SourceName: winlog.event_data.Source\ Name + StatusCode: winlog.event_data.Status\ Code + StatusDescription: winlog.event_data.Status\ Description + ThreatID: winlog.event_data.Threat\ ID + ThreatName: winlog.event_data.Threat\ Name + TypeID: winlog.event_data.Type\ ID + TypeName: winlog.event_data.Type\ Name # # Microsoft-Windows-Windows Firewall With Advanced Security/Firewall # diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index dd8556970..bd1e40acf 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py 
@@ -750,7 +750,7 @@ class HAWKBackend(SingleTextQueryBackend):
 "tags" : [ "sigma" ],
 "hawk_id" : sigmaparser.parsedyaml['id']
 }
- if 'tags' in sigmaparser.parsedyaml:
+ if 'tags' in sigmaparser.parsedyaml and isinstance(sigmaparser.parsedyaml, list):
 mitre_tactics = [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags'] ]
 if len(mitre_tactics) > 0:
 record["tags"] = record['tags'] + mitre_tactics
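Review bot: `isinstance(sigmaparser.parsedyaml, list)` can never be true here: the same object is indexed with `['id']` and `['tags']` on the surrounding lines, i.e. it is a mapping, so the added `and` makes the whole branch dead and MITRE tags are silently dropped from every HAWK record. The intended guard is presumably on the value: `if 'tags' in sigmaparser.parsedyaml and isinstance(sigmaparser.parsedyaml['tags'], list):`. The enclosing method starts outside the hunk.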